Call to Action for NHS Suppliers
Suppliers to the NHS are being encouraged to sign a charter of cyber security best practices to demonstrate their commitment to being reliable and secure partners within the health system.
Details of the Charter
An open letter released on May 15, 2025, has been endorsed by:
- Mike Fell, Director of Cyber Operations at NHS England
- Phil Huggins, National Chief Information Security Officer at the Department of Health and Social Care (DHSC)
- Vin Diwakar, National Director of Transformation at NHS England
The charter outlines several key actions that suppliers are expected to undertake, including:
- Maintaining support for systems
- Applying patches to known vulnerabilities
- Implementing multi-factor authentication for networks and systems
- Keeping “immutable backups” of critical business data
- Ensuring effective 24/7 cyber monitoring
- Logging activity on critical IT infrastructure
- Reporting incidents to NHS clients in a timely manner
- Collaborating with NHS England during cyber incidents
Importance of Collaboration
In a LinkedIn post on the same day, Mike Fell emphasized the necessity of partnership in addressing the complexities of cyber security within the NHS supply chain, stating:
“The complexity of cyber security and the NHS’s supply chain alongside the endemic criminal cyber threat faced by the UK make partnership crucial.”
He further noted that this letter signifies a commitment to enhancing cyber security and safeguarding digital infrastructure, highlighting the need for collaboration to protect healthcare services.
Next Steps for Suppliers
A self-assessment form will be introduced in autumn 2025, allowing suppliers to sign the charter after reviewing the eight outlined statements. Additionally, a series of supplier summits and engagement opportunities will be organized to facilitate collaboration in enhancing NHS cyber resilience.
Government Initiatives
In April 2025, the government set out its plans for the Cyber Security and Resilience Bill, which would bring more organizations and suppliers, including data centres and managed service providers, within the scope of stringent cyber security standards. The legislation is intended to prevent incidents like the Synnovis ransomware attack of June 2024, which severely disrupted pathology services across London and caused significant patient harm.
Industry Response
Darren Williams, CEO and founder of ransomware prevention firm BlackFog, commented on the ongoing threat of ransomware attacks in healthcare, stating:
“Ransomware attacks on healthcare organizations continue to pose a significant risk – not just operationally, but also in terms of real human impact.”
He noted that healthcare was the most targeted sector globally for ransomware attacks in Q1 2025, with 57 recorded incidents. This underscores the urgency for NHS suppliers to strengthen their cyber security practices in the face of an escalating threat.