NHS England launches Cyber Security Charter for suppliers

NHS England has launched a new voluntary Cyber Security Charter to enhance the digital safety and resilience of the NHS supply chain. In an open letter to its suppliers, the health body underscored the escalating threat of sophisticated cyberattacks, particularly ransomware, and called for a collective effort across the sector to bolster defences.

The charter comprises eight core cybersecurity commitments that suppliers are encouraged to adopt. These principles include updating systems and applying security patches, achieving and maintaining a minimum of 'Standards Met' status in the Data Security and Protection Toolkit (DSPT), and implementing Multi-Factor Authentication (MFA) for internal systems and products provided to the NHS. Suppliers are also expected to implement 24/7 cyber monitoring of critical infrastructure, maintain reliable backups, and conduct board-level cyber response exercises to gauge organisational readiness. Other responsibilities involve prompt incident reporting and adherence to secure software development practices recommended by UK government agencies.

While signing the Cyber Security Charter is voluntary and offers no direct legal or procurement advantages, it is presented as a vital step towards becoming a trusted NHS partner. NHS England plans to introduce a self-assessment form in the Autumn, allowing suppliers time to evaluate their alignment with the eight principles before making a public commitment.