Thinc insights
NHS England’s cyber security charter encourages all suppliers to step up. What does this mean for your business?
For the NHS, cyber security is critical. Holding the patient records of an entire nation and running services that the country depends upon makes the health service one of the largest targets for cyber criminals.
One of the major challenges facing the NHS in combating threats is the complexity of the system itself, from neighbourhood GPs to large trusts. The system also relies on the products and services of a huge network of suppliers around the country – NHS Supply Chain suggests that there are around 1,500 businesses working with the health service.
As the volume and scope of cyber attacks increases, the NHS is now calling upon these suppliers to pledge their commitment to securing patient data and clinical systems.
If your business works with, or intends to work with, parts of the NHS, this is what you need to know.
In May 2025, NHS England’s cyber security charter was issued, appealing to all current and potential suppliers to the NHS to sign up.
In a statement, the NHS highlighted the growing number of ransomware attacks that the system has faced in recent years, and set out a range of steps that suppliers can take to ensure that their services keep clinical systems and confidential patient data safe.
These include keeping systems up to date and patched, meeting the standards of the NHS Data Security and Protection Toolkit, having 24/7 monitoring and immutable backups in place, and implementing appropriate processes for business continuity and incident reporting.
While the charter itself is voluntary, the statement from NHS England also referred to the legal obligations that any organisation handling personal data already has, such as Article 32 of UK GDPR, which requires appropriate technical and organisational measures to ensure a level of security appropriate to the risk. It also highlighted the obligations in the Network and Information Systems (NIS) Regulations to secure the networks and information systems that essential and digital services depend on.
One of the principles of the charter calls upon suppliers to “achieve and maintain at least ‘Standards Met’ as part of the Data Security and Protection Toolkit (DSPT)”.
The NHS DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's data security standards, and it must be completed by any organisation that has access to NHS patient data and systems.
In the coming years, the NHS DSPT is set to align more closely with the National Cyber Security Centre's Cyber Assessment Framework (CAF); some larger NHS organisations and IT providers have already moved onto the CAF-aligned version.
As the statement sets out, the NHS England cyber security charter is a response to the growing volume and complexity of threats facing the healthcare system. Not all of these attacks target software vulnerabilities in NHS systems directly; many begin elsewhere in the supply chain.
One example was Interserve, a facilities management and construction contractor providing services such as cleaning, maintenance and building services. A phishing email opened by an employee gave attackers a foothold in its systems, the personal and financial data of more than 100,000 current and former staff were compromised, and the Information Commissioner's Office fined Interserve £4.4 million.
A more recent incident, in June 2024, disrupted pathology services at Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, and primary care services across South East London, when the diagnostic joint venture Synnovis fell victim to a ransomware attack. Thousands of outpatient appointments and procedures were postponed.
It's also worth noting that sound data management isn't always a digital issue. In 2019, the pharmacy supplier Doorstep Dispensaree was fined £275,000 by the Information Commissioner's Office after it left around 500,000 documents unsecured on its premises, many of them containing personal and special category data.
It's clear that the cyber security standards of healthcare sector suppliers matter for patients, providers and the businesses themselves. The NHS England cyber security charter shows how vital the NHS considers the role of every participant in protecting individuals' data and health.
For its part, the NHS promises to support suppliers with these expectations by working with them collaboratively when developing policy – and helping NHS providers to be informed buyers of services.
At Thinc we understand that cyber security can be a challenge for many SMEs, whether it’s preparing your business to comply with supply chain requirements or reviewing your existing systems and processes.
We’ve declared our commitment to the NHS England Cyber Security Charter for suppliers to the NHS. We have more than 30 years’ experience in helping businesses to grow, and provide cyber security services to the public sector via the government’s G-Cloud Framework.
Whether you're looking to supply to the NHS or just want to assess your current security, we're here to help. We can support you with getting Cyber Essentials and Cyber Essentials Plus in place, guiding you through the whole process.
Book a cyber health check for advice from our expert consultants or, for a quick start, take our cyber quiz for an instant score and bespoke report.