Recent legal changes to information standards, IT and cyber security in health and social care create immediate implications for HealthTech and care providers, with more reform than expected.
The twin challenges of digital integration and cyber security in the UK health system have been widely discussed for nearly a decade. Legislative changes introduced in summer 2025 may pave the way forwards, but will the changes work, what has been achieved so far, and what’s left to do? (A considerable amount is left to do, but we’ll come to that.)
What changed in 2025?
The law change was to section 250 of the Health & Social Care Act 2012, and it was brought in by the Data (Use and Access) Act 2025 (DUAA). DUAA received Royal Asset on 19 June 2025.
Section 250 gives the Secretary of State for Health, or NHS England, power to set and publish information standards.
The change to section 250 came into force on 5 February 2026, along with many other provisions of DUAA, including (it’s relevant to mention in passing) numerous detailed changes, to UK GDPR and the Data Protection Act 2018.
Yet another tweak to section 250
Section 250 has a bit of a history of being adjusted to widen its scope of organisations that the information standards apply to and supporting Government powers. The changes are cumulative: once in scope, no organisation type has been ‘released’.
In its box-fresh form in 2012, the standards only applied to NHS providers of health services, adult social care who are commissioned by public bodies, plus NHS bodies including, since 2022, Integrated Care Boards (ICBs) and Systems (ICSs).
Section 250 was widened in 2022, by the same legislation that ushered in ICBs and ICSs (the Health & Care Act). The changes took a small step and applied the information standards also to private sector health and care providers who are subject to registration with the Care Quality Commission (CQC). It also gave the Health Secretary powers to conduct desktop audits to monitor compliance with standards and to apply waivers of any of the standards and established a simple procedure that the Government must follow to prepare and publish the standards.
A big step in 2026
At a superficial level the changes that apply from 5 February 2026 more than double the length of section 250, align section 251 with it, and add supporting sections 250A and 251ZA – 251ZE.
As we will see, however, they are also backed by an ambitious and aggressive agenda for change in addressing integration and security problems in the UK health system, with extensive implications for providers of HealthTech, health and social care alike.
The key changes, applying in England only, include:
- Expanded scope of standards: No longer limited to information and information security. The standards can now cover IT (i.e. computers, devices, networks, infrastructure, components, software and code including integrations) and IT services (e.g. development, hosting and managed services)
- Broader factors: This is the focus of the new section 250A, which sets open-ended lists of factors including design, quality, capabilities and other characteristics of IT or IT services, and marketing, supply or provision arrangements including contracts
- Technical requirements: Another area covered by section 250A, which headlines (again as an open-ended list) functionality, connectivity, interoperability, portability, information storage and access, and security
- Application to HealthTech: The standards now apply to IT providers, i.e. any organisation or individual involved in marketing, supplying, providing or making available any IT, IT service or information processing using IT in connection with provision of healthcare or adult social care in England
- Desktop audit: The Health Secretary’s powers to monitor HealthTech or health and care providers’ compliance with standards are extended, not only to apply to the broader scope of standards, but also so the Secretary can set the timescale, form and manner in which a provider supplies documents, records and information for monitoring
- Compliance notices and censure: If there are reasonable grounds to suspect non-compliance the Health Secretary has power to ask any HealthTech provider to comply and provide evidence, and can stipulate steps that the provider must take, all to be completed within 28 days of the notice. The Secretary can also publish a statement confirming any suspicion that the HealthTech provider is not complying with standards, including the grounds for the suspicion, but only after giving the provider a copy of the proposed statement and an opportunity to make representations (which the Secretary must respond to before publishing the statement)
- Accreditation scheme: A scheme can be set up under which HealthTech providers can be accredited
- Separation of powers: In passing, note that the Health Secretary can exercise any of the section 250, monitoring and compliance notice powers, and can give directions to exercise the Secretary’s functions or on how to exercise the monitoring and notice powers. NHS England is back in its box: it can only exercise section 250 powers in relation to provision of NHS services, and can only exercise the other powers under direction from the Secretary. The changes also allow the Health Secretary to adopt third party standards.
Changes so far: not much?
NHS England publishes the information standards (and, going forwards, the IT, information and security standards) here.
The repository is extensive and not easy to search (it cannot be sorted by date of publication or update). But, based on a glance in early Summer 2026 you might come away thinking that little has changed, and the standards look much as they did in 2024, well before DUAA.
The only two standards that explicitly touch IT or security are old items, the Digital Security and Protection Toolkit (DSPT) and the Secure Email standard relating to NHS Mail. Other old chestnuts, including COVID SitRep templates are still in there. Digital Technology Assessment Criteria (DTAC) still sit outside the repository (see here). Between them, they play in the NHS’s Pre-Acquisition Questionnaire and the UK Government’s Software Security Code of Practice and Cyber Security Supply Chain Charter.
Vision and what’s visible
So, is that it? Do the changes effected by DUAA serve merely to pivot an awkward collection of existing information standards, with limited coverage of IT and security, into HealthTech suppliers?
Or is it time for health and care providers to get even more concerned about the speed of progress? (42% of respondents to a survey carried out by HIMSS for PwC and reported in PwC’s Tech powered healthcare report of 2022 thought that mandatory technology standards were highest priority. That was 4 years ago.)
The Government’s vision is articulated in the Department for Health & Social Care’s (DHSC) Impact Assessment for DUAA (see here). It’s clear that the plan is indeed to introduce new standards that drive improved functional and data integration, and security, across IT products and services. The vision is for “standardisation to allow for information to be shared easily, in real time, between organisations” (paragraph 1 of the Impact Assessment).
Early steps towards change
The task of setting standards is a huge one and will be time-consuming, and in some ways it’s not surprising that new standards have not yet seen light of day. But there are signs of it. The “Drafts” section of the NHS England information standards repository lists one item: a Canonical Data Model (CDM) described as being a single, central, consistent approach for structuring NHS data (see here).
This is an essential prerequisite for integration, and its absence has been a key obstacle to effective, secure integration. The CDM item in the repository suggests that we’re on the road.
Although the changes made by DUAA provide for a scheme for accreditation of HealthTech products or providers, separate regulations are required to set it up, and they are nowhere in sight. Given that we are at the start of the road to defining HealthTech IT and IT service standards, it seems likely we are some way off having an accreditation scheme.
What HealthTech providers should do
To answer this we need to be aware of some supporting changes to the law that arrived in July 2025 (and entered into force on 6 August 2025). The Health and Social Care Information Standards (Procedure) Regulations 2025 (Procedure Regulations) supplement the simple procedure that the Health Secretary must follow in preparing and publishing new standards.
These regulations require the Health Secretary to seek advice, involve persons, and have regard to advice received and views obtained in preparing a standard.
HealthTech providers need to consider whether and how to get involved in shaping standards. There is already one draft standard that looks likely to have a major impact on data schemas, so the time for action is now.
Why early engagement matters
Early involvement offers clear advantages:
- Greater visibility in the market
- Early insight into future standards
- Time to align product development and roadmaps
- Opportunity to influence outcomes.
HealthTech providers will also need to assess what the changes mean for their commercial models, particularly in relation to contracts, product or service distribution, integrations and supply chain management.
HealthTech is a large, diverse and global supply segment, and for all but the businesses that are large or have a dominant position it is likely that the business case or opportunity to advise on or be involved in HealthTech standards development will be via membership organisations or some other collective method.
Stalking horses
Solution and provider security and resilience remain key, and very challenging.
We must pause to acknowledge that the one new and draft standard that is visible in the NHS England repository centres on data schemas. There are various potential knock-on security improvements that could flow from the new standard, but it isn’t a security standard as such. In the meantime we have DSPT and DTAC: heavy, difficult, dare we say blunt, tools?
They certainly seem to be ineffective tools in their current form. The list of recent targets includes Medtronic (April 2026), Stryker (March 2026), DXS International (December 2025), Ocuco (April 2025) and Compumedics (February – March 2025).
Analysis of these incidents
All of these provides supply into the UK; in each case the attacker claimed (but some have not proven) to have extracted patient data or other important information; in two cases there was significant disruption to UK healthcare, in one case due to a shortage of products (implants), and in another case to software availability.
In these high-profile cases the attacker’s method of entry into its target’s IT systems (where reported) involved social engineering and exploitation of unpatched vulnerabilities in software.
It is clear from these examples that HealthTech providers are targeted by attackers. The reasons include that they are part of health and care infrastructure (the attack may interrupt healthcare). As a bonus for the attacker, they may also yield confidential information including personal data (e.g. relating to product development, trials or field service) and might be persuaded to pay ransoms.
But Healthcare providers who are less service-critical, hold less explosive information or data, or have lighter resources, know that they should not rest easy.
Proactive product and internal security
There is a very present and significant security and resilience risk for HealthTech providers, and the available segment-specific tools in the UK are not working. HealthTech providers certainly need to fill the vacuum and get busy with securing their products and manufacturing systems (where applicable) and internal corporate systems.
For those who are outside the UK or new to this, the first step is to appoint a leader with expertise in cyber-security and business resilience, then conduct a security and resilience maturity assessment. One of the outputs is an action plan. Deliver the action plan, and in doing so aim proactively to establish policies, measures and practices that align to or achieve appropriate third party (non-NHS) relevant standards, using high-level frameworks to manage coverage.
The choice of standards and frameworks should be made by your leader and their advisers, and the needs of your business as revealed by the maturity assessment. In terms of frameworks, a good baseline is the UK NCSC’s Cyber Assessment Framework (CAF). Thinking about standards, Cyber Essentials (self-certified) and Cyber Essentials Plus (certified) should be on the route, but they are narrow and go mainly to the IT-technical aspects of security and resilience. There are more specialised standards that apply to information security (e.g. ISO 27001) and resilience (e.g. ISO 22301, 27031). For vulnerability assessment and penetration testing, and for social engineering, there are practitioner accreditations and you should appoint an accredited practitioner.
You can readily see that a fleet of largely external professional appointments is on your horizon if you choose to tackle security and resilience. They are deeply specialised in scope and implication and taking an adviser who understands the territory, and the contracts, is recommended.
Implications for all providers
Our focus and recommendations so far in this article have mainly been for HealthTech providers. Our focus is led by the legislation and the reported cases of cyber-security and resilience attacks. But there is much here for health and care providers to think about.
The DHSC’s own Impact Assessment on the changes made by DUAA repeatedly make the point that the new standards “will not diminish the importance of contractual obligations on IT providers” (para 8 of the Executive Summary), and state that one of the options considered as an alternative to legislation was guidance on contracting.
It is therefore no surprise that the new section 250A of the Health & Social Care Act 2012 provides for the Health Secretary to issue such guidance. But such guidance is evidently not DHSC’s priority, and in the meantime providers, whether of HealthTech or health or social care, really need to tool up in this area.
One of the problems with that solution, however, is its vast scope, which is equal to the scope of all technology, security and resilience contracting. The scope includes consulting and professional service contracts for security and resilience consulting (as described above) but also equally includes your contracts with, for example:
- For all providers: Your device, network and cloud facilities providers, Managed Services Providers and resellers. Your leaders (including fractional leaders, “virtual” experts or services as well as full time hires), expert consultants and contractors. Existing and new services required or brought in to support your security and resilience action plan, such as Security Operation Centre providers
- For health and care providers: Your HealthTech providers
- For HealthTech providers: Your manufacturing, software and distribution partners.
Surveys and the related reports from PwC (particularly, due to its work with NHS England) in recent years signal that health and care provider organisations, and health care professionals, lack the support that they need in relation to technology, security and resilience contracting, and lack confidence in what they have in place. These areas of contracting are niche and require specialist support (more often than not from private practice advisers outside the NHS and Government).
Whatever the blockers are on access to the right advisory input at the right time, they need to be found and lifted. Quite aside from the Health Secretary’s new powers, the attackers are evidently ready and waiting.