DSP Toolkit for NHS
Supporting the evolution of the NHS DSP Toolkit
Cyber attacks pose a significant threat to the UK’s National Health Service (NHS), as has been demonstrated repeatedly in recent months. The combination of organisational complexity, valuable data, security debt from outdated systems and medical devices, and the life-or-death nature of healthcare makes it an appealing target for cyber attacks.
This environment provides the backdrop to the requirement for the NHS to adhere to the 10 National Data Guardian (NDG) standards for data security, the performance of which is measured by the annual Data Security and Protection Toolkit (DSPT). The DSPT provides a mechanism for the NHS to demonstrate that they can be trusted to maintain the confidentiality and security of personal information.
The DSPT is Changing
In September 2024, the DSPT will be changing to adopt the Cyber Assessment Framework (CAF) as its basis for cyber security and IG assurance. This change will initially only affect NHS Trusts, Arm’s-Length Bodies (ALBs), Commissioning Support Units (CSUs) and Integrated Care Boards (ICBs). Large private sector organisations in scope of the DSPT will come into line in 2025/26.
The DSPT will move from the current ‘assertions’ to CAF-aligned ‘Objectives, Principles and Outcomes’. This provides broad principles to drive good decision-making, rather than a “compliance checklist”.
What is the Cyber Assessment Framework
The Cyber Assessment Framework (CAF) was developed by the UK’s National Cyber Security Centre (NCSC) to provide a systematic and comprehensive approach to assessing the extent of an organisation’s ability to maintain cyber resilience.
Cyber Resilience – the ability of an organisation to prepare for, respond to, and recover from, cyber attacks and security breaches – is key to maintaining operational resilience and business continuity.
The DSPT has implemented CAF with a “Health and Care CAF Overlay”. This extends the CAF primarily by adding a fifth objective – Using and Sharing Information Appropriately – as well as making minor revisions to the names of the other four objectives to broaden their scope.
Why is DSPT Changing
The reason for moving to a CAF-aligned DSPT is primarily to emphasise stronger decision-making over compliance, so that risks can be managed more effectively at a local organisational level, with better understanding and ownership of information risks.
Importantly, organisations should adopt state-of-the-art security measures that are industry-standard to meet new threats and risks, not just protect against common threats.
How Can Sapphire Help
Understanding and adapting to a revised requirement such as the CAF-aligned DSPT can seem daunting. Sapphire is here to support you.
Sapphire recommends a stepped approach to avoid making any unnecessary investment.
CAF Gap Analysis
Before you can get somewhere, you must first know where you are. Conducting a CAF Gap Analysis is the first step.
A CAF gap analysis from Sapphire provides a thorough assessment of your organisation’s current cyber security posture against the core principles of CAF and the “Health and Care CAF Overlay”:
- Managing Security Risk
- Defending systems against cyber attack
- Detecting cyber security events
- Minimising the impact of cyber security incidents
- Using and Sharing Information Appropriately
This analysis will identify areas where existing controls meet the CAF standards and highlight gaps that need to be addressed. By systematically evaluating these gaps, you can prioritise your cyber security efforts, ensuring a focused and efficient approach to achieving alignment with the CAF.
In-scope organisations will be assessed against each of the CAF profiles.
CAF Compliance Report
On completion of the Gap Analysis, you will be provided with a CAF Compliance Report, which will detail the core findings of the analysis at both an executive level and a technical level, as well as providing a roadmap to achieving full compliance with CAF, with actionable recommendations.
CAF-Relevant Sapphire Services
If the Compliance Report identifies areas that need improvement, Sapphire offers a range of relevant services to meet your needs, assist your security transformation and increase operational resilience through a focused security improvement programme.