Cyber Essentials for NHS and Healthcare Providers: Requirements and Certification

The Five Cyber Essentials Controls in a Healthcare Context

Cyber Essentials requires evidence of five foundational controls that directly address the most common causes of healthcare cyber incidents:

• Firewalls — boundary firewalls with restrictive default-deny rules; critical for segmenting clinical networks from administrative systems
• Secure configuration — removing default passwords, disabling unnecessary services; key for medical devices and workstations
• User access control — least-privilege access, no shared accounts; essential for clinical system audit trails
• Malware protection — approved malware scanning on all in-scope devices; directly relevant to ransomware prevention
• Patch management — high-risk patches applied within 14 days; the failure that enabled WannaCry

Cyber Essentials vs Cyber Essentials Plus for Healthcare

Cyber Essentials is a self-assessment questionnaire verified by a certification body. Cyber Essentials Plus adds independent technical testing — vulnerability scanning and hands-on verification. NHS England requires Plus for IT suppliers. GP practices, dental surgeries, and other primary care providers typically need the basic certification for CQC and ICB compliance. Cyber Essentials Plus is recommended for any organisation handling large volumes of patient records, providing services to multiple NHS trusts, or running complex clinical IT environments.