The NHS Digital Data Security Centre provides advice and guidance to health and social care organisations. It offers best practice advice along with a knowledge base of security information for day-to-day security operational functions, to assist health and social care organisations in key infrastructure management decisions.
The links below provide further information on these services.
NHS cyber security and CareCERT
Caldicott Guardian
Note that the guidelines provided are general good practice, and should be applied regardless of the network used, whether HSCN, the internet, cloud service connectivity, regional wide area networks (WANs) or direct connectivity to a supplier's data centre.
The sections covered within the appendices of this document refer to various security principles and guidelines. These principles and guidelines should be taken into consideration when an NHS organisation begins the process to procure HSCN business applications.
In addition, it is important to protect your local service whenever using cloud services. The National Cyber Security Centre's best practice guidance provides support in this context:
10 Steps to Cyber Security
When procuring application services, the areas listed below should be considered in support of requirements on the service provided by a commercial third party supplier, regardless of the network connectivity method.
Cloud security principles
The National Cyber Security Centre publishes guidance on implementing security in cloud applications. These principles are useful for all application deployments even if hosted locally.
These principles should be used to assess all remotely hosted/cloud hosted applications.
Government frameworks include assessments of services against these principles.
NCSC also provides guidance on:
ISO27001
A good example of a standard used for security governance and operational controls.
Data Security and Protection Toolkit Assessment
Any commercial third party provider of applications needs to produce a Data Security and Protection Toolkit assessment. This is no longer tied to connection agreements for a specific network, as it applies regardless of the networks used for data transit.
The Data Security and Protection Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian's ten data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.