Weekly Round-Up Issue 10

This week brought clarity to NHS digital priorities alongside sobering research on security preparedness: the EPR implementation phase is over, productivity measurement begins, and a confidence crisis in cybersecurity capability has been quantified.

NHS Staff: 94% Understand Cyber Risks, Only 36% Trust Current Defences

BT research published this month revealed a critical gap in NHS cybersecurity: whilst 94% of NHS staff understand their role in protecting against cyber-attacks, only 36% believe current security measures are sufficient. Meanwhile, 60% of UK citizens are concerned that cyber-attacks could disrupt critical NHS systems.

The research identified systemic challenges: 64% of NHS staff reported patient data remains isolated and inoperable due to outdated systems, and the NHS typically invests approximately 5% of IT budgets in cybersecurity, less than half the 12% global standard.

The 58-percentage-point gap between awareness and confidence reveals NHS organisations recognise vulnerability but lack the capability to address it.

The 5% cybersecurity investment benchmark provides context for supplier pricing. NHS organisations face budget constraints that limit security purchasing. Solutions must deliver material risk reduction at constrained price points.

The legacy system challenge (64% reporting isolated data) means security solutions must accommodate fragmented IT environments. Products requiring wholesale infrastructure replacement face adoption barriers.

NHS England: EPR Era Ends, Productivity Era Begins

At the HETT Leadership Summit on 12 February, Ming Tang confirmed NHS England is "moving away from electronic patient records" as the Frontline Digitisation programme concludes. The new Frontline Productivity programme launches in April 2026, focusing on "business change and benefits realisation."

From 12th February, NHS England publishes monthly trust-level productivity statistics explicitly tracking how technology contributes to efficiency. Tang called cyber improvement a "must have," with NHS central teams providing surveillance tools and mandating two-factor authentication.

Procurement now demands measurable productivity gains – workforce hours saved, throughput increased, waiting times reduced. Monthly reporting creates transparent benchmarks. Technologies without clear evidence face scrutiny; those with proven gains can leverage published data.

Security capability becomes standard procurement criteria. Tang's reference to "services we've neglected in the past" signals investment in securing under-resourced systems.

Critical Remote Code Execution Vulnerability Flagged

NHS Digital issued high-severity alert CC-4743 on 9 February (updated 12 February): CVE-2026-1731 allows unauthenticated remote code execution. This followed Microsoft's Patch Tuesday on 11 February addressing six actively exploited zero-days.

RCE vulnerabilities give attackers complete system control without authentication. Suppliers must patch immediately. Monitor digital.nhs.uk/cyber-alerts for real-time NHS-specific threat intelligence – generic vendor advisories miss healthcare exploitation context.

For multi-NHS suppliers, one unpatched system creates risk across the entire customer base.

NICE Launches Fast-Track Pathway for Proven Technologies

On 9 February, NICE announced the National HealthTech Access Programme (NHAP) – expanding technology appraisals to medical devices, diagnostics, and digital health tools. Select high-impact technologies gain automatic NHS-wide reimbursement and deployment.

First priorities: capsule sponge tests for oesophageal cancer and AI tools for prostate/breast cancer detection.

NHAP transforms market access from fragmented local procurement to coordinated national rollout. Technologies successfully navigating NHAP gain deployment mandates across the NHS.

Cancer diagnostics as first priorities signal NHS focus: major disease burdens, early diagnosis, reduced specialist capacity constraints.

However, pharmaceutical-grade evaluation applies. Health economic assessments, QALY calculations, and robust real-world evidence become mandatory. Technologies with marginal or unproven benefits face significant barriers.

Periculo's Take

The BT research quantifies what many suspected: NHS awareness of cyber risks is high, but capability lags badly. The 5% investment level (versus 12% global standard) explains the confidence crisis. For suppliers, this creates both challenge and opportunity. NHS organisations need cost-effective security solutions that work within budget constraints whilst delivering material risk reduction.

The productivity shift creates transparent accountability through monthly trust-level reporting. The timing alongside critical vulnerability alerts isn't coincidental; security incidents directly impact the productivity metrics NHS England now publishes monthly.

NHAP offers a transformational opportunity for evidence-backed technologies but creates barriers for marginal solutions. The market bifurcates between evaluated technologies achieving national scale and unevaluated solutions confined to local adoption.