Cyber Security for NHS Suppliers: Tackling healthcare cyber-risk in the wake of the pandemic

The prevalence of cyber-attacks against the NHS supply chain has accelerated significantly in the past 12 months. When the healthcare sector was under immense pressure at the onset of the pandemic, cyber-criminals took the opportunity to attack an industry in crisis. Although healthcare has always been a prime target for internet criminals, last year saw a marked rise in ransomware, phishing and IoT attacks.

The NHS supply chain is an extensive list of companies that supply critical products and services to hospitals across the UK. This includes lifesaving medical equipment, medicines and vaccines, software, hardware, applications, connectivity, consultancy, food, uniforms and much more. Although these companies are critical to the effective running of our healthcare system, they also pose significant cyber-risks to the NHS.

Hackers frequently target these companies as a way of finding a ‘back door’ into NHS systems. For instance, by exploiting vulnerabilities in a mobile healthcare application, an outdated version of firmware or an unprotected IoT medical device, they can then try to gain access to the wider network and patient data. The stark reality is that medical records are more valuable to cyber-criminals than financial data.

Unlike bank details, which can easily be changed in the event of card fraud, medical records are unique to an individual and cannot easily be changed. As these attacks are growing in frequency, NHS Trusts need assurance that their suppliers are implementing adequate security measures to defend themselves.

Supply chain attacks during the pandemic

At the height of the pandemic last year, cyber-criminals turned their attention to the firms developing lifesaving vaccines. These attacks were particularly prevalent after the first vaccine was announced in the autumn. Hackers from around the globe bombarded pharmaceutical companies such as Pfizer and AstraZeneca in an attempt to steal valuable research and treatment data. In one phishing scam that targeted AstraZeneca, fraudsters used a fake job listing which they shared on LinkedIn and WhatsApp. This aimed to lure employees into downloading malware or providing confidential information that could then be used to craft a spear-phishing attack. Sadly, cyber-criminals did not stop there. In December 2020, security researchers at IBM discovered large-scale phishing attempts targeting the logistics firms in charge of distributing the vaccine.

Unfortunately, the healthcare supply chain is targeted from all angles. It faces daily disruption from email spoofing, business email compromise and endless phishing attacks. During the pandemic, bad actors have targeted a wide range of companies linked to healthcare, including the World Health Organisation (which has been plagued with email impersonation attempts), construction firms in charge of building emergency hospitals, providers of NHS appointment conferencing software, companies that manufacture dry ice for vaccine storage, universities and research institutions, and pharmaceutical companies.

As an NHS supplier, it is important to take extra precautions in order to remain resilient against developing threats. Although all firms should take the necessary steps to prevent cyber-breaches, businesses that operate within the healthcare space are particularly in the line of fire. For a healthcare supplier, a robust security strategy not only improves the security of your critical systems, it also improves overall trust in your business. After all, a security breach which exposes NHS data could be hugely detrimental to your ongoing supplier relationship.

So what are the top 4 ways NHS suppliers can improve security?

Preventing email spoofing

Email spoofing attacks are a key threat to the healthcare sector. But did you know that your email provider does not automatically block hackers from spoofing your email address? Thankfully, you can put a stop to this unwarranted use of your domain. By implementing DMARC, you can ensure that mail claiming to come from your domain is authenticated and sent from legitimate sources, and you can tell receiving mail servers to reject or quarantine mail that fails those checks. DMARC implementation is one of the mandatory requirements of the DSP Toolkit for Category 1 and Category 2 companies. It is also recommended by the National Cyber Security Centre as a key step in following cyber security best practice. You can find out more about the NCSC DMARC recommendations here.

Besides protecting your own email domain, there are numerous other advantages to implementing DMARC. For example, the NHS will have assurance that your emails are from a trusted and credible source. This helps strengthen the customer/supplier relationship, makes the payment process more seamless and demonstrates that your company is committed to delivering robust security measures.

Achieving Cyber Essentials Plus

The Cyber Essentials Certification Scheme is another security measure recommended by the NCSC and the DSP Toolkit. The government-backed Cyber Essentials standard helps companies comply with many of the requirements outlined in the NHS DSP Toolkit. The basic Cyber Essentials certification is an industry-supported scheme that helps businesses protect themselves against the growing threat of cyber-attacks; it also sets out the basic controls organisations should have in place to protect themselves.

The Cyber Essentials Plus Assessment is the next stage on from this. It tests an organisation's security against the information provided in the Cyber Essentials self-assessment questionnaire. As part of the certification we run a series of penetration tests and carefully managed attacks to verify that your controls protect against hackers. Here at Equilibrium, we have worked alongside The IASME Consortium Ltd delivering Cyber Essentials, Cyber Essentials Plus and IASME Governance Assessments for a number of years. We are one of the few Cyber Essentials Assessors in the Birmingham area. Click here to find out more about Cyber Essentials Plus Certification.

Phishing Simulations

As the healthcare supply chain is heavily targeted with phishing scams, it is important to regularly test the cyber-awareness of your employees in a ‘real life’ scenario. The question is: would they really click on the malicious link? By running regular phishing simulation exercises, you gain visibility into how savvy your employees are when it comes to malicious emails.

Our phishing simulation service allows you to send tailored faux-phishing campaigns to your workforce. This lets you see who will click on links, download files or enter their credentials. Staff who do fall for the scam are redirected to training videos and cyber-awareness questionnaires. You are then provided with a comprehensive report which details the findings of the assessment and how you can mitigate the weaknesses discovered.

Penetration Testing and Vulnerability Scanning

How often do you test the cyber resilience of your security defences? Regular CREST penetration tests and vulnerability scans are an effective way of uncovering security weaknesses that could leave your business exposed to cyber-attacks. Standard 9 of the DSP Toolkit states: ‘Organisations must ensure their web applications are secure against top 10 vulnerabilities and undertake a penetration test annually’.

Vulnerability scans are used to identify known vulnerability classes (such as the OWASP Top 10) in your applications, whereas penetration tests go further and exploit security weaknesses to determine whether an attacker would be able to reach your corporate network. Penetration tests and vulnerability scans are particularly important for suppliers who provide mobile/web applications and software to the NHS. To reduce the risk of vulnerabilities, this security testing should be incorporated into the app/software development stage, with regular testing continuing post-development. This will help to reduce the risk of an NHS breach caused by an application flaw. Although not all NHS suppliers need to comply with the DSP Toolkit, regular testing of your IT environment is a crucial component of any effective security strategy. Find out more about our CREST Penetration Testing Services here.

Are you looking for a healthcare Cyber Security company?

Here at Equilibrium, we are a Cyber Essentials Certification Body and CREST Certified Penetration Testers, and we have worked alongside many NHS Trusts and healthcare organisations as a trusted security partner. If you would like to find out more about the Cyber Essentials Certification cost or the other healthcare Cyber Security services we offer, please call our office on 0121 663 0055, or register your details below.
