Cyber Security Blog

Weekly Round-Up Issue 8

Written by Craig Pepper | Jan 23, 2026 11:45:00 AM

Welcome to this week’s round-up. We cover a major IT failure disrupting GP services, a targeted phishing campaign against a password manager, and NHS England’s recruitment of a chair for the NHS Online hospital trust, alongside critical Microsoft updates. With six months until the 2025/26 DSPT submission deadline, this round-up focuses on what has happened, why it matters for your organisation, and what you need to do next.

Major IT Failure Disrupts Kent and Medway GP Practices

A significant IT outage has suspended online services across GP practices in Kent and Medway, resulting in operational disruption and patient service delays.

Why it matters: This incident highlights the vulnerability of primary care digital infrastructure and the importance of resilient IT systems. NHS suppliers must prioritise business continuity and incident response planning.

Cybersecurity and compliance implications: The failure underscores the need to comply with NHS DSPT requirements on resilience and incident management. Suppliers should review their contingency arrangements and ensure rapid recovery capabilities to maintain trust and service continuity.

Recruitment for Chair of NHS Online Hospital Trust

NHS England has begun recruiting an ‘exceptional’ chair for the NHS Online hospital, set to launch as a trust in June 2026. This marks a significant step towards establishing a fully digital hospital-based care model.

Why it matters: The creation of an online hospital trust signals NHS England’s commitment to digital-first care. Suppliers should anticipate new procurement and partnership opportunities but also heightened scrutiny on digital governance.

Compliance implications: NHS Online will need to comply with NHS DSPT requirements and align with the Health and Social Care Network (HSCN) standards. Cybersecurity leaders should monitor how this trust sets precedents for digital governance and supplier risk management.

NHS DSPT 2025/26

With six months until the 30 June 2025/26 DSPT submission deadline, ensure you have scheduled and budgeted for the mandatory independent audits required for Category 2 IT suppliers.

NHS Cyber Alert

Two critical alerts this week: Microsoft's January patches addressing 112 vulnerabilities (including one actively exploited), and an updated Cisco alert for CVE-2025-20393, a vulnerability allowing root privilege escalation. Both underscore that timely patching is a regulatory and patient safety imperative, not an optional extra.

LastPass Phishing

A phishing campaign began on 19 January, impersonating LastPass with urgent "maintenance" warnings. The fake messages claim users must back up their password vaults within 24 hours. Subject lines include "LastPass Infrastructure Update: Secure Your Vault Now" and "Protect Your Passwords: Backup Your Vault (24-Hour Window)."

Victims clicking "Create Backup Now" are redirected to fake LastPass login pages at 'mail-lastpass[.]com'. Enter your master password, and attackers gain access to every credential in your vault—NHS system logins, clinical applications, administrative access, everything.

LastPass confirmed on 22 January that attackers deployed a second wave after initial infrastructure was disrupted.

What to do now

  • Alert all staff immediately about fake backup emails
  • Verify MFA is enabled on all password manager accounts
  • Review enterprise controls – consumer password managers lack centralised logging and forced reset capabilities
  • Check for suspicious logins in access logs since 19 January
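
One way to carry out the last check, as an added example rather than code from Periculo or LastPass: it searches mail-gateway and web-proxy exports for the two subject lines and the domain quoted above, and ranks users who both received the lure and reached the fake login host. The CSV layout, column names, user names and the 2026 year are assumptions, and the sample rows are constructed.

```python
import csv, io, re
from datetime import datetime, timezone

# Indicators quoted in the article (domain kept defanged, refanged at runtime).
PHISH_DOMAIN = "mail-lastpass[.]com".replace("[.]", ".")
PHISH_SUBJECTS = ["LastPass Infrastructure Update: Secure Your Vault Now",
                  "Protect Your Passwords: Backup Your Vault (24-Hour Window)"]
CAMPAIGN_START = datetime(2026, 1, 19, tzinfo=timezone.utc)  # year assumed from post date

# Constructed sample logs; the column names are assumptions for this example.
MAIL_LOG = """ts,user,subject
2026-01-19T08:12:00+00:00,b.jones,LastPass Infrastructure Update: Secure Your Vault Now
2026-01-20T07:30:00+00:00,a.khan,FW:  protect your passwords: backup your vault (24-hour window)
2026-01-20T11:00:00+00:00,c.patel,Weekly rota update
"""
PROXY_LOG = """ts,user,host
2026-01-10T10:00:00+00:00,e.ward,mail-lastpass.com
2026-01-19T08:15:00+00:00,b.jones,mail-lastpass.com
2026-01-20T09:05:00+00:00,c.patel,lastpass.com
2026-01-21T10:00:00+00:00,d.lee,notmail-lastpass.com
"""

def norm_subject(s):
    """Strip RE:/FW: prefixes, collapse whitespace, lowercase."""
    s = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", s, flags=re.I)
    return re.sub(r"\s+", " ", s).strip().lower()

def host_matches(host):
    """Match the phishing domain or its subdomains, not lookalike suffixes."""
    host = host.strip().lower().rstrip(".")
    return host == PHISH_DOMAIN or host.endswith("." + PHISH_DOMAIN)

def hunt(mail_csv, proxy_csv):
    """Return {user: set of findings} for events on or after CAMPAIGN_START."""
    subjects = {norm_subject(s) for s in PHISH_SUBJECTS}
    hits = {}
    for log, field, test, tag in (
            (mail_csv, "subject", lambda v: norm_subject(v) in subjects, "received"),
            (proxy_csv, "host", host_matches, "visited")):
        for row in csv.DictReader(io.StringIO(log)):
            if datetime.fromisoformat(row["ts"]) >= CAMPAIGN_START and test(row[field]):
                hits.setdefault(row["user"], set()).add(tag)
    return hits

def likely_compromised(hits):
    """Users who both received the lure and reached the fake login host."""
    return sorted(u for u, f in hits.items() if {"received", "visited"} <= f)
```

Users returned by `likely_compromised` are the ones to prioritise for a master-password reset and a review of vault and downstream logins.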

This week’s developments underline a clear trend: operational resilience and proactive security are now baseline expectations for NHS suppliers. The Kent and Medway GP outage shows how quickly IT disruption becomes a patient safety and service issue, while the LastPass phishing campaign illustrates how targeted and credential-focused attacks against healthcare have become. As NHS England accelerates digital-first programmes such as the NHS Online hospital trust, the security and governance expectations placed on suppliers will continue to intensify.

With the 2025/26 DSPT deadline approaching, organisations that have not yet scheduled their mandatory Category 2 audits need to do so without delay.

At Periculo, we help NHS suppliers and digital health organisations strengthen the resilience and compliance foundations required for trusted digital health services. Stay informed, stay secure, and we will see you next week.