The UK’s National Health Service (NHS) is asking its IT suppliers to commit to better cybersecurity by signing a public charter.
In a May 15 open letter to suppliers, top UK and NHS cyber officials urged suppliers to sign the NHS charter and pledge to adopt cybersecurity best practices that could help address a wave of crippling ransomware attacks that have hit NHS hospitals and healthcare facilities.
A self-assessment form will be launched in the fall allowing suppliers to sign the NHS charter. That gives them several months to adopt the eight practices outlined in the open letter.
NHS Charter Outlines 8 Cybersecurity Practices
The eight cybersecurity practices outlined in the letter include:
- Keeping systems up to date with the latest patches for known vulnerabilities;
- Achieving and maintaining at least “Standards Met” as part of the Data Security and Protection Toolkit (DSPT);
- Applying Multi-Factor Authentication (MFA) to networks and systems and supporting identity federation or MFA functionality on products;
- Deploying effective around-the-clock cyber monitoring and logging of critical IT infrastructure;
- Implementing immutable backups of critical business data and products, with tested business continuity and rapid recovery plans;
- Board-level exercises “to ensure you are confident of your ability to respond in the event of a cyber attack”;
- Reporting to clients in a timely manner, adhering to all regulatory requirements, and working collaboratively with NHS England in the event of a cyberattack affecting patient care or data;
- Producing any software for NHS in adherence to the Department for Science, Innovation and Technology (DSIT)/National Cyber Security Centre (NCSC) software code of practice and committing to meeting the principles of secure design and development, secure build environment, secure deployment and maintenance and communication with customers.
NHS Pledge Is Voluntary – And Doesn’t Change Legal Requirements
While the NHS charter pledge is voluntary, the letter notes that organizations “will also have legal obligations to maintain the cyber security of the processes and systems you operate under arrangements with NHS organisations.”
That includes contractual terms and other obligations such as Article 32 of UK GDPR requirements for appropriate technical and organizational measures appropriate to the risks to personal data. And DSPT requirements “remain whether or not you sign-up to the cyber security charter.”
The letter – from Phil Huggins, National Chief Information Security Officer for Health and Care at the Department of Health and Social Care; Mike Fell, NHS England Director of Cyber Operations; and Vin Diwakar, National Director of Transformation for NHS England – noted that additional steps are also under development that include:
- Developing tools that providers can use to identify their critical suppliers to carry out appropriate assurance;
- Defining requirements for a national supplier management platform to map the supply chain and develop a risk assurance model “allowing us to identify and mitigate concentration risk”;
- And reviewing the contractual frameworks that NHS organizations use to enter contracts so they have appropriate security schedules and clear expectations, which is part of a cross-government initiative.
The letter also referred to the planned Cyber Security and Resilience Bill that is under development and aimed at protecting critical infrastructure. The bill is expected to be introduced to Parliament later this year.
