
Officials set out cyber security charter for NHS suppliers

16/05/25

Mark Say, Managing Editor

Senior officials of England’s health service have written to suppliers to the NHS urging them to meet the requirements of a new cyber security charter.

They have published an open letter to CEOs of current and potential suppliers, highlighting the severity of the threats from cyber attacks and asking them to sign the charter.

Phil Huggins, national chief information security officer for health and care in the Department of Health and Social Care, Mike Fell, director of cyber operations at NHS England and the organisation’s national director of transformation Vin Diwakar have signed the letter.

It comes in response to rising anxieties about cyber attacks on the health service, with incidents over the past year affecting hospital trusts in south-east London and NHS Dumfries and Galloway.

The letter sets out the key requirements for companies and organisations that support clinical systems or process or store confidential information. These include that systems are kept in support with the latest patches, the organisation achieves the ‘Standards Met’ as part of the Data Security and Protection Toolkit (DSPT), and they apply multi-factor authentication.

They should also deploy 24/7 monitoring and logging of critical IT infrastructure, ensure they have immutable back-ups of critical data, carry out board level exercising and report any cyber attacks to clients in a timely manner.

In addition, software suppliers should agree that their software has been produced in adherence to the software code of practice from the National Cyber Security Centre, and commit to meeting the principles of secure design and development.

“Signing up to the cyber security charter is a helpful and positive step, but it does not amount to a legal obligation and does not result in priority or enhanced status in terms of the tendering process for contracts with NHS organisations,” the letter says.

“The requirements of the DSPT remain whether or not you sign up to the cyber security charter.”

It also makes the point that the charter is voluntary for suppliers, but says it is an important element of the effort to ‘defend as one’ in the NHS, and points to the Cyber Security and Resilience Bill – to be submitted to Parliament this year – expanding the remit of relevant regulations.

The signatories also refer to plans to run a series of relevant webinars, develop a supplier forum and define requirements for a national supplier management platform to help map the supply chain.
