There needs to be a shift in the NHS and public
I worked in the NHS for 15 years in IT and Cybersec.
The problem is the focus on privacy, yet they never fully adopt the necessary controls and standards to properly manage data security while maintaining confidentiality. The need to access and share always trumps security and privacy, always.
Now look at recent breaches: when those organisations responded, the focus was getting operations back up and running, not privacy.
So during BAU we are obsessed with privacy, but when the brown stuff actually hits the fan the focus moves entirely to restoration of service. That's the problem - they need to follow other sectors within the NIS Regs and focus on availability of the essential service.
I'm convinced privacy won't actually be negatively impacted by this, they play at doing it anyway, but with more resilience built in, focusing on availability, when incidents do happen they will be less impactful so the core "service" will still be able to deliver health care.
This, however, is a public relations disaster even if privacy isn't impacted, as the ICO cannot see past its nose.