As the Cyber Security and Resilience Bill makes its way through Westminster, NHS digital leaders are urging suppliers to join a voluntary cyber security charter. They want to boost defenses against threats like ransomware and tighten the supply chain’s security.
NHS has faced numerous cyber breaches over the years, notably during the 2017 WannaCry incident. Recently, a cyber attack on Synnovis, a pathology lab supplier, disrupted health services in south London. With threats growing in frequency and severity, NHS leaders emphasize the need for immediate action.
In an open letter, Phil Huggins, national CISO at the Department of Health and Social Care, Mike Fell from NHS England, and Vin Diwakar, also from NHS England, expressed the importance of collaboration: “As valued partners to the NHS, it is important to us that we work together and defend as one.”
They’re asking suppliers—especially those handling clinical systems or sensitive patient data—to keep their IT systems updated. Suppliers should aim for ‘Standards Met’ under the Data Security and Protection Toolkit, implement multifactor authentication per NHS policies, maintain continuous cyber monitoring and logging, and establish unalterable backups of critical data alongside recovery plans.
The charter demands that suppliers conduct board-level drills on incident response and promptly report any cyber incidents affecting NHS customers. They also need to ensure their software complies with the Department for Science, Innovation, and Technology and the National Cyber Security Centre’s standards.
Huggins, Fell, and Diwakar want suppliers to commit to being an “outstanding and trusted partner” by signing the charter. They plan to launch a self-assessment form in the autumn, giving suppliers time to prepare to meet the charter’s requirements.
Continuous improvement in cyber resilience is a tough challenge. NHS leaders are ready to support this, stating they will develop tools to help suppliers audit their own supply chains and establish clearer security expectations in contracts. This effort is part of a broader government initiative.
The NHS also intends to host webinars and plans to launch a supplier cyber security forum in the autumn. As BlackFog’s CEO Darren Williams pointed out, healthcare is under attack; in the first quarter alone, it faced 57 ransomware incidents globally.
With these escalating threats, the NHS recognizes the crucial role its suppliers play in protecting sensitive data. Initiatives that encourage providers to improve security practices are vital. This isn’t just about patient data—it’s about ensuring essential services continue to run smoothly.