An open letter to suppliers sets out eight cybersecurity steps they are asked to follow, alongside commitments from NHS leaders, to make the NHS more secure.
Technology and security leaders from the NHS have called on partners to “work together and defend as one.”
In an open letter ‘to all current, potential or aspiring suppliers to the NHS’, the signatories call on suppliers to follow eight steps to ensure cybersecurity best practice. Published a year on from the ransomware attack against pathology provider Synnovis, which disrupted services at NHS trusts in London, the letter lists the eight steps as follows:
Your systems are kept in support and have the latest patches applied to address known vulnerabilities.
You will achieve and maintain at least 'Standards Met' as part of the Data Security and Protection Toolkit (DSPT).
You will apply Multi-Factor Authentication (MFA) to your own networks and systems.
You will deploy effective 24/7 cyber monitoring and logging of your critical IT infrastructure to prevent and detect cyber-attacks, which will allow investigation in the event of an incident.
You will ensure that you have immutable backups of your critical business data, with tested plans that ensure you can offer business continuity and rapid recovery of essential IT. You will also have immutable backups of your products to ensure the continued provision of the systems and services that you provide.
You have undertaken board-level exercising to ensure you are confident of your ability to respond in the event of a cyber-attack.
You will report to your clients in a timely manner, adhering to all regulatory requirements, and work collaboratively, openly and in partnership with NHS England in the event of discovering a cyber-attack affecting patient care or data.
Where providing software to the NHS, you will agree that the software has been produced in adherence to the Department for Science, Innovation and Technology (DSIT) / National Cyber Security Centre (NCSC) software code of practice and commit to meeting the principles of secure design and development, secure build environment, secure deployment and maintenance and communication with customers.
Signed by Phil Huggins, national CISO for Health and Care at the Department of Health and Social Care, Mike Fell, director of cyber operations at NHS England, and Vin Diwakar, national director of transformation at NHS England, the letter is intended “to highlight the growing and ever-changing cyber security threat level that we collectively face.”
Legal Obligations
On top of the voluntary commitment a supplier makes by signing up to the cybersecurity charter, the open letter notes that organisations also have legal obligations to maintain the cybersecurity of the processes and systems they operate under arrangements with NHS organisations.
“These include the contractual terms with such NHS organisations as well as the statutory obligations including (but not limited to) Article 32 of UK GDPR to have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risks to personal data.”
Tools and Frameworks
In return for the steps asked of suppliers, the undersigned committed to the following:
Develop tools that providers can use to identify their critical suppliers to carry out appropriate assurance.
Define requirements for a national supplier management platform to help us map the supply chain, alongside developing a risk assurance model allowing us to identify and mitigate concentration risk.
Review the contractual frameworks that NHS organisations use to enter contracts, so they have the appropriate security schedules and expectations are clear.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.