Mike Fell: ‘The evidence is that cyber attacks against the NHS have plateaued’ (2024)

Mike Fell, executive director of national cyber security operations at NHS England (Image provided by Mike Fell)

Before his role as executive director of national cyber security operations at NHS England, Mike Fell spent 15 years in government security roles which included postings from Afghanistan to Zanzibar and supporting the London 2012 Olympics and Paralympics.

He later moved into IT security, holding senior roles in cyber operations for HMRC, before joining the NHS in 2022.

“The two pieces of information you probably don’t want your next-door neighbour to know in a breach, are how much money you’ve earned and what you last spoke to your doctor about,” Fell says.

Ahead of speaking at Rewired 2025, Fell sat down with Digital Health News to discuss the Synnovis ransomware attack, the potential risks of centralisation and why we need to change the narrative on cyber crime.

We’ve seen some major cyber attacks on healthcare over the last few years. Is cyber crime increasing and if so, why?

Ransomware and criminally motivated cyber crime is a globally endemic threat. The NHS is uniquely vulnerable due to its complexity, scale, and the presence of legacy technology that is harder to protect.

Ultimately there’s nearly £180bn flowing through the NHS in England to deliver public services, and that is attractive for cyber criminals.

The evidence is that attacks have plateaued, if not are on a downward trend, particularly against the NHS

I think we need to challenge some of the narrative against cyber crime being an ever-increasing threat. Actually, the evidence is that attacks have plateaued, if not are on a downward trend1 , particularly against the NHS.

The UK government will not pay ransoms to cyber criminals. There are recent examples of the success of global law enforcement, including the UK and the counter ransomware initiative, taking down criminal gangs undertaking these attacks, such as the Conti ransomware group and the LockBit group.

We’re proving through national cyber services, combined with local investment and UK government policy, that we can make progress against these.

We’ve seen patient safety issues from cyber attacks such as the one on Synnovis in June 2024. What can be done to mitigate patient harm resulting from cyber crime?

The reason that we invest in preventing cyber attacks has to be because of the value in ensuring patient safety.

We’ve seen remarkably few cases where cyber attacks are directly linked to an increase in patient mortality. For example, with the Synnovis incident, there were over 10,000 patient appointments deferred, and over 1,700 elected cases deferred, but there were only five cases of ‘moderate harm’ identified as a result of the attack.

We’ve seen remarkably few cases where cyber attacks are directly linked to an increase in patient mortality

In the national cyber team we’ve embedded clinicians, so that we have clinical representation to help with making the right decisions during incidents.

The NHS is aligned to the National Cyber Security Centre Framework, which talks about managing risks and protecting systems in the first place, but also about having the ability to detect incidents, which we do at a national level, through 24/7 monitoring.

We also need to plan for resilience by being able to respond and recover. This is one area where the health sector is remarkably good. Clinicians adapt if key tools are not available, from diagnostic equipment to a thermometer. They’re hardwired and trained to look at different ways of solving problems.

What has been learned from the Synnovis attack that could prevent similar incidents in the future?

Like with all serious cyber incidents, the Department of Health and Social Care and others will conclude investigations and identify lessons from the Synnovis incident.

In general terms, the main lesson learnt from thousands of incidents – from near misses through to more serious cases – is that focusing on the foundations is really important.

Time and again we see the absence of foundational controls being the root cause within our sector and other sectors, such as the absence of multi-factor authentication, the absence of monitoring of key IT and not hardening systems against known vulnerabilities. We need to focus on those if we are to minimise the risk of future attacks.

There are over 80,000 suppliers to the NHS, each carrying their own risk

The supply chain is also a complex and important area. There are over 80,000 suppliers to the NHS, each carrying their own risk and the overwhelming majority of those are not procured at a national level, so identifying and managing risks through the supply chain is another important lesson.

It’s also important to not assume that defences will hold. There’s a whole range of ways in which organisations can be encouraged to undertake preparations, from business continuity through to effective decision-making capacity.

Can regulation such as the new Cyber Security Bill help mitigate supplier risk?

The health sector is already defined as critical national infrastructure in the UK and there has been a recent decision to add data centres, which were a key enabler for the health sector.

Operators of essential services, some of which are key suppliers and trusts, are regulated under the network information system regulations.

We are regulated by the Information Commissioner’s Office and the UK General Data Protection Regulation, but even in heavily regulated environments there are still cases where incidents happen. For that reason, the focus needs to be more heavily on raising awareness and supporting risk management of the supply chain.

The ‘Cyber security strategy for health and social care: 2023 to 2030’ identifies the supply chain as one of the key areas of focus. There has been over £350m invested in cyber programmes since the Wannacry incident of 2017.

Recent government announcements about the 10 year health plan include a unified patient record through the NHS App. Does centralisation increase the risk of cyber attack?

Like all national services, the risks need to be managed. Our approach to national services is for them to be secure by design, and the specific architectural solutions have not been determined yet.

We can’t change what has happened in the past with how systems have been designed

One of the key findings of the Darzi report is the importance of moving from analogue to digital. That brings huge potential productivity gains and patient improvements, but we recognise that it needs to be risk managed. Ultimately its success is going to be dependent on the public trusting us with their data.

We can’t change what has happened in the past with how systems have been designed, but secure by design principles will make sure that the security of new systems is considered from the start and also throughout the whole life cycle.

Can you give us a taste of what you’ll be speaking about at Rewired 2025?

I’ll be talking to the core theme of taking security out of the shadows. We have great visibility of the threats, vulnerabilities and lessons from near misses and incidents, and there is no point in that remaining behind the closed doors of a security operations centre.

There are few sectors as complex as the NHS and the health sector. I’ll be sharing some thoughts about how we can focus on the foundations and make sure that security principles and foundational elements are in place, rather than getting distracted by complexity.

Fell will be speaking at Rewired 2025at the NEC in Birmingham on 18-19 March 2025.Register here.

The event is co-headline sponsored by The Access Group and Microsoft, whilst Alcidion, Nervecentre, Solventum and Cynerio are also sponsors.

  1. In 2020, over 20% of incidents reported to NCSC related to healthcare https://www.ncsc.gov.uk/files/NCSC%20Annual%20Review%202021.pdf p.10 By 2023, healthcare was not even in the top 5 sectors reporting incidents into the NCSC https://www.ncsc.gov.uk/collection/annual-review-2023/threats-risks []
Mike Fell: ‘The evidence is that cyber attacks against the NHS have plateaued’ (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Barbera Armstrong

Last Updated:

Views: 6277

Rating: 4.9 / 5 (79 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Barbera Armstrong

Birthday: 1992-09-12

Address: Suite 993 99852 Daugherty Causeway, Ritchiehaven, VT 49630

Phone: +5026838435397

Job: National Engineer

Hobby: Listening to music, Board games, Photography, Ice skating, LARPing, Kite flying, Rugby

Introduction: My name is Barbera Armstrong, I am a lovely, delightful, cooperative, funny, enchanting, vivacious, tender person who loves writing and wants to share my knowledge and understanding with you.