NHS Digital launches new toolkit to help ensure patient data is safe

In April 2018, NHS Digital introduced the new Data Security and Protection Toolkit. The DSP toolkit aims to help healthcare organisations achieve an appropriate level of cyber security to ensure patient data is protected.

The Data Security and Protection Toolkit is an online self-assessment tool that allows NHS Trusts and healthcare organisations measure their cyber security processes against the National Data Guardian’s 10 data security standards. (Scroll to the bottom to see these)

Ever since the catastrophic WannaCry attack in May last year, it became clear that the NHS needed to make some big adjustments to ensure their systems and processes are robust and impenetrable.

As we all know, this worldwide ransomware attack severely disrupted the NHS. Not only were 48 NHS trusts hit, a staggering 595 GP surgeries were also infected with the virus. The NHS was completely paralysed, systems were shut down, thousands of appointments were cancelled and important patient records were unavailable.

During this time the NHS received a lot of bad press for ‘not doing enough’ to secure their systems. However, for the past year NHS Digital have worked tirelessly to transform their cyber strategy. Dan Taylor head of the NHS cyber security programme said that “as a dress rehearsal – as a ‘lesson learned’ – WannaCry was good”, adding: “It raised awareness of how cyber security can actually impact patient-facing services.”

The DSP Toolkit will apply to all healthcare organisations, this includes NHS trusts and their industry partners. In order to comply with the DSP framework, healthcare organisations need to demonstrate that they are putting the ten data security standards recommended by the National Data Guardian Review into practice. They need to also ensure they are following GDPR best practice and comply with their data security standards.

While the deadline for submission is 31 March 2019, larger companies are asked to submit on the earlier deadline of October 2018. Although this may seem like a long way away, we all know how quickly the GDPR deadline arrived.

Data Security Standard 9 states: A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.

Cyber Essentials is a government-backed cyber security certification scheme that sets out a baseline of cyber security suitable for all organisations. The scheme’s five security controls can prevent “around 80% of cyber-attacks”. The certification is a valuable indicator that the organisation has taken the necessary measures to bolster cyber security and reduce the risk of a cyber-attack.

Here at Equilibrium, we are one of the few Cyber Essentials certification bodies in the Midlands area. Equilibrium is a Certification Body under the accreditation body IASME. We can offer Cyber Essentials, Cyber Essentials Plus, IASME Governance and GDPR Readiness Assessments as a Certification Body.

The Cyber Essentials self-assessment is an excellent framework which allows you to review your security strategy and resilience against cyber threats. However, upgrading to Cyber Essentials Plus provides a much higher level of assurance than just the base self-assessment. It involves more rigorous testing and auditing of your security systems and policies. One of our security experts will validate the answers submitted in the self-assessment questionnaire, and perform an in-depth onsite assessment.

As part of the Cyber Essentials Plus process, one of our security experts will visit your site to conduct both internal and external tests of your network and computers. Achieving the Cyber Essentials Plus certification is an excellent way to prepare for the DSP Toolkit requirements as it  allows you to prepopulate some criteria when completing the application. The CE+ tool  actually surpasses the expected standard of the toolkit which helps you complete many of the compliance statements on the portal.