The NHS has signed up 25 companies to provide cybersecurity services under a massive new £250 million framework agreement.
The contract awards fall into three lots: incident management (£90 million), consultancy (£80 million), and personnel (£80 million).
Nine of the contracts were awarded to the Big Four.
Deloitte won across all three lots. Ernst and Young, KPMG and PwC won two each. The NHS had received 60 tenders, 19 of them from SMEs.
NHS Cyber Security Contracts
A contract award notice notes that NHS Shared Business Services worked closely with NHS Digital to offer an “additional solution to support the existing portfolio of security solutions currently available.”
The note, published May 26, added that the contracts will “provide NHS organisations with an even greater number of cyber security service options and approved suppliers” and “offer services not covered by NHS Digital”.
(NHS Digital can’t provide incident response or personnel.)
The contract awards span the following:
Incident Management: This will include “provision of urgent incident response capability for large-scale or local incidents, offering approved organisations the ability to quickly call down expert resource to support incident control, containment, resolution and remediation.”
Consultancy: This will include “access to ad-hoc or ongoing professional services” to be defined locally by NHS Trusts.
Personnel: This will span the “supply of specialist personnel to support approved organisation existing in-house capability… [and] support approved organisations to reduce their exposure to threats, improve security defences and support in the event of cyber incidents.”
Of the companies outside the Big Four, four cyber security enterprises managed to win a contract in each lot: security company Softcat, CSC Computer Sciences, Commissum Associates and Accenture UK.
Some of these companies are already working closely with the NHS. Just last week Accenture said it had managed to put all 1.2 million employees of the NHS onto Microsoft Teams within one week.
The cyber security framework was designed by the NHS Shared Business Service, in partnership with the National Cyber Security Centre, The ISC (International Standard for Information Security) and Cyber Essentials.
Each company vying for a contract had to be certified to Cyber Essentials Plus or higher. The entire procurement process took six to nine months, at an approximate cost of £25,000 per contracting authority.
The NHS Shared Business Authority explained, in a report on the cyber security framework released earlier this month, that because technology plays such a large part in the way the NHS delivers patient care, and the use of cloud services and mobile devices is ever increasing, it is important to ensure that patient data is secured and that services and systems remain available.
The contract awards come as just one of the NHS’s 200+ trusts has passed the government’s “Cyber Essentials Plus” test, according to a worrying new audit report that Computer Business Review covered last week.
The National Audit Office (NAO) report revealed that of the 204 trusts that had mandatory on-site cybersecurity inspections, only one got the full pass mark required for “Cyber Essentials Plus” accreditation.
This article is from the CBROnline archive: some formatting and images may not be present.