Weekly Round-up Issue 11

This week, the NHS's direct supplier engagement programme moved from letter to reality, a significant Microsoft patch cycle demanded urgent action from IT teams across health and care, and the government opened the door to a substantial new healthtech funding opportunity. 

NHS Begins Active Security Checks on Suppliers

NHS England has moved beyond the open letter stage. Following the joint DHSC–NHS England letter to approximately 36,000 suppliers issued in January, Computing and other trade publications confirmed this week that NHS England, or relevant contracting authorities, is now actively contacting suppliers to discuss cybersecurity controls. The conversations focus on the expectations set out in the Cyber Security Supply Chain Charter: maintained DSPT status, multi-factor authentication, patching discipline, immutable backups, and 24/7 monitoring of critical infrastructure. Where a supplier is deemed critical to patient care or continuity, the programme may escalate to requests for supporting evidence.

NHS England has been clear that this is not an audit and carries no pass or fail outcome at this stage. The stated purpose is risk identification and partnership-based remediation.

The shift from voluntary charter to active outreach is significant. Suppliers who have not yet signed the charter, or who have signed it but not yet substantiated their controls, are now at risk of being flagged. The programme is described as prioritised and proportionate, meaning higher-risk, more critical suppliers are likely to hear first, but all suppliers in scope of the NHS Standard Contract should treat the programme as live and immediate.

NHS Cyber Alert CC-4744: Microsoft February 2026 Patch Tuesday

The NHS England National Cyber Security Operations Centre issued alert CC-4744 on 11 February 2026, rated Medium severity, covering Microsoft's February 2026 Patch Tuesday. The update addresses 58 vulnerabilities across Windows, Windows Server, Microsoft Office, and associated platforms. Six of those vulnerabilities, including flaws in Windows Shell, MSHTML, Microsoft Word, and Desktop Window Manager, have been added to the US CISA Known Exploited Vulnerabilities catalogue and are assessed by the NHS CSOC as highly likely to be exploited. The NHS National Data Security and Protection Toolkit Breach Guidance was also updated on 11 February 2026, adding clarification on NIS Regulations and incident reporting.

Any supplier running Windows endpoints, Microsoft 365 environments, or Windows Server infrastructure in clinical or NHS-facing systems is directly affected. Six of the patched vulnerabilities carry CVSSv3 scores of 7.8 or higher. In parallel, NHSmail teams were managing multiple Microsoft Defender degradation incidents this week, including supervised iOS devices losing network connectivity and auto-remediation errors soft-deleting legitimate emails, underlining how quickly a misconfigured or delayed patch cycle can compound operational disruption.

Timely patching against NHS CSOC alerts is a DSPT requirement and a Supply Chain Charter expectation. Where patches affect NHS-facing systems, suppliers should apply updates as a priority and document the action taken. The DSPT evidence trail starts here.

DHSC Opens £20 Million Addiction Technology Funding

On 16 February 2026, the Department of Health and Social Care opened applications for £20 million in government grants through Innovate UK as part of the Office for Life Sciences' Addiction Healthcare Goals programme. Two funding tracks are available: up to £10 million for late-stage, near-deployment technologies and up to £1.5 million for earlier-stage innovations. Eligible technologies include wearables, AI-enabled tools, mobile applications, and virtual reality therapies designed to improve treatment, support recovery, and reduce harm from drug and alcohol addiction. Successful applicants will also receive access to an MHRA and NICE education session on navigating the regulatory pathway to UK certification and roll-out. Applications close on 6 May 2026.

This is a concrete, open funding opportunity for digital health companies developing tools in the addiction and substance misuse space. The two-track structure makes it accessible to both established suppliers approaching deployment and earlier-stage innovators who need to strengthen their evidence base. The inclusion of MHRA and NICE regulatory guidance sessions as part of the award is particularly valuable for companies navigating the Software as a Medical Device pathway.

Any digital health tool seeking NHS deployment will need to demonstrate DTAC compliance and appropriate data protection controls as part of its route to clinical adoption. Building this infrastructure now, rather than after a grant is awarded, accelerates time to roll out.

Government Unlocks GP Data Access for UK Biobank Research

The government published a data provision notice enabling coded GP patient data in England to be shared with consented cohort studies, principally UK Biobank, Our Future Health, and Genomics England's 100,000 Genomes Project, via NHS England. The notice transfers legal responsibility for the data from individual GP practices to NHS England, removing a significant barrier that has existed since the UK Biobank was established over twenty years ago. Coded data, including diagnoses, prescriptions, referrals, and laboratory results, will be made available through the UK Biobank's secure Research Analysis Platform. Free-text clinical notes will not be included. Digital Health reported the development on 17 February.

This is a significant shift in the UK health data landscape. For suppliers developing AI diagnostic tools, clinical decision support systems, or population health analytics platforms, the expansion of research-grade linked datasets creates both opportunities (richer model training data) and obligations, as the governance standards underpinning access to this data are robust and publicly visible. Any commercial use of NHS-adjacent research data will need to demonstrate equivalent governance standards.

Periculo's Take This Week

This week's developments share a common thread: the NHS is moving from stated expectations to active verification. Supplier outreach is live, patching alerts carry real compliance weight, and the legislative backdrop is tightening. The GP data governance shift and the addiction technology funding both point in the same direction: greater digital ambition, with proportionally greater scrutiny of those who supply it.