Weekly Round Up: ISSUE 14
This week's news ranges from a China-linked ransomware group actively targeting UK healthcare systems to the retirement of a key digital assurance framework. Here is what happened, why it matters, and what to watch next.
Storm-1175 and the Medusa Ransomware Threat to UK Healthcare
On 6 April, Microsoft's Threat Intelligence team published a detailed analysis of Storm-1175, a China-linked threat actor conducting what Microsoft describes as "high-tempo" ransomware operations against internet-facing systems. Healthcare was explicitly identified as one of the primary targeted sectors in the United Kingdom, alongside Australia and the United States.
What makes Storm-1175 particularly concerning is the speed of its operations. The group has been observed moving from initial access to full Medusa ransomware deployment within 24 hours and, in several documented cases, exploiting vulnerabilities before patches were publicly available. The most recent example involved CVE-2026-23760 in SmarterMail, which Storm-1175 weaponised a full week before the vulnerability was publicly disclosed.
The group's attack methodology follows a consistent pattern: exploit a web-facing vulnerability to gain unauthenticated access, deploy remote monitoring tools, conduct internal reconnaissance, move laterally across the network, exfiltrate data, and finally detonate the ransomware payload. The entire chain can be completed in under 48 hours.
For NHS suppliers and healthtech organisations with internet-facing infrastructure, which now describes most of them, this is not a theoretical risk. The NHS has already experienced the consequences of ransomware at the patient safety level. Organisations should review their exposure to the technologies Storm-1175 has historically targeted, including Microsoft Exchange, Ivanti, ConnectWise ScreenConnect, and SmarterMail. Patch cadence and external attack surface management are the most immediate priorities.
NHS England Issues High-Severity Cyber Alert: FortiClient EMS Remote Code Execution
The day after the Storm-1175 disclosure, on 7 April, NHS England's National Cyber Security Operations Centre (CSOC) published CC-4766, a high-severity alert addressing CVE-2026-35616 in Fortinet's FortiClient EMS (Endpoint Management Server). The vulnerability carries a CVSSv3 score of 9.1 and allows an unauthenticated attacker to perform remote code execution via crafted network requests.
Fortinet has confirmed active exploitation in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities catalogue this week. NHS England's own assessment is that further exploitation is almost certain in the near term.
FortiClient EMS is widely deployed in healthcare environments as a centralised endpoint security management solution. Any NHS organisation or supplier using this product must review Fortinet's security advisory and apply the available patch immediately. The combination of active exploitation, a CVSS score above 9.0, and NHS CSOC's high-severity rating makes this the most operationally urgent item of the week.
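One practical way to act on both the Storm-1175 product list and the KEV addition above is to cross-reference an asset inventory against the CISA KEV feed and rank what is unpatched. The Python below is an added example, not part of this round-up and not Microsoft's, NHS England's or CISA's tooling; it uses the real KEV JSON field names, but the records, hosts, dates, due dates and ransomware-use flags are constructed (only the CVE IDs come from this page).

```python
"""Flag inventory assets exposed to CISA KEV entries, ranked by urgency.
Added example, not part of the round-up; all records below are constructed."""
import json
from datetime import date

# Constructed KEV-style feed: real schema field names, but the CVE IDs come from
# this page and the dates, due dates and ransomware flags are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2026-04-07", "dueDate": "2026-04-28", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-23760", "vendorProject": "SmarterTools", "product": "SmarterMail",
     "dateAdded": "2026-03-30", "dueDate": "2026-04-20", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory: product, exposure, and CVEs already remediated.
INVENTORY = [
    {"host": "ems01", "product": "FortiClient EMS", "internet_facing": True, "patched": set()},
    {"host": "mail01", "product": "SmarterMail", "internet_facing": True, "patched": {"CVE-2026-23760"}},
    {"host": "mail02", "product": "SmarterMail", "internet_facing": False, "patched": set()},
]


def exposed_assets(kev_json, inventory, today_iso):
    """Return unpatched host/CVE pairs, most urgent first (today_iso is YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    by_product = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault(v["product"].lower(), []).append(v)
    findings = []
    for asset in inventory:
        for v in by_product.get(asset["product"].lower(), []):
            if v["cveID"] in asset["patched"]:
                continue  # already remediated on this host
            overdue = date.fromisoformat(v["dueDate"]) < today
            ransomware = v["knownRansomwareCampaignUse"] == "Known"
            # Internet exposure outweighs known ransomware use, which outweighs a missed due date.
            priority = 4 * asset["internet_facing"] + 2 * ransomware + overdue
            findings.append({"host": asset["host"], "cve": v["cveID"], "overdue": overdue,
                             "ransomware": ransomware, "priority": priority})
    findings.sort(key=lambda f: (-f["priority"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in exposed_assets(KEV_JSON, INVENTORY, "2026-04-10"):
        print(f"{f['host']:8} {f['cve']}  priority={f['priority']}  overdue={f['overdue']}")
```

Swap in the live catalogue download and your own inventory export and the same ranking tells you which hosts to patch first.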
DTAC Version 2: The Old Framework Is Now Retired
The 6 April deadline for transitioning to NHS England's updated Digital Technology Assessment Criteria (DTAC) Version 2 has now passed. From this point, the previous Version 1 form must not be used by either suppliers or procuring NHS bodies.
DTAC is the national baseline framework through which digital health technologies are assessed before NHS procurement. Version 2, published by NHS England on 24 February 2026 following a joint DHSC and NHS England policy webinar, simplifies the compliance process meaningfully. The number of questions has been reduced by 25 per cent, duplications with the Data Security and Protection Toolkit (DSPT) and Pre-Acquisition Questionnaire (PAQ) have been removed, and the requirement for Clinical Safety Officers to hold training certified by NHS Digital has been dropped.
The longer-term roadmap is also worth noting. NHS England has signalled it intends to develop an "Innovator Passport", a mechanism that would allow a completed DTAC assessment to transfer between NHS organisations without repeating the process from scratch. This is a significant potential reduction in friction for suppliers selling into multiple NHS trusts or ICBs.
If your organisation is in active procurement conversations with NHS bodies, this is the moment to confirm your DTAC V2 submission is complete and correctly formatted.
NHS England Publishes Digital Maturity Data and Launches TPPSFS
On 7 April, NHS England shared a substantive update on its digital-by-default agenda, drawing on findings from the latest Digital Maturity Assessment (DMA) and an Electronic Patient Record (EPR) usability survey.
The headline figure is striking: NHS trusts in the top quartile for digital maturity are eight per cent more productive overall than those in lower quartiles, measured as cost-weighted clinical activity per pound spent. They also deliver a four per cent shorter average length of stay and perform eight per cent better against 18-week referral to treatment standards.
The EPR usability findings, however, point to a significant gap between deployment and genuine adoption. Sixty per cent of doctors and seventy per cent of nurses reported they would welcome additional EPR training. Forty-four per cent said they had received no further training since joining their current organisation.
Separately, and as part of the NHS 10 Year Plan, the Transform Patient, Public and Staff-Facing Services (TPPSFS) programme formally launched on 1 April. This is a major structural initiative that will shape NHS technology procurement and partnership opportunities over the coming years. Suppliers operating in the patient-facing or workflow-automation space should be tracking this programme closely.
NICE Expands Technology Appraisals to Cover Digital Health Products
From April 2026, NICE has formally broadened its technology appraisals programme, previously limited to medicines, to include medical devices, diagnostics, and digital health technologies. This places high-impact digital health tools on a statutory footing equivalent to pharmaceuticals for the first time.
The change forms part of the wider National HealthTech Access Programme, a collaboration between NICE, NHS England, DHSC, MHRA, and the Office for Life Sciences. The first two topics proceeding through the new pathway are AI tools for detecting prostate and breast cancer, and capsule sponge tests for oesophageal cancer screening.
For healthtech companies with evidence-backed products at a meaningful scale, the implication is clear: a positive NICE technology appraisal will carry mandatory commissioning expectations across NHS England, replicating the leverage that medicines have enjoyed for years. Evidence strategy and health economic modelling are now front-and-centre considerations for any company with NHS ambitions.
Periculo Take
This week's alerts are a reminder that awareness is the first line of defence. Organisations that monitor NHS cyber advisories and threat intelligence will always be better positioned than those that catch up after the fact.
Beyond awareness, regular vulnerability scanning gives you a clear view of your exposed attack surface, surfacing unpatched products like FortiClient EMS before an attacker does. Penetration testing goes further, validating whether the lateral movement techniques Storm-1175 relies on are possible in your specific environment. And Cyber Essentials Plus provides the independently verified baseline that underpins both: its five technical controls map directly to the vectors exploited in this week's disclosures, and a valid CE+ certificate is an increasingly visible signal to NHS procurement teams under the NHS Cyber Security Supply Chain Charter.
Awareness, scanning, testing, and certification are a continuous loop, not a one-time exercise. If you have questions about where your organisation stands, Periculo is happy to help.