NHS suppliers urged to sign cyber security best practice charter

Suppliers to the NHS have been urged to sign a charter of cyber security best practice to show their commitment to being trusted and secure partners to the health system.
An open letter, published on 15 May 2025, has been signed by Mike Fell, director of cyber operations at NHS England, Phil Huggins, national chief information security officer at the Department of Health and Social Care (DHSC), and Vin Diwakar, national director of transformation at NHSE.
The charter asks suppliers to take steps that include maintaining vendor support for the systems they run, applying patches for known vulnerabilities, enforcing multi-factor authentication on networks and systems, and keeping “immutable backups” of critical business data.
Further requirements cover ensuring effective 24/7 cyber monitoring is deployed, logging activity on critical IT infrastructure, reporting incidents to NHS clients in a timely manner, and working “collaboratively, openly and in partnership with NHS England” if a cyber attack occurs.
In a LinkedIn post on 15 May 2025, Fell said: “The complexity of cyber security and the NHS’s supply chain alongside the endemic criminal cyber threat faced by the UK make partnership crucial”.
“This letter outlines our commitment to enhancing cyber security and ensuring the safety of our digital infrastructure.
“Collaboration through our supply chain is crucial and we must work together to protect healthcare and defend as one.
“Today we are setting out our expectation, abstract of contractual terms, of the key things required to help harden our systems and protect delivery of care.”
A self-assessment form will be launched in autumn 2025 where suppliers can sign the charter, allowing time for them to work through the eight statements outlined in the open letter and be ready to commit.
There are also a series of supplier summits and engagement opportunities scheduled to help suppliers understand how they can collaborate on keeping the NHS safe from and resilient to cyber attacks.
In April 2025, the government published its plans for the Cyber Security and Resilience Bill, which would require more organisations and suppliers, including data centres, managed service providers and critical suppliers, to meet robust cyber security requirements.
The legislation is intended to prevent attacks similar to the Synnovis ransomware attack in June 2024, which disrupted London pathology services and led to at least two incidents of severe patient harm.
In response to the open letter, Darren Williams, chief executive and founder of ransomware prevention firm BlackFog, said: “Ransomware attacks on healthcare organisations continue to pose a significant risk – not just operationally, but also in terms of real human impact.
“For threat actors, sensitive data is the ultimate target and NHS suppliers are custodians of vast volumes of highly confidential information.
“In Q1 alone, healthcare was the most targeted sector by ransomware attacks globally, with 57 recorded incidents.
“It’s no surprise, then, that the NHS is urging its suppliers to step up their cybersecurity practices in response to escalating threats across the supply chain.
“Given the spate of ransomware attacks that has impacted both public and private sector, initiatives which incentivise providers are a necessary step.”