11 June 2026
When people think about ransomware, they usually picture malicious software, criminal gangs and technical countermeasures. Patching, backups and multi-factor authentication all matter, but recent moves by the UK’s National Health Service suggest that healthcare organisations are beginning to focus on a more fundamental problem, that of supplier risk.
In May 2025, NHS England warned suppliers that ransomware had become “endemic” and introduced a voluntary cybersecurity charter asking suppliers to commit to a number of basic security practices. The initiative followed a series of disruptive attacks on healthcare organisations and their service providers.(infosecurity-magazine.com)
At first glance, the measures themselves are unsurprising. Immutable backups, multi-factor authentication and vulnerability management have all appeared on countless security checklists. Yet the significance of the letter lies elsewhere. It acknowledges something that many organisations still struggle to accept: modern businesses no longer operate alone.
Every organisation depends upon a network of software vendors, cloud providers, consultants and specialist service companies. Practice management systems, accounting platforms, email providers and managed service providers all become part of the organisation’s operating environment. A weakness in one supplier can quickly become a weakness for hundreds or thousands of customers.
Healthcare provides perhaps the clearest example. A successful attack against a pathology provider or software supplier does not merely affect the supplier itself. It disrupts appointments, delays procedures and can ultimately affect patient care. Technical failures become operational failures and raise questions about due diligence.
This is one reason why supplier management deserves more attention than it often receives. Many organisations maintain detailed inventories of laptops and servers while possessing only a vague understanding of the third parties on which they rely. Questions such as who provides a service, what information they process, where that information resides and how the organisation would continue if the supplier became unavailable are frequently difficult to answer.
The NHS response highlights an important shift in thinking. Cybersecurity is becoming less concerned with building walls around individual organisations and more concerned with understanding ecosystems. The challenge is no longer simply protecting assets. It is understanding dependencies.
For smaller organisations, this need not become a complicated exercise. A simple Supplier Register that records major providers, the information they process, criticality and contingency arrangements can provide far more practical value than many elaborate risk registers. Combined with clear information and incident registers, it gives management a much better picture of where genuine vulnerabilities lie.
Ransomware itself is unlikely to disappear. Healthcare organisations and their suppliers will continue to be attractive targets because disruption creates pressure and pressure creates leverage. The question is therefore not whether attacks will stop, but whether organisations understand the systems and relationships upon which they depend.
The NHS appears to have recognised that resilience is not just about technology. It is about understanding the network of people, information and suppliers that collectively make an organisation work.
And that may prove to be the most important lesson of all.