The Data Security and Protection Toolkit (DSPT) is an online tool that healthcare organisations can use to measure their performance against the Department of Health and Social Care’s (DHSC) data security and information governance requirements. The DSPT Standard has been reviewed for 2020-21 and is being implemented from 1 October 2020 – but what does this mean for you, and how can CRIBB Cyber Security help?

Who must use the Toolkit?

One of the DHSC’s requirements stipulates that any organisation with access to NHS patient data and systems must use the Toolkit to show that all information is handled correctly and that it has a dedicated approach to data security.

There are four categories of organisation:

Category 1

NHS Trusts (Foundation, Acute, Ambulance, Mental Health, Community, Care Trusts)

Category 2

Arm’s Length Bodies, CCGs and CSUs

Category 3

AQP Clinical & Non-Clinical Services, Care Homes, Charities & Hospices, Companies, NHS & Private Dentists, Domiciliary Care Organisations, Local Authorities, NHS Business Partners, Opticians, Pharmacies, Prisons, Researchers, Secondary Use Organisations, Universities

Category 4

GP Practices

Top Tip

You must demonstrate compliance with the new data security and information governance requirements by 31 March 2021. The experts at CRIBB Cyber Security have an in-depth knowledge of the healthcare sector that is second-to-none – contact us today and we can either complete the DSPT online assessment on your behalf or we can help you to successfully navigate through it, getting you closer to total cyber resilience.

Changes to the toolkit

These have been implemented in direct response to user feedback and in light of various lessons learnt during the DSPT’s second year. New mandatory requirements include the installation of antivirus / anti-malware software on all internet-connected devices and the need for regular data backups.

Other crucial new developments revolve around annual IT penetration testing and the introduction of Cyber Essentials as a mandatory element in the 2020-21 period.

What is Cyber Essentials?

It is a set of five baseline technical controls established by the UK government to help organisations and companies of all sizes strengthen their cyber security defences. The scheme is designed to address common forms of internet-based attack that can be carried out without great skill, and adopting it is also a good demonstration of your overall commitment to becoming cyber resilient and maintaining strong data integrity.

The 5 controls:

Secure configuration | Boundary firewalls & internet gateways | Access control & administrative privilege management | Patch management | Malware protection

Cyber Essentials is a self-assessment certification which is independently verified; for those seeking a more robust solution, however, there is always Cyber Essentials PLUS…

What is Cyber Essentials PLUS?

PLUS requires internal and external tests of networks and computers, along with a visit to your site(s), and offers a much higher degree of assurance than the more basic Cyber Essentials scheme; those certified under the PLUS scheme are also exempt from the penetration test requirement.

Who are CRIBB Cyber Security?

As an IASME Consortium Gold Certified Company, CRIBB Cyber Security is an official certification body that can help you with both Cyber Essentials and Cyber Essentials PLUS certification.

Our certification programmes are all backed up by HP, the MoD and Cisco, and our experts have worked alongside the IASME Consortium to deliver Cyber Essentials and Cyber Essentials PLUS to clients in healthcare for many years.

In April 2020, our long-term faith in IASME was fully justified when they were announced as being the National Cyber Security Centre’s (NCSC) sole Cyber Essentials partner.

We can help you with penetration testing, vulnerability testing, completion of the DSPT online assessment, CE and CE PLUS – get in touch to take your first steps along theICEway.

We enable theICEway ecosystem of companies to adopt a security by design approach from the outset, with a simple yet effective mantra: Be careful – Be defensive – Be compliant – Be Secure.


Arm’s Length Bodies – These establish national standards, regulate the health and social care system, protect patients and provide central services to the NHS

CCGs – Clinical Commissioning Groups; these are responsible for planning and purchasing NHS services and designing local health services

CSUs – Commissioning Support Units; these are responsible for supporting CCGs with the administration and performance of their functions

AQP Clinical & Non-Clinical Services – Any Qualified Provider; these currently include musculoskeletal services for neck and back pain, adult hearing aid services, continence services, diagnostic tests, wheelchair services, podiatry services, venous leg ulcer and wound healing, and adult primary care psychological therapies