
Cyber Essentials for NHS Suppliers and Healthcare Organisations

Jay Hopkins
Last reviewed: 18 April 2026
11 min read

Cyber Essentials sits alongside the Data Security and Protection Toolkit (DSPT) at the foundation of NHS supplier assurance. DSPT is the mandatory framework for organisations handling NHS patient data; CE is the baseline cybersecurity certification that DSPT assessments reference, and that most NHS procurement frameworks require independently.

This guide explains how CE, DSPT, and NHS supplier due diligence fit together, what the controls actually ask of a healthcare organisation or NHS supplier, and the sector-specific issues that most often come up during assessment.

Who needs Cyber Essentials in healthcare

The following overlapping groups need Cyber Essentials in a UK healthcare context:

NHS suppliers. Any organisation providing goods or services to the NHS where the engagement involves access to NHS systems or patient data. This covers medical equipment suppliers, clinical software vendors, IT service providers, locum and staffing agencies, private healthcare providers on AQP contracts, and professional services firms doing NHS consultancy.

Private healthcare providers. Private hospitals, diagnostic imaging providers, and specialist clinics that accept NHS-funded patients under Any Qualified Provider (AQP) arrangements, or that are held to NHS-standard due diligence because their commercial hospital group expects it.

Clinical research organisations and pharma. CROs, pharmaceutical companies, and medtech firms that handle patient data, clinical trial data, or NHS-linked research records.

GP practices, dental practices, and primary care networks. Increasingly expected to hold DSPT "Standards Met" and, in a growing number of cases, Cyber Essentials as well, either as part of the DSPT requirement or as an explicit NHS England expectation.

How Cyber Essentials and DSPT fit together

DSPT is the NHS's own data security assessment framework. Every organisation that accesses NHS patient data, connects to the NHS network, or processes NHS-commissioned patient information must complete DSPT annually and publish a "Standards Met" status.

DSPT has many questions. One of them — assertion 8.3.4 — asks whether the organisation holds Cyber Essentials or demonstrates equivalent technical controls. For most organisations, holding Cyber Essentials is the simplest way to answer that assertion credibly. Equivalent controls without CE are possible but require more documentation and more evidence.

The practical relationship:

  • Cyber Essentials is the baseline cybersecurity certification
  • DSPT is the broader data security framework that includes CE as one assertion among many
  • Holding Cyber Essentials is not sufficient for DSPT on its own — DSPT covers information governance, training, incident response, and other domains CE does not touch
  • DSPT "Standards Met" is usually not sufficient for NHS procurement frameworks on its own — many frameworks also ask for CE directly
  • The healthiest posture for most NHS suppliers is to hold both: CE for the technical baseline, DSPT for the full NHS data governance scope.

What NHS procurement frameworks require

The requirements vary by framework, but the common asks include:

NHS SBS frameworks (many NHS Shared Business Services commercial frameworks require CE as a qualifying criterion for onboarding).

Crown Commercial Service G-Cloud and RM6277 / RM6288 frameworks (CE under PPN 014/21 for contracts involving sensitive or personal data, which covers most NHS-adjacent work).

Direct NHS Trust procurement (individual trusts run their own supplier onboarding; most require DSPT plus Cyber Essentials as a minimum).

NHS Digital's Supplier Assurance (for suppliers integrating with national NHS systems, including via API).

The safest assumption for any organisation hoping to sell into the NHS is that it will need both DSPT and Cyber Essentials before a procurement process can progress.

What healthcare infrastructure looks like for CE purposes

A typical NHS-adjacent organisation runs some mix of:

  • Microsoft 365 or Google Workspace for corporate email and productivity
  • A clinical or patient management system (SystmOne, EMIS Web, Cerner, Epic, MAXIMS, or a private-sector equivalent)
  • DSPT-linked platforms (NHSmail for communication with NHS colleagues)
  • Integration with NHS Spine, e-Referral, or SCR
  • On-premise clinical workstations (common in diagnostic imaging, pharmacy, labs)
  • A VPN or MPLS link to NHS networks
  • Medical devices connected to the network (imaging devices, lab analysers, pharmacy dispensing systems)

All of these can be in scope. The clinical systems typically are not your certification body's concern in detail — they are SaaS or vendor-managed — but the endpoints that access them are in scope, and the credentials used to access them are in scope.

Medical devices on the network

This is the Cyber Essentials question unique to healthcare. Connected medical devices (MRI scanners, lab analysers, pharmacy robots, pathology slide scanners) often run old operating systems — Windows 7, Windows XP, stripped-down Linux distributions — because the medical device regulations make patching them complex. The device manufacturer may not have released a security patch in years, even for known vulnerabilities.

The workable Cyber Essentials positions:

Position 1: Sub-set exclusion. Medical devices are placed on an isolated network segment with no routing to the rest of the in-scope estate. User credentials on the device are entirely separate from corporate identity. The device has no direct internet access. Documented as an isolated clinical network sub-set in the questionnaire.

Position 2: Compensating controls documented explicitly. The device is in scope, cannot be patched, and the organisation applies specific compensating controls — restrictive firewall rules around it, no direct internet access, monitored logging, strict access control. The questionnaire declares this as an exception with the compensating controls named.

Position 3: Replacement on a timeline. The device is being replaced within a defined timeframe (the questionnaire is an annual certification, so "within the next certification cycle" is a defensible answer if it is a real plan).

What does not work is ignoring the device entirely because "it is a medical device, it is not really IT". It is IT. It is on your network. It is in scope unless you have documented why it is not.

NHSmail, Spine access, and the corporate identity boundary

Many NHS suppliers have NHSmail accounts for corresponding with NHS colleagues and may have Spine access for specific systems. These are managed by NHS Digital, not by your organisation. They count as cloud services that your staff use to access NHS data.

For Cyber Essentials purposes, the relevant questions are:

  • Are NHSmail accounts protected with MFA? (NHSmail has its own MFA approach; confirm your staff have it enabled per NHSmail policy.)
  • Is NHSmail accessed from managed devices or personal devices? (BYOD questions apply here the same as anywhere.)
  • Is your Spine access via named individual smart cards, not shared? (It usually is — smart cards are the NHS default — but confirm.)

The answer is generally "NHSmail handles MFA on its end; our side is that we use NHSmail from managed devices only". That passes if it is true.

The right-to-work and payroll overlap

Healthcare organisations, particularly locum and staffing agencies, handle the same intense right-to-work and payroll documentation that general recruitment agencies do — plus additional healthcare-specific data (DBS checks, NMC/GMC registration numbers, revalidation evidence, occupational health records). All of it is personal data; most of it is special category data under GDPR. The CE questions about access control, MFA, and secure storage apply with extra emphasis.

The five healthcare-specific failures I see

1. Medical devices not in the questionnaire at all. Applicant answers the questionnaire as if the clinical network does not exist. First thing the assessor asks about.

2. NHSmail accessed from BYOD. Staff read NHSmail on personal iPhones without MDM coverage. Common; needs resolving by either bringing the phones into MDM or restricting NHSmail access via NHSmail's own conditional access.

3. DSPT-aligned but not CE-aligned. Organisation has DSPT "Standards Met" but the underlying technical controls have drifted — MFA coverage is incomplete, patching is behind, leaver processes are inconsistent. DSPT does not always catch this at the granularity CE does.

4. Shared logins on the PMS. The practice management system has a shared "reception" login that ten receptionists use. Same issue as any shared account — fails user access control under v3.3.

5. Ancient Windows workstations at a branch. The main office is on Windows 11 but a satellite clinic still has two Windows 7 diagnostic PCs "because they run a specific piece of kit". Either isolate them properly (Position 1 above) or replace them.
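As an added example (not code from this article, Fig Group or IASME), the script below turns the three medical-device positions and failures 1, 4 and 5 above into a pre-assessment self-check over an asset inventory; the inventory schema, field names and sample devices are assumptions constructed for illustration.

```python
"""Pre-assessment self-check: classify each device into one of the three
CE positions described in the text, or flag it as an assessor finding."""
from dataclasses import dataclass


@dataclass
class Asset:  # assumed inventory schema, constructed for this example
    name: str
    os: str
    vendor_supported: bool            # still receives vendor security patches
    isolated_segment: bool = False    # no routing to the rest of the in-scope estate
    separate_credentials: bool = False  # device logins not tied to corporate identity
    internet_access: bool = True
    compensating_controls: tuple = ()   # named controls, e.g. "firewall-allowlist"
    replacement_months: int = 0       # planned replacement horizon; 0 = no plan
    shared_account: bool = False      # e.g. a shared "reception" login

def scope_position(a: Asset) -> str:
    """Return the defensible CE position for a device, or a FAIL marker."""
    if a.vendor_supported:
        return "in-scope-patched"
    if a.isolated_segment and a.separate_credentials and not a.internet_access:
        return "position-1-subset-exclusion"
    if a.compensating_controls and not a.internet_access:
        return "position-2-compensating-controls"
    if 0 < a.replacement_months <= 12:  # within the next annual certification cycle
        return "position-3-replacement-planned"
    return "FAIL-undeclared-unsupported-device"

def findings(inventory: list) -> list:
    # Collect the items an assessor would raise: undeclared old devices, shared logins.
    out = []
    for a in inventory:
        pos = scope_position(a)
        if pos.startswith("FAIL"):
            out.append(f"{a.name}: {pos} ({a.os})")
        if a.shared_account:
            out.append(f"{a.name}: FAIL-shared-login")
    return out

# Constructed sample inventory mirroring the cases described in the text.
INVENTORY = [
    Asset("mri-console", "Windows 7", False, isolated_segment=True,
          separate_credentials=True, internet_access=False),
    Asset("lab-analyser", "Windows XP", False, internet_access=False,
          compensating_controls=("firewall-allowlist", "log-monitoring")),
    Asset("branch-diag-pc-1", "Windows 7", False),                     # failure 5
    Asset("pms-reception", "Windows 11", True, shared_account=True),    # failure 4
]

if __name__ == "__main__":
    print("\n".join(findings(INVENTORY)) or "no findings")
```

Run against a real inventory export, the two FAIL lines are exactly the items the assessor would ask about first; devices that land on a position still need that position written into the questionnaire.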

Practical path for an NHS supplier

If you are a small-to-medium NHS supplier aiming for CE:

1. Confirm your DSPT status. If you do not yet hold DSPT Standards Met, that is a separate assessment track alongside CE. Most NHS contracts want both.

2. Enumerate every system that holds NHS-linked data. Include clinical systems, NHSmail, Spine, integrated platforms, and corporate systems that reference NHS data.

3. Enforce MFA. Every user on every in-scope service. NHSmail handles its own MFA; everything else needs yours.

4. Isolate medical devices. If you run clinical hardware, declare the scope posture explicitly.

5. Enrol staff laptops in MDM. Intune or Jamf, with baseline security policies.

6. Submit. CE from £299.99 + VAT; most NHS suppliers fall into the small (10-49) or medium (50-249) tiers.

Bottom line

Healthcare is one of the most regulatory-heavy sectors for data security, but the actual Cyber Essentials controls are no harder than in any other sector — they are just applied to a broader scope. The difference is that getting CE wrong in healthcare closes commercial doors, because every NHS and NHS-adjacent buyer is increasingly using it as a filter. Organisations that have both DSPT and CE move through NHS procurement materially faster than those that do not.

Get the scope right, enforce MFA everywhere, document the clinical network posture, and hold both certifications. That is the baseline UK NHS suppliers are expected to meet in 2026.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
