Penetration testing and achieving DSP Toolkit compliance

Over the past few years there has been an unprecedented number of attacks which have targeted healthcare organisations. These cyber-attacks have caused extreme disruption, interrupting patient access to appointments, medication and crucial care.

To address the growing threat of cybercrime and prevent a repeat of WannaCry, NHS Digital has created a new statutory framework called the Data Security and Protection Toolkit. Our previous blog discusses the toolkit in more detail.

Do you have access to NHS patient records?

If you do, you must be following the recommendations outlined in the digital toolkit. In order to achieve compliance you will need to follow and implement each standard and fill in detailed answers on an online portal.

This toolkit is comprised of 10 standards. Standard 9 states that: A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework. As part of this, organisations must ensure their web applications are secure against the top 10 vulnerabilities and undertake a penetration test annually.

NHS Trusts collect and store a large amount of important data such as medical records and personal information.

For the successful running of our NHS, it is essential that this information is completely protected and can be accessed by healthcare professionals at all times.

What is penetration testing and why is it recommended by the DSP toolkit?

The cyber threat landscape is constantly changing and new strains of malware are being developed and distributed on a daily basis. Therefore, no matter how sophisticated your security defences are, there is always a possibility that someone will be able to penetrate them.

The aim of a penetration test is to simulate a malicious attack on a network in order to evaluate the effectiveness of the security controls in place. With the permission of the organisation, skilled ‘white hat’ security engineers try to gain access to networks and systems protected by those controls. Pen tests probe software and hardware for vulnerabilities and exploit any that are found, in a safe, controlled environment. Once the test is complete, a detailed report is put together which identifies the vulnerabilities found and the gaps in your security armour.

How can Equilibrium help with this?

Here at Equilibrium, we are CREST-accredited ethical penetration testers. This accreditation is what the DSP toolkit would call a ‘proven cyber security framework’ which can be used to protect your network from cyber threats. It also demonstrates that we have up-to-date knowledge of the latest vulnerabilities and techniques used by real attackers. In order to achieve this certification, testers must undertake a series of thorough examinations which are assessed and approved by GCHQ and the NCSC.

Whilst most pen testing services simply provide a report of the findings, we work alongside our customers to remediate the issues found and help to build their security defences.

Equilibrium Security has been undertaking security tests of varying types over many years, and as security experts we’re well equipped to understand the practicalities of implementing secure systems without inhibiting business productivity.

Although the toolkit recommends that a pen test should be undertaken annually, we don’t recommend undertaking penetration testing as a one-off activity. In order to protect your infrastructure, you must take a proactive approach to tackling emerging threats.

Our Penetration Testing service is an excellent way to work towards achieving compliance for Standard 9 of the toolkit.

Features of our Penetration Testing as a service:

  • Using the AppCheck vulnerability scanning tool, we will regularly scan your web applications for vulnerabilities such as out-of-date software (this tool would have recognised that NHS trusts were running out-of-date Microsoft software pre-WannaCry)

  • CREST-accredited penetration tests will be undertaken every quarter

  • We will provide a quarterly penetration testing report and a face-to-face meeting to run through the vulnerabilities found and our suggested remediation steps

  • It will help you understand key vulnerabilities and their exploitability

  • It can identify unknown zero-day attack vulnerabilities

  • Identify all known web application vulnerabilities and provide exploit capabilities

  • Demonstrate their impact and eradicate false positives

  • Tests for all the critical vulnerabilities in the OWASP Top 10 including SQL Injection and XSS

  • Tests can be run continually throughout the contract term

  • Authenticated Scans: access the systems through authentication to determine user risks

If you would like to test out the effectiveness of AppCheck and see how secure your web applications are, you can set up your free scan today. If you are interested in setting up a scan, or would like to discuss the DSP toolkit or our penetration testing service in more detail, please do get in touch. Our office number is 0121 663 0055, or you can email gemmab@equilibrium-security.co.uk.
