The threat of potentially catastrophic cyber attacks on the NHS has increased “really dramatically” in recent weeks and is still “accelerating”, NHS England chief Sir Jim Mackey has said. His warning came just weeks after NHSE’s board was warned by its own digital experts that NHS job cuts posed an “unmitigated” risk to cybersecurity.

An NHSE risk assessment published on 4 June raised the risk level for cyber attacks to its highest possible level, with “frequent” attacks deemed likely and the potential impact assessed as “catastrophic”.

Speaking at an NHSE board meeting on the same day, Mackey said: “We’ve all been a bit uncomfortable about how well prepared we were to cope with potential risk. But the risk environment has now changed really dramatically and is accelerating.”

NHSE non-executive director Mark Bailie, who is also chief executive of digital price comparison service Compare the Market, told the meeting that the release in the coming weeks of new large language models, like Anthropic’s Mythos, which were capable of detecting and exploiting vulnerabilities in security systems, would “materially increase” the risk of attacks on the NHS.

Back in March, Bailie had warned the board that the impact of the voluntary redundancy (VR) programmes in NHSE and ICBs on the NHS’s technology workforce “represents a material and currently unmitigated risk” to cybersecurity.

A report from NHSE’s Data, Digital and Technology committee, chaired by Bailie, warned that “scarce specialist capacity is being drawn away from critical cyber and resilience work” due to the organisational upheaval. “The approach to VR may be a symptom of a wider root cause [in] that we have a system which needs to be digital but doesn’t know how we grown and nurture the technology workforce.”

In response to the increased risk, NHS England said it has prioritised funding bids for cybersecurity projects this year and is carrying out an audit of vulnerable “organisational assets”. A major cybersecurity exercise is also planned for July.

NHSE’s risk assessment says preventative measures being ramped up included secure architecture, cryptography and new identity and access controls as well as 24-hour monitoring by the NHS Cyber Security Operations Centre. Mitigation measures include better backups, removing old technology, monitoring for “insider threats” and “proactive vulnerabilty management”, NHSE added.