Cyber and data security policy and good practice in health and care

The Data Security Centre provides template policies and good practice guidance for health and care organisations, to make sure data and systems are protected. We provide example policies, good practice guidance to feed into policy development and practice, and simple user reference guides on a range of data and cyber security topics for health and care. The guidance was designed for the NHS and can be used by any health and care organisation, or associated organisations that work with health and care data or systems.

You can view by topic below, or view all cyber and data security user guides, cyber and data security good practice guides or cyber and data security example policies. For additional guidance on a range of topics, please refer to the National Cyber Security Centre website.

a
Acceptable use of information systems and technology in health and care organisations

Guidance on the acceptable use of IT equipment and systems for staff and management.

Access control in health and care organisations

Guidance on good practice in controlling access to NHS and health and care systems and services.

Anti virus and malware guidance for health and care organisations

Guidance on good practice in using anti virus software and protecting against malware for health and care systems and services.

Application security guidance for health and care organisations

Guidance on good practice in implementing policy and practice on application security in health and care.

Asset management guidance for health and care organisations

Guidance on good practice in managing information assets in health and care organisations.

Audit guidance for IT systems in health and care organisations

Guidance on information technology audits, used to confirm that the necessary security controls are in place to protect an organisation's information assets and to give early warning of potential security vulnerabilities and breaches.

b
Back up guidance for health and care organisations

Guidance on setting up back up policy and procedure to make sure an organisation's data is backed up, and can be restored, successfully.

Boundary protection guidance for health and care organisations

Guidance for health and care organisations on protecting the boundary of networks to make sure their security isn't compromised.

Bring Your Own Device (BYOD) guidance for health and care organisations

Guidance on staff using personal IT equipment such as smartphones, tablets and laptops for work purposes, to make sure access to data and systems is secure.

Business continuity guidance for health and care organisations

Guidance for health and care organisations on the factors to take into account when producing an IT and information security business continuity policy and plan, to maintain business functions at acceptable predefined levels following a disruptive incident.

c
Clear desk and screen guidance for health and care organisations

Guidance on making sure data and systems aren't compromised by being left open to viewing by people who aren't authorised to access them, by following a strict clear desk and screen policy.

Contract and supplier security guidance for health and care organisations

Guidance to make sure that the potential security risks that come with using an outsourced provider or supplier for IT or other services are assessed and managed correctly, so that systems and data are properly protected.

Cyber and data security resources

Guidance on terms used in cyber and data security and where to go for more information.

d
Data handling guidance for health and care organisations

Guidance on handling data correctly to make sure it is properly protected.

Disaster recovery guidance for health and care organisations

Guidance on putting an IT disaster recovery policy in place so that systems and data can be restored if a disruptive incident happens, through following a detailed disaster recovery plan.

e
Education and awareness guidance for health and care organisations

Guidance for health and care organisations on how to make sure their staff have a good level of awareness of IT security and understand its importance in their day-to-day jobs.

Encryption guidance for health and care organisations

Guidance on when and where encryption is needed, to make sure data is properly protected.

f
Forensic readiness guidance for health and care organisations

Guidance on preparing a Forensic Readiness Plan (FRP) so that the organisation can support any potential digital investigation without compromising evidence that may be relied upon during legal proceedings.

h
Hardware and software security guidance for health and care organisations

Guidance on how IT systems (hardware and software) should be configured and managed to maximise the protection of the confidentiality, integrity and availability of data processed.

i
Identification and authentication guidance for health and care organisations

Guidance for health and care organisations on making sure users are only allowed to access systems and data they are authorised to view, through appropriate identification and authentication mechanisms.

Information security classification guidance for health and care organisations

Guidance on the Government Security Classification Scheme (GSCS) which details how information should be classified and labelled to ensure it is dealt with at an appropriate level of protection.

Information security guidance for health and care organisations

Guidance on the overarching approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of information.

Information security incident guidance for health and care organisations

Guidance on recognising information security incidents and dealing with them appropriately to reduce any damage caused by them and learn lessons to help prevent or mitigate similar incidents in the future.

l
Legacy IT hardware and software and unsupported platforms security guidance for health and care organisations

Guidance on using legacy (obsolete and/or unsupported) hardware and software.

m
Mobile and remote working guidance for health and care organisations

Guidance for users and organisations on using mobile computing safely and securely to protect data and systems.

n
Network security guidance for health and care organisations

Guidance for organisations on putting in place proper network security to ensure that networks and the systems and data on them are protected.

p
Passwords guidance for health and care organisations

Guidance on using passwords to make sure data and systems are protected from unauthorised access.

Patching guidance for health and care organisations

Guidance on designing and implementing a patching policy to make sure data and systems continue to be properly protected.

Protective monitoring guidance for health and care organisations

Guidance on how organisations should use protective monitoring to protect systems and data.

r
Removable media guidance for health and care organisations

Guidance on the use of removable media such as USB memory sticks or external hard drives.

s
Sanitisation, reuse, disposal and destruction of electronic media: guidance for health and care organisations

Guidance to make sure IT equipment is cleared of sensitive data correctly before being reused and at the end of its life, so that information is appropriately protected from any unauthorised access.

Secure configuration guidance for health and care organisations

Guidance to help organisations configure IT systems securely to protect data and systems against unauthorised access or cyber attack.

Social media security guidance for health and care organisations

Guidance on the use of social media for health and care purposes and for use of social media on work systems and equipment.

Supply chain security guidance for health and care organisations

Guidance on making the supply chain for IT or other services as secure as possible so that data and systems are properly protected.

System acquisition security guidance for health and care organisations

Guidance on the secure source and supply of IT systems to make sure data and systems are properly protected.

t
Telecommunications security guidance for health and care organisations

Guidance on appropriate security measures when using telecommunications in support of health and care, so that data is properly protected.

v
Vulnerability assessment guidance for health and care organisations

Guidance on assessing potential vulnerabilities of new or upgraded IT systems to ensure there is adequate security and data and systems are properly protected.

Have a question? Call us on 0300 303 5678 or contact enquiries@nhsdigital.nhs.uk.