Weekly Round Up - Issue 18
The clock is ticking loudest on the DSPT, with version 8 due at the end of the month and a meaningfully higher bar for suppliers this cycle. Around it, Parliament debated the legislation behind the NHS Single Patient Record, the Cyber Security and Resilience Bill moved towards its final Commons stages, and Bedfordshire Hospitals confirmed the long tail of the 2024 Synnovis breach. Here is what mattered, and why it should be on your radar.
The Single Patient Record reaches the Commons
MPs debated the Health Bill (also referred to as the NHS Modernisation Bill) at second reading on 1 June. The bill would enable the Secretary of State to legally require all NHS providers, including GPs, to disclose data so it can be combined in a single patient record, with the power to set fines for non-compliance. During the debate, the health secretary confirmed that the Department of Health and the Secretary of State will take on a role as data controller where information is shared through the Single Patient Record, and said it would be governed by the highest levels of security, including an access audit trail.
A single, England-wide record changes the data-governance landscape your products plug into. The bill will also abolish NHS England and transfer most of its functions to the DHSC or integrated care boards. If you process, surface or contribute clinical data, expect renewed scrutiny of where controller and processor responsibilities sit.
A consolidated record accessible to a large clinical workforce concentrates risk. The King's Fund noted that a single patient record could improve care co-ordination but faces delivery and governance challenges. Suppliers should map their data flows now and be ready to evidence access controls, audit logging and lawful basis for sharing.
The Cyber Security and Resilience Bill nears third reading
The Cyber Security and Resilience (Network and Information Systems) Bill is scheduled for report stage and third reading on 10 June 2026. The bill broadens the scope of regulated organisations, introduces a faster two-stage incident reporting model, and strengthens oversight of supply chain risk.
Around 1,000 service providers are expected to fall within scope, with requirements for third-party suppliers to strengthen cyber security and data protection. Many healthtechs that consider themselves "just a vendor" may find themselves in scope as critical or managed service providers.
The bill introduces a two-stage incident reporting regime: organisations must submit an early notification of a major incident within 24 hours and a full report within 72 hours. Meeting those windows demands mature detection and escalation now, not after Royal Assent. Note also that the EU's NIS2 sits alongside this, so cross-border suppliers should build a single, harmonised reporting capability that satisfies both regimes.
Bedfordshire Trust confirms 33,000 patients affected by the Synnovis breach
In a statement published on 1 June, Bedfordshire Hospitals NHS Foundation Trust revealed that almost 33,000 of its patients had personal data stolen and published online following the June 2024 Synnovis ransomware attack. The data relates to 32,927 patients and may include names, dates of birth, NHS numbers, postcodes and test results from before November 2020. The trust said the affected records all predate 2020, since the pathology service was subsequently brought back in-house.
This is a stark illustration of the long tail of a supply-chain incident. The trust was only informed in October 2025 that some recovered data related to its organisation, and more than a year of specialist analysis was needed because the data was not organised as a single database. A breach at a single pathology supplier is still generating patient notifications two years on.
The stolen data is now subject to a court injunction prohibiting third parties from accessing, sharing or misusing it, and the trust has warned of a limited risk of phishing or unsolicited contact. For suppliers, the lesson is that breach impact is not bounded by your own systems or even by the incident date; downstream organisations inherit the notification, legal and reputational burden for years. Robust data minimisation and clear records of what you hold, and for how long, materially reduce that tail.
The DSPT v8 deadline is closing in
The DSPT v8 cycle bites at the end of this month. Organisations must meet the new DSPT version 8 standards by the deadline of 30 June 2026, and failing to comply could risk access to NHS contracts.
The 2025/26 DSPT introduces a major shift to full alignment with the NCSC Cyber Assessment Framework, moving away from checklist compliance toward evidence-based, outcome-driven assurance, with independent CAF-aligned audits required. Version 8 also updates the requirements for IT suppliers to include the DSIT code of practice for software vendors.
This is the practical front line. Suppliers need a digital asset register and demonstrable evidence rather than self-declared "yes" answers. Treat the 30 June deadline as a gating item for contract renewal, and start assembling audit evidence now rather than in the final fortnight.
NHS SBS launches a £900m Healthcare AI framework
NHS Shared Business Services launched a £900m Healthcare AI Solutions framework, published on 11 May, providing a national procurement route for AI spanning diagnostics, predictive analytics, operational efficiency, robotics and consultancy, with a tender submission deadline of 23 June 2026.
A national route to market for AI is significant for healthtechs, but the framework has drawn criticism, including from GP and clinical safety officer Marcus Baw over its high value.
Procurement readiness for AI now means evidencing secure-by-design development, lifecycle monitoring and clear risk management. Buyers increasingly expect consistency between security claims, regulatory submissions and contractual commitments.
Cyber alerts: patch discipline still matters
NHS England's CSOC continued to issue alerts through late May and into June. Recent high-severity alerts include CC-4788, covering a vulnerability under active exploitation that could allow remote code execution, and an alert on a Trend Micro Apex One on-premise flaw allowing code injection via directory traversal.
These are the bread-and-butter threats that cause real disruption. Registering for and acting on alerts is a baseline expectation under the NHS cyber programme.
Ensure your team is registered for the Respond to an NHS Cyber Alert service and can evidence remediation timelines; that is exactly the kind of operational assurance CAF-aligned audits probe.
The wider picture: healthcare remains the prime target
The international backdrop reinforces the UK direction of travel. The FBI's Internet Crime Complaint Center reports that healthcare was the most targeted critical infrastructure sector for ransomware in 2025, with 460 ransomware incidents. A recent US breach at NYC Health + Hospitals, affecting at least 1.8 million individuals, was attributed to a breach at a third-party vendor, fitting the pattern of supply-chain compromises.
Supply-chain risk is the common thread linking every story above. UK regulation is converging on exactly this exposure.
Whether the entry point is a vendor in New York or a GP software supplier in England, the lesson is identical: your suppliers' weaknesses become yours.
If there is one thing to act on this week, it is the DSPT. The 30 June deadline is close, the bar is higher, and the shift to evidence-based assurance means the work cannot be left to the final fortnight. The wider picture, from the Single Patient Record to the Bedfordshire notifications, only reinforces the point that suppliers are now expected to demonstrate their security posture rather than simply assert it. At Periculo, we help health and care suppliers prepare for exactly this kind of scrutiny, calmly and well ahead of the deadline. If anything here raises a question for your team, we are always happy to talk it through.