NHS England has introduced a Cyber Security Charter aimed at improving the digital safety and resilience of the health service’s supply chain
In an open letter addressed to current, prospective, and aspiring suppliers, the health body highlighted the growing threat posed by increasingly sophisticated cyberattacks, particularly ransomware, and called for joint action across the sector.
This new voluntary charter sets clear expectations for all suppliers handling NHS-related systems or confidential information. With the frequency and severity of cyber incidents on the rise, the charter is a key part of NHS England’s strategy to improve cyber resilience across health and social care.
Eight core cyber security commitments
A central element of the charter is the set of eight core principles that suppliers are encouraged to adopt. These include applying system updates and security patches promptly, achieving and maintaining at least ‘Standards Met’ status in the Data Security and Protection Toolkit (DSPT), and implementing Multi-Factor Authentication (MFA) across internal systems and products supplied to the NHS.
Suppliers are also expected to deploy 24/7 cyber monitoring of critical infrastructure, maintain immutable, regularly tested backups to enable rapid recovery, and conduct cyber response exercises at board level to assess organisational preparedness.
Other key responsibilities include timely incident reporting and compliance with secure software development practices outlined by UK government agencies.
Support from NHS England and the Government
In return, NHS England and the Department of Health and Social Care (DHSC) have pledged to collaborate closely with suppliers in shaping national cyber security policies and frameworks.
They also aim to support NHS organisations in making informed procurement decisions by highlighting the importance of working with security-conscious partners.
During cyber incidents, NHS England also offers operational support while promoting a Just Culture, focusing on transparency and learning rather than blame.
Voluntary but important
While signing the Cyber Security Charter is voluntary and does not carry legal or procurement advantages, it is presented as a significant step toward becoming a trusted NHS partner. NHS England will launch a self-assessment form in the autumn, giving suppliers time to evaluate and align with the eight principles before publicly committing.
The charter does not override existing legal and contractual obligations, such as compliance with UK GDPR and DSPT requirements. NHS England advises organisations to incorporate robust cyber clauses into their contracts to ensure suppliers can deliver necessary assurances and protections.
To build resilience, NHS England is developing tools to help healthcare providers identify and assess critical suppliers. Plans are also underway to launch a national supplier management platform and introduce a risk assurance model to address supply chain vulnerabilities. In addition, a series of engagement opportunities, including webinars and a supplier cyber forum, are set to roll out later in the year.
This initiative follows the March 2023 release of the NHS’s long-term cyber security strategy, which set out goals for a resilient digital health and social care system by 2030. Against the backdrop of high-profile supply chain attacks, NHS England invites suppliers to step forward and publicly commit to a shared responsibility: protecting the nation’s health services from evolving cyber threats.