Trust chief executives should face stronger “personal consequences” if their organisation’s cyber security fails, according to a senior government figure.
Alan Milburn, who is the Department of Health and Social Care’s lead non-executive director, today endorsed a report that said there was “insufficient accountability or personal consequences for senior executives who fail to fulfil their responsibilities to ensure a minimum level of cyber security and resilience”.
King’s College London published the report on “building NHS resilience to ransomware”, calling for a new “cyber leadership framework” for the NHS.
The report acknowledges that resources for cyber security in the NHS are meagre, unevenly distributed and not centrally tracked. But it says that, despite this, cultural changes could make it more resilient.
It recommends more centralised and consistent standards – to be enforced by regulators – and adding a cyber security rating to existing NHS England provider league table rankings.
In a foreword to the report, Mr Milburn argues: “We need to reduce the risk, especially as we press forward with better leveraging patient data and AI.
“I very much welcome… the focus on how governance and cultural fixes can reduce the risk – rather than simply throwing more resources at the problem. There are few, if any, areas where achieving clarity of accountability and consistency matters more than in cyber security and resilience.”
Read full story (paywalled)
Source: HSJ, 31 March 2026
0 Comments
Recommended Comments
There are no comments to display.
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now