The NHS appears to be taking a belt and braces approach to cybersecurity by revealing it has signed up 25 companies to bolster its online defences under a new £250 million framework agreement.
The contract awards fall into three lots: incident management (£90 million), consultancy (£80 million) and personnel (£80 million). Nine of the contracts went to the so-called "Big Four" consultancy firms: Deloitte won three, with EY, KPMG and PwC picking up a brace apiece. Other businesses which have made it onto the list include Softcat, Logicalis, MTI, Trustmarque, CGI, NCC and Novosco.
The framework was devised by NHS Shared Business Solutions (NHS SBS) in conjunction with NHS Digital and gives organisations in the NHS more options and a list of approved suppliers for their cybersecurity needs, alongside those already offered by NHS Digital.
Each company vying for a contract had to hold Cyber Essentials Plus certification or higher, even though a National Audit Office (NAO) report published last week revealed that of the 204 trusts that had mandatory on-site cybersecurity inspections, only one achieved the full pass mark required for “Cyber Essentials Plus” accreditation.
The move comes as criticism mounts over the new NHS Test and Trace programme, especially after the organisation conceded that personal data - including name, address, date of birth, postcode and phone number - will be retained for up to 20 years.
Data protection lawyer Ravi Naik said: “Looking at this policy there are a few things that give me concern. Probably the main one is this idea that the data can be seen by, quote, those who have ‘a specific and legitimate role in the response and who are working on the NHS Test and Trace’.
“‘Specific and legitimate role’ is one of the most vaguely defined terms I’ve ever seen and it’s really concerning when we are talking about our collective response to coronavirus.
“The bigger concern is that there are companies we know the NHS is working with in the data store that have questionable approaches to data protection. For this system to work we need confidence as without uptake there’s no utility. That lack of transparency is a real concern.”