NHS England launches cyber charter to shore up vendor security practices
Voluntary charter follows a series of high-profile ransomware attacks


NHS England is calling on suppliers to sign up to a new cybersecurity charter, asking them to implement measures aimed at countering 'endemic' ransomware threats.
In a letter to suppliers, it warned that incidents are often very severe and are becoming increasingly frequent. To address the issue, the health service is asking them to make eight security commitments.
"The complexity of cybersecurity and the NHS's supply chain alongside the endemic criminal cyber threat faced by the UK make partnership crucial. Collaboration through our supply chain is crucial, and we must work together to protect healthcare and defend as one," wrote Mike Fell, NHS director of cyber, in a post on LinkedIn.
"Today we are setting out our expectations, abstract of contractual terms, of the key things required to help harden our systems and protect delivery of care."
Suppliers signing the charter should make sure their systems are properly supported and have the latest patches applied to deal with known vulnerabilities. They should achieve and maintain at least 'Standards Met' as part of the Data Security and Protection Toolkit (DSPT).
They're also asked to use multi-factor authentication (MFA) on their own networks and systems, and to support identity federation or make MFA functionality available on the products they provide.
Infrastructure improvements are a key focus of the charter, with the health service asking suppliers to deploy effective 24/7 cyber monitoring techniques and log their critical IT infrastructure.
A key aim here is to ensure suppliers are better equipped to prevent and detect cyber attacks, and make incidents easier to investigate.
Backups and software security in the spotlight
The importance of backups was highlighted in particular, with the charter calling on organizations to keep immutable backups of critical business data.
Suppliers should also plan for business continuity and rapid recovery of essential IT systems in the event of a breach or incident.
Similarly, suppliers should carry out board-level exercises to make sure they're confident in their ability to respond in the event of a cyber attack.
If an incident occurs, they must report promptly to their clients, working with NHS England and adhering to all regulatory requirements.
Finally, software suppliers to the NHS must make sure that the software has been produced in adherence to the software code of practice from the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC).
The charter requires them to adhere to the principles of secure design and development, secure build environment, secure deployment and maintenance, and communication with customers.
Closer collaboration
NHS England said it will do what it can to help its supply chain comply, developing tools to help providers identify their critical suppliers to carry out appropriate assurance, defining requirements for a national supplier management platform, and developing a risk assurance model.
It will also review its contractual frameworks to include appropriate security schedules and make expectations clear.
This will include the launch of a self-assessment form later this year, giving time for suppliers to work through the eight statements and be ready to commit. It's also planning a series of webinars over the coming months, with a supplier forum for cybersecurity scheduled for the autumn.
The charter follows a series of high-profile supply chain attacks. Last summer, for example, a Russian-speaking ransomware group attacked blood testing company Synnovis.
The attack on Synnovis disrupted services at NHS King's College and Guy's and St. Thomas'.
Later this year, the Cyber Security and Resilience Bill will come into force, tightening supply chain security within essential services, infrastructure and digital services, including the NHS.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.