
Weekly Round-Up Issue 15

This week's round-up arrives against a backdrop of significant cyber, regulatory and assurance activity affecting healthcare organisations across the UK and Europe. There are active exploit alerts from NHS England's National CSOC, new intelligence from Microsoft about a threat actor directly targeting UK healthcare, and a ransomware attack on a major European patient-record supplier that should concern anyone thinking seriously about supply chain risk. Alongside the threat landscape, there are important market and regulatory developments, from UK-US medical device cooperation and MHRA's expanding AI Airlock programme to the Cyber Security and Resilience Bill progressing through Parliament, all of which will shape the compliance environment for months to come. There is also a live DSPT deadline that a number of suppliers may still be underestimating.

NHS CSOC high-severity alert: FortiClient EMS zero-day (CC-4766)

NHS England's National CSOC rated this high severity on 7 April. CVE-2026-35616 affects FortiClient EMS versions 7.4.5 and 7.4.6, allows unauthenticated remote code execution, and was being actively exploited before the advisory was published. Fortinet released out-of-band hotfixes immediately. If you run FortiClient EMS, this is an incident-response task, not a scheduled patch. DSPT patch management outcomes are directly engaged.

NHS England investigates compromised GP websites

NHS England confirmed this week it is investigating after several GP surgery websites were found linking to adult content and illegal streams. The issue follows an earlier incident affecting NHS Scotland domains and appears to stem from compromised WordPress setups or DNS tampering. Researchers have warned that the same domains could easily be redirected to phishing sites, with NHS branding lending credibility to any attack. Suppliers managing web infrastructure for NHS organisations should review DNS configuration and CMS patching across their estate now.
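The review recommended above is easiest to do as a repeatable drift check rather than a one-off manual pass. The script below is an added example written for this round-up, not tooling from NHS England, Periculo or the researchers cited. It compares the DNS answers and final HTTP redirect target observed for each domain against a baseline the operator maintains (trusted hosting ranges, trusted hostname suffixes, expected nameservers) and flags anything that now points off-estate, which is how both DNS tampering and a compromised CMS typically surface. All domains, IP ranges and observations are constructed sample data; in use, the `Observation` objects would be filled from your own resolver and HTTP probes.

```python
"""Estate-wide DNS and redirect drift check for web properties (added example).

Flags A records outside trusted hosting ranges, CNAMEs to hosts you do not
control, changed nameserver delegation, and sites whose final redirect lands
off-estate. Sample data at the bottom is constructed, not real NHS records.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Observation:
    """What a resolver / HTTP probe returned for one domain (filled in by you)."""
    a_records: List[str] = field(default_factory=list)
    cname: Optional[str] = None
    ns_records: List[str] = field(default_factory=list)
    redirect_to: Optional[str] = None  # hostname of the final Location header, if any


def host_in_estate(hostname: str, trusted_suffixes: Tuple[str, ...]) -> bool:
    """True if hostname equals, or is a subdomain of, a trusted suffix.

    The leading dot in the suffix test stops 'gp-estate.example.attacker.example'
    from matching 'gp-estate.example'.
    """
    h = hostname.rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in trusted_suffixes)


def ip_in_estate(ip: str, trusted_ranges: List[ipaddress.IPv4Network | ipaddress.IPv6Network]) -> bool:
    """True if the address parses and falls inside a trusted hosting range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable answer is treated as untrusted
    return any(addr in net for net in trusted_ranges)


def check_domain(domain: str, obs: Observation, trusted_suffixes: Tuple[str, ...],
                 trusted_ranges: List[ipaddress.IPv4Network | ipaddress.IPv6Network],
                 expected_ns: set) -> List[str]:
    """Return human-readable findings for one domain; empty list means no drift."""
    findings: List[str] = []
    # 1. A records that resolve to infrastructure outside the ranges you own
    for ip in obs.a_records:
        if not ip_in_estate(ip, trusted_ranges):
            findings.append(f"{domain}: A record {ip} is outside trusted ranges")
    # 2. CNAME pointing at a host you do not control
    if obs.cname and not host_in_estate(obs.cname, trusted_suffixes):
        findings.append(f"{domain}: CNAME to untrusted host {obs.cname}")
    # 3. Nameserver delegation no longer matches the expected set
    observed_ns = {n.rstrip(".").lower() for n in obs.ns_records}
    if observed_ns and observed_ns != expected_ns:
        findings.append(f"{domain}: NS delegation changed to {sorted(observed_ns)}")
    # 4. Site redirects visitors off-estate (a common symptom of a compromised CMS)
    if obs.redirect_to and not host_in_estate(obs.redirect_to, trusted_suffixes):
        findings.append(f"{domain}: redirects to off-estate host {obs.redirect_to}")
    return findings


def audit(observations: Dict[str, Observation], trusted_suffixes: Tuple[str, ...],
          trusted_ranges: List[ipaddress.IPv4Network | ipaddress.IPv6Network],
          expected_ns: set) -> Dict[str, List[str]]:
    """Run check_domain over the estate; only domains with findings are returned."""
    result: Dict[str, List[str]] = {}
    for domain, obs in observations.items():
        found = check_domain(domain, obs, trusted_suffixes, trusted_ranges, expected_ns)
        if found:
            result[domain] = found
    return result


def run_sample() -> Dict[str, List[str]]:
    """Constructed baseline and observations (RFC 2606 / RFC 5737 values, not real)."""
    trusted_suffixes = ("gp-estate.example",)
    trusted_ranges = [ipaddress.ip_network("198.51.100.0/24")]
    expected_ns = {"ns1.gp-estate.example", "ns2.gp-estate.example"}
    observations = {
        # healthy: in-range A record, expected delegation, no redirect
        "surgery-one.gp-estate.example": Observation(
            a_records=["198.51.100.10"],
            ns_records=["ns1.gp-estate.example.", "ns2.gp-estate.example."]),
        # tampered: A record moved off-estate and site now redirects elsewhere
        "surgery-two.gp-estate.example": Observation(
            a_records=["203.0.113.77"],
            ns_records=["ns1.gp-estate.example", "ns2.gp-estate.example"],
            redirect_to="promo.stream-site.example"),
        # delegation hijacked, but CNAME still points at our own CDN host
        "surgery-three.gp-estate.example": Observation(
            cname="cdn.gp-estate.example",
            ns_records=["ns1.other-dns.example"]),
    }
    return audit(observations, trusted_suffixes, trusted_ranges, expected_ns)


if __name__ == "__main__":
    for domain, findings in run_sample().items():
        for line in findings:
            print(line)
```

Run it on a schedule against the full list of domains you host, keep the baseline under change control, and treat any finding as an incident trigger rather than a ticket: the researchers' point is that a redirected NHS-branded domain is phishing infrastructure the moment it changes.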

Storm-1175 Medusa ransomware: UK healthcare named as target

Microsoft Threat Intelligence published a detailed profile on 6 April of Storm-1175, a group deploying Medusa ransomware that has been actively hitting healthcare organisations in the UK, US, and Australia. In some cases it moves from initial access to ransomware deployment within 24 hours of a vulnerability going public. The group has exploited over 16 vulnerabilities since 2023, including zero-days in GoAnywhere MFT and SmarterMail. Review your internet-facing application patching cycles and perimeter exposure now.

ChipSoft ransomware: a European supply-chain warning

Dutch patient-record vendor ChipSoft, which serves around 80 per cent of hospitals in the Netherlands, was hit by ransomware on 7 April. Patient data access was disrupted, and the company could not rule out data theft. It is a stark illustration of what supply-chain concentration risk looks like in practice, and precisely the scenario the Cyber Security and Resilience Bill's supplier provisions are designed to address. Worth mapping your own critical dependencies against this picture.

UK and US deepen medical device regulatory cooperation

The MHRA and the US FDA have announced strengthened cooperation on medical device regulation, alongside a wider UK-US pharmaceutical partnership. The MHRA plans to open "international reliance routes", allowing devices cleared through FDA 510(k), De Novo and PMA pathways to gain faster access to the UK market.

UK medtech reform is expected to enter legislation in 2026, with reliance routes opening from 2027. For UK-based manufacturers and NHS-facing healthtechs, this is a material shift: it shortens the distance between US and UK market access and may reduce duplicative approvals, though it does not remove the need for robust clinical evidence, post-market surveillance and cybersecurity controls.

NHS Supply Chain reinforces supplier cyber resilience expectations

NHS Supply Chain's April 2026 supplier webinar reiterated that suppliers must expect more direct engagement on cyber controls under the NHS Cyber Improvement Programme. Core expectations continue to centre on Cyber Essentials Plus (for those in scope of PPN 014), DSPT "Standards Met" status, MFA, patching cadence and board-level cyber training. Supplier cyber risk is the NHS's most persistent attack surface. The April session confirms that NHS England is moving from broad charter commitments to evidence-based engagement. Contact-data hygiene sounds mundane, but it is now part of the assurance picture: suppliers will be asked to verify incident response contacts and update them as staff change.

Action. If your organisation sells into the NHS, make sure you have a single, named accountable owner for cyber assurance, an up-to-date DSPT submission plan and evidence ready for independent scrutiny.

MHRA secures £3.6 million to expand AI Airlock regulatory sandbox

DHSC has allocated £1.2 million per year for three years to expand the MHRA's AI Airlock programme, the UK's first regulatory sandbox for AI as a Medical Device. The current phase is exploring LLMs, voice tools, and diagnostic AI, with phase two findings due in summer 2026 and a phase three call for applications later this year. For suppliers developing clinical AI, the Airlock is increasingly the mechanism through which MHRA expects to see regulatory evidence built. Worth considering alongside your DTAC and DSPT obligations.

Cyber Security and Resilience Bill moves to the House of Lords

Parliamentary records updated 14 April confirm the Bill has cleared all Commons stages and is now in the Lords. Royal Assent is expected later this year, with full implementation phased to 2028. Key provisions include 24-hour incident notification, penalties up to £17 million or 4 per cent of global turnover, and expanded scope covering managed service providers and critical suppliers. If you supply NHS-connected services, now is the time to assess whether you fall into scope.

DSPT v8 deadline: 30 June 2026

Ten weeks away. Organisations requiring independent CAF-aligned assessments, including OES-designated IT suppliers, need assessors booked and evidence collection underway. Missing the deadline risks loss of NHS systems access and contract renewal issues. This week's FortiClient alert and Storm-1175 intelligence are both directly relevant to DSPT patch management and incident response outcomes: compliance and operational security are the same conversation.

Periculo's Take This Week

Eight themes connect this week: an actively exploited zero-day in widely used endpoint software; compromised NHS domains that could easily become phishing infrastructure; a ransomware group hitting UK healthcare within 24 hours of a vulnerability going public; a major European supply-chain attack that mirrors risks closer to home; stronger UK-US regulatory alignment on medical devices; growing MHRA focus on assuring clinical AI through the Airlock programme; a landmark Cyber Security and Resilience Bill moving closer to Royal Assent; and a DSPT deadline now only ten weeks away. The thread running through all of it is the same: resilience is no longer just about preventing attacks, it is about proving governance, readiness and response at the speed modern risk now moves. The gap between knowing about a risk and acting on it is where attackers and regulators both operate. See you soon.