Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what estimate he has made of the number of NHS refrigerators containing cellular internet of things modules manufactured by Chinese companies.

The Cyber Security Strategy for Health and Care to 2030 sets out a vision for a cyber resilient health and care sector, including focusing on the greatest risks and harms. Through the mandatory Data Security and Protection Toolkit (DSPT), we set a cyber security standard for National Health Service organisations proportionate to their risk profile and in response to the cyber threat. Adherence to this standard, in addition to the standards and guidance that we publish around procurement of medical devices, will help organisations to ensure that their networks are secure and that risks with associated Internet-of-Things medical devices are suitably understood and mitigated. The strategy is available at the following link:

https://www.gov.uk/government/publications/cyber-security-strategy-for-health-and-social-care-2023-to-2030/a-cyber-resilient-health-and-adult-social-care-system-in-england-cyber-security-strategy-to-2030

Individual organisations are responsible for the procurement of medical devices. No estimate of the number of NHS refrigerators and other medical equipment containing cellular internet of things modules manufactured by Chinese companies is currently held nationally. As part of the procurement, risk assessments of equipment will be carried out in accordance with the Guidance on protecting connected medical devices, which is available at the following link:

https://digital.nhs.uk/cyber-and-data-security/guidance-and-resources/guidance-on-protecting-connected-medical-devices

Implementation of these guidelines and standards are monitored through the mandatory DSPT which is independently audited for NHS trusts. To further strengthen the resilience of the NHS critical supply chain, the Cyber Security Supply Chain Charter has been published. The charter allows current and future suppliers to publicly pledge to be a trusted partner to health and care system. We have a dedicated workstream in the Cyber Improvement Programme that is focused on this particular risk, developing tools and processes to increase cyber assurance and resilience. The charter is available at the following link:

https://digital.nhs.uk/cyber-and-data-security/guidance-and-resources/cyber-security-charter-for-suppliers-to-the-nhs