
Data Security Centre assurance

We provide cyber security assurance for systems and services delivering the technology and data elements of vaccinations. Find out about the assurance process and get a summary of the findings.

Assurance activities

NHS Digital's Data Security Centre (DSC), supported by the National Cyber Security Centre (NCSC), have been delivering cyber security assurance for a defined scope of systems and services delivering the technology and data elements of mass vaccinations. This covers national components for which we’ve undertaken security assurance, assessment and remediation.

This work is being carried out under the existing and ongoing DSC Specialist Security Services, which provides expert assurance, remediation advice, and guidance. Several in-scope systems involved in mass vaccinations are already regularly assured through this process, with additional security assurance and remediation being undertaken on newly identified systems.

We are also onboarding the in-scope systems and services into NHS Digital Cyber Security Operations Centre (CSOC) to provide advanced protective monitoring in addition to the incident oversight capability we provide.

Assurance scope and summary

Areas covered by assurance activities
  • Cyber assurance of component systems and suppliers involved in the centrally provisioned vaccination programme.
  • Ongoing remediation prioritisation activities to increase security posture where gaps or weaknesses are found.
  • Onboarding of supplier solutions into CSOC monitoring, either the full protective monitoring offering, or incident response support if protective monitoring is not possible for technical or contractual reasons.
  • Continual engagement with suppliers to ensure cyber security is not impacted as demand increases or architectural changes happen.
  • Input into threat modelling and end-to-end risk planning.
  • Mid to long-term goals: annual cyber assurance activities to be carried out on vaccination architecture as the programme moves into BAU.
Areas where we provided advice and guidance only
  • End-user devices used at point of care.
  • Vaccination centre network provision.
  • Supply chain of vaccination, including storage and transport.

Summary of findings 

These findings are the partial output of the assurance activities carried out on vaccination-specific systems and services under a targeted process created specifically for this piece of work.

Risks are scored between 1 (low) and 5 (high).

National Immunisation Management Service (NIMS) - system C

DSC S3 overall assurance risk rating: 1

| Other information | Status | Date |
| --- | --- | --- |
| DSPT Return 2020 | Standards met | 31/03/2020 |
| BitSight | 780 - advanced | 12/11/2020 |
| Holds ISO 27001 | Current | Since 1999 |
| Holds Cyber Essentials | N/A | N/A |
| Holds Cyber Essentials Plus | Current | 08/06/2020 |

 

National Immunisation Vaccination System (NIVS) (AGCSU)

DSC S3 overall assurance risk rating: 2

| Other information | Status | Date |
| --- | --- | --- |
| DSPT Return 2020 | Standards met | 20/03/2020 |
| BitSight | 680 - intermediate | 18/11/2020 |
| Holds ISO 27001 | No | N/A |
| Holds Cyber Essentials | Current | 21/02/2020 |
| Holds Cyber Essentials Plus | No | N/A |

 

National Booking System (NHSD)

DSC S3 overall assurance risk rating: 2

| Other information | Status | Date |
| --- | --- | --- |
| DSPT Return 2020 | N/A | N/A |
| BitSight | N/A | N/A |
| Holds ISO 27001 | N/A | N/A |
| Holds Cyber Essentials | N/A | N/A |
| Holds Cyber Essentials Plus | N/A | N/A |

 

Pinnacle (EMIS)

DSC S3 overall assurance risk rating: 2

| Other information | Status | Date |
| --- | --- | --- |
| DSPT Return 2020 | Standards exceeded | 30/09/2020 |
| BitSight | 670 - intermediate | 02/12/2020 |
| Holds ISO 27001 | Current | Since 13/02/2019 |
| Holds Cyber Essentials | Current | 30/07/2020 |
| Holds Cyber Essentials Plus | Current | 29/09/2020 |

 

Systems falling under the GP IT Framework

The Data Security Centre has a long-standing involvement in the GP IT Framework and is among those on the approval and onboarding boards.

The Specialist Security Services team oversee all submissions for new functionality and changes for each supplier listed on the framework. Many of these suppliers now offer functionality related to the vaccination effort and these specific functions have been reviewed and approved accordingly. 

Last edited: 30 March 2022 9:40 am