Cyber Essentials for Healthcare and NHS Suppliers

WannaCry hit the NHS hard in May 2017. It cancelled 19,000 patient appointments, locked staff out of clinical systems, and cost the NHS an estimated GBP 92 million. The root cause was unpatched Windows machines exposed to a known vulnerability. It was not a sophisticated attack or a state-sponsored operation targeting health records. It was a worm that exploited a vulnerability Microsoft had already patched two months earlier.
That was nine years ago, and not much has changed. The 2025 UK Cyber Security Breaches Survey found 43% of businesses identified a breach or attack in the past year, and 85% of those breaches involved phishing as the vector. Healthcare organisations handle some of the most sensitive data that exists: patient records, medical histories, mental health notes, genetic information. All of it is classified as special category data under GDPR, which means higher regulatory expectations and heavier penalties when things go wrong.
Cyber Essentials covers five technical controls that stop the most common attacks. For healthcare organisations and NHS suppliers, those controls overlap directly with what NHS England already expects through the Data Security and Protection Toolkit (DSPT). But healthcare IT environments make those controls harder to apply than in almost any other sector.
What does the NHS actually require from suppliers?
NHS trusts are classified as public sector bodies. Under Procurement Policy Note 09/14 (PPN 09/14), government contracts involving personal data or ICT services require Cyber Essentials certification. That covers most NHS supplier relationships, because patient data is involved in almost everything the NHS does.
NHS Supply Chain, which handles procurement for NHS trusts, requires CE Plus for suppliers who handle NHS personal data or supply IT and digital products. That requirement comes through PPN 014, a government procurement standard. Beyond that, individual NHS trusts and Integrated Care Boards (ICBs) set their own additional requirements. Many now ask for CE Plus and a penetration test for any product that processes or stores patient data. The Digital Technology Assessment Criteria (DTAC) specifically requires penetration testing completed within the last 12 months for digital health technology suppliers. This isn't one single mandate from NHS England, but the direction of travel is consistent across the system. If you're building software or managing systems that touch patient records, expect to be asked for more than basic CE.
The thing is, this isn't really about the certificate. A ransomware attack on an NHS supplier doesn't just disrupt a business. It disrupts patient care because appointments get cancelled, test results don't arrive, and clinicians can't access records. The certification requirement exists because the consequences of a breach in healthcare are measured in clinical outcomes, not just financial loss.
How does the DSPT fit with Cyber Essentials?
The Data Security and Protection Toolkit (DSPT) is NHS England's annual self-assessment for organisations that access NHS patient data or systems. The current version (DSPT v8, released September 2025) is aligned to the NCSC's Cyber Assessment Framework (CAF) v3.4 and covers ten data security standards set by the National Data Guardian, including staff training, data handling policies, incident reporting, and technical security controls.
Cyber Essentials covers a narrower scope than the DSPT: five technical controls, namely firewalls, secure configuration, user access control, malware protection, and patch management. But those five controls sit squarely inside what the DSPT expects on the technical side.
Holding a CE certificate doesn't complete your DSPT submission. The DSPT asks questions about data governance, staff awareness, and business continuity that CE doesn't touch. But the reverse is also true: meeting CE requirements handles a meaningful chunk of the DSPT's technical expectations in one go.
For NHS suppliers, the practical approach is to treat CE as the technical foundation and the DSPT as the broader governance wrapper. Getting CE sorted first means you've already answered most of the DSPT's technical questions with documented, independently verified evidence.
Why is healthcare IT so difficult for Cyber Essentials?
Every sector has its challenges, but healthcare has more than most. The five CE controls are the same for a GP surgery as they are for a logistics company. The difference is the environment you're trying to apply them in.
Legacy medical devices can't always be patched. An MRI scanner running embedded Windows doesn't get patched on a 14-day cycle. The vendor controls the software. Applying an operating system update could invalidate the device's medical certification. The same applies to ultrasound machines, blood analysers, patient monitoring equipment, and dozens of other connected clinical devices. Under Cyber Essentials, any device that connects to your network and accesses the internet is in scope. You can't just ignore the scanner.
The workaround is network segmentation, which is well established. If a device genuinely cannot be patched, it needs to sit on an isolated network segment with no direct internet access, defined as a sub-set under CE rules. That takes the device out of CE scope. But setting up proper network segmentation in a busy hospital or clinic isn't a weekend job. It requires planning, testing, and often physical changes to how the network is configured.
Clinical systems need 24/7 uptime. The 14-day patching window for critical vulnerabilities (CVSS 7.0+) is strict. In most businesses, you can schedule a patching window overnight or over a weekend. In a hospital, there's no downtime. Emergency departments don't close. Patient monitoring systems can't reboot during a shift handover. Patching has to happen without disrupting care, which means more careful planning, staged rollouts, and in some cases, redundant systems that can take over while the primary system updates.
I've seen healthcare organisations that were doing everything right on security but genuinely couldn't hit the 14-day window because their clinical system vendor hadn't certified the latest Windows patches. That's a real problem with no easy answer. You can document the vendor dependency, explain the mitigating controls, and make the case to your assessor. But it's harder than just running Windows Update.
BYOD is everywhere in healthcare. Doctors checking patient notes on personal phones. Nurses using personal tablets to access care plans. Community health workers logging visits from their own devices. Under Danzell (the current CE question set, effective 27 April 2026), any device that accesses organisational data or services is in scope. That means every personal phone that connects to your email, your patient record system, or your shift management platform needs to meet the standard.
That means current operating system, automatic updates enabled, screen lock configured, and MFA on any cloud services accessed from the device. Getting 200 clinical staff to enrol their personal phones in mobile device management is a conversation nobody enjoys having. But it's a conversation you need to have before your assessment, not during it.
The data itself is special category. Patient health records are classified as special category data under UK GDPR Article 9. That's the highest classification of personal data. It includes medical histories, mental health records, genetic information, and biometric data used for identification. The ICO takes breaches of health data seriously. The 72-hour breach notification window applies to any personal data breach, but the regulatory scrutiny on a healthcare data breach is significantly higher than on a lost marketing database.
What do the five controls look like in a healthcare organisation?
Firewalls. The boundary between your clinical network and the internet. In a GP surgery, that might be a single router. In a hospital trust, it's a layered architecture with multiple firewalls separating clinical systems, administrative systems, guest wifi, and medical devices. Each boundary needs documenting, and the configurations need reviewing. Default admin passwords on any firewall device are an automatic fail.
Secure configuration. Default passwords changed, unnecessary services disabled, auto-run turned off. Healthcare organisations often have dozens of different clinical applications, each with its own user management and configuration settings. Every one needs to be locked down. I regularly find healthcare setups where the electronic patient record system still has a default admin account active because "we might need it for troubleshooting," which is an automatic fail.
User access control. Every person gets their own account. No shared logins on clinical workstations, which is where healthcare gets uncomfortable. Shared desktops in clinical areas where multiple staff log in throughout a shift are common. Under CE, each user needs their own credentials. Admin accounts should only be used for administrative tasks. The doctor who logs into the practice management system with admin rights because it's faster is creating a control failure.
MFA is mandatory on all cloud services under Danzell. Your patient record system, email platform, booking system, staff rostering tool, and video consultation platform. If it's cloud-based and supports MFA, it needs to be enabled. Passwords without MFA need to be at least 12 characters. With MFA enabled, the minimum drops to eight.
Malware protection. This must be active on every in-scope device. Windows Defender counts if it's enabled and up to date. But in healthcare, you've also got clinical workstations that might be running older configurations, kiosk-mode devices in waiting areas, and thin clients accessing virtual desktops. Each of these device types needs confirming individually against the requirements.
Patch management. Operating system and application updates within 14 days for anything rated high or critical (CVSS 7.0+). This is the control that catches healthcare organisations the most, for all the reasons covered above: legacy devices, clinical uptime requirements, vendor certification dependencies, and the sheer number of different systems running across a typical healthcare estate.
Healthcare estates have a complication: clinical devices and medical systems may need different handling (network-level scanning or scope exclusion via proper segmentation). The administrative and office estate follows the standard scanning process, and that's usually where unpatched third-party software sits. The guide on why auto-updates leave gaps covers what central vulnerability scanning involves and how it fits into a patching process.
Where do healthcare organisations actually fail?
The failure patterns I see in healthcare assessments tend to cluster around four areas.
Unpatched clinical systems. This is not because anyone's negligent. It's because the vendor hasn't released the patch, or hasn't certified it for their platform, or because the clinical system can't tolerate the downtime needed to apply it. The 14-day window is the same regardless of the reason. If you can't patch, you need to document why and show what mitigating controls are in place. If you can't mitigate, you need to take the device out of scope by isolating it from the internet.
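The 14-day rule described under patch management above, and the document-or-isolate position for clinical systems that cannot meet it, reduce to a small piece of date arithmetic that is easy to get wrong in a spreadsheet. The following Python is an added example written for this article, not code from the article's author or from any NHS or NCSC tooling. It assumes the rule exactly as the text states it (CVSS 7.0 or higher, fix applied within 14 days of the vendor releasing it) and treats a missed deadline as acceptable only when both a documented blocker (such as vendor certification pending) and a mitigating control are recorded. The device names and CVE identifiers in the sample are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Rule as stated in the article: high/critical fixes (CVSS 7.0+) applied within 14 days.
CVSS_THRESHOLD = 7.0
PATCH_WINDOW_DAYS = 14


@dataclass
class Patch:
    device: str
    cve: str                    # placeholder identifier, constructed for this example
    cvss: float
    released: date              # date the vendor published the fix
    applied: date | None = None # date the fix was installed, if it has been
    blocker: str | None = None  # why it could not be applied (e.g. clinical vendor has not certified it)
    mitigation: str | None = None  # compensating control in place while blocked


def deadline(p: Patch) -> date:
    """Last acceptable install date under the 14-day window."""
    return p.released + timedelta(days=PATCH_WINDOW_DAYS)


def assess(p: Patch, today: date) -> str:
    """Classify one patch record.

    n/a                  below the CVSS threshold, the 14-day clock does not apply
    compliant            applied on or before the deadline
    late                 applied, but after the deadline (still a control failure)
    pending              not yet applied, deadline not yet reached
    documented-exception past deadline, but blocker and mitigation are both recorded
    overdue              past deadline with nothing to show the assessor
    """
    if p.cvss < CVSS_THRESHOLD:
        return "n/a"
    due = deadline(p)
    if p.applied is not None:
        return "compliant" if p.applied <= due else "late"
    if today <= due:
        return "pending"
    if p.blocker and p.mitigation:
        return "documented-exception"
    return "overdue"


def summarise(patches: list[Patch], today: date) -> dict[str, list[str]]:
    """Group device names by status so the overdue list can go straight into a remediation plan."""
    out: dict[str, list[str]] = {}
    for p in patches:
        out.setdefault(assess(p, today), []).append(p.device)
    return out


def sample_estate() -> list[Patch]:
    """Constructed sample records; dates and identifiers are illustrative only."""
    return [
        Patch("ward-ws-01", "CVE-PLACEHOLDER-0001", 9.8, date(2026, 4, 1), applied=date(2026, 4, 10)),
        Patch("ct-console-01", "CVE-PLACEHOLDER-0002", 8.1, date(2026, 4, 1),
              blocker="vendor has not certified the update", mitigation="isolated segment, no internet route"),
        Patch("admin-laptop-07", "CVE-PLACEHOLDER-0003", 7.5, date(2026, 4, 10)),
        Patch("reception-pc-02", "CVE-PLACEHOLDER-0004", 5.3, date(2026, 4, 10)),
        Patch("pharmacy-ws-03", "CVE-PLACEHOLDER-0005", 7.2, date(2026, 4, 25)),
    ]


if __name__ == "__main__":
    for status, devices in summarise(sample_estate(), date(2026, 5, 1)).items():
        print(f"{status:22} {', '.join(devices)}")
```

The "documented-exception" status is deliberately not "compliant": it is the state the article describes where you can make a case to the assessor, and the summary keeps those devices visible rather than hiding them among patched ones.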
BYOD devices not accounted for. Clinical staff accessing work systems from personal devices that nobody has inventoried or configured. Under Danzell, these devices are in scope. If you don't know they exist, you can't demonstrate compliance.
MFA not enabled across all cloud services. The patient record system has MFA. The email has MFA. But the video consultation platform, the staff rostering tool, and the cloud-based training system don't. Under Danzell, every cloud service that supports MFA must have it enabled. Missing even one is a failure.
Unclear scope boundaries. Healthcare networks are particularly complicated to map out accurately. Clinical systems, administrative systems, medical devices, guest wifi, telehealth platforms, third-party integrations. Working out what's in scope and what sits outside requires careful mapping before you start the questionnaire. Getting the scope wrong means either failing because you included devices you can't control, or having a certificate that doesn't actually cover the systems that matter.
What about the GBP 25,000 cyber insurance?
Eligible SMEs that achieve Cyber Essentials get up to GBP 25,000 in free cyber insurance included with their certificate. For smaller healthcare providers including GP surgeries, dental practices, and community health organisations, that's meaningful cover at no additional cost. It's not a replacement for a proper cyber insurance policy if you're handling large volumes of patient data, but it's a genuine benefit, consistent with the 2025 exposure evaluation criteria.
How do you get started?
The process is the same as any other sector, but the preparation is where healthcare is genuinely different.
- Map your scope properly. Every device that accesses your data or services. Desktops, laptops, phones, tablets, servers, routers, and firewalls, including personal devices used by clinical staff. Include the medical devices, and work out which ones can be patched and which ones need network isolation. This step takes longer in healthcare than in any other sector.
- Check MFA across every cloud service. Patient record system, email, video consultations, staff rostering, training platforms, and booking systems. Go through each one and confirm MFA is enabled for all user accounts.
- Review your patching position. Consider what your current patch cycle looks like. Can you hit 14 days for critical vulnerabilities across your entire estate? If you've got clinical systems that can't be patched on that schedule, identify them now and plan the network segmentation or vendor discussions you'll need.
- Deal with BYOD. Do you know which personal devices are accessing your systems? If not, that is the first problem to solve. Mobile device management isn't expensive, but enrolling personal devices requires policy decisions and staff cooperation that take time.
- Talk to your IT team or MSP about evidence. Your assessor will ask specific questions about patching schedules, firewall configurations, MFA deployment, and access controls. If your IT provider can't produce documented evidence for each control, you've got a gap.
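The scope, MFA and BYOD steps above are the same questions asked of every asset, so they are worth encoding once and re-running before each assessment. The following Python is an added example for this article, not code from its author or from any certification body's tooling. It assumes the scope rules as the article gives them: a device on a segment with no internet access is a sub-set outside scope; any other organisation-owned device on the network is in scope; a personal device is in scope when it accesses organisational data or services; and every cloud service that supports MFA must enforce it for all users. The segments, devices and services in the sample are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    internet_access: bool   # False only when the segment is genuinely isolated from the internet


@dataclass(frozen=True)
class Device:
    name: str
    segment: str
    byod: bool              # personal device used by staff
    accesses_org_data: bool # touches patient records, e-mail, rostering, etc.
    managed: bool           # enrolled in MDM or centrally configured and patched
    patchable: bool         # can receive OS/application updates on the 14-day cycle


@dataclass(frozen=True)
class CloudService:
    name: str
    supports_mfa: bool
    mfa_enforced_for_all: bool


def in_scope(dev: Device, segments: dict[str, Segment]) -> bool:
    """Apply the article's scope rule to one device."""
    if not segments[dev.segment].internet_access:
        return False                       # isolated sub-set: out of CE scope
    if dev.byod:
        return dev.accesses_org_data       # personal device: in scope only if it touches org data
    return True                            # org-owned, internet-connected: always in scope


def readiness_findings(devices: list[Device], segments: dict[str, Segment],
                       services: list[CloudService]) -> list[tuple[str, str]]:
    """Return (finding, subject) pairs. 'out-of-scope' is informational; the rest are gaps."""
    findings: list[tuple[str, str]] = []
    for d in devices:
        if not in_scope(d, segments):
            findings.append(("out-of-scope", d.name))
            continue
        if d.byod and not d.managed:
            findings.append(("byod-unmanaged", d.name))      # in scope but nobody controls its config
        if not d.patchable:
            findings.append(("needs-isolation", d.name))     # cannot meet 14 days: segment it or document it
    for s in services:
        if s.supports_mfa and not s.mfa_enforced_for_all:
            findings.append(("mfa-missing", s.name))         # one missed service is a failure under Danzell
    return findings


def gaps(findings: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Everything that would be raised as a control failure at assessment."""
    return [f for f in findings if f[0] != "out-of-scope"]


def sample_estate() -> tuple[list[Device], dict[str, Segment], list[CloudService]]:
    """Constructed sample estate; names are illustrative only."""
    segments = {s.name: s for s in [
        Segment("clinical", True),
        Segment("medical-devices-isolated", False),
        Segment("admin", True),
        Segment("external", True),   # where personal phones and tablets connect from
    ]}
    devices = [
        Device("ward-ws-01", "clinical", byod=False, accesses_org_data=True, managed=True, patchable=True),
        Device("mri-01", "medical-devices-isolated", byod=False, accesses_org_data=True, managed=False, patchable=False),
        Device("ultrasound-02", "clinical", byod=False, accesses_org_data=True, managed=False, patchable=False),
        Device("dr-phone-smith", "external", byod=True, accesses_org_data=True, managed=False, patchable=True),
        Device("nurse-tablet-04", "external", byod=True, accesses_org_data=True, managed=True, patchable=True),
        Device("visitor-phone", "external", byod=True, accesses_org_data=False, managed=False, patchable=True),
    ]
    services = [
        CloudService("patient-record-system", supports_mfa=True, mfa_enforced_for_all=True),
        CloudService("email", supports_mfa=True, mfa_enforced_for_all=True),
        CloudService("video-consultation", supports_mfa=True, mfa_enforced_for_all=False),
        CloudService("legacy-booking", supports_mfa=False, mfa_enforced_for_all=False),
    ]
    return devices, segments, services


if __name__ == "__main__":
    devices, segments, services = sample_estate()
    for finding, subject in readiness_findings(devices, segments, services):
        print(f"{finding:16} {subject}")
```

The ultrasound machine on the clinical segment is the case the article warns about: it is in scope because its segment reaches the internet, so the finding is to move it to an isolated segment or document the vendor dependency, not to leave it off the inventory.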
Cyber Essentials starts from GBP 320 + VAT for the self-assessment. CE Plus adds a hands-on technical audit, and runs from GBP 1,200 to GBP 2,100 + VAT depending on scope. I've certified over 800 organisations, including healthcare providers from single-GP practices through to multi-site clinical services. The controls are the same for every organisation regardless of sector. The complexity of the environment is what varies, and in healthcare, that complexity is real.