All UK healthcare providers must complete the NHS Data Security and Protection (DSP) Toolkit. We originally posted an update on the NHS DSP Toolkit in September 2020, which you can read here.

What is it?

The DSP Toolkit is an online self-assessment tool. It can be used to measure performance against the 10 data security standards set out by the National Data Guardian (NDG) and listed further below.

Who must use it?

Any organisation with access to NHS patient data and systems must then use the toolkit. It provides assurance that they are handling personal information in the correct manner. It is also a demonstration of the fact they adopt strong data security protocols. More information on the tool, which is subject to ongoing development, can be found on the NHS website.

The DSP Toolkit & IASME Governance

CRIBB Cyber Security is an official certification body that is backed by the UK government. When our experts discovered that the DSP Toolkit and IASME governance were very similar, they took steps to raise awareness. IASME governance includes Cyber Essentials, Cyber Essentials Plus and GDPR. Any organisation that has completed the DSP Toolkit would then be able to complete IASME in a very straightforward manner. This would equate to further certifications, which is ideal given the extremely volatile cyber security landscape we find ourselves in. Our team have spoken with exiting clients in this position, thus allowing them to take positive action.

IASME Governance & The DSP Toolkit

The link between the two also works in the other direction; any organisation that has completed IASME Governance is more than 90% of the way towards completing the DSP Toolkit.

What does this mean?

Simply put, any healthcare organisation yet to complete the NHS DSP Toolkit must look to do so in the near future, and CRIBB Cyber Security can help. At that same point, in order to build as robust a cyber defence as possible, IASME Governance should become a very real consideration.

Alternatively, any healthcare organisation with IASME in their sights should certainly consider increasing their scope to include the DSP Toolkit – and CRIBB Cyber Security can help. It is also worth noting that IASME certification will entitle you to free Cyber Liability Insurance with a £25,000 indemnity limit* through IASME.

*Terms apply, contact us for more information

National Data Guardian 10 data security standards

The NDG review of data security, consent and opt-outs led to the creation of these standards under three ‘leadership obligations’. The standards aim to address people, processes and technology issues.

Leadership obligation 1

People; you must ensure that staff are able to deal with information in a respectful and safe manner, in accordance with the Caldicott Principles.

Data security standard #1

All staff must handle, store and transmit personal data securely, either electronically or in paper format. This data can only be shared for lawful purposes.

Standard #2

All staff are obliged to understand their responsibilities under the NDG Data Security Standards. This includes the need to handle information responsibly, as well as their personal accountability for breaches deemed deliberate or avoidable.

Standard #3

Annual data security training must be completed, with a mandatory test from the revised Information Governance Toolkit passed.

Leadership obligation 2

Process; you must ensure that your organisation adopts a proactive approach to the prevention of data breaches. This stance should then continue with your incident response protocols.

Standard #4

Only staff required to handle personal confidential data should have access to it. This access must be directly attributable to them and removed once their task has been completed.

Standard #5

Annual reviews must be carried out on processes to identify those which have been breached or those which have demonstrated vulnerabilities.

Standard #6

Cyber-attacks must be identified and resisted, with any security advice responded to. In the event of a data breach, immediate action should be taken and a report made within 12 hours of detection.

Standard #7

You must implement a continuity plan to tackle data security threats. This plan should then be tested on an annual basis, with a report delivered to the senior management team.

Leadership Obligation 3

Technology; you must ensure that your technology is up to date and secure.

Standard #8

Your IT infrastructure must only include supported operating systems, software and internet browsers.

Standard #9

You must implement a proven cyber security framework (i.e. Cyber Essentials) and then ensure that it is tested on an annual basis.

Standard #10

All IT suppliers are accountable for the protection of personal confidential data processed using their systems.