
By Trevor Dearing, Director of Critical Infrastructure at Illumio
On 15th May, NHS England launched its new voluntary cyber security charter for suppliers. With it, the NHS is sending out a strong message: cybersecurity is a shared responsibility, and suppliers are responsible for improving resilience.
The charter outlines eight security pledges that should be in place where “reasonably necessary.” These include ensuring all systems are supported and updated, applying multi-factor authentication (MFA), and deploying 24/7 monitoring and logging of critical IT infrastructure to detect attacks.
And it makes sense. These aren’t groundbreaking concepts; they’re proven security controls that should form the backbone of any robust cyber defence strategy. In fact, these practices should already have been in place, without a charter being needed to prompt them.
The NHS needs robust security standards to avoid a repeat of the catastrophic cyberattacks we have seen on suppliers in the past. However, we’ve all watched well-intentioned security initiatives stumble not because the strategy was wrong, but because the execution fell short.
To be effective, the new cyber security charter must drive real, lasting change across the NHS, not just look good on paper. This requires proper funding, strong oversight, meaningful accountability, and consistent enforcement beyond annual box-ticking.
Ransomware crisis: understanding the reality facing NHS CISOs
In an open letter, Phil Huggins, the CISO for Health and Care at the Department of Health and Social Care, said that ransomware is an ‘endemic.’ And he’s not wrong.
The attack on pathology services provider Synnovis alone led to 10,152 postponed appointments, 1,710 cancelled procedures, 300 million patient records compromised, and an estimated financial cost of £32.7 million.
This is the damage caused by just one attack.
When you consider the additional incidents involving NHS Dumfries and Galloway, Wirral University Teaching Hospital, and more, the financial and operational impact is staggering.
Cybercriminals understand that attacking healthcare creates the perfect storm of high-value data, operational chaos, and intense pressure to pay.
The bottom line for CISOs is stark: attacks will continue, but you can reduce the impact. The question is no longer whether you will be targeted; it’s how prepared you are for when it happens.
Understanding supply chain risk
The reliance of the NHS on third-party software and services, combined with well-resourced attackers, has created a perfect storm of vulnerabilities and hard-to-detect risks.
Attackers know they can increase efficiency and profitability by targeting the supply chain, and they are focusing their efforts accordingly.
Strong internal defences mean little if suppliers have weak security. Even the best firewall fails when attackers enter through an unprotected vendor.
Yet, NHS Trusts still place too much implicit trust in suppliers to protect critical systems and patient data.
The problem is not unique to the NHS: organisations across all sectors are unaware of the risks posed by third-party providers, and overconfidence in supply chain security is commonplace.
Ponemon Institute research found that confidence in third parties’ privacy and security practices has increased to 47 per cent, from 33 per cent in 2021. That’s despite increasingly frequent and impactful supply chain attacks.
In healthcare, where lives are at stake, such risk is unacceptable. Every vulnerability must be identified, addressed, and mitigated. That doesn’t mean preventing every cyberattack – that’s unrealistic.
Instead, suppliers must be able to contain attacks and ensure NHS services remain operational.
Why containment is the NHS’ cure to its ransomware endemic
The irony with cybercrime is that, while we often hear the phrase “a sophisticated group” after an incident, attackers continue to succeed with the same playbook they’ve used for years.
They exploit basic misconfigurations, inadequate network segmentation, unpatched systems, and weak access controls to move laterally through networks and reach critical systems.
What’s changed isn’t their methodology; it’s the devastating scale of the impact when they succeed.
The issue is not necessarily that attackers got in; it’s that, once inside, they can move undetected to reach critical systems.
Yet, the cyber security charter neglects to mention implementation of breach containment measures like segmentation.
And while the charter may sound great on paper, arguably it still places the emphasis on reactive responses to attacks rather than on proactively building genuine cyber resilience. It encourages commitment, not action.
If we’re truly serious about protecting NHS operations, promises aren’t enough. We need substantial investment, decisive action, and a complete shift in how we approach security from the inside out.
Prevention is still important, but breach containment is now non-negotiable for patient safety and operational continuity.
So, where do we go next?
One key point that must be highlighted is that the cyber security charter is currently not mandatory – it’s voluntary.
This effectively gives suppliers a “get out of jail free” card if they choose not to implement basic security practices.
Given the critical nature of healthcare, the charter should be mandatory – no supplier should be exempt from essential safeguards.
But we shouldn’t stop there. We need to see specific regulation for the healthcare sector, focused on driving ongoing improvements to cyber resilience.
Good examples are the EU’s Digital Operational Resilience Act (DORA) and HIPAA in the US.
Both regulations mandate a risk-based approach to cybersecurity and resilience, introducing more prescriptive mandates on security controls like segmentation, while encouraging organisations to understand their risks, prioritise actions, and make steady, measurable progress.
This includes knowing which assets are connected to your network, how they interact with systems, what threats those assets face, and which ones are most vulnerable. It also involves continuously assessing how those vulnerabilities could be exploited, and how prepared the organisation is to respond.
While the charter can serve as a useful baseline for assessing capabilities, it should not be viewed as a one-off task.
The real value lies in shifting suppliers from a reactive, gap-filling approach to a long-term, proactive strategy for building cyber resilience.
But this requires more than mere advice and direction. It requires a shift in mindset, one that assumes an attack from the supply chain is inevitable and plans accordingly.
Fighting the ransomware endemic
The NHS cyber security charter is a step in the right direction, but it doesn’t go far enough. It’s a long-overdue start to improving security in the supply chain, but certainly not the end.
To safeguard NHS operations and preserve patient care, we need to stop pretending we can keep attackers out and start planning for how to keep operations running when the inevitable breach happens.
Like any business risk, the focus must be on minimising impact, but in healthcare, impact is measured in lives, not just pounds.
Breach containment protects against worst-case scenarios, but to be truly successful it demands real funding, leadership, penalties for non-compliance, and constant vigilance, not the failed checkbox approach.