In a decisive move underscoring the evolving nature of cyber threats, the U.K.’s NHS England has issued an open letter to current and prospective suppliers across its digital ecosystem, calling for immediate and concerted action to enhance cybersecurity standards. The letter marks a critical juncture in the nation’s health system’s battle against increasingly sophisticated ransomware attacks and signals a more unified stance on securing vital healthcare infrastructure.

Co-signed by Phil Huggins, national chief information security officer for health and care at the Department of Health and Social Care, Mike Fell, director of cyber operations at NHS England, and Vin Diwakar, national director of transformation at NHS England, the letter represents a rare joint appeal at the highest levels of the NHS’s cyber leadership. It outlines various expectations for suppliers that engage with the health and care system, particularly those involved in clinical system support or the processing of confidential patient data.

“The severity of incidents and increasing frequency have demonstrated a step change in recent months,” the letter said. 

The communication describes ransomware as ‘endemic,’ pointing to recent high-profile incidents that have disrupted services and exposed critical vulnerabilities across the NHS supply chain. NHS England’s intervention reflects an intensifying risk landscape, where cyber intrusions are not merely IT issues but frontline threats to patient care and operational continuity.

Additionally, it noted that the Cyber Security and Resilience Bill aims to expand the remit of cyber regulation, including the Network and Information Systems (NIS) Regulations, to protect more digital services and supply chains against the growing threat.

Suppliers are urged to adhere to a new voluntary Cyber Security Charter, which codifies baseline requirements into eight key actions. These include maintaining up-to-date systems with applied security patches, deploying multi-factor authentication (MFA), implementing round-the-clock cyber monitoring, and ensuring immutable, regularly tested backups for business data and software products. 

Organizations must maintain immutable backups of critical business data, with tested plans in place to support business continuity and enable rapid system recovery. Immutable backups of products will also be maintained to ensure the continued provision of systems and services.

While the charter remains non-binding, it aligns closely with statutory obligations and contractual requirements of NHS organizations. NHS England is clear that participation in the charter does not equate to preferential treatment in procurement. Nonetheless, the move is designed to foster a culture of transparency, resilience, and collaboration.

Further, suppliers are expected to demonstrate board-level readiness to respond to cyber incidents and report any breaches swiftly and in compliance with legal standards. Developers providing software to the NHS must also commit to the Department for Science, Innovation and Technology (DSIT) and National Cyber Security Centre (NCSC) Software Code of Practice, ensuring secure development practices across the lifecycle.

The letter encouraged organizations to commit to being outstanding and trusted partners to the NHS by signing up to the public charter on cybersecurity good practice. The voluntary charter will include various commitments and demonstrate a supplier’s commitment to being a trusted and secure partner to the health and care system. A self-assessment form will be launched in the autumn, enabling suppliers to sign the charter. The timeline allows suppliers sufficient time to review the eight statements and prepare to make their commitment.

NHS England also encouraged participation in future supplier summits and engagement opportunities to explore collaborative approaches for enhancing the NHS’s resilience to cyber threats. In addition, suppliers were encouraged to engage with their local NHS customers to mutually strengthen incident preparedness and understanding.

Apart from the voluntary commitment made by signing the Cyber Security Charter, organizations delivering services under arrangements with NHS bodies also have legal obligations to maintain the cyber security of the systems and processes they operate. These obligations include contractual requirements set by NHS organizations, as well as statutory duties, which mandate the implementation of appropriate technical and organizational measures to ensure a level of security commensurate with the risks to personal data.

While signing the Cyber Security Charter is a positive and constructive step, it is not a legal requirement and does not confer any priority or enhanced status in the procurement or tendering process for NHS contracts. The Data Security and Protection Toolkit (DSPT) requirements remain applicable regardless of participation in the Cyber Security Charter.

In support of this cyber uplift, NHS England is preparing a range of strategic enablers. These include a national supplier management platform to map and assure supply chain resilience, updated contractual frameworks incorporating robust security clauses, and creating a cyber supplier forum and webinar series to deepen engagement.

This systemic initiative dovetails with the broader Cyber Security Strategy for Health and Adult Social Care (2023–2030), which seeks to establish a resilient digital backbone across England’s healthcare sector.

The NHS England letter stated that it recognizes that continuous improvement in cyber resilience, especially in the wake of increasing and evolving threats, is a significant challenge. To play its part nationally, the NHS is developing tools that providers can use to identify their critical suppliers and carry out appropriate assurance, and define the requirements for a national supplier management platform to help map the supply chain, alongside developing a risk assurance model to identify and mitigate concentration risk. 

It also intends to review the contractual frameworks that NHS organizations use to enter into contracts, to ensure they include appropriate security schedules and clearly defined expectations. This forms part of a wider cross-government initiative to review contractual cybersecurity schedules and clauses.

As NHS England opens the door to self-assessments and the formal charter sign-up this autumn, the call to suppliers is both urgent and collaborative. “We are here to support our suppliers every step of the way,” the letter concludes, adding “we will continue to engage with suppliers on our work and policies, which will include issuing further communications, including details of the upcoming charter and future engagements.”

Earlier this month, the U.K. government introduced a voluntary Software Security Code of Practice to enhance the security and resilience of software used by organizations and businesses. It aims to help software vendors and their customers reduce the likelihood and impact of supply chain attacks and other resilience-related incidents, which often stem from avoidable weaknesses in software development and maintenance. Poor communication between organizations and software suppliers can further worsen these issues.