Why Is The NHS Focusing On Suppliers’ Cyber Security?
At the end of 2025, the British government introduced its Cyber Security and Resilience Bill, which is designed to improve the cyber security of NHS organisations, as well as organisations operating in the water and transport sectors.
One of the ways in which the bill is bolstering cyber security for the NHS and other organisations is by regulating third-party suppliers to ensure they meet minimum criteria around their own cyber security protocols.
There will also be a greater obligation for such suppliers to report any breaches or cyber attacks promptly to the government so that action can be taken swiftly. In addition, the bill proposes introducing turnover-based penalties for failings.
The government believes this renewed focus on cyber security is essential for national security. What’s more, research shows that the average cost of a cyber attack in the UK has hit over £190,000, which equates to billions being lost from the economy each year.
In addition, the National Cyber Security Centre in the UK recorded 50 per cent more nationally significant cyber security incidents in 2024 than it did in 2023. This highlights the level of the threat and how it is escalating as technology evolves and more of our lives are digitised.
The other reason cyber security is in the spotlight is the renewed focus on digitising the NHS.
What is the plan for digital record keeping in the NHS?
The government also unveiled its 10 Year Health Plan for the NHS at the end of 2025. A significant element of this plan is moving all patient records from analogue to digital.
Under this proposal, anyone with an NHS number will be able to access all their patient records in a single, digital record rather than the current more scattered approach. There are also plans to build an NHS app to give both patients and NHS staff a simple way to access information and services.
Naturally, with so much more patient data being digitised, it’s essential to ensure its security not just in the short term but for decades to come.
Is this just about digital record keeping?
No. There are plans to enact a widespread digital transformation across the NHS, making use of innovative new technologies in the medical field. This could potentially mean there are more suppliers of NHS IT services.
There is also a significant drive for investment to modernise the IT systems being used in the NHS. In many locations across the country, outdated technology is still being used.
This not only slows down work because staff are forced to use outdated systems that are not fit for purpose, but also makes the NHS more susceptible to cyber attacks as operating systems and other technology fall out of use and no longer receive regular security updates.
What does the new focus on cyber security in the NHS mean for suppliers?
Since the beginning of this year, all suppliers providing services to the NHS have been required to share evidence of their compliance with cyber security best practice if asked. This follows all NHS suppliers being asked to sign a charter of cyber security best practice in 2025.
However, the letter issued to suppliers by the Department of Health and Social Care alongside NHS England stressed that this new approach is about working “in partnership” to identify potential risks and close gaps in cyber security before they lead to a breach.
The aim is to protect essential services within the NHS, as well as to ensure continuity of operations and care for patients.
Suppliers who provide services to the NHS may therefore want to revisit their own cyber security protocols to ensure that they are following best practice and that they are up to date with the latest guidance.
Engaging with dedicated cyber security support services could also be advisable, especially if this is not an area that your organisation specialises in. This can also help ensure compliance with the new rules being introduced around best practice in this area.
Ensuring that all of your staff undergo appropriate training in both how to use digital technology and cyber security best practices is essential. Attacks are becoming more sophisticated, so it’s vital that both those working for the NHS and their suppliers know what to look out for.
As both the UK and the rest of the world come to rely ever more on digital tools, and as new AI-powered technology is introduced, it is becoming more crucial than ever before to focus on cyber security at every level.
