As the Cyber Security and Resilience Bill continues its progress through the Wetsminster system, NHS digital leaders have called for their suppliers to sign up to a voluntary cyber security charter as it works to build up its resilience against threats such as ransomware, and better secure its supply chain.
The NHS has a long and sorry history of cyber breaches, perhaps most famously its systems came under sustained fire during the 2017 WannaCry incident. More recently, health services across south London were impacted by a cyber attack on Synnovis, a supplier of pathology lab services to various NHS trusts in the region.
In light of the growing and ever-changing threat landscape, and the growing frequency and severity of incidents, the NHS said there has been a step change in recent months
In an open letter to suppliers, Phil Huggins, national CISO for health and care at the Department of Health and Social Care (DHSC), Mike Fell, director of cyber operations at NHS England, and Vin Diwakar, national director of transformation at NHS England, said: “As valued partners to the NHS, it is important to us that we work together and defend as one.”
The NHS is asking suppliers that where reasonably necessary – such as in the case of organisations that support clinical systems or process confidential patient data – they commit to keeping their IT systems in support and patched, to achieve and maintain at least ‘Standards Met’ under the Data Security and Protection Toolkit (DSPOT), apply multifactor authentication alongside NHS England’s existing MFA policies, deploy always-on cyber monitoring and logging of critical infrastructure, and put in place immutable backups of critical data alongside appropriate business continuity and recovery plans.
The charter also requires suppliers to conduct board level exercising on incident response, report cyber attacks affecting NHS customers in a timely manner and work with them to resolve, and only supply software produced in adherence to the Department for Science, Innovation and Technology (DSIT) and National Cyber Security Centre (NCSC) software code of practice.
Huggins, Fell and Diwakar asked suppliers to commit to being an “outstanding and trusted partner” by agreeing to sign the charter.
“This voluntary charter will contain the asks outlined above and show your commitment to being a trusted and secure partner to the health and care system. We will be launching a self-assessment form in the autumn, whereby suppliers can sign the charter. This will allow time for suppliers to work through the eight statements and be ready to commit,” they said.
Continuous improvement a challenge
In recognition that making continuous improvements in cyber resilience in the present threat environment is a significant challenge, the NHS leaders also said they were ready and willing to ensure the health service plays its own part through, for example, developing bespoke tools that suppliers can use to audit their own supply chains in accordance with NHS needs, and defining requirements for a national supplier management platform and risk assurance model.
The NHS will also review the contractual frameworks that its own organisations use to enter contracts to ensure appropriate security schedules and expectations. This piece is part of a wider government initiative in this regard.
The health service plans to run a series of webinars in the coming months, and hopes to launch a supplier cyber security forum in the autumn.
“For threat actors, sensitive data is the ultimate target and NHS suppliers are custodians of vast volumes of highly confidential information. In Q1 alone, healthcare was the most targeted sector by ransomware attacks globally, with 57 recorded incidents,” said BlackFog founder and CEO Darren Williams.
“It’s no surprise, then, that the NHS is urging its suppliers to step up their cyber security practices in response to escalating threats across the supply chain.
“Given the spate of ransomware attacks that has impacted both public and private sector, initiatives which incentivise providers are a necessary step. It’s not only about safeguarding patient data but also ensuring the continuity of critical services.”
