
Weekly Round Up

Issue 1

Welcome to our new Weekly Round Up. We aim to give you a brief recap of what mattered this week, why it matters, and what comes next.

Calls Grow for a Synnovis Public Inquiry

The debate has reignited over the Synnovis ransomware attack, which paralysed pathology services across London last year. The incident has been linked to at least one patient death, raising national concern over how cyber events are classified and reported in healthcare.

People are calling for a public inquiry, citing inconsistent reporting and limited political oversight.

In response, NHS England’s cyber lead Mike Fell announced new “grab-bag” response kits for non-cyber staff to improve local incident handling.

Health-sector cyber events are no longer just IT failures; they are public-safety events. This shift will likely drive new requirements for transparent harm reporting and clearer recovery expectations across the NHS.


The UK’s New Cyber Resilience Index

The Cabinet Office, in partnership with the National Cyber Security Centre (NCSC) and other sector bodies, has announced a forthcoming Cyber Resilience Index (CRI) to benchmark the resilience of the UK’s critical national infrastructure, including health.

The CRI will complement the upcoming Cyber Security and Resilience Bill, which is expected to introduce tighter reporting duties, expanded oversight powers, and potentially public scoring of organisational resilience.

Hospitals, integrated care boards, and suppliers may soon find themselves rated on their ability to recover from cyber incidents, not just to comply with regulations.

For cybersecurity and governance teams, the question becomes: can we recover, and how fast?

It's NHS Cyber Awareness Month

NHS England has launched Cyber Security Awareness Month 2025, focusing on four simple but essential defences:

  • Strong passwords

  • Multi-factor authentication

  • Recognising phishing attempts

  • Prompt incident reporting

The campaign includes toolkits, posters, and short explainer videos for health and care organisations. It reinforces that effective cybersecurity starts with informed people, not just technology.

Heidi Health Raises £48 million to Expand AI Clinical Tools

Australian-founded Heidi Health, an AI scribe and clinical assistant platform already in use across much of the NHS, has raised £48 million ($65 million) in Series B funding. The company claims its technology is now supporting 60% of NHS GPs, helping automate referral letters, triage notes, and communication tasks.

This is one of the largest healthtech raises of the year. While automation could free clinicians from admin tasks, the expansion also raises questions about data security, access control, and model transparency. As AI embeds deeper into health workflows, information governance and DSPT/CAF alignment will be critical safeguards.

Drones take off for NHS logistics in Wales

A new drone logistics network, funded by Innovate UK and the Department for Transport, is expanding across Wales.

Project Dragon’s Heart is designed to deliver blood, pathology samples, and urgent medical supplies for the Welsh Blood Service and Welsh Ambulance Service.

The project represents the next stage in digitally enabled logistics for health services, offering faster, greener, and more reliable delivery routes. But as drone systems connect with NHS data infrastructure, they also open new attack surfaces that must be secured through robust encryption and access control.

Oracle Zero-Day Under Active Attack

NHS England’s cyber team issued a high-severity alert this week for a critical Oracle E-Business Suite vulnerability – CVE-2025-61882 – that is now being actively exploited.

With a CVSS score of 9.8, the flaw allows unauthenticated remote code execution, effectively giving attackers unrestricted access.

Many NHS trusts and suppliers rely on Oracle platforms for HR, finance, and patient administration systems. A successful exploit risks operational disruption and exposure of sensitive data.

Action:
If your organisation runs Oracle E-Business Suite, patch now or apply mitigations from Oracle’s advisory and the NHS England Cyber Alert (CC-4701). Schedule your change window immediately rather than waiting for the next routine update.


Periculo’s Take This Week

We are now seeing a shift of focus from compliance to measurable resilience, supported by frameworks such as the NCSC CAF, and the coming Cyber Resilience Index means that “good enough” security will no longer be acceptable.

Tips for the week:

  • Review your incident response plans and ensure leadership knows their role.

  • Strengthen third-party assurance, especially with new AI and IoT integrations.

  • Start to prepare for the DSPT and CAF transitions, aligning policies and reporting.

Resilience now defines credibility. Whether you build, supply, or run digital health systems, cybersecurity is your licence to operate.

That’s all for this week. Keep an eye out for our upcoming threat report and the latest insights. See you next week.
