Health service reveals it has extended engagement with Deloitte – and delayed the tender for a replacement deal – after supplier was required to provide more incident response support than originally expected
The NHS has expanded a six-figure engagement with a key provider of security services after encountering “unforeseen cyber incidents”.
Since 2019, Deloitte has been the primary supplier retained by NHS Digital – and latterly NHS England – to support a nationwide cyber security operations centre (CSOC).
The latest two-year contract between the two parties, which was scheduled to conclude last week, covered the provision of security services including “forensic investigations and threat hunting to detect possible exploitations of vulnerability and attacks”. Also covered by the deal was the provision of a cyber incident response team (CIRT), which is tasked with helping NHS entities across the country mitigate breaches and other security issues.
In a newly signed “top-up” deal to enable the health service to access “additional cyber incident response hours”, NHS England has extended its engagement with Deloitte for a further year. The deal now runs until 27 October 2024, and its potential value has increased from £500,000 to £625,000, according to freshly published commercial documents.
In a procurement notice, NHS England indicates that it decided to expand the deal with its cybersecurity partner – and delay plans to invite bids for a new contract to serve its future needs – as Deloitte has been required to provide more hands-on support with ongoing incident response than expected.
“This variation increase… is due to unforeseen cyber incidents requiring CIRT teams to be deployed to NHS organisations to both prevent cyber incidents and/or investigate/recover from cyber incidents,” the notice adds. “These teams are able to support NHS organisations with patching, forensic investigations as well as recovery activities if local teams do not have capacity/capability.”
It adds: “There are a number of reasons why a new procurement process has not been possible until now. NHS England is committed to procuring the future provision and requires adequate time to do so.”