“Endemic” Ransomware Prompts NHS to Demand Supplier Action

England’s National Health Service (NHS) has urged its suppliers to commit to strong cybersecurity practices amid increased cyber threats to patients and services.
The voluntary cybersecurity charter aims to better protect the NHS from growing cyber threats via its supply chain, including ransomware.
The open letter to current and prospective NHS suppliers noted that the ransomware threat is “endemic.”
“We have experienced several significant ransomware attacks on our supply chain in recent years,” it read.
This includes a ransomware attack on NHS pathology supplier Synnovis in June 2024, thought to have been perpetrated by Russian gang Qilin.
The attack resulted in thousands of operations and appointments being cancelled in London hospitals over several months, as well as blood stock shortages across the country.
The attackers also published stolen data online, including sensitive NHS patient information.
“The severity of incidents, and increasing frequency, has demonstrated a step change in recent months,” the open letter continued.
Suppliers Urged to Commit to Eight Security Pledges
Through the voluntary cybersecurity charter, NHS England has set out eight security pledges that suppliers should have in place where “reasonably necessary.”
This includes cases where the service supports NHS clinical systems or involves the processing of confidential information, such as patient data.
The commitments in the charter include the following:
- Ensuring all systems are supported and updated with the latest patches to address known vulnerabilities
- Achieving and maintaining at least ‘Standards Met’ as part of the Data Security and Protection Toolkit (DSPT)
- Ensuring multi-factor authentication (MFA) is applied across all internal networks and on products provided
- Deploying 24/7 monitoring and logging of critical IT infrastructure to detect attacks
- Reporting any cyber-attacks impacting patient data or care to the NHS in a timely manner
- Ensuring any software provided to the NHS has been produced in adherence to the UK government’s software security Code of Practice
The open letter to all current, potential or aspiring suppliers to the NHS emphasized that legal cybersecurity obligations will continue to apply outside of the charter.
This includes contractual terms with NHS organizations and statutory obligations, such as Article 32 of UK GDPR, which requires firms to ensure a level of security appropriate to the risks to personal data.
The letter also noted that the UK’s Cyber Security and Resilience Bill, expected to come into force later this year, will have further requirements around supply chain security.
Self-Assessment Form Available in the Autumn
NHS England said a self-assessment form, through which suppliers can sign the charter, will be available from the Autumn of 2025.
This gives time for current and prospective suppliers to update their security strategy in line with NHS expectations.
The move appears to be part of the UK government’s approach to incentivizing stronger cybersecurity through market pressure and consumer demand, as set out during the recent CYBERUK conference.
Writing on LinkedIn, Phil Huggins, Director in the Department of Health and Social Care, said the charter represents “the first step of many” to better manage supply chain risk in the NHS.
“Over time the expectations set out in the charter will make their way into assurance processes, contractual terms and regulatory obligations across the NHS, we will support our suppliers in meeting these wherever we can so that we can protect patient safety and the NHS together in partnership,” Huggins commented.