BETA – Data Security Standards
All NHS digital, data and technology services should achieve the Data Security Standards required through the Data Security and Protection Toolkit (DSPT).
Following its launch in April 2018, the DSPT must be completed by:
- any health and care organisation which shares access to patient data
- any organisation that accesses NHS Digital systems, such as NHSmail or the Spine
- any organisations that provide services under a standard NHS contract
The DSPT retains the general principle that organisations should demonstrate that they can be trusted with the confidentiality and security of personal information. It also supports organisations to meet the requirements of new legislation including the likes of the General Data Protection Regulation (GDPR) and Network and Information Systems (NIS) Directive.
The DSPT will continue to evolve over time to reflect emerging threats, changing policy and future legislative requirements.
The new DSPT framework comprises a core set of common standards and provides the following benefits:
- Single source: it is the single assurance vehicle for security standards compliance and support for the health and social care sector, allowing the Department of Health and Social Care and its relevant arm's length bodies (ALBs) to monitor and target improvement.
- Proportionality: the number of evidence items requested from an organisation depends on its scale, complexity and overarching information risk profile, so, for example, a care home is asked to provide less evidence than a hospital.
- Reduction in total costs to the system: the estimated burden of completing the DSPT collection in year one is reduced when compared to previous standards and frameworks. Organisations can complete one assessment for many central and local purposes, thereby removing duplication.
- Driving more cyber-conscious behaviours: the evidence being collected, following advice from the National Cyber Security Centre, has been aimed at encouraging organisations to do the right things first, and splits out mandatory and best practice activities.
- Increase in data accuracy: the increase in quantitative evidence items and the reduction of descriptive evidence leaves less scope for organisations to game the assessment and makes the evidence much easier to check.
- Mechanism for monitoring improvement: the information from DSPT assessments makes it possible to assess data security across sectors. This allows targeted improvements and supports regulation and contract management. For example, it will be possible to report on the proportion of organisations that have implemented appropriate patching, by sector.
- Equivalence: the DSPT is a convergence and equivalence model; organisations that operate an Information Security Management System and follow a recognised risk framework, and can prove its relevance and coverage, do not have to complete the equivalent elements of the DSPT.
The NHS Digital Data Security Centre has mapped the controls within the DSPT against the ISO and NIST international standards, and the DSPT includes a reference column to the ISO 27001 standard. This ensures that organisations that wish to follow best practice are not penalised by having to adhere to separate, divergent regimes.
The Data Security Standards
Read more detailed information about the 10 National Data Guardian standards in the Data Security and Protection Toolkit. The guides include suggestions and examples of how the standards might be achieved and how this relates to common current practices, together with useful resources.
Find an overview of each standard below:
Data Security Standard 1
All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.
Personal confidential data is only shared for lawful and appropriate purposes. Staff understand how to strike the balance between sharing and protecting information, and expertise is on hand to help them make sensible judgments. Staff are trained in the relevant pieces of legislation and periodically reminded of the consequences to patients, their employer and to themselves of mishandling personal confidential data.
Data Security Standard 2
All staff must understand their responsibilities under the Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
All staff understand what constitutes deliberate, negligent or complacent behaviour and the implications for their employment. They are made aware that their usage of IT systems is logged and attributable to them personally. Insecure behaviours are reported without fear of recrimination and procedures which prompt insecure workarounds are reported, with action taken.
Data Security Standard 3
All staff complete annual security training that is followed by a test, which can be re-taken unlimited times but which must ultimately be passed. Staff are supported by their organisation in understanding data security and in passing the test. The training includes a number of realistic and relevant case studies.
Data Security Standard 4
Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
The principle of ‘least privilege’ is applied, so that users do not have access to data they have no business need to see. Staff do not accumulate system accesses over time. User privileges are proactively managed so that there is, as far as is practicable, a forensic trail back to a specific user or user group. Where necessary, organisations will look to non-technical means of recording IT usage (such as sign in sheets, CCTV, correlation with other systems, shift rosters).
Data Security Standard 5
Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Past security breaches and near misses are recorded and used to inform periodic workshops to identify and manage problem processes. User representation is crucial. This should be a candid look at where high risk behaviours are most commonly seen, followed by actions to address these issues while not making life more painful for users (as pain will often be the root cause of an insecure workaround). If security feels like a hassle, it's not being done properly.
Data Security Standard 6
Cyber-attacks against services are identified and resisted and NHS Digital Data Security Centre security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
All staff are trained in how to report an incident, and appreciation is expressed when incidents are reported. Sitting on an incident, rather than reporting it promptly, attracts harsh sanctions. The Board understands that it is ultimately accountable for the impact of security incidents, and bears the responsibility for making staff aware of their responsibility to report upwards. Basic safeguards are in place to prevent unsafe internet use by users. Anti-virus, anti-spam filters and basic firewall protections are deployed to protect users from basic internet-borne threats.
Data Security Standard 7
A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
A business continuity exercise is run every year as a minimum, with guidance and templates available from NHS Digital Data Security Centre. Those in key roles will receive dedicated training so as to make judicious use of the available materials, ensuring that planning is modelled around the needs of their own business. There should be a clear focus on enabling senior management to make good decisions, and this requires genuine understanding of the topic, as well as the good use of plain English.
Data Security Standard 8
No unsupported operating systems, software or internet browsers are used within the IT estate.
Guidance and support is available from NHS Digital Data Security Centre to ensure risk owners understand how to prioritise their vulnerabilities. There is a clear recognition that not all unsupported systems can be upgraded and that financial and other constraints should drive intelligent discussion around priorities. Value for money is of utmost importance, as is the need to understand the risks posed by those systems which cannot be upgraded. It’s about demonstrating that analysis has been done and informed decisions were made.
Data Security Standard 9
A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework. This is reviewed at least annually. NHS Digital Data Security Centre assists risk owners in understanding which national frameworks do what, and which components are intended to achieve which outcomes.
Security standard nine expands the organisation's cyber security framework to detail the granular technical controls expected to meet mandated MCSS and NIS requirements. For example, DSPT assertion 9.3.6 mandates that the organisation protects data in transit (including email) using well-configured TLS 1.2 or better.
There is a clear understanding that organisations can tackle the NDG Standards in whichever order they choose, and that the emphasis is on progress from their own starting points.
Data Security Standard 10
IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the Data Security Standards.
IT suppliers understand their obligations as data processors under the GDPR, and the necessity to educate and inform customers, working with them to combine security and usability in systems. IT suppliers typically service large numbers of similar organisations and as such represent a large proportion of the overall ‘attack surface’. Consequently, their duty to robust risk management is vital and should be built into contracts as a matter of course. It is incumbent on suppliers of all IT systems to ensure their software runs on supported operating systems and is compatible with supported internet browsers and plug-ins.
Assessing services against the standards
Health and social care organisations complete the DSPT as an online self-assessment against the National Data Guardian Standards. They are required to complete the self-assessment every financial year. The self-assessment gives the organisation a level of Standards Not Met, Standards Met or Standards Exceeded. The result of the self-assessment is published.
The questions in the DSPT are split between overall assertions for a subject area, such as 'Supported systems are kept up-to-date with the latest security patches', and evidence items which demonstrate that the assertion has been met. The evidence items are split between mandatory and optional. The evidence items required vary proportionately depending on organisation type: a hospital is asked to provide more evidence than a care home, and more of the evidence items are mandatory for a hospital and optional for a care home. For each of the standards, guidance and support materials are available.
To demonstrate that they have met the standard, organisations must confirm that they have met, and provided evidence for, all the mandatory evidence items.
Process and Governance
Once organisations complete their self-assessment, they publish the result. They are required to publish every financial year but can publish more often if the self-assessment has changed. The publication of a toolkit covering data security is a well-established process in the NHS but less so in the care sector. Over 24,000 health and care organisations published their self-assessment during the last financial year. The self-assessment is completed by a nominated individual in the organisation, with the formality of the governance depending on the scale of the organisation. In a hospital the self-assessment would typically be approved by a member of the board following a dedicated approval process within the organisation and an assurance process provided by an auditor, whereas in a care home it would typically be completed by the registered manager working on their own.
Upon publication of their self-assessment, whether they have met the standard is displayed on the DSPT website. This is available to the public, and is used by commissioners in contract management and by regulators. Separately, at the end of the financial year the status of organisations' DSPT self-assessments is shared directly with the Care Quality Commission (CQC). The status of the DSPT is used as part of the organisational intelligence gathering by the CQC. Pilots have been taking place with health care organisations in which the DSPT and other data security intelligence sources available to NHS Digital are used to support the CQC key lines of enquiry.
To help remediate non-compliance with the standards and increase maturity across the health and social care sector, the NHS Digital Data Security Centre has created a Cyber Framework providing access to centrally funded services freely available to local organisations. These services include, but are not limited to:
- Onsite Assessments: review of current security capability and posture against industry standards, followed by action plans and support to identify quick wins to improve security posture.
- Training and DSC Associates: from board-level GCHQ-accredited training through to technical professional training, community of practice schemes, and front-line staff awareness campaigns.
- Technical Remediation: using the onsite assessment findings to fix technical vulnerabilities and support organisations in increasing their resilience against the cyber threat.
- Centralised Risk Framework: the embedding of a unified cyber risk framework that ensures that the organisation's approach to cyber security is proportionate and aligned to clinical outcomes.
- Cyber Operational Readiness Support teams: work with organisations to develop, implement, and embed cyber security strategy, policies, and culture.
- Specialist Advice, Guidance, & Support: work with organisations to develop, implement, and embed cyber security strategy, policies, and culture.
- Threat Intelligence & CSOC Services: including threat alerts, national protective monitoring and the delivery of NCSC services at the local level.
Cyber Design Authority
The Data Security Centre is currently building a Cyber Design Authority (CDA), to provide enterprise security architectural patterns, design reviews, and guidance to ensure consistency of quality, architectural robustness, and alignment to overarching architectural, platform, and technology strategies.
The CDA will collaborate with other Design Authority Boards to ensure that coherent and cohesive enterprise architecture, architectural principles, policies, strategies and standards are maintained.
- Minimum Cyber Security Standard is being fully incorporated into the DSPT for 2019/20 for larger NHS organisations and will be active from April 2019.
- NIS CAF is being partially incorporated into the DSPT for 2019/20 with additional elements being incorporated each subsequent year.
The DSPT structure increases maturity over time and acknowledges that different sectors are beginning at varying levels of maturity. The initial standard for a care home is lower than that for a hospital, but the standard for both can be raised over time by incorporating additional evidence requirements and migrating evidence items from optional to mandatory. This raises the bar each year across all sectors whilst recognising the different starting points.
The inclusion of optional evidence items in the DSPT enables the standard to show 'what good looks like', rather than only the work required to demonstrate the standard. This allows organisations to demonstrate that they are exceeding the standard and encourages them to do more than the minimum required. The optional items can also be used to assess the data security maturity of an organisation and to compare organisations with their peers, rather than simply listing organisations that have met the standard.
The NHS Digital Data Security Centre is liaising with the NCSC and DHSC to add only those CAF areas into the toolkit that are appropriate for NHS Trusts. The ambition is to focus on the key risks to health and social care providers and to ensure that the controls around privileged accounts, backup and forensic auditing capabilities are expanded. Under the NIS Directive, organisations are required to comply with the NDG's 10 data security standards, which are covered by the DSPT. The Toolkit doesn't include all aspects of the CAF, but we are working to incorporate appropriate aspects for 19/20 and will continue to do so in future years.