In a significant change to how health and social care organisations measure and self-report their cyber security posture, NHS England (NHSE) and the National Data Guardian (NDG) have jointly announced that the NHS Data Security and Protection Toolkit (DSPT) will transition away from using the NDG’s 10 data security standards as its underpinning assessment mechanism.
The National Cyber Security Centre’s Cyber Assessment Framework (CAF) will be used instead, given its “more advanced approach”. The transition started yesterday (2 September), beginning with ‘large’ NHS organisations, which have already been informed of the switch.
When it is everybody else’s turn to complete the transition, NHSE will similarly inform them.
The 10 data security standards
The 10 data security standards were conceived in 2016 as part of the NDG’s review of data security, consent and opt-outs, before being adopted as the benchmark for the DSPT in 2018.
The government says the standards have been essential in protecting patient information by focusing on three key areas:
- People
- Process
- Technology
The adoption of CAF was set out in last year’s cyber strategy, evolving the approach in two key ways.
A higher bar of achievement than before will now be in place, and organisations will have a long-term roadmap for annual improvements.
The new DSPT will also centre around achieving outcomes, rather than merely passing or failing defined security controls, in turn enhancing local autonomy.
Advancing data security standards
“I fully support this transition to the CAF,” said the NDG, Dr Nicola Byrne. “It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience.
“I remain committed to supporting NHS England in maintaining and advancing the highest standards of data security across health and care.”
The infamous WannaCry ransomware attack cost the NHS almost £100m in lost activity back in 2017. More recently, several sites in London were impacted when a cyber-attack hit the lab services provider Synnovis.
The attack occurred in early June and, a month later, the two most affected trusts (King’s College Hospital and Guy’s and St Thomas’) had been forced to postpone 6,200 acute outpatient appointments and 1,500 elective procedures between them.
The NDG, NHSE, and the Department of Health and Social Care say they will continue to collaborate on the development and implementation of CAF.