IT service providers need to ensure that digital services they provide for use in health and social care are, by default, securely accessible and have the performance and integrity to operate over the internet.
This also applies to a health and social care organisation providing digital services to other organisations.
1. An information security management system (ISMS) must be maintained to ensure the security of assets and sensitive information, and it must conform to either the Data Security and Protection Toolkit (DSPT) or BS ISO/IEC 27001 and BS ISO/IEC 27002:
All organisations that have access to NHS patient data and systems MUST publish a Data Security and Protection Toolkit (DSPT) self-assessment to provide assurance that they are practising good data security and that personal information is handled correctly.
2. A security policy must be maintained which sets out the security measures to be implemented and maintained in accordance with either DSPT or BS ISO/IEC 27001, BS ISO/IEC 27002 and the Information Security Management System.
The service provider must review the security policy at least annually and update it in a timely fashion whenever the services, systems or threats it covers change.
3. Security tests must be conducted in accordance with the provisions of the service provider's security policy relating to security testing, and the tests must be independently audited by either an accredited third party or representatives of the customer. The National Cyber Security Centre provides further advice on using a penetration testing provider from its CHECK scheme.
4. Either party (service provider or customer) must notify the other immediately upon becoming aware of any breach of security. This includes an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
5. All traffic traversing the internet should be encrypted using Transport Layer Security (TLS) version 1.2 or later. In practice this means SSL 3.0, TLS 1.0 and TLS 1.1 should not be negotiable on internet-facing endpoints, TLS 1.3 should be offered where the platform supports it, and the result should be verified by probing the endpoint rather than assumed from the configuration file.
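The following script is an added example of how a service provider or customer could check the TLS requirement above; it is not part of this page or of any NHS Digital tooling. It builds a client context that refuses anything below TLS 1.2 (what a service should use for its own outbound calls), probes a hostname of your choosing for each TLS version individually, and applies the policy test: no legacy version negotiable and at least one of TLS 1.2 or 1.3 negotiable. The hostname argument, the `PROBE_VERSIONS` table and the result dictionaries are constructed for this example; the `audit` function needs network access, while `compliant` and `report` are pure and can be exercised offline.

```python
import socket
import ssl

# Constructed table of the protocol versions the probe tries, one at a time.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")
ACCEPTABLE = ("TLSv1.2", "TLSv1.3")


def hardened_client_context() -> ssl.SSLContext:
    """Context a service should use for its own outbound HTTPS/TLS calls:
    certificate chain and hostname verification on, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Context pinned to exactly one protocol version, used only to learn
    whether a server will negotiate it. Verification is deliberately off:
    the question is which versions the server offers, not whether its
    certificate is valid. Never reuse this context for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version  # raises ValueError if the local build lacks it
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it
        # for the probe so that a rejection really comes from the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds do not understand SECLEVEL
    return ctx


def accepts_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """True if the server completes a handshake at exactly `version`,
    False if it refuses, None if the local OpenSSL cannot offer that version."""
    try:
        ctx = _probe_context(version)
    except ValueError:
        return None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
        except (ssl.SSLError, ConnectionResetError, socket.timeout):
            return False


def audit(host: str, port: int = 443) -> dict:
    """Probe every version in PROBE_VERSIONS against one endpoint."""
    return {name: accepts_version(host, port, v) for name, v in PROBE_VERSIONS.items()}


def compliant(results: dict) -> bool:
    """Policy test for 'TLS 1.2 or better': no legacy version negotiable,
    and at least one acceptable version negotiable (an endpoint that
    negotiates nothing at all is not compliant, it is unreachable)."""
    if any(results.get(name) for name in LEGACY):
        return False
    return any(results.get(name) for name in ACCEPTABLE)


def report(results: dict) -> str:
    """Human-readable summary of an audit result."""
    label = {True: "ACCEPTED", False: "refused", None: "not probeable locally"}
    lines = [f"{name:8s} {label[ok]}" for name, ok in results.items()]
    lines.append("RESULT: " + ("compliant" if compliant(results) else "NON-COMPLIANT"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <hostname>")
    print(report(audit(sys.argv[1])))
```

Run it against an internet-facing endpoint you are authorised to test; a "not probeable locally" row means your own OpenSSL build cannot offer that version, so that row says nothing about the server and the probe should be repeated from a host whose OpenSSL still supports it. The `@SECLEVEL=0` cipher string is what makes the TLS 1.0 and 1.1 probes meaningful on current OpenSSL; without it the client would refuse those versions itself and every server would look compliant.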
6. Organisations should take their reliance on internet connectivity to access systems into account in their clinical risk assessments under DCB0129 (Clinical Risk Management: its Application in the Manufacture of Health IT Systems).
IT service suppliers must support interoperability across the health and social care system by ensuring that the national standards to develop and support exchange of information and data are adopted and implemented. NHS Digital provides further information on the use of Fast Healthcare Interoperability Resources (FHIR) based Application Programming Interfaces (APIs).