NHS trust flags cyber security risks owing to funding cuts
- 16 April 2025
- A report highlighting potential cyber security risks and IT infrastructure issues was shared with the Torbay and South Devon NHS Foundation Trust board last month
- The trust confirmed the risks outlined in the report have not been costed but do highlight areas where future investment might be needed in its IT infrastructure
- After securing national funding the trust will deliver a new Epic EPR under the One Devon EPR programme in 2026
Torbay and South Devon NHS Foundation Trust board has highlighted potential cyber security risks owing to a reduction in funding which is jeopardising the replacement of end-of-life systems.
A trust board paper published on 26 March 2025, flags “limited assurance on cyber security approach & provision; currently insufficient clarity on approach & alignment with NHS & national standards”.
The trust’s Digital and Cyber Resilience report states that “Reduction in funding for cyber team will reduce intended progress around cyber-security measures and jeopardise tactical replacement of end-of-life systems”.
It adds that “longer-term capital and revenue investment programmes are required to ensure that digital infrastructure refresh cycles, improvements and maintenance are sustained”.
“The reliance on digital systems in the delivery of business processes and clinical services is high and the impact of a cyber attack could be catastrophic (for example, extended loss of essential service in more than one critical area).
“This is evidenced by the recent CrowdStrike-induced outage which caused significant international issues with IT systems availability and affected several trust IT systems such as staff scheduling/rostering, again highlighting the impact external factors have on trust operations,” the report says.
It adds that the trust “will require further investment” in order to meet the robust requirements of the government’s forthcoming Cyber Security and Resilience Bill, announced in the King’s Speech in July 2024, which were outlined in more detail earlier this month.
The report also highlights potential “computer hardware risks” and “key infrastructure components failing due to age/lack of support”, noting that “there are a large number of IM&T systems that require developments of procurement, that are highlighted as a significant risk on the digital prioritisation matrix for which there is no current capital or revenue availability”.
A spokesperson for Torbay and South Devon NHS Foundation Trust told Digital Health News that “The Digital and Cyber Resilience report that was shared with our board in March formed part of our organisation’s risk register.
“The report highlights potential risks that have been identified to ensure our board is given as much notice as possible about potential issues and assurances to manage them.
“The risks outlined in the Board Assurance Framework (BAF) report have not been costed but do highlight areas where future investment might be needed in our IT infrastructure to ensure we remain compliant with the law and are able to replace equipment when needed.”
They added that the trust has secured national funding for a new electronic patient record (EPR) in December 2024 and has signed a contract with Epic.
“We are working with our partners at University Hospitals Plymouth (UHP) and Royal Devon University Healthcare to deliver our EPR next year, which will bring significant improvements to the way we provide care to our patients,” they said.
Digital Health News reported in January 2025 that Torbay and South Devon and UHP had both signed a contract with Epic to implement a single EPR across Devon under the One Devon programme, which is expected to go live in 2026.
