Cyber and data security policy and good practice in health and care
The Data Security Centre provides template policies and good practice guidance for health and care organisations, to make sure data and systems are protected. We provide example policies, good practice guidance to feed into policy development and practice, and simple user reference guides on a range of data and cyber security topics for health and care. The guidance was designed for the NHS and can be used by any health and care organisation, or associated organisations that work with health and care data or systems.
You can view by topic below, or view all cyber and data security user guides, cyber and data security good practice guides or cyber and data security example policies. For additional guidance on a range of topics, please refer to the National Cyber Security Centre website.
Guidance on the acceptable use of IT equipment and systems for staff and management.
Guidance on good practice in controlling access to NHS and health and care systems and services.
Guidance on good practice in using anti-virus software and protecting against malware for health and care systems and services.
Guidance on good practice in implementing policy and practice on application security in health and care.
Guidance on good practice in managing information assets in health and care organisations.
Guidance on information technology audits to make sure that the necessary security controls are in place to guard an organisation's information, to make sure its information assets are protected and to provide warning of potential security vulnerabilities and security breaches.
Guidance on setting up backup policy and procedure to make sure an organisation's data is backed up, and can be restored, successfully.
Guidance for health and care organisations on protecting the boundary of networks to make sure their security isn't compromised.
Guidance on staff using personal IT equipment such as smartphones, tablets and laptops for work purposes, to make sure access to data and systems is secure.
Guidance for health and care organisations on the factors to take into account when producing an IT and information security business continuity policy and plan, to maintain business functions at acceptable predefined levels following a disruptive incident.
Guidance on making sure data and systems aren't compromised by being left open to viewing by people that aren't authorised to access them, by following a strict clear desk and screen policy.
Guidance to make sure that the potential security risks that come with using an outsourced provider or supplier for IT or other services are assessed and managed correctly, so that systems and data are properly protected.
Guidance on terms used in cyber and data security and where to go for more information.
Guidance on handling data correctly to make sure it is properly protected.
Guidance on putting an IT disaster recovery policy in place so that systems and data can be restored if a disruptive incident happens, through following a detailed disaster recovery plan.
Guidance for health and care organisations on how to make sure their staff have a good level of awareness of IT security and understand its importance in their day-to-day jobs.
Guidance on when and where encryption is needed, to make sure data is properly protected.
Guidance to make sure the organisation can enable any potential digital investigation to be supported without compromising evidence which may be relied upon during legal proceedings, through a Forensic Readiness Plan (FRP).
Guidance on how IT systems (hardware and software) should be configured and managed to maximise the protection of the confidentiality, integrity and availability of data processed.
Guidance for health and care organisations on making sure users are only allowed to access systems and data they are authorised to view, through appropriate identification and authentication mechanisms.
Guidance on the Government Security Classification Scheme (GSCS) which details how information should be classified and labelled to ensure it is dealt with at an appropriate level of protection.
Guidance on the overarching approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of information.
Guidance on recognising information security incidents and dealing with them appropriately to reduce any damage caused by them and learn lessons to help prevent or mitigate similar incidents in the future.
Guidance on using legacy (obsolete and/or unsupported) hardware and software.
Guidance for users and organisations on using mobile computing safely and securely to protect data and systems.
Guidance for organisations on putting in place proper network security to ensure that networks and the systems and data on them are protected.
Guidance on using passwords to make sure data and systems are protected from unauthorised access.
Guidance on designing and implementing a patching policy to make sure data and systems continue to be properly protected.
Guidance on how organisations should use protective monitoring to protect systems and data.
Guidance on the use of removable media such as USB memory sticks or external hard drives.
Guidance to make sure IT equipment is cleared of sensitive data correctly before being reused and at the end of its life, so that information is appropriately protected from any unauthorised access.
Guidance to help organisations configure IT systems securely to protect data and systems against unauthorised access or cyber attack.
Guidance on the use of social media for health and care purposes and for use of social media on work systems and equipment.
Guidance on making the supply chain for IT or other services as secure as possible so that data and systems are properly protected.
Guidance on the secure source and supply of IT systems to make sure data and systems are properly protected.
Guidance on appropriate security measures when using telecommunications in support of health and care, so that data is properly protected.
Guidance on assessing potential vulnerabilities of new or upgraded IT systems to ensure there is adequate security and data and systems are properly protected.