Top cybersecurity officials within the UK government and the National Health Service (NHS) are asking CEOs of tech suppliers to pledge their allegiance to sound security by signing a public charter.
The letter refers to ransomware being an “endemic” threat to the NHS, with several disasters hitting healthcare facilities and the health org’s supply chain in recent years.
Signed by the NHS’s Vin Diwakar and Mike Fell, director of transformation and director of cyber operations respectively, and the government’s healthcare CIO Phil Huggins, the letter states: “the severity of incidents, and increasing frequency, has demonstrated a step change in recent months.
“The complexity of cybersecurity and the NHS’s supply chain alongside the endemic criminal cyber threat faced by the UK make partnership crucial,” said Fell via LinkedIn.
“This letter outlines our commitment to enhancing cybersecurity and ensuring the safety of our digital infrastructure. Collaboration through our supply chain is crucial, and we must work together to protect healthcare and defend as one.”
The letter names no attacks specifically, but in just the past 12 months two major incidents were declared at NHS trusts, and three if you go back a few months further and count INC Ransom's attack on NHS Scotland in February 2024.
Perhaps the most infamous of these was the attack on pathology services provider Synnovis last summer, which led to thousands of appointment cancellations across London and unexpected, last-minute changes to major surgeries.
More recently, the November hit on Wirral University Teaching Hospitals caused it to miss cancer care targets, a follow-up report revealed, and that’s not factoring in the deplorable attack on Liverpool’s Alder Hey children’s hospital later that same month.
The accumulation of attacks has left insiders believing the NHS has a security culture problem, one that is years in the making and can only be solved by changes at board level.
The request for vendors to sign the charter comes as Britain waits for the Cyber Security and Resilience Bill to take final shape and be implemented. The new legislation will expand the scope of the current Network and Information Systems (NIS) regulations to substantially strengthen protection of supply chains, including those serving the NHS.
The healthcare leaders are making a special appeal to suppliers whose services support clinical systems or process sensitive data on behalf of NHS organizations.
The charter’s requirements of vendors are detailed fully in the open letter, but here’s a quick summary:
- Keep systems fully patched against the latest vulnerabilities
- Achieve and maintain compliance with the NHS's Data Security and Protection Toolkit (DSPT)
- Apply MFA across networks and systems
- Deploy effective 24/7 cyber monitoring
- Maintain reliable, immutable backups to minimise the impact on business continuity
- Run board-level incident response exercises
- Report incidents to clients and regulators in a timely manner
- Ensure software provided to the DHSC [Department of Health and Social Care] meets the Software Security Code of Practice launched by the NCSC and DSIT last week
The NHS will be launching a self-assessment form at an unspecified time during the autumn months, at which point tech suppliers can sign up to the charter.
“This will allow time for suppliers to work through the eight statements and be ready to commit,” the letter reads.
Signing up to the charter is purely voluntary, and the commitments it contains are not legally binding. However, the NHS is also reminding suppliers of the legal obligations they already have, such as their contractual agreements with the Service and GDPR.
“Signing up to the Cyber Security Charter is a helpful and positive step, but it does not amount to a legal obligation and does not result in priority or enhanced status in terms of the tendering process for contracts with NHS organizations.
“The requirements of the DSPT remain whether or not you sign up to the Cyber Security Charter.”
Suppliers will also be asked to join future summits and other engagements to share ideas with the NHS and others intended to help secure the UK’s healthcare systems.
The expectations set out in the letter will ultimately make their way into NHS contracts, similar to how the Software Code of Practice aims to introduce new standards via industry bodies.
Huggins said: “Over time, the expectations set out in the charter will make their way into assurance processes, contractual terms, and regulatory obligations across the NHS.”
NHS contracts are also under review, as part of a cross-government push, so that the cybersecurity expectations of awardees are clear. ®