
Suppliers asked to sign charter of cyber security best practice outlining standards and responsibilities

An open letter signed by Mike Fell, director of cyber operations at NHSE; Phil Huggins, national CISO for health and care at the DHSC; and Vin Diwakar, national director of transformation at NHSE, asks suppliers to sign a charter of cyber security best practice. The charter represents a voluntary commitment to a series of measures covering support, standards, multi-factor authentication (MFA), monitoring, and reporting.

Steps that suppliers are asked to take under the charter include maintaining support for systems, applying patches to known vulnerabilities, maintaining DSPT standards, applying MFA to networks and systems, and keeping backups of critical data to ensure business continuity and rapid recovery. Round-the-clock (24/7) monitoring and logging of critical IT infrastructure to support detection and investigation, along with reporting to clients and working collaboratively with NHSE in the event of an attack, are also set out as requirements.

“This letter outlines our commitment to enhancing cyber security and ensuring the safety of our digital infrastructure,” Mike Fell shared in a LinkedIn post. “Collaboration through our supply chain is crucial and we must work together to protect healthcare and defend as one. Today we are setting out our expectations, abstract of contractual terms, of the key things required to help harden our systems and protect delivery of care.”

A self-assessment is due to be launched in Autumn, with a series of webinars also scheduled for the coming months. Noting the “significant challenge”, the letter also shares commitments to developing tools to help providers identify their critical suppliers and carry out assurance, as well as to defining requirements for a national supplier management platform to map the supply chain, establishing a risk assurance model to identify and mitigate risk, and reviewing contractual frameworks used by NHS organisations to enter contracts.

Wider trend: Cyber security in health and care

For a recent HTN Now webinar focusing on sharing best practices around cyber security, we were joined by an expert panel including Neill Crump, digital strategy director at The Dudley Group NHS Foundation Trust; Nasser Arif, cyber security manager at London North West Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Martin Knight, privileged access management at Imprivata. The session focused on key considerations for NHS organisations in their approach to cyber security: assessing cyber security maturity, good cyber security practice, the challenges in this area, and tips to overcome them.

NHS Cornwall and Isles of Scilly’s cyber security strategy to 2026 has been put forward for board endorsement, with priorities covering identifying and managing risk; strengthening governance; embedding cyber awareness and culture; critical IT systems and suppliers; and prediction, prevention, detection, response and recovery. Outlining the current situation in C&IoS, the ICS highlights that implementing the Cornwall Cyber Security Operations Centre has been “advantageous”, enabling greater value around cyber security operations and offering improvements around compliance, risk and governance. It also notes challenges around ongoing funding to support the ICS’s cyber plans, with limited finances or resources often meaning tech assets are utilised for “longer than originally designed”.

The Department for Science, Innovation and Technology has outlined plans for the Cyber Security and Resilience Bill, noting measures for enhancing oversight, regulating the supply chain, and progressing the CAF’s basic and enhanced profiles. It first looks to bring more entities under the scope of the regulatory framework, to “better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains”, including interconnectedness, which it states can have “cascading effects on our essential services”. Managed service providers offering core IT services will also be brought into scope, whilst the government is similarly looking to enable regulators to designate “critical suppliers” and set stronger duties for the supply chain.