NHS Demand Better Cybersecurity Standards from Suppliers

Overview

The United Kingdom’s National Health Service (NHS) has announced new plans to collaborate more closely with its suppliers to enhance cybersecurity resilience across the healthcare and social care sectors. This initiative was set out in an open letter issued on 22 January, which aims to address the growing cybersecurity challenges facing the NHS and its supply chain.

Background and Rationale

The announcement follows the introduction of the Cybersecurity Supply Chain Charter, launched last year by NHS England and the Department of Health and Social Care (DHSC) as a voluntary scheme. The charter was designed in response to an escalating number of ransomware and cyber-attacks targeting healthcare organisations both within the UK and globally.

The NHS and DHSC had previously noted that the healthcare sector was facing an ‘endemic’ of ransomware activity, where critical services were being disrupted, patient data was at risk, and the continuity of care was threatened. The newly outlined approach seeks to transform this earlier voluntary framework into a more engaged process between the NHS and its suppliers.

Statements from NHS and DHSC Leadership

The open letter was jointly signed by Phil Huggins, the National Chief Information Security Officer (CISO) for health and care at the DHSC, and Mike Fell, Executive Director of National Cyber Operations for NHS England.

They explained that:

“Cyber-attacks are a persistent and system-wide risk across the UK, and the health and care sector is not exempt. While the charter provides an important foundation, the scale and endurance of the threat mean that we now need to build on that voluntary commitment through more direct, proportionate engagement with suppliers to safeguard essential services.”

Government Alignment and Policy Context

The timing of the NHS’s announcement aligns with wider government initiatives to improve national cybersecurity standards. The newly proposed Cyber Security and Resilience Bill and the recently released Government Cyber Action Plan both reinforce the importance of proactive risk management and system-wide resilience across all critical sectors, particularly healthcare.

Supplier Engagement and Objectives

According to the letter, NHS England and other relevant contracting authorities will begin reaching out to suppliers to discuss cybersecurity measures, existing controls, and any potential risks within the supply chain that could affect patient care or operational continuity.

Importantly, the document clarifies that this initiative is not an audit or a pass/fail compliance exercise. Instead, it is a collaborative process intended to identify risks and agree on practical, proportionate remediation efforts. The goal is to strengthen cybersecurity resilience collectively rather than penalise individual organisations.

Key Cybersecurity Expectations

Ahead of these engagements, NHS England outlined a series of baseline expectations for health and social care providers. These actions are designed to ensure that organisations remain as resilient as possible to potential cyber threats. The guidance includes:

  • Keeping systems supported and patched against known vulnerabilities
  • Maintaining ‘Standards Met’ status within the Data Security and Protection Toolkit (DSPT)
  • Applying multi-factor authentication (MFA) and ensuring it is enabled for all NHS-facing systems where appropriate
  • Implementing active monitoring and logging of critical IT infrastructure
  • Maintaining secure, immutable backups (copies that cannot be altered or deleted once written) and regularly testing recovery procedures
  • Conducting board-level cybersecurity exercises to strengthen leadership awareness and preparedness

Collaborative Approach and Sector Response

The letter acknowledges the significant effort already made by many suppliers in improving cybersecurity standards. It emphasises that the new initiative seeks not to replace these efforts but to coordinate and enhance them under a national framework.

In their concluding remarks, Huggins and Fell noted:

“We are grateful for the substantial effort many suppliers already make to strengthen cybersecurity. By working together, we can reduce risk, protect essential services, and build confidence across the sector.”

Conclusion

The NHS’s move represents an important step towards building a more robust, collaborative cybersecurity culture within the UK’s health and social care systems. By engaging directly with suppliers and emphasising shared responsibility, the NHS aims to ensure that digital threats do not compromise patient safety or disrupt essential healthcare delivery.
