The leaked record of the five meetings of the UK–US Trade & Investment Working Group held in 2017–18 has led to a controversy in the UK election campaign around the claim that ‘the NHS is up for sale’.

But a careful reading of the leaked documents reveals how remarkably little concerns the NHS – in five meetings over 16 months, the NHS is mentioned just four times. The patent regime and how it affects medicines is discussed in more depth but largely in terms of the participants trying to understand each other’s systems and perspectives. For the most part, the discussions were overwhelmingly about everything else a trade deal would cover other than healthcare – matters such as subsidies, rules of origin and customs facilitation.

But this does not mean there will be no impact on Britain’s health service. There are three main concerns about the possible implications of a US–UK trade deal after Brexit – a negotiation that will of course only take place if the UK remains outside the EU customs union and single market and also does not reach a trade agreement with the EU that proves incompatible with US negotiating objectives.

One concern is that the US aim of securing ‘full market access for US products’, expressed in the US negotiating objectives, will affect the ability of NICE (The National Institute for Health and Care Excellence) to prevent the NHS from procuring products that are deemed too expensive in relation to their benefits. It could also affect the ability of the NHS to negotiate with companies to secure price reductions as, for instance, happened recently with Orkambi, a cystic fibrosis drug.

A peculiarity of the main US government healthcare programme (Medicare) is that it has historically not negotiated drug prices, although there are several bills now before Congress aiming to change that. US refusal to negotiate or control prices is one reason that US drug prices are the highest in the world.  

A second concern is that the US objective of securing ‘intellectual property rights that reflect a standard of protection similar to that found in US law’ will result in longer patent terms and other forms of exclusivity that will increase the prices the NHS will have to pay for drugs.

However, it is not immediately apparent that UK standards are significantly different from those in the US – the institutional arrangements differ but the levels of protection offered are broadly comparable. Recent publicity about a potential extra NHS medicine bill of £27 billion resulting from a trade deal is based on the NHS having to pay US prices on all drugs – which seems an unlikely outcome unless the UK contingent are extraordinarily bad negotiators.

Nevertheless, in an analysis section (marked for internal distribution only), the UK lead negotiator noted: ‘The impact of some patent issues raised on NHS access to generic drugs (i.e. cheaper drugs) will be a key consideration going forward.’

A third concern is that the US objective of providing ‘fair and open conditions for services trade’ and other US negotiating objectives will oblige the UK to open up the NHS to American healthcare companies.

This is where it gets complicated. At one point in a discussion on state-owned enterprises (SOEs) the US asked if the UK had concerns about their ‘health insurance system’ (presumably a reference to the NHS). The UK response was that it ‘wouldn’t want to discuss particular health care entities at this time, you’ll be aware of certain statements saying we need to protect our needs; this would be something to discuss further down the line…’

On this exchange the UK lead negotiator commented:  ‘We do not currently believe the US has a major offensive interest in this space – not through the SOE chapter at least. Our response dealt with this for now, but we will need to be able to go into more detail about the functioning of the NHS and our views on whether or not it is engaged in commercial activities…’

On the face of it, these documents provide no basis for saying the NHS would be for sale – whatever that means exactly. The talks were simply an exploratory investigation between officials on both sides in advance of possible negotiations.

But it is a fact that US positions in free trade agreements are heavily influenced by corporate interests. Their participation in framing agreements is institutionalized in the US system and the pharmaceutical and healthcare industries in the US spend, by a large margin, more on lobbying the government than any other sector does. Moreover, President Donald Trump has long complained about ‘the global freeloading that forces American consumers to subsidize lower prices in foreign countries through higher prices in our country’.

It is when (and if) the actual negotiations on a trade deal get under way that the real test will come as the political profile and temperature is raised on both sides of the Atlantic.

The World Health Organization, US Department of Health and Human Services, and hospitals in Spain, France and the Czech Republic have all suffered cyberattacks during the ongoing COVID-19 crisis.

In the Czech Republic, a successful attack targeted a hospital with one of the country’s biggest COVID-19 testing laboratories, forcing its entire IT network to shut down, urgent surgical operations to be rescheduled, and patients to be moved to nearby hospitals. The attack also delayed dozens of COVID-19 test results and affected the hospital’s data transfer and storage, affecting the healthcare the hospital could provide.

In the UK, the National Health Service (NHS) is already in crisis mode, focused on providing beds and ventilators to respond to one of the largest peacetime threats ever faced. But supporting the health sector goes beyond increasing human resources and equipment capacity.

Health services ill-prepared

Cybersecurity support, both at organizational and individual level, is critical so health professionals can carry on saving lives, safely and securely. Yet this support is currently missing and the health services may be ill-prepared to deal with the aftermath of potential cyberattacks.

When the NHS was hit by the Wannacry ransomware attack in 2017 - one of the largest cyberattacks the UK has witnessed to date – it caused massive disruption, with at least 80 of the 236 trusts across England affected and thousands of appointments and operations cancelled. Fortunately, a ‘kill-switch’ activated by a cybersecurity researcher quickly brought it to a halt.

But the UK’s National Cyber Security Centre (NCSC), has been warning for some time against a cyber attack targeting national critical infrastructure sectors, including the health sector. A similar attack, known as category one (C1) attack, could cripple the UK with devastating consequences. It could happen and we should be prepared.

Although the NHS has taken measures since Wannacry to improve cybersecurity, its enormous IT networks, legacy equipment and the overlap between the operational and information technology (OT/IT) does mean mitigating current potential threats are beyond its ability.

And the threats have radically increased. More NHS staff with access to critical systems and patient health records are increasingly working remotely. The NHS has also extended its physical presence with new premises, such as the Nightingale hospital, potentially the largest temporary hospital in the world.

Radical change frequently means proper cybersecurity protocols are not put in place. Even existing cybersecurity processes had to be side-stepped because of the outbreak, such as the decision by NHS Digital to delay its annual cybersecurity audit until September. During this audit, health and care organizations submit data security and protection toolkits to regulators setting out their cybersecurity and cyber resilience levels.

The decision to delay was made to allow the NHS organizations to focus capacity on responding to COVID-19, but cybersecurity was highlighted as a high risk, and the importance of NHS and Social Care remaining resilient to cyberattacks was stressed.

The NHS is stretched to breaking point. Expecting it to be on top of its cybersecurity during these exceptionally challenging times is unrealistic, and could actually add to the existing risk.

Now is the time where new partnerships and support models should be emerging to support the NHS and help build its resilience. Now is the time where innovative public-private partnerships on cybersecurity should be formed.

Similar to the economic package from the UK chancellor and innovative thinking on ventilator production, the government should oversee a scheme calling on the large cybersecurity capacity within the private sector to step in and assist the NHS. This support can be delivered in many different ways, but it must be mobilized swiftly.

The NCSC for instance has led the formation of the Cyber Security Information Sharing Partnership (CiSP)— a joint industry and UK government initiative to exchange cyber threat information confidentially in real time with the aim of reducing the impact of cyberattacks on UK businesses.

CiSP comprises organizations vetted by NCSC which go through a membership process before being able to join. These members could conduct cybersecurity assessment and penetration testing for NHS organizations, retrospectively assisting in implementing key security controls which may have been overlooked.

They can also help by making sure NHS remote access systems are fully patched and advising on sensible security systems and approved solutions. They can identify critical OT and legacy systems and advise on their security.

The NCSC should continue working with the NHS to enhance provision of public comprehensive guidance on cyber defence and response to potential attack. This would show they are on top of the situation, projecting confidence and reassurance.

It is often said in every crisis lies an opportunity. This is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.

It is an opportunity to lead a much-needed cultural change showing cybersecurity should never be an afterthought.

The leaked record of the five meetings of the UK–US Trade & Investment Working Group held in 2017–18 has led to a controversy in the UK election campaign around the claim that ‘the NHS is up for sale’.

But a careful reading of the leaked documents reveals how remarkably little concerns the NHS – in five meetings over 16 months, the NHS is mentioned just four times. The patent regime and how it affects medicines is discussed in more depth but largely in terms of the participants trying to understand each other’s systems and perspectives. For the most part, the discussions were overwhelmingly about everything else a trade deal would cover other than healthcare – matters such as subsidies, rules of origin and customs facilitation.

But this does not mean there will be no impact on Britain’s health service. There are three main concerns about the possible implications of a US–UK trade deal after Brexit – a negotiation that will of course only take place if the UK remains outside the EU customs union and single market and also does not reach a trade agreement with the EU that proves incompatible with US negotiating objectives.

One concern is that the US aim of securing ‘full market access for US products’, expressed in the US negotiating objectives, will affect the ability of NICE (The National Institute for Health and Care Excellence) to prevent the NHS from procuring products that are deemed too expensive in relation to their benefits. It could also affect the ability of the NHS to negotiate with companies to secure price reductions as, for instance, happened recently with Orkambi, a cystic fibrosis drug.

A peculiarity of the main US government healthcare programme (Medicare) is that it has historically not negotiated drug prices, although there are several bills now before Congress aiming to change that. US refusal to negotiate or control prices is one reason that US drug prices are the highest in the world.  

A second concern is that the US objective of securing ‘intellectual property rights that reflect a standard of protection similar to that found in US law’ will result in longer patent terms and other forms of exclusivity that will increase the prices the NHS will have to pay for drugs.

However, it is not immediately apparent that UK standards are significantly different from those in the US – the institutional arrangements differ but the levels of protection offered are broadly comparable. Recent publicity about a potential extra NHS medicine bill of £27 billion resulting from a trade deal is based on the NHS having to pay US prices on all drugs – which seems an unlikely outcome unless the UK contingent are extraordinarily bad negotiators.

Nevertheless, in an analysis section (marked for internal distribution only), the UK lead negotiator noted: ‘The impact of some patent issues raised on NHS access to generic drugs (i.e. cheaper drugs) will be a key consideration going forward.’

A third concern is that the US objective of providing ‘fair and open conditions for services trade’ and other US negotiating objectives will oblige the UK to open up the NHS to American healthcare companies.

This is where it gets complicated. At one point in a discussion on state-owned enterprises (SOEs) the US asked if the UK had concerns about their ‘health insurance system’ (presumably a reference to the NHS). The UK response was that it ‘wouldn’t want to discuss particular health care entities at this time, you’ll be aware of certain statements saying we need to protect our needs; this would be something to discuss further down the line…’

On this exchange the UK lead negotiator commented:  ‘We do not currently believe the US has a major offensive interest in this space – not through the SOE chapter at least. Our response dealt with this for now, but we will need to be able to go into more detail about the functioning of the NHS and our views on whether or not it is engaged in commercial activities…’

On the face of it, these documents provide no basis for saying the NHS would be for sale – whatever that means exactly. The talks were simply an exploratory investigation between officials on both sides in advance of possible negotiations.

But it is a fact that US positions in free trade agreements are heavily influenced by corporate interests. Their participation in framing agreements is institutionalized in the US system and the pharmaceutical and healthcare industries in the US spend, by a large margin, more on lobbying the government than any other sector does. Moreover, President Donald Trump has long complained about ‘the global freeloading that forces American consumers to subsidize lower prices in foreign countries through higher prices in our country’.

It is when (and if) the actual negotiations on a trade deal get under way that the real test will come as the political profile and temperature is raised on both sides of the Atlantic.

The World Health Organization, US Department of Health and Human Services, and hospitals in Spain, France and the Czech Republic have all suffered cyberattacks during the ongoing COVID-19 crisis.

In the Czech Republic, a successful attack targeted a hospital with one of the country’s biggest COVID-19 testing laboratories, forcing its entire IT network to shut down, urgent surgical operations to be rescheduled, and patients to be moved to nearby hospitals. The attack also delayed dozens of COVID-19 test results and affected the hospital’s data transfer and storage, affecting the healthcare the hospital could provide.

In the UK, the National Health Service (NHS) is already in crisis mode, focused on providing beds and ventilators to respond to one of the largest peacetime threats ever faced. But supporting the health sector goes beyond increasing human resources and equipment capacity.

Health services ill-prepared

Cybersecurity support, both at organizational and individual level, is critical so health professionals can carry on saving lives, safely and securely. Yet this support is currently missing and the health services may be ill-prepared to deal with the aftermath of potential cyberattacks.

When the NHS was hit by the Wannacry ransomware attack in 2017 - one of the largest cyberattacks the UK has witnessed to date – it caused massive disruption, with at least 80 of the 236 trusts across England affected and thousands of appointments and operations cancelled. Fortunately, a ‘kill-switch’ activated by a cybersecurity researcher quickly brought it to a halt.

But the UK’s National Cyber Security Centre (NCSC), has been warning for some time against a cyber attack targeting national critical infrastructure sectors, including the health sector. A similar attack, known as category one (C1) attack, could cripple the UK with devastating consequences. It could happen and we should be prepared.

Although the NHS has taken measures since Wannacry to improve cybersecurity, its enormous IT networks, legacy equipment and the overlap between the operational and information technology (OT/IT) does mean mitigating current potential threats are beyond its ability.

And the threats have radically increased. More NHS staff with access to critical systems and patient health records are increasingly working remotely. The NHS has also extended its physical presence with new premises, such as the Nightingale hospital, potentially the largest temporary hospital in the world.

Radical change frequently means proper cybersecurity protocols are not put in place. Even existing cybersecurity processes had to be side-stepped because of the outbreak, such as the decision by NHS Digital to delay its annual cybersecurity audit until September. During this audit, health and care organizations submit data security and protection toolkits to regulators setting out their cybersecurity and cyber resilience levels.

The decision to delay was made to allow the NHS organizations to focus capacity on responding to COVID-19, but cybersecurity was highlighted as a high risk, and the importance of NHS and Social Care remaining resilient to cyberattacks was stressed.

The NHS is stretched to breaking point. Expecting it to be on top of its cybersecurity during these exceptionally challenging times is unrealistic, and could actually add to the existing risk.

Now is the time where new partnerships and support models should be emerging to support the NHS and help build its resilience. Now is the time where innovative public-private partnerships on cybersecurity should be formed.

Similar to the economic package from the UK chancellor and innovative thinking on ventilator production, the government should oversee a scheme calling on the large cybersecurity capacity within the private sector to step in and assist the NHS. This support can be delivered in many different ways, but it must be mobilized swiftly.

The NCSC for instance has led the formation of the Cyber Security Information Sharing Partnership (CiSP)— a joint industry and UK government initiative to exchange cyber threat information confidentially in real time with the aim of reducing the impact of cyberattacks on UK businesses.

CiSP comprises organizations vetted by NCSC which go through a membership process before being able to join. These members could conduct cybersecurity assessment and penetration testing for NHS organizations, retrospectively assisting in implementing key security controls which may have been overlooked.

They can also help by making sure NHS remote access systems are fully patched and advising on sensible security systems and approved solutions. They can identify critical OT and legacy systems and advise on their security.

The NCSC should continue working with the NHS to enhance provision of public comprehensive guidance on cyber defence and response to potential attack. This would show they are on top of the situation, projecting confidence and reassurance.

It is often said in every crisis lies an opportunity. This is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.

It is an opportunity to lead a much-needed cultural change showing cybersecurity should never be an afterthought.

The World Health Organization, US Department of Health and Human Services, and hospitals in Spain, France and the Czech Republic have all suffered cyberattacks during the ongoing COVID-19 crisis.

In the Czech Republic, a successful attack targeted a hospital with one of the country’s biggest COVID-19 testing laboratories, forcing its entire IT network to shut down, urgent surgical operations to be rescheduled, and patients to be moved to nearby hospitals. The attack also delayed dozens of COVID-19 test results and affected the hospital’s data transfer and storage, affecting the healthcare the hospital could provide.

In the UK, the National Health Service (NHS) is already in crisis mode, focused on providing beds and ventilators to respond to one of the largest peacetime threats ever faced. But supporting the health sector goes beyond increasing human resources and equipment capacity.

Health services ill-prepared

Cybersecurity support, both at organizational and individual level, is critical so health professionals can carry on saving lives, safely and securely. Yet this support is currently missing and the health services may be ill-prepared to deal with the aftermath of potential cyberattacks.

When the NHS was hit by the Wannacry ransomware attack in 2017 - one of the largest cyberattacks the UK has witnessed to date – it caused massive disruption, with at least 80 of the 236 trusts across England affected and thousands of appointments and operations cancelled. Fortunately, a ‘kill-switch’ activated by a cybersecurity researcher quickly brought it to a halt.

But the UK’s National Cyber Security Centre (NCSC), has been warning for some time against a cyber attack targeting national critical infrastructure sectors, including the health sector. A similar attack, known as category one (C1) attack, could cripple the UK with devastating consequences. It could happen and we should be prepared.

Although the NHS has taken measures since Wannacry to improve cybersecurity, its enormous IT networks, legacy equipment and the overlap between the operational and information technology (OT/IT) does mean mitigating current potential threats are beyond its ability.

And the threats have radically increased. More NHS staff with access to critical systems and patient health records are increasingly working remotely. The NHS has also extended its physical presence with new premises, such as the Nightingale hospital, potentially the largest temporary hospital in the world.

Radical change frequently means proper cybersecurity protocols are not put in place. Even existing cybersecurity processes had to be side-stepped because of the outbreak, such as the decision by NHS Digital to delay its annual cybersecurity audit until September. During this audit, health and care organizations submit data security and protection toolkits to regulators setting out their cybersecurity and cyber resilience levels.

The decision to delay was made to allow the NHS organizations to focus capacity on responding to COVID-19, but cybersecurity was highlighted as a high risk, and the importance of NHS and Social Care remaining resilient to cyberattacks was stressed.

The NHS is stretched to breaking point. Expecting it to be on top of its cybersecurity during these exceptionally challenging times is unrealistic, and could actually add to the existing risk.

Now is the time where new partnerships and support models should be emerging to support the NHS and help build its resilience. Now is the time where innovative public-private partnerships on cybersecurity should be formed.

Similar to the economic package from the UK chancellor and innovative thinking on ventilator production, the government should oversee a scheme calling on the large cybersecurity capacity within the private sector to step in and assist the NHS. This support can be delivered in many different ways, but it must be mobilized swiftly.

The NCSC for instance has led the formation of the Cyber Security Information Sharing Partnership (CiSP)— a joint industry and UK government initiative to exchange cyber threat information confidentially in real time with the aim of reducing the impact of cyberattacks on UK businesses.

CiSP comprises organizations vetted by NCSC which go through a membership process before being able to join. These members could conduct cybersecurity assessment and penetration testing for NHS organizations, retrospectively assisting in implementing key security controls which may have been overlooked.

They can also help by making sure NHS remote access systems are fully patched and advising on sensible security systems and approved solutions. They can identify critical OT and legacy systems and advise on their security.

The NCSC should continue working with the NHS to enhance provision of public comprehensive guidance on cyber defence and response to potential attack. This would show they are on top of the situation, projecting confidence and reassurance.

It is often said in every crisis lies an opportunity. This is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.

It is an opportunity to lead a much-needed cultural change showing cybersecurity should never be an afterthought.