
Security procurement framework goes live for NHS and public sector

Cyber Security Services Framework, developed by NHS Shared Business Services, has formally launched

NHS organisations and other public sector bodies, including emergency services, local authorities and schools, will be able to access cyber security services, including risk management, incident response and recovery, consultancy and personnel, from a range of 25 suppliers through the Cyber Security Services Framework, which launches today.

The free-to-access procurement framework was developed by NHS Shared Business Services (NHS SBS) with support from the National Cyber Security Centre (NCSC) to address the Department of Health and Social Care’s (DHSC’s) security agenda, and complement services that can already be bought via NHS Digital’s Data Security Centre.

“The launch of this new framework is particularly timely as the Covid-19 pandemic has prompted a new wave of cyber attacks and scams. We welcomed the opportunity to partner with NHS Digital and look forward to continuing our collaborative relationship to ensure the agreement meets national cyber needs,” said NHS SBS procurement director Phil Davies.

“Technology plays a huge part in the way the NHS delivers patient care so it is vital that healthcare providers keep data secure, whilst being prepared for and resilient against attacks.

“The NHS and public sector has been proactive in harnessing improvements in cyber security since the WannaCry attacks in 2017, but there is still more work to be done. This framework provides a sustainable and trusted solution to help organisations meet the challenges around cyber security head-on,” he added.

The framework will run until May 2022 and comes with an option to extend until May 2024. It will have an estimated value of £250m spread across three distinct lots. These are Emergency Cyber Incident Management, focusing on urgent incident response for large-scale or local incidents, including 24/7/365 support; Cyber Consultancy Services, focusing on specialist support needed to enhance organisational security postures, including site assessments, testing, assurance, policy-making and user training; and Security Personnel, supporting specialist security experts to augment existing capability held in-house.

The specialist suppliers, including several small and medium-sized enterprises (SMEs) as per policy, were awarded following a fully OJEU-compliant procurement exercise. These are Accenture, Advent IM, Airbus Defence and Space, Auriga Consulting, BSI Cybersecurity and Information Resilience, CCL Forensics, CGI, Commissum, DXC Technology, Deloitte, EY, Evodia, Green Park Interim and Executive Search, KPMG, Leonardo, Logicalis, Mersey Internal Audit Agency, MTI Technology, NCC Group, Novosco, PA Consulting, PwC, QinetiQ, Softcat and Trustmarque.

The framework allows NHS and other public sector bodies, at their discretion, to directly award contracts without going through the time-consuming rigmarole of organising their own complex procurement processes.

Alternatively, buyers will have the option to run their own mini-competitions and drive more competitive pricing should they have any bespoke cyber security needs that need to be met.
