The UK’s National Health Service (NHS) has outlined plans to proactively work with suppliers to improve cybersecurity resilience across the healthcare and social care system in an open letter issued on January 22.
The move follows the voluntary cybersecurity supply chain charter issued by NHS England and the Department of Health and Social Care (DHSC ) in response to the ‘endemic’ of ransomware attacks against health services. The charter published last year, introduced additional measures to help secure IT supply chains across sector.
“Cyber-attacks are a persistent and system-wide risk across the UK, and the health and care sector is not exempt,” said the January open letter, jointly published by Phil Huggins, National CISO for health and care at the DHSC, and Mike Fell, executive director of National Cyber Operations for NHS England
“While the charter provides an important foundation, the scale and endurance of the threat mean that we now need to build on that voluntary commitment through more direct, proportionate engagement with suppliers to safeguard essential services.”
The letter noted how the Cyber Security and Resilience Bill and the recently published Government Cyber Action Plan reinforced the need for stronger, proactive risk management across essential NHS services, including the supply chain.
To achieve this, the letter detailed how NHS England, or relevant contracting authorities, will contact suppliers to discuss key cybersecurity controls and potential supply chain risks to patient care or operational continuity.
The letter also noted that the scheme “is not an audit” or a “pass and fail exercise”. Rather the programme is “is about identifying risk and working in partnership to agree proportionate remediation activity, that strengthens resilience for everyone.”
Ahead of these discussions on supply chain security, NHS England has outlined expectations of actions which health and social care bodies should take to ensure they are as resilient as possible against cyber-attacks. These include:
- Keeping systems supported and patched against known vulnerabilities
- Maintaining ‘Standards Met’ in the Data Security and Protection Toolkit (DSPT)
- Applying multi-factor authentication (MFA) and enabling it on NHS-facing products where appropriate
- Deploying effective monitoring and logging of critical IT infrastructure
- Ensuring backups that cannot be changed and having tested recovery plans
- Conducting board-level exercising
“We are grateful for the substantial effort many suppliers already make to strengthen cyber security. By working together we can reduce risk, protect essential services, and build confidence across the sector,” said the open letter.
Image credit: Piotr Swat / Shutterstock.com
