NHS England is calling on suppliers to sign up to a new cybersecurity charter, asking them to implement measures aimed at countering ‘endemic’ ransomware threats.
In a letter to suppliers, it warned that incidents are often very severe and are becoming increasingly frequent. To address the issue, the health service is asking them to make eight security commitments.
“The complexity of cybersecurity and the NHS’s supply chain alongside the endemic criminal cyber threat faced by the UK make partnership crucial. Collaboration through our supply chain is crucial, and we must work together to protect healthcare and defend as one,” wrote Mike Fell, NHS director of cyber, in a post on LinkedIn.
“Today we are setting out our expectations, abstract of contractual terms, of the key things required to help harden our systems and protect delivery of care.”
Suppliers signing the charter should make sure their systems are properly supported and have the latest patches applied to deal with known vulnerabilities. They should achieve and maintain at least ‘Standards Met’ as part of the Data Security and Protection Toolkit (DSPT).
They’re also asked to use multi-factor authentication (MFA) on their own networks and systems, and to support identity federation or make MFA functionality available on the products they provide.
Infrastructure improvements are a key focus of the charter, with the health service asking suppliers to deploy effective 24/7 cyber monitoring techniques and log their critical IT infrastructure.
A key aim here is to ensure suppliers are better equipped to prevent and detect cyber attacks, and make incidents easier to investigate.
Backups and software security in the spotlight
The importance of backups were highlighted in particular, with the charter calling on organizations to keep immutable backups of critical business data.
Suppliers should also plan for business continuity and rapid recovery of essential IT systems in the event of a breach or incident.
Similarly, suppliers should carry out board-level exercises to make sure they’re confident in their ability to respond in the event of a cyber attack.
If an incident occurs, they must report promptly to their clients, working with NHS England and adhering to all regulatory requirements.
Finally, software suppliers to the NHS must make sure that the software has been produced in adherence to the software code of practice from the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC).
The charter requires them to adhere to the principles of secure design and development, secure build environment, secure deployment and maintenance, and communication with customers.
Closer collaboration
NHS England said it will do what it can to help its supply chain comply, developing tools to help providers identify their critical suppliers to carry out appropriate assurance, defining requirements for a national supplier management platform, and developing a risk assurance model.
It will also review its contractual frameworks to include appropriate security schedules and make expectations clear.
This will include the launch of a self-assessment form later this year, giving time for suppliers to work through the eight statements and be ready to commit. It’s also planning a series of webinars over the coming months, with a supplier forum for cybersecurity scheduled for the autumn.
The charter follows a series of high profile supply chain attacks. Last summer, for example, a Russian-speaking ransomware group attacked blood testing company Synnovis.
The attack on Synnovis disrupted services at NHS King’s College and Guy’s and St. Thomas’.
Later this year, the Cyber Security and Resilience Bill will come into force, tightening supply chain security within essential services, infrastructure and digital services, including the NHS.
