
NHSE have sent a letter to all CEOs of suppliers to the NHS, urging them to sign their charter of cyber security best practice.
Ransomware has affected several parts of NHSE’s supply chain in recent years, and the high-profile cyber attacks of the last few weeks against the likes of M&S and Co-op demonstrate more than ever the need to be alert to cyber security dangers.
The Cyber Security and Resilience Bill is currently going through Parliament and will enact more robust laws to deliver better protection. BIVDA will keep members informed when the legislation passes.
In the short term, NHSE seeks to bring together all partners in the NHS to defend as one. It is therefore asking companies to ensure, where reasonably necessary (for example, if your service to an NHS organisation supports clinical systems or involves the processing, including storage, of confidential information such as confidential patient information), that:
- your systems are kept in support and have the latest patches applied to address known vulnerabilities
- you will achieve and maintain at least ‘Standards Met’ as part of the Data Security and Protection Toolkit (DSPT)
- you will apply Multi-Factor Authentication (MFA) to your own networks and systems. To support our customers to meet the NHS England MFA policy, you will support identity federation or make MFA functionality available on the products that you provide
- you will deploy effective 24/7 cyber monitoring and logging of your critical IT infrastructure to prevent and detect cyber attacks, which will allow investigation in the event of an incident
- you will ensure that you have immutable backups of your critical business data, with tested plans that ensure you can offer business continuity and rapid recovery of essential IT. You will also have immutable backups of your products to ensure the continued provision of the systems and services that you provide
- you have undertaken board level exercising to ensure you are confident of your ability to respond in the event of a cyber attack
- you will report to your clients in a timely manner, adhering to all regulatory requirements, and work collaboratively, openly and in partnership with NHS England in the event of discovering a cyber attack affecting patient care or data
- where providing software to the NHS, you will agree that the software has been produced in adherence to the Department for Science, Innovation and Technology (DSIT) / National Cyber Security Centre (NCSC) software code of practice and commit to meeting the principles of secure design and development, secure build environment, secure deployment and maintenance and communication with customers
Webinars to help support companies, alongside a self-assessment tool to track your progress, are set to be released in the coming months. In the meantime, please contact england.cyber@nhs.net with any queries.