In April 2018, NHS Digital introduced the new Data Security and Protection Toolkit. The DSP toolkit aims to help healthcare organisations achieve an appropriate level of cyber security to ensure patient data is protected.
The Data Security and Protection Toolkit is an online self-assessment tool that allows NHS Trusts and healthcare organisations measure their cyber security processes against the National Data Guardian’s 10 data security standards. (Scroll to the bottom to see these)
Why has the DSP Toolkit been introduced?
Ever since the catastrophic WannaCry attack in May last year, it became clear that the NHS needed to make some big adjustments to ensure their systems and processes are robust and impenetrable.
As we all know, this worldwide ransomware attack severely disrupted the NHS. Not only were 48 NHS trusts hit, a staggering 595 GP surgeries were also infected with the virus. The NHS was completely paralysed, systems were shut down, thousands of appointments were cancelled and important patient records were unavailable.
During this time the NHS received a lot of bad press for ‘not doing enough’ to secure their systems. However, for the past year NHS Digital have worked tirelessly to transform their cyber strategy. Dan Taylor head of the NHS cyber security programme said that “as a dress rehearsal – as a ‘lesson learned’ – WannaCry was good”, adding: “It raised awareness of how cyber security can actually impact patient-facing services.”
Who does this apply to and when is the deadline?
The DSP Toolkit will apply to all healthcare organisations, this includes NHS trusts and their industry partners. In order to comply with the DSP framework, healthcare organisations need to demonstrate that they are putting the ten data security standards recommended by the National Data Guardian Review into practice. They need to also ensure they are following GDPR best practice and comply with their data security standards.
While the deadline for submission is 31 March 2019, larger companies are asked to submit on the earlier deadline of October 2018. Although this may seem like a long way away, we all know how quickly the GDPR deadline arrived.
Data Security Standard 9 states: A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
Cyber Essentials is a government-backed cyber security certification scheme that sets out a baseline of cyber security suitable for all organisations. The scheme’s five security controls can prevent “around 80% of cyber-attacks”. The certification is a valuable indicator that the organisation has taken the necessary measures to bolster cyber security and reduce the risk of a cyber-attack.
Here at Equilibrium, we are one of the few Cyber Essentials certification bodies in the Midlands area. Equilibrium is a Certification Body under the accreditation body IASME. We can offer Cyber Essentials, Cyber Essentials Plus, IASME Governance and GDPR Readiness Assessments as a Certification Body.
The Cyber Essentials self-assessment is an excellent framework which allows you to review your security strategy and resilience against cyber threats. However, upgrading to Cyber Essentials Plus provides a much higher level of assurance than just the base self-assessment. It involves more rigorous testing and auditing of your security systems and policies. One of our security experts will validate the answers submitted in the self-assessment questionnaire, and perform an in-depth onsite assessment.
As part of the Cyber Essentials Plus process, one of our security experts will visit your site to conduct both internal and external tests of your network and computers. Achieving the Cyber Essentials Plus certification is an excellent way to prepare for the DSP Toolkit requirements as it allows you to prepopulate some criteria when completing the application. The CE+ tool actually surpasses the expected standard of the toolkit which helps you complete many of the compliance statements on the portal.
What are the standards which are being introduced?
A named senior executive who will be responsible for data and cyber security.
Completion of level 2 of current Information Governance Toolkit.
This will help NHS measure organisations’ progress against the 10 data security standards when the IG toolkit will be replaced by the new Data Security and Protection Toolkit from 2018-19.
Implementing GDPR requirements to ensure legal obligations are met in advance.
Information governance training to be imparted to all staff.
Acting on high severity CareCERT advisories within 48 hours.
A comprehensive business continuity plan must be in place to respond to data and cyber security incidents.
Reporting data security incidents to CareCERT in line with reporting guidelines.
Remove, replace or actively mitigate or manage the risks associated with unsupported systems by April 2018.
Undertake on-site cyber and data security assessments and act on the outcome of such assessments.
Checking whether IT systems suppliers have appropriate certification like Cyber Essentials Plus, Digital Marketplace or ISO/IEC 27001:2013 certification.
If you would like to discuss Cyber Essentials/ CE+ in more detail or would like to find out more about how we can help you with DSP Toolkit compliance please do get in touch! Our office number is 0121 663 0055, or you can email firstname.lastname@example.org.