Birmingham Community Healthcare flags cyber security risk
- 9 July 2025
- Birmingham Community Healthcare NHS Foundation Trust (BCHC) has flagged potential vulnerabilities that could lead to a cyber attack
- The trust said that there is a risk of a cyber security incident due to operating systems and software being unpatched
- Also it may not have the required skills, knowledge, infrastructure and cyber protection to deliver services throughout the trust
Birmingham Community Healthcare NHS Foundation Trust (BCHC) has flagged potential vulnerabilities that could lead to a cyber attack.
The trust’s board paper, published on 5 June 2025, states that “there is a risk of a cyber security incident (examples malware/virus, ransomware and spyware) due to an exposed vulnerability due to operating systems and software being unpatched and not on the current expected level of security and compliance”.
This could “lead to the loss of systems and data, leading to an information governance breach, loss of service and reputational damage,” it adds.
The trust also admits that it “may not have the required skills, knowledge, infrastructure and cyber protection as we increase our reliance on digital technology which may impact out ability to deliver services throughout the trust”.
During the board meeting, Chris Holt, chief transformation officer at the trust, said this risk was “broad in scope and that as well as the increasing cyber security threat, it considered the increasing reliance on technology and the potential impact of outages”.
Chichi Abraham-Igwe, non-executive director, concurred that possible lack of skills, knowledge, infrastructure and cyber protection was “a significant area of risk for the trust”.
In the board paper it lists some of the current gaps in controls for the trust, including limited resources in the cyber team, increasing number of cyber threats being introduced, hardware in use that needs replacing, and a list of users in specific groups with authorised access to software which needs to be reviewed.
The trust however has highlighted within the paper the controls that are now in place to help protect the organisation from being at risk of a cyber attack.
These include having a team in place who have responsibility for cyber with a dedicated lead, a third-party company who is responsible for cyber monitoring where they manage the firewall and any potential attacks, and annual data security training in place for all BCHC staff.
Shafiq Khalifa, deputy director of digital services at BCHC, told Digital Health News: “We take cyber security very seriously, and is paramount to our organisation. It is at the forefront of everything we do.
“We have implemented robust security measures, including regular updates and continuous monitoring, to ensure our systems remain secure and compliant.
“Our positive exposure score is a testament to our unwavering commitment to cyber security, and we have comprehensive plans in place to maintain this high standard.”
In February 2025, for the risk of a cyber security incident, BCHC’s exposure score was 55, before dropping to 44 in March and then 20 in April, which “demonstrates that we now have this risk under control”, the board paper states.
Meanwhile, King’s College Hospital NHS Foundation has confirmed that a patient death has been linked to the cyber attack on NHS pathology system provider Synnovis.
The ransomware attack on 4 June 2024 caused widespread disruption to NHS services in London, with 10,152 acute outpatient appointments and 1,710 elective procedures postponed at King’s College Hospital NHS FT and Guy’s and St Thomas’ NHS FT.
