‘Lessons can be learned’ from DHSC cyber progress, says PAC

The Public Accounts Committee (PAC) has suggested that “lessons can be learned” from the Department of Health and Social Care (DHSC) on how government departments can improve their cyber resilience.
A report on government cyber resilience, published on 9 May 2025, points to steps taken by DHSC in recent years to shore up cyber security in health and social care.
These include putting in place a cyber security strategy, strengthening assurance processes, investing in common services, and setting clear policies.
It contrasts this against comparatively lacklustre performance in other government departments, with the report raising concerns about the UK’s ability to protect essential services against cyber attacks.
The PAC highlights the role DHSC played in supporting the Government Cyber Security Strategy 2022–2030, which sets out long-term plans for making public sector organisations resilient to cyber threats, including by having departments ensure that their arm’s-length bodies and the wider public sector meet resilience targets.
The report says: “While recognising that departments’ response to the strategy had been ‘varying’, the Cabinet Office focused on the Department of Health and Social Care (DHSC) as a positive example.
“It told us that DHSC had set a clear cyber security strategy for health and social care that linked to the Cabinet Office’s own strategy.
“The Cabinet Office said that by strengthening assurance processes, putting in place policies, and investing in common services, DHSC had started to improve its sector’s resilience.”
The PAC notes that DHSC had begun to meet its responsibility for cyber oversight across its sector, in line with the expectations set out in the government strategy.
“Departments have not always met this expectation because of insufficient funding, staff and oversight mechanisms.
“Lessons can be learned from the Department of Health and Social Care, which has begun to improve the resilience of its sector by putting in place a cyber security strategy, strengthening assurance processes, investing in common services, and setting clear policies,” the report says.
The PAC report highlights wider challenges facing cyber security in the public sector, including the fact that top talent is frequently poached by private companies who can pay higher salaries.
It also points to fundamental infrastructure challenges, noting that the government’s digital estate is “vast, complex and diverse”, with departments and arm’s-length bodies using “a wide range of IT systems to provide public services”, including outdated legacy systems.
In April 2025, the government published its plans for the Cyber Security and Resilience Bill, which aims to boost cyber defences for public services including the NHS by requiring more organisations and suppliers to meet robust cyber security requirements.
The new legislation is intended to prevent attacks similar to the Synnovis ransomware attack in June 2024, which disrupted London pathology services and led to at least two incidents of severe patient harm.
Meanwhile, in an open letter published on 15 May 2025, suppliers to the NHS were urged to sign a charter of cyber security best practice to show their commitment to being trusted and secure partners to the health system.