Mike Fell: taking security out of the shadows
Before his role as executive director of national cyber security operations at NHS England, Mike Fell spent 15 years in a variety of government security roles which included postings from Afghanistan to Zanzibar and supporting the London 2012 Olympics and Paralympics.
He later moved into IT security, holding senior roles in cyber operations for HMRC, before joining the NHS in 2022.
“The two pieces of information you probably don’t want your next-door neighbour to know in a breach are how much money you’ve earned and what you last spoke to your doctor about,” Fell says.
Ahead of speaking at Rewired 2025, Digital Health News sat down with Fell to discuss Synnovis, the role of regulation and the potential risks of centralisation.
We’ve seen some major cyber attacks on healthcare over the last few years. Is cyber crime increasing and if so, why?
Ransomware and criminally motivated cyber crime is a globally endemic threat. The NHS is uniquely vulnerable due to its complexity, scale, and the presence of legacy technology that is harder to protect.
Ultimately there’s nearly £180bn flowing through the NHS in England to deliver public services, and that is attractive for cyber criminals.
I think we need to challenge some of the narrative against cyber crime being an ever-increasing threat. Actually, the evidence is that attacks have plateaued, if not on a downward trend, particularly against the NHS.
The UK government will not pay ransoms to cyber criminals. There are recent examples of the success of global law enforcement, including the UK and the counter ransomware initiative, taking down criminal gangs undertaking these attacks, such as the Conti ransomware group and the LockBit group.
We’re proving through national cyber services, combined with local investment and UK government policy, that we can make progress against these.
We’ve seen patient safety issues caused by the Synnovis attack recently, with operations and appointments being delayed. What can be done to mitigate patient harm resulting from cyber crime?
The reason that we invest in preventing cyber attacks has to be because of the value in ensuring patient safety.
We’ve seen remarkably few cases where cyber attacks are directly linked to an increase in patient mortality. For example, with the Synnovis incident, there were over 10,000 patient appointments deferred, and over 1,700 elective cases deferred, but there were only five cases of ‘moderate harm’ identified as a result of the attack.
In the national cyber team we’ve embedded clinicians, so that we have clinical representation to help with making the right decisions during incidents.
The NHS is aligned to the National Cyber Security Centre (NCSC) framework, which talks about managing risks and protecting systems in the first place, but also about having the ability to detect incidents, which we do at a national level, through 24/7 monitoring.
We also need to plan for resilience by being able to respond and recover. This is one area where the health sector is remarkably good. Clinicians adapt if key tools are not available, from diagnostic equipment to a thermometer. They’re hardwired and trained to look at different ways of solving problems, which is a strength that we have in our sector.
What has been learned from the Synnovis attack that could prevent similar incidents in the future?
Like with all serious cyber incidents, the Department of Health and Social Care and others will conclude investigations and identify lessons from the Synnovis incident.
In general terms, the main lesson learnt from thousands of incidents – from near misses through to more serious cases – is that focusing on the foundations is really important.
Time and again we see the absence of foundational controls being the root cause within our sector and other sectors, such as the absence of multi-factor authentication, the absence of monitoring of key IT and not hardening systems against known vulnerabilities. We need to focus on those if we are to minimise the risk of future attacks.
The supply chain is also a complex and important area. There are over 80,000 suppliers to the NHS, each carrying their own risk and the overwhelming majority of those are not procured at a national level, so identifying and managing risks through the supply chain is another important lesson.
It’s also important to not assume that defences will hold. There’s a whole range of ways in which organisations can be encouraged to undertake preparations, from business continuity through to effective decision-making capacity.
Can regulation such as the new Cyber Security Bill help mitigate supplier risk?
The health sector is already defined as critical national infrastructure in the UK and there has been a recent decision to add data centres, which were a key enabler for the health sector.
Operators of essential services, some of which are key suppliers and trusts, are regulated under the network information system regulations.
We are regulated by the Information Commissioner’s Office and the UK General Data Protection Regulation, but even in heavily regulated environments there are still cases where incidents happen. For that reason, the focus needs to be more heavily on raising awareness and supporting risk management of the supply chain.
The ‘Cyber security strategy for health and social care: 2023 to 2030’ identifies the supply chain as one of the key areas of focus. There has been over £350m invested in cyber programmes since the WannaCry incident of 2017.
Recent government announcements about the 10 year health plan include a unified patient record through the NHS App. Does centralisation increase the risk of cyber attack?
Like all national services, the risks need to be managed. Our approach to national services is for them to be secure by design, and the specific architectural solutions have not been determined yet.
One of the key findings of the Darzi report is the importance of moving from analogue to digital. That brings huge potential productivity gains and patient improvements, but we recognise that it needs to be risk managed.
Ultimately its success is going to be dependent on the public trusting us with their data. We can’t change what has happened in the past with how systems have been designed, but secure by design principles will make sure that the security of new systems is considered from the start and also throughout the whole life cycle.
Can you give us a taste of what you’ll be speaking about at Rewired 2025?
I’ll be talking to the core theme of taking security out of the shadows. We have great visibility of the threats, vulnerabilities and lessons from near misses and incidents, and there is no point in that remaining behind the closed doors of a security operations centre.
There are few sectors as complex as the NHS and the health sector. I’ll be sharing some thoughts about how we can focus on the foundations and make sure that security principles and foundational elements are in place, rather than getting distracted by complexity.
Hear Mike Fell’s presentation exclusively at Rewired 2025 at the NEC in Birmingham on 18-19 March 2025. The conference is free for NHS, public sector, charities and education.