The NHS DSP Toolkit
Do you have access to NHS patient records? If you do, you must be following the recommendations outlined in the digital toolkit
NHS Digital launches new toolkit to help ensure patient data is safe
In April 2018, NHS Digital introduced the new Data Security and Protection Toolkit. The DSP toolkit aims to help healthcare organisations achieve an appropriate level of cyber security to ensure patient data is protected. The Data Security and Protection Toolkit is an online self-assessment tool that allows NHS Trusts and healthcare organisations measure their cyber security processes against the National Data Guardian’s 10 data security standards.
Why has the DSP toolkit been introduced?
Ever since the catastrophic WannaCry attack in May 2017, it became clear that the NHS needed to make some big adjustments to ensure their systems and processes are robust and impenetrable. As we all know, this worldwide ransomware attack severely disrupted the NHS. Not only were 48 NHS trusts hit, a staggering 595 GP surgeries were also infected with the virus.
The NHS was completely paralysed, systems were shut down, thousands of appointments were cancelled and important patient records were unavailable. During this time the NHS received a lot of bad press for ‘not doing enough’ to secure their systems. However, for the past year NHS Digital have worked tirelessly to transform their cyber strategy.
“As a dress rehearsal – as a ‘lesson learned’ – WannaCry was good, it raised awareness of how cyber security can actually impact patient-facing services.”Dan Taylor Head of the NHS Cyber Security Programme
How can Equilibrium help with DSP toolkit compliance?
Data Security Standard 9 states: A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
Cyber Essentials is a government-backed cyber security certification scheme that sets out a baseline of cyber security suitable for all organisations. The scheme’s five security controls can prevent “around 80% of cyber-attacks”. The certification is a valuable indicator that the organisation has taken the necessary measures to bolster cyber security and reduce the risk of a cyber-attack.
Here at Equilibrium, we are one of the few Cyber Essentials certification bodies in the Midlands area. Equilibrium is a Certification Body under the accreditation body IASME. We can offer Cyber Essentials, Cyber Essentials Plus, IASME Governance and GDPR Readiness Assessments as a Certification Body.
The Cyber Essentials self-assessment is an excellent framework which allows you to review your security strategy and resilience against cyber threats. However, upgrading to Cyber Essentials Plus provides a much higher level of assurance than just the base self-assessment. It involves more rigorous testing and auditing of your security systems and policies. One of our security experts will validate the answers submitted in the self-assessment questionnaire, and perform an in-depth onsite assessment. The CE+ tool actually surpasses the expected standard of the toolkit which helps you complete many of the compliance statements on the portal.
Standard 9 states that: A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework. As part of this organisations must ensure their web applications are secure against top 10 vulnerabilities and undertake a penetration test annually.
Our Penetration Testing service is an excellent way to work towards achieving compliance for Standard 9 of the toolkit. The aim of a penetration test is to simulate a malicious hack on a network to evaluate the effectiveness of the security in place.
Here at Equilibrium, we are CREST-accredited ethical penetration testers. This accreditation is what the DSP toolkit would call a ‘proven cyber security framework’ which can be used to protect your infrastructure from cyber threats. It also demonstrates that we have up to date knowledge of the latest vulnerabilities and techniques used by real attackers. In order to achieve this certification you must undertake a series of thorough examinations which are assessed and approved by GCHQ and NCSC.
AppCheck Vulnerability Scanning
AppCheck Vulnerability Scanning is also an excellent tool which can help you achieve compliance for Standard 9. It is a best-in-class Web Application and Infrastructure vulnerability scanner. Designed and developed by experienced penetration testers, it provides the capability to carry out regular scans to identify vulnerabilities which, if left unchecked, could quickly become a significant business risk.
AppCheck tests for all the critical vulnerabilities in the OWASP Top 10 including SQL Injection and XSS
Web application vulnerabilities are not the only threat to your network perimeter. Unpatched software, configuration weaknesses and software vulnerabilities also need to be managed effectively. In addition to the web application scanning Equilibrium can perform vulnerability scans across your external network infrastructure.
What standards are being introduced?
Data Security Standard 1
All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes
Data Security Standard 2
All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
Data Security Standard 3
All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit.
Data Security Standard 4
Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
Data Security Standard 5
Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Data Security Standard 6
Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
Data Security Standard 7
A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
Data Security Standard 8
No unsupported operating systems, software or internet browsers are used within the IT estate.
Data Security Standard 9
A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
Data Security Standard 10
IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.