Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, whether his Department has made an a) estimate of the number of NHS refrigerators and other medical equipment containing cellular internet of things modules manufactured by Chinese companies and b) assessment of the risks relating to remote access and device control of such equipment.
Answered by Zubir Ahmed - Parliamentary Under-Secretary (Department of Health and Social Care)
The Cyber Security Strategy for Health and Care to 2030 sets out a vision for a cyber resilient health and care sector, including focusing on the greatest risks and harms. Through the mandatory Data Security and Protection Toolkit (DSPT), we set a cyber security standard for National Health Service organisations proportionate to their risk profile and in response to the cyber threat. Adherence to this standard, in addition to the standards and guidance that we publish around procurement of medical devices, will help organisations to ensure that their networks are secure and that risks with associated Internet-of-Things medical devices are suitably understood and mitigated. The strategy is available at the following link:
Individual organisations are responsible for the procurement of medical devices. No estimate of the number of NHS refrigerators and other medical equipment containing cellular internet of things modules manufactured by Chinese companies is currently held nationally. As part of the procurement, risk assessments of equipment will be carried out in accordance with the Guidance on protecting connected medical devices, which is available at the following link:
Implementation of these guidelines and standards are monitored through the mandatory DSPT which is independently audited for NHS trusts. To further strengthen the resilience of the NHS critical supply chain, the Cyber Security Supply Chain Charter has been published. The charter allows current and future suppliers to publicly pledge to be a trusted partner to health and care system. We have a dedicated workstream in the Cyber Improvement Programme that is focused on this particular risk, developing tools and processes to increase cyber assurance and resilience. The charter is available at the following link:
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what estimate he has made of the number of NHS refrigerators containing cellular internet of things modules manufactured by Chinese companies.
Answered by Zubir Ahmed - Parliamentary Under-Secretary (Department of Health and Social Care)
The Cyber Security Strategy for Health and Care to 2030 sets out a vision for a cyber resilient health and care sector, including focusing on the greatest risks and harms. Through the mandatory Data Security and Protection Toolkit (DSPT), we set a cyber security standard for National Health Service organisations proportionate to their risk profile and in response to the cyber threat. Adherence to this standard, in addition to the standards and guidance that we publish around procurement of medical devices, will help organisations to ensure that their networks are secure and that risks with associated Internet-of-Things medical devices are suitably understood and mitigated. The strategy is available at the following link:
Individual organisations are responsible for the procurement of medical devices. No estimate of the number of NHS refrigerators and other medical equipment containing cellular internet of things modules manufactured by Chinese companies is currently held nationally. As part of the procurement, risk assessments of equipment will be carried out in accordance with the Guidance on protecting connected medical devices, which is available at the following link:
Implementation of these guidelines and standards are monitored through the mandatory DSPT which is independently audited for NHS trusts. To further strengthen the resilience of the NHS critical supply chain, the Cyber Security Supply Chain Charter has been published. The charter allows current and future suppliers to publicly pledge to be a trusted partner to health and care system. We have a dedicated workstream in the Cyber Improvement Programme that is focused on this particular risk, developing tools and processes to increase cyber assurance and resilience. The charter is available at the following link:
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment she has made of the potential impact of cellular IoT modules used in areas of smart tech, healthcare medical devices and other connected systems on national security.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
It has not proved possible to respond to the hon. Member in the time available before Prorogation.
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what estimate she has made of the proportion of critical national infrastructure reliant on cellular internet of things modules produced by Chinese technology firms.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
It has not proved possible to respond to the hon. Member in the time available before Prorogation.
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what steps her Department is taking to diversify supply chains in strategically sensitive areas of technology like cellular internet of things modules.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
It has not proved possible to respond to the hon. Member in the time available before Prorogation.
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what assessment she has made of trends in the level of telecommunications equipment containing components manufactured in countries deemed to pose a security risk.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
Telecoms supply chains are complex and international and are managed by industry. However, the government is committed to ensuring secure and resilient telecoms supply chains.
The robust Telecommunications (Security) Act 2021 regime places obligations on public communications providers to manage supply chain risks, including to identify, reduce and prepare for the risk of security compromises to their networks. Ofcom monitors compliance with these obligations through its information gathering powers, and the Secretary of State makes decisions on enforcement based on this information and additional advice. The Act also gives ministers powers to restrict the use of vendors in UK networks on national security grounds.
The previous government have used the Act’s national security powers to designate Huawei in 2022, and issue legally binding directions restricting their use in UK telecoms networks, supported by a strengthened underpinned by an enforcement regime including clear financial penalties for non-compliance.
The telecoms security Code of Practice was introduced in 2022, which sets out in detail the technical and organisational steps public communications providers must take to identify, reduce and manage supply chain and vendor‑related security risks, with compliance overseen and enforced by Ofcom. We are currently in the process of updating the Code of Practice to provide public telecoms providers with further guidance, reflecting recent changes in threats and technologies
We are also committed to growing the UK’s role in Advanced Connectivity Technology supply chains. The government is supporting targeted R&D programmes with UKRI and other partners to support the development and commercialisation of next generation technologies. This will enable UK firms to participate more fully in global telecoms supply chains and reduce UK dependence on other countries.
Telecoms supply chain risks are considered as part of cross-government efforts to improve the security and resilience of supply chains. The government works with business to address these risks, building the conditions required to deliver secure growth. The government continues to monitor and respond to turbulence in global sectors and supply chains that are crucial to the UK’s economic and national security.
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what steps she is taking to ensure public sector data is secure where Cellular Internet Modules may originate from foreign suppliers.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The UK has strong safeguards to ensure that data is collected and handled responsibly and securely. Companies registered in the UK are subject to our legal framework and regulatory jurisdiction.
Public sector organisations are required to manage security and supply chain risks through established assurance and procurement frameworks, including the Technology Code of Practice, the Government Cyber Security Standard and following guidance from the National Cyber Security Centre. As threats to UK data are evolving, our response must be agile and proportionate. We actively monitor threats to UK data and will not hesitate to take action if necessary to protect our national security.
Any device with a cellular module that is incorporated into the network or systems of UK Critical National Infrastructure will need to comply with that network’s cyber security practices and standards and, as such, should have robust security controls in place.
The UK has one of the most robust data protection regimes in the world, with all organisations required to comply with our legislation to safeguard UK personal data when transferring it overseas. Failure to do so can result in enforcement action.
Our data regulator, the Information Commissioner’s Office, has powers to take enforcement action and issue fines. Individuals who consider that their data has been misused can also take legal action.
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what steps her Department is taking to reduce UK reliance on technology manufactured in countries like China that pose a security risk.
Answered by Kanishka Narayan - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The Prime Minister has emphasised that national security is the first duty of our government. Supply chain resilience and security remains a core part of this, and multiple government departments are working closely with international partners to embed resilience into critical UK and global supply chains.
We take an actor‑agnostic, risk‑based approach to supply‑chain resilience. Instead of reacting to individual firms or components in isolation, we focus on the structural chokepoints and systemic dependencies that create national‑level vulnerability, regardless of where in the chain they arise.
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what assessment his Department has made of the risk of the use of Chinese‑manufactured Cellular IoT Modules in defence‑adjacent supply chains.
Answered by Luke Pollard - Minister of State (Ministry of Defence)
The Ministry of Defence regularly assesses risks across defence‑adjacent supply chains, including those associated with connectivity‑enabled components. Any use of Cellular IoT technology is subject to proportionate security and assurance arrangements, with risks considered on a case‑by‑case basis in order to safeguard Defence and national security interests. In parallel, the Department supports onshoring and the development of assured supply chains to strengthen the resilience of both defence and wider civilian supply chains.
Asked by: Graeme Downie (Labour - Dunfermline and Dollar)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what assessment his Department has made of (a) trends in the level of Chinese-manufactured technology used in UK defence procurement and supply chains and (b) the potential impact of that technology on national security.
Answered by Luke Pollard - Minister of State (Ministry of Defence)
The Ministry of Defence regularly reviews its critical supply chains, to identify and mitigate risks to defence capability. While the department does not routinely comment on the origin of specific components of our planned or in service capabilities, we welcome business with foreign companies as long as it follows our strict procurement regulations and does not put our national security at risk.
Transactions continue to be monitored where there are potential national security concerns from any country, and the Department will investigate and apply appropriate mitigations where required.