
Cyber security charter for suppliers to the NHS

A commitment from technology suppliers to the health and social care system.

Your commitment

Current and potential IT suppliers to the NHS should commit in writing to abiding by these principles:

  1. Our systems are kept in support and have the latest patches applied to address known vulnerabilities. [1]
  2. We will achieve and maintain at least 'Standards Met' as part of the Data Security and Protection Toolkit (DSPT). [2]
  3. We will apply Multi-Factor Authentication (MFA) to our own networks and systems. To support our customers to meet the NHS England MFA policy, we will support identity federation or make MFA functionality available on the products that we provide.
  4. We will deploy effective 24/7 cyber monitoring and logging of our critical IT infrastructure to prevent and detect cyber-attacks, which will allow investigation in the event of an incident.
  5. We will ensure that we have immutable backups of our critical business data, with tested plans that ensure we can offer business continuity and rapid recovery of essential IT. We will also have immutable backups of our products to ensure the continued provision of the systems and services that we provide.
  6. We have undertaken board level exercising to ensure we are confident of our ability to respond in the event of a cyber-attack.
  7. We will report to our customers in a timely manner, adhering to (and supporting our customers to adhere to) all regulatory requirements, and work collaboratively, openly and in partnership with NHS England in the event of discovering a cyber-attack affecting patient care or data.
  8. Where providing software to the NHS, we agree that the software has been produced in adherence to the Department for Science, Innovation and Technology (DSIT) / National Cyber Security Centre (NCSC) software code of practice and commit to meeting the principles of secure design and development, secure build environment, secure deployment and maintenance and communication with customers.

[1] We expect organisations to pay particular attention to medium and high severity vulnerabilities that are published on our Cyber alerts pages.

[2] This requirement applies to organisations that are required to complete the DSPT, the conditions for which may change in the future.


What we offer in return

In return, NHS England and the Department of Health and Social Care will:

  1. Work collaboratively with suppliers when developing national policy and regulation that affects the supply chain.
  2. Support NHS providers to be informed buyers of products and services, so that they understand and value suppliers who demonstrate good cyber security practices.
  3. Commit to working with NHS organisations in the event of an incident, and will adopt a Just Culture.

Background

In March 2023, NHS England and the Department of Health and Social Care published our strategy: A cyber resilient health and adult social care system in England: cyber security strategy to 2030.

Considering several recent high profile cyber incidents affecting the health and social care system’s supply chain, NHS England and the Department of Health and Social Care are offering current and potential suppliers an opportunity to publicly affirm their commitment to keeping the NHS and social care sector safe. The NHS, free at the point of use, is available to all, and suppliers working with the public sector have an obligation to ensure they are doing their utmost to secure their systems and data.

Open letter

Read and download a copy of the letter sent to supplier CEOs.

Last edited: 15 May 2025 9:13 am