
Why security and governance of information issues in the health and social care sector require attention from independent assessors

Data and information are critical business assets that are fundamental to the continued delivery and operation of health and care services across the UK. The health and social care sector must have confidence in the confidentiality, integrity and availability of its information assets, and must ensure that any personal data collected, stored and processed by public bodies is handled in line with the specific legal and regulatory requirements that apply to it.

The need to demonstrate an ability to defend against, block and withstand cyber-attacks and data breaches has been amplified by the introduction of the Network and Information Systems (NIS) Regulations and the UK General Data Protection Regulation (GDPR).

As such, it is essential that health and social care sector organisations impacted by those regulations take proactive measures to defend themselves from cyber-attacks and data breaches and evidence their ability to do so in line with regulatory and legal requirements.

The CAF aligned Data Security and Protection Toolkit (DSPT) is one of several mechanisms in place to support health and social care organisations in their ongoing journey to manage security and governance of information risk.  

The CAF-aligned DSPT allows organisations that have access to NHS patient data and systems to measure their performance against the 5 objectives of the Cyber Assessment Framework (CAF), providing valuable insight into the technical and operational control environment for security and governance of information, and into the relative strengths and weaknesses of those controls.

Another mechanism is to independently assess the security and governance of information control environments of health and social care organisations.

Independent assessment providers help to strengthen the trust that organisation boards, the Department of Health and Social Care and NHS England place in CAF-aligned DSPT submissions, by assessing the effectiveness of the organisation's security and governance of information controls.

This approach ensures that the controls in place are effective in securing patient data throughout the organisation’s estate, including staff handling of data and safe storage on the organisation’s systems. 

The CAF-aligned DSPT independent assessment guide must be followed by all organisations required to complete an annual CAF-aligned DSPT audit/assessment. It provides a basis for the efficient and consistent delivery of CAF-aligned DSPT independent assessments. The guide is applicable to version 2024/25 of the toolkit.


What guidance is available? 

Guidance has been developed to offer support and advice on the auditing process for CAF-aligned DSPT. This includes: 

  • CAF-aligned DSPT Independent Assessment Guide: a step-by-step guide for conducting a CAF-aligned DSPT independent assessment (this guide)
  • CAF-aligned DSPT Independent Assessment Framework: a comprehensive overview of all 47 outcomes and the 5 objectives to which they relate, including the indicative testing methodologies required to assess end user organisations' security and governance of information controls, procedures and technologies
  • Summary guide: provides summary guidance for all stakeholders involved in the Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) independent assessment

Last edited: 21 January 2025 4:05 pm