Full Report
The UK’s National Health Service (NHS) is asking its IT suppliers to commit to better cybersecurity by signing a public charter.

In a May 15 open letter to suppliers, top UK and NHS cyber officials urged suppliers to sign the NHS charter and pledge to adopt cybersecurity best practices that could help address a wave of crippling ransomware attacks that have hit NHS hospitals and healthcare facilities.

A self-assessment form will be launched in the fall allowing suppliers to sign the NHS charter. That gives them several months to adopt the eight practices outlined in the open letter.

NHS Charter Outlines 8 Cybersecurity Practices

The eight cybersecurity practices outlined in the letter include:

- Keeping systems up to date with the latest patches for known vulnerabilities
- Achieving and maintaining at least “Standards Met” as part of the Data Security and Protection Toolkit (DSPT)
- Applying Multi-Factor Authentication (MFA) to networks and systems and supporting identity federation or MFA functionality on products
- Deploying effective around-the-clock cyber monitoring and logging of critical IT infrastructure
- Implementing immutable backups of critical business data and products, with tested business continuity and rapid recovery plans
- Board-level exercises “to ensure you are confident of your ability to respond in the event of a cyber attack”
- Reporting to clients in a timely manner, adhering to all regulatory requirements, and working collaboratively with NHS England in the event of a cyberattack affecting patient care or data
- Producing any software for the NHS in adherence to the Department for Science, Innovation and Technology (DSIT)/National Cyber Security Centre (NCSC) software code of practice, and committing to meeting the principles of secure design and development, secure build environment, secure deployment and maintenance, and communication with customers

NHS Pledge Is Voluntary – And Doesn’t Change Legal Requirements

While the NHS charter pledge is voluntary, the letter notes that organizations “will also have legal obligations to maintain the cyber security of the processes and systems you operate under arrangements with NHS organisations.” That includes contractual terms and other obligations such as Article 32 of UK GDPR, which requires technical and organizational measures appropriate to the risks to personal data. And DSPT requirements “remain whether or not you sign-up to the cyber security charter.”

The letter – from Phil Huggins, National Chief Information Security Officer for Health and Care at the Department of Health and Social Care; Mike Fell, NHS England Director of Cyber Operations; and Vin Diwakar, National Director of Transformation for NHS England – noted that additional steps are also under development, including:

- Developing tools that providers can use to identify their critical suppliers and carry out appropriate assurance
- Defining requirements for a national supplier management platform to map the supply chain and develop a risk assurance model “allowing us to identify and mitigate concentration risk”
- Reviewing the contractual frameworks that NHS organizations use to enter contracts so they have appropriate security schedules and clear expectations, as part of a cross-government initiative

The letter also referred to the planned Cyber Security and Resilience Bill, which is under development and aimed at protecting critical infrastructure. The bill is expected to be introduced to Parliament later this year.
Analysis Summary
# Best Practices: Third-Party Cybersecurity Assurance in Healthcare/Regulated Environments
## Overview
These best practices focus on establishing robust cybersecurity accountability and risk management for technology vendors and suppliers operating within sensitive environments, such as those serving the NHS. The core objective is to enforce essential security hygiene, mitigate supply chain risks (especially ransomware threats), and ensure compliance with existing legal and contractual obligations (like Article 32 of UK GDPR and DSPT requirements).
## Key Recommendations
### Immediate Actions
1. **Mandate Current Compliance Review:** For all active vendors serving critical systems, immediately confirm written documentation demonstrating adherence to existing security standards (e.g., DSPT requirements).
2. **Review Existing Contracts:** Audit all current vendor contracts to identify and flag clauses related to cybersecurity responsibilities, security schedules, and breach notification requirements.
3. **Establish Vendor Contact List:** Create a definitive, centralized list of all third-party suppliers who handle sensitive data or connect to critical systems.
### Short-term Improvements (1-3 months)
1. **Implement Supplier Identification Tools:** Begin assessing and procuring tools that enable the organization to effectively identify and map all critical suppliers within the operational ecosystem.
2. **Develop a Risk Assurance Model Baseline:** Create an initial framework for assessing supplier risk based on the criticality of the service provided and the sensitivity of the data accessed.
3. **Strengthen Contractual Frameworks:** Revise standard contract schedules (Security Schedules) for new and renewing contracts to include clear, non-negotiable security expectations reflective of regulatory baseline requirements.
### Long-term Strategy (3+ months)
1. **Develop Concentration Risk Mitigation:** Define and implement a risk assurance model designed to identify and mitigate concentration risk (over-reliance on a single vendor for critical functions).
2. **Establish a National Supplier Management Platform (If applicable to sector):** If working within a large ecosystem like the NHS, actively participate in or pilot the standardization and deployment of a centralized platform for supply chain mapping and ongoing risk assurance.
3. **Prepare for Legislative Changes:** Proactively design security governance processes to meet anticipated requirements under forthcoming legislation, such as the **Cyber Security and Resilience Bill**, focusing on critical infrastructure protection.
## Implementation Guidance
### For Small Organizations
- **Prioritize Legal Minimums:** Focus implementation efforts primarily on satisfying Article 32 of UK GDPR and any existing contractual Data Security and Protection Toolkit (DSPT) obligations, as these carry immediate legal weight.
- **Use Checklists for Assurance:** Since bespoke assurance tools may be unaffordable, develop rigorous security review checklists based on established benchmarks (like CIS Controls) to use during vendor onboarding and annual review.
- **Limit Supplier Scope:** Aggressively rationalize the vendor list, reducing the number of suppliers accessing sensitive systems where possible.
### For Medium Organizations
- **Begin Automated Mapping:** Investigate small-scale Software as a Service (SaaS) solutions for basic asset discovery and vendor inventory management to support the identification of critical suppliers.
- **Standardize Security Schedules:** Create template security schedules to be appended to all vendor contracts, clearly outlining technical and organizational measures (TOMs) required.
- **Focus on Remediation Tracking:** Establish a formal process for tracking and managing risk remediation identified during supplier audits or questionnaires.
### For Large Enterprises
- **Implement Centralized Platform:** Adopt or contribute to the development of a national/sector-specific supplier management platform for comprehensive supply chain mapping and continuous risk assurance.
- **Model Concentration Risk:** Utilize advanced GRC tools to model concentration risk, ensuring that the failure of any single vendor does not critically incapacitate operations.
- **Integrate Policy with Legislation:** Ensure the governance framework is fully aligned with the anticipated requirements of forthcoming security legislation (e.g., the Cyber Security and Resilience Bill), setting expectations ahead of mandatory enforcement.
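The “risk assurance model baseline” and “concentration risk” points above describe a process rather than a tool. The script below is an added illustration of what a minimal version of that model looks like in code; it is not an NHS tool or anything from the letter. The criticality and sensitivity scales, the scoring weights, the supplier names and the inventory rows are all constructed assumptions. It scores each supplier by the criticality of the functions it delivers and the sensitivity of the data it touches, inflates that score for each charter practice the supplier has not evidenced, and then flags two kinds of concentration risk: critical functions that depend on a single supplier, and suppliers on which several critical functions depend.

```python
"""Toy supplier risk assurance model with concentration-risk checks.

Added illustration, not an NHS tool. Scales, weights, supplier names and the
inventory are constructed assumptions; an organisation would set its own.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed ordinal scales (constructed).
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
SENSITIVITY = {"public": 0, "internal": 1, "patient": 3}

# Charter practices a supplier is asked to evidence (subset used here).
PRACTICES = ("patching", "mfa", "monitoring", "immutable_backups")


@dataclass
class Supplier:
    name: str
    data: str                                      # most sensitive data class accessed
    evidence: dict = field(default_factory=dict)   # practice -> evidence on file?


# Constructed inventory rows: (business function, criticality, supplier).
INVENTORY = [
    ("electronic patient record", "high", "Vendor A"),
    ("pathology results", "high", "Vendor A"),
    ("radiology imaging", "high", "Vendor B"),
    ("radiology imaging", "high", "Vendor C"),   # dual-sourced on purpose
    ("staff rostering", "medium", "Vendor D"),
    ("visitor wifi", "low", "Vendor E"),
]

# Constructed supplier records with the evidence each has provided so far.
SUPPLIERS = {
    "Vendor A": Supplier("Vendor A", "patient", {"patching": True, "mfa": True}),
    "Vendor B": Supplier("Vendor B", "patient", {p: True for p in PRACTICES}),
    "Vendor C": Supplier("Vendor C", "patient",
                         {"patching": True, "mfa": True, "monitoring": True}),
    "Vendor D": Supplier("Vendor D", "internal", {"patching": True}),
    "Vendor E": Supplier("Vendor E", "public", {}),
}


def inherent_risk(inventory, sup):
    """Highest criticality served x sensitivity of data accessed, before controls."""
    crit = max((CRITICALITY[c] for _, c, s in inventory if s == sup.name), default=0)
    return crit * SENSITIVITY[sup.data]


def control_gaps(sup):
    """Charter practices for which no evidence has been recorded."""
    return [p for p in PRACTICES if not sup.evidence.get(p, False)]


def residual_risk(inventory, sup):
    """Inherent risk inflated by one step per missing practice (constructed weighting)."""
    return inherent_risk(inventory, sup) * (1 + len(control_gaps(sup)))


def single_points_of_failure(inventory, min_criticality="high"):
    """Functions at or above min_criticality that depend on exactly one supplier."""
    providers = defaultdict(set)
    for f, c, s in inventory:
        if CRITICALITY[c] >= CRITICALITY[min_criticality]:
            providers[f].add(s)
    return sorted(f for f, names in providers.items() if len(names) == 1)


def concentrated_suppliers(inventory, min_functions=2, min_criticality="high"):
    """Suppliers on which min_functions or more critical functions depend."""
    served = defaultdict(list)
    for f, c, s in inventory:
        if CRITICALITY[c] >= CRITICALITY[min_criticality]:
            served[s].append(f)
    return {s: sorted(fs) for s, fs in served.items() if len(fs) >= min_functions}


def assurance_report(inventory, suppliers):
    """Rank suppliers by residual risk, listing the evidence gaps to chase first."""
    rows = [{
        "supplier": sup.name,
        "inherent": inherent_risk(inventory, sup),
        "gaps": control_gaps(sup),
        "residual": residual_risk(inventory, sup),
    } for sup in suppliers.values()]
    return sorted(rows, key=lambda r: (-r["residual"], r["supplier"]))


if __name__ == "__main__":
    for row in assurance_report(INVENTORY, SUPPLIERS):
        print(row)
    print("single points of failure:", single_points_of_failure(INVENTORY))
    print("concentrated suppliers:", concentrated_suppliers(INVENTORY))
```

On the constructed data the report ranks Vendor A first (two high-criticality clinical functions, patient data, no monitoring or immutable-backup evidence), and the concentration checks flag the electronic patient record and pathology results as single points of failure, both resting on Vendor A, while radiology imaging is not flagged because it is dual-sourced. Note that a supplier scoring zero inherent risk (Vendor E) still has its evidence gaps listed, so the report is a prioritisation aid rather than a reason to stop chasing evidence.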
## Configuration Examples
*(The context provided does not include specific technical configuration settings for software or hardware. The focus is on policy, contracts, and process development.)*
**Process Configuration Example (Vendor Security Review Gates):**
| Phase | Required Evidence/Action | Owner |
| :--- | :--- | :--- |
| **Onboarding** | Signed Security Schedule Attachment; Evidence of ISO 27001 or equivalent certification summary. | Procurement/Legal |
| **Annual Review** | Completed Security Questionnaire (based on criticality); Evidence of patch management adherence. | Risk/Compliance Team |
| **Incident Response** | Signed bilateral Information Sharing Agreement (ISA) defining breach notification timelines. | CISO/Incident Response |
## Compliance Alignment
- **UK GDPR Article 32:** Requires "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk. Vendor contracts must reflect this requirement.
- **DSPT (Data Security and Protection Toolkit):** Vendor compliance must be continuously verified against existing DSPT requirements, even if the organization signs supplier charters.
- **Cyber Security and Resilience Bill (Anticipated):** Practices should align with anticipated requirements for protecting critical infrastructure, which will necessitate stricter supply chain controls.
## Common Pitfalls to Avoid
- **Assuming Voluntary Compliance is Enough:** Relying solely on vendors signing a voluntary charter without embedding these requirements into legally binding contracts and conducting assurance activities.
- **Ignoring Existing Legal Duties:** Believing that signing a charter supersedes pre-existing legal obligations (like Article 32 of UK GDPR or DSPT).
- **Failing to Map Concentration Risk:** Allowing mission-critical reliance on a small set of vendors without having backup contracts or immediate mitigation plans in place.
- **Treating Security as a Box-Ticking Exercise:** Accepting vendor attestation without implementing ongoing assurance tools or processes to verify security posture over time.
## Resources
- **UK GDPR Article 32 Documentation:** Review specific guidance on technical and organizational measures.
- **DSPT Requirements Documentation:** Use current NHS Data Security and Protection Toolkit standards as a baseline for vendor assessment.
- **Cyber Security and Resilience Bill Policy Statement:** Monitor updates to prepare for future legislative requirements impacting suppliers of critical services.
- **Risk Assurance Tools:** Research appropriate vendor risk management platforms to facilitate supplier mapping and concentration risk analysis.