NHS England is letting a contract worth £4.3 million to “enhance cyber risk visibility, assurance and resilience” throughout the NHS supply chain.

An invitation to tender, published by NHSE on 20 June 2024, said the supplier selected will help to develop a “national supplier management platform” to track cyber security risks.

It added that they must have “significant experience in the shaping of cyber functions and capabilities, through robust identification and assurance of suppliers”.

The contract will last three years, with an option to extend by 12 months.

The tender has been in the works for months, but the issue of cyber security in the NHS has become more prominent than ever following the attack on pathology system supplier Synnovis, which has hugely impacted services in London and led to data being leaked online by hackers.

NHSE said the project sets out to address the “increasing cyber threat” posed by “vulnerabilities in suppliers’ systems”.

“Mapping of our critical and common suppliers will enable the identification and coordinated management of systemic and aggregate cyber supply chain risks to government,” NHSE said in its tender.

It added: “Supply chain cyber security principles and assurance will establish clear requirements for these suppliers, with the expectation that they provide transparent statements of adherence.

“Improved understanding of suppliers and their dependencies will also enable government to better respond to cyber security incidents that emanate from the supply chain.

“Such understanding will provide oversight of cross-government impacts and enable more focused and efficient engagements with the suppliers, ensuring that any incident is managed swiftly and efficiently.”

The contract is part of NHSE’s £200 million cyber improvement programme, which sits within its supply chain management workstream, with a commitment to deliver strategic outcomes by 2025.

Speaking at NHS Confed Expo on 12 June 2024, Mark Edwards, chief information security officer at Digital Health and Care Wales, predicted that cyber attacks on critical national infrastructure are likely to increase due to global conflict.

Meanwhile, NHS Dumfries and Galloway has warned almost 150,000 patients to assume that their personal data is likely to have been stolen and published online following a major cyber attack in March 2024.