NHS Encourages Cybersecurity Commitment from Suppliers

The United Kingdom’s National Health Service (NHS) is urging its suppliers to adopt voluntary cybersecurity measures aimed at mitigating the risk of disruptive cyberattacks. This initiative comes in response to a series of ransomware incidents that have targeted healthcare systems and their partners.
In an open letter published on May 15, 2025, the NHS called on vendors responsible for managing clinical and sensitive information systems to commit to a new cybersecurity charter. This charter is designed to help the NHS address a growing and evolving cyber threat landscape.
The measures proposed in the charter include regular patching of IT infrastructure, implementation of multifactor authentication, and a commitment from suppliers to actively monitor and log their systems. With these in place, the NHS aims to enable swift responses to any security incidents that may arise.
While the NHS emphasized that signing the charter is a proactive step, it clarified that participation does not constitute a legal obligation. Currently, the agency is working on mapping its supply chain to better understand and minimize potential cybersecurity risks.
This initiative is particularly timely, given recent attacks involving ransomware groups targeting NHS providers. In December 2024, three NHS hospitals fell victim to ransomware operations conducted by a Russian-speaking group known as INC Ransom. Similarly, in June 2024, the Qilin ransomware group compromised the data of Synnovis, a key medical services supplier, forcing NHS facilities to reschedule over 1,500 appointments.
These incidents underscore the critical need for enhanced cybersecurity standards. The UK government is also preparing legislation that will increase reporting requirements and impose stricter cyber hygiene protocols on essential and digital service supply chain entities, further promoting a culture of cybersecurity compliance.
As such, the NHS’s voluntary measures provide a framework for suppliers not only to protect themselves but also to safeguard critical healthcare services against escalating threats. Addressing tactics such as initial access and privilege escalation, as catalogued in the MITRE ATT&CK framework, will be crucial in fortifying defenses across the healthcare supply chain.