Calling for convergence
Are organisations missing an opportunity to bring security and dedicated counter-fraud specialists closer together in order to share skills, insight and expertise? Alex Rothwell sets out to answer that intriguing question in the context of how current operations are addressed in the National Health Service.
As today’s organisations continue to grapple with what are now increasingly complex and interconnected threats, ongoing debates around the need for convergence have centred on aligning security, cyber, technology and resilience functions, yet the subject of fraud is routinely treated as a separate issue.
This is somewhat striking given that fraud is fundamentally a risk management discipline and, in principle at least, no different from security. Now appears to be the right moment to consider whether greater convergence would be beneficial.
Security and counter fraud disciplines share core capabilities – among them investigative interviewing, intelligence management and evidential analysis – and often work along the same lines of enquiry. For example, a dedicated fraud investigation may rely on access control data, while the theft of equipment might involve the fraudulent alteration of records.
This overlap is already evident in the work of the NHS Counter Fraud Authority (NHSCFA), which operates at the intersection of intelligence, investigation and assurance to address fraud risks that cut across organisational and disciplinary boundaries.
Independent body
What is the NHSCFA and how does the work of security specialists align with its role?
The NHSCFA is an independent arm’s-length body, funded by the Department of Health and Social Care, and leads on the prevention, detection and investigation of fraud, bribery and corruption across the NHS in England.
As an intelligence-led organisation, we use a wide range of information to build a more accurate picture of the fraud risks facing the NHS, inform preventive action and support investigations.
We investigate the most serious, complex and high-profile cases of fraud and work closely with the police and the Crown Prosecution Service to bring offenders to justice. Our specialist financial investigators have powers to recover NHS money lost to fraud.
We also operate a computing team focused on digital forensics, whose members diligently collect and analyse digital evidence.
Importantly, the NHSCFA develops a range of targeted fraud prevention solutions to address identified fraud risks. This may include reviewing and redesigning whole systems or developing tailored guidance or other solutions.
The Fraud Hub has been set up to act as the focal point of contact between the NHSCFA and the counter fraud community across the NHS. Its purpose is to support and enable health bodies to effectively tackle fraud.
Assessing the threat
Each year, the NHSCFA assesses the evolving fraud threat and associated risk through its Strategic Intelligence Assessment, estimating financial vulnerability and using this insight to prioritise activity.
Many people are surprised to learn that, in an organisation providing care that is free at the point of service, exposure to fraud is estimated to be around £1.346 billion per year.
Transparency International suggests that, on a global basis, around 7% of total healthcare spending is lost to corruption.
Although the NHS estimate represents less than 1% of the overall NHS budget in England, this level of loss equates to funding that could otherwise support an additional 26 million General Practitioner (GP) appointments or 433,000 ambulance deployments.
Viewed in this context, reducing financial loss can therefore have a direct and positive impact on patient care and outcomes.
At present, circa 1.5 million individuals are directly employed by the NHS in England, excluding GPs, dentists, opticians, pharmacists and many support staff working in community settings.
Even without these groups, the NHS remains one of the largest employers in the world (and the largest in Europe).
The sheer scale and complexity of the NHS as an organisation – including extensive estates, major construction programmes and a £70 billion annual non-pay procurement spend – creates a broad exposure to the risk of fraud, bribery and corruption.
Inevitably, this risk profile also shapes the organisation’s security challenges.
Risk landscape
What, then, does the risk landscape look like? It encompasses attempts at unauthorised access, compromised credentials, weak stock or drug controls and the potential for the misuse of NHS premises or systems.
Recent examples have included a former ward manager at an NHS mental health unit who was convicted of Fraud by Abuse of Position and sentenced to 18 months’ imprisonment.
The fraud was uncovered by a local counter fraud specialist who cross-checked claimed shifts against biometric security entry records, identifying no fewer than 185 falsely claimed shifts and losses of £72,000.
In another case, a registrar was jailed for declaring himself unfit to work night duties while secretly working night shifts for other hospitals, resulting in losses of more than £200,000.
In the wake of concerns about missing stock, a former nurse in Wales was convicted of stealing prescriptions from a hospital and presenting them at pharmacies to obtain drugs.
We also conducted a high-profile investigation involving a doctor who practised as a psychiatrist for some 20 years without ever having qualified, resulting in convictions for fraud and forgery.
Concerns have also been raised about the integrity of some overseas English language tests, leading in a small number of cases to reassessment or termination of employment where requirements could not be met.
Security controls
Identity remains a shared concern. The UK does not operate a national identity card system and, while passports and driving licences are commonly used, they were not designed for this purpose.
The Government’s move to require digital identity for ‘right to work’ checks represents a significant shift, particularly for large-scale employers such as the NHS.
At an operational level, everyday security controls remain critical. Measures such as robust ID card issuance and appropriate staff photographs can have a material impact.
These controls are sometimes undermined by inconsistent practices, including allowing individuals to submit their own photographs without adequate verification. Photographs using beauty filters are not permitted.
Recent cases have included a nurse who was suitably qualified overseas but not registered to practise in the UK, and who was convicted after using another member of staff’s ID. The discrepancy was identified by a patient.
Cyber attacks
Cyber-enabled attacks present both security and fraud risks. Stolen data can be used to carry out phishing attacks, impersonate patients or illegally obtain prescription medication.
Such activity can harm patients by corrupting records or delaying care, while also creating financial loss.
In 2024, a cyber attack on an NHS pathology provider was found to have contributed to an unexpected patient death due to delays in critical diagnostic information.
The Cyber Security Operations Centre protects healthcare systems from threats through monitoring and alerts, while the NHSCFA gathers and analyses cyber-related intelligence and delivers staff awareness activity.
Machine learning and artificial intelligence are increasingly used to identify emerging fraud patterns, delivering more than £60 million in prevention savings.
Common mission
Ultimately, fraud and security share a common mission: protecting assets, including people, finances, information, systems and organisational reputation.
Fraud diverts funding from frontline care, while security incidents can disrupt services and compromise sensitive information.
There is a strong case for these functions to work together more closely – not necessarily through structural merger, but through a shared approach.
Alex Rothwell is chief executive of the NHS Counter Fraud Authority (NHSCFA).