“Endemic Ransomware Drives NHS to Require Action from Suppliers”
England’s National Health Service (NHS) has issued a call to its suppliers to reinforce their cybersecurity measures in light of the increasing cyber threats facing patients and healthcare services.
The voluntary cybersecurity charter aims to enhance the protection of NHS operations from escalating cyber threats, particularly those associated with ransomware. An open letter addressed to existing and potential suppliers acknowledged the pervasive nature of ransomware attacks.
The letter highlighted several major ransomware incidents that have hit the NHS supply chain in recent years. For instance, the June 2024 ransomware attack on NHS pathology supplier Synnovis, attributed to the Russian-speaking Qilin group, led to the cancellation of thousands of operations and appointments at London hospitals over several months, as well as a significant blood shortage nationwide. The attackers also published stolen patient data online, compounding the harm.
The letter emphasized the growing frequency and severity of these attacks, stating, “The severity of incidents, and increasing frequency, has demonstrated a step change in recent months.”
Suppliers Urged to Commit to Eight Security Pledges
To address these challenges, NHS England has outlined eight cybersecurity pledges for suppliers to adhere to, especially when their services relate to NHS clinical systems or involve processing confidential information, such as patient data. The key commitments outlined in the charter include:
– Ensuring that all systems are up-to-date and patched to address known vulnerabilities.
– Achieving and maintaining at least a ‘Standards Met’ status as part of the Data Security and Protection Toolkit (DSPT).
– Implementing multi-factor authentication (MFA) across all internal networks and on provided products.
– Establishing 24/7 monitoring and logging of critical IT infrastructure to detect potential attacks.
– Reporting any cyber incidents impacting patient data or care to the NHS in a timely manner.
– Ensuring that all software provided to the NHS complies with the UK government’s software security Code of Practice.
The letter also made clear that the charter does not replace suppliers' existing legal obligations. These include contractual agreements with NHS organisations and statutory requirements such as Article 32 of the UK GDPR, which requires organisations to implement technical and organisational security measures appropriate to the risk to the personal data they process.
Additionally, the forthcoming Cyber Security and Resilience Bill, set to be enacted later this year, will introduce further supply chain security mandates.
Self-Assessment Form Available in the Autumn
A self-assessment form will be made available to suppliers by Autumn 2025, allowing them to formally sign up to the charter. This gives current and prospective suppliers time to align their security programmes with the NHS's expectations.
The initiative fits the UK government's wider strategy of driving stronger cybersecurity through market pressure and customer demand, and underlines that protecting patient safety and the integrity of healthcare services depends on collaboration between the NHS and its suppliers.
Phil Huggins, Director in the Department of Health and Social Care, noted on a professional platform that the charter represents an initial step toward managing supply chain risk more effectively within the NHS. Huggins emphasized the commitment to supporting suppliers in meeting these expectations in pursuit of a safer healthcare environment.