Cyber, information governance and data protection guidance

Guidance on the statutory and recommended standards for Digital Services in health and care.

Legal responsibilities

Cyber security (also called data security within health and social care) and data protection are crucial factors in providing services over the public internet. Consumers and suppliers of Digital Services are both responsible for ensuring they meet minimum standards in these areas, especially when they are enforced by legal and regulatory obligations (where the law or relevant government regulation says certain standards have to be met).

Consumers must understand these legal and regulatory obligations when commissioning either new services or remediation. Consumers can also specify adherence to recommended standards, or specific certifications, as a condition of the contracts awarded.

This guidance will help suppliers of Digital Services build secure services that comply with the law and regulations for health and social care. You must consider how you will meet these requirements in your planning and implementation.

You will need to demonstrate that you have met the required standards by showing how you comply with the compulsory outcomes for cyber security and data protection in the Digital Services you consume or supply. NHS Digital reserves the right to audit any supplier to health and social care for compliance.

Network security principles

The Internet First policy sets out the following network security requirements, which consumers and suppliers need to be aware of:

Internet connectivity must have boundary security protection with context-based access control and stateful firewall capabilities. If your internet connectivity is provided as an HSCN service, it will already have these features
Where internet connectivity is not provided as an HSCN service, consideration should be given to additional security protection such as the NHS secure boundary service. This includes, but is not limited to, detection and reporting of anomalous network traffic. Guidance is provided by the National Cyber Security Centre.
An organisation must perform a data protection impact assessment (DPIA) before providing Digital Services over its internet connection.

Most Digital Services in health and care are currently accessed using the HSCN. Although it includes the NHS Secure Boundary Service, it is not classed as a secure network. Health and care Digital Services accessed using the HSCN must install all security measures at the Digital Services layer.

Network security guidance

ARTICLE

Health and Social Care Network

HSCN is the centrally managed national private network with internet breakout capability. Organisations are likely to have HSCN in place (primarily as a requirement to access national Digital Services). HSCN connectivity can be procured as a preferred internet service provision.

ARTICLE

NHS Secure Boundary service

Provides a perimeter security solution offering protection against security threats. The solution uses next generation firewall (NGFW) and web application firewall (WAF) protection to protect internet traffic from digital and cloud-based threats.

Compulsory outcomes

Outcomes you must meet as a supplier of Digital Services.

Cyber security

Cyber security (also called data security) is an important outcome to be met when delivering Digital Services to health and social care settings. Suppliers will be expected to show that they describe their services against the Cloud Security Principles (which are currently required for G-Cloud and PSN Services). These are the recommended format to detail how your Digital Service delivers cyber security.

ARTICLE

NCSC Cloud Security Principles

The National Cyber Security Centre (NCSC) Cloud Security Principles represent best practice from the UK government’s national technical authority for Cloud security. NHS Digital requires that all Digital services completes an assessment of their Digital services against these principles by any supplier providing services to the NHS.

ARTICLE

Cyber security 10 steps guidance

The National Cyber Security Centre (NCSC) 10 steps to cyber security present best practice from the UK national technical authority on cyber security and the key areas to address. You must perform an assessment of these areas before you supply a Digital Service.

Ways to evidence your assessment of your Digital Service

As well as self-assessment of the Digital Service against the 10 steps guidance, you can use one or more of the following options to provide additional assurance for these areas.

ARTICLE

Cyber essentials

Cyber Essentials provides a scheme which allows organisations to obtain a formal certification that they have either conducted a self-assessment (Cyber Essentials) or obtained an audit (Cyber Essentials Plus) of their compliance against the requirements of the 10 steps guidance.

ARTICLE

PSN Service Security Standard

Assess your Digital Service against the PSN Service Security Standard and get a compliance certificate.

ARTICLE

G-Cloud requirements

Assess your Digital Service for compliance against G-Cloud requirements.

ARTICLE

ISO/IEC-27001: 2013/2017

Certify your Digital Service as an Information Security Management System (ISMS) under ISO/IEC-27001:2013/2017 which incorporates the requirements from the 10 steps guidance.

ARTICLE

Data Security and Protection Toolkit

You can evidence the assessment of your Digital Service through completion of the Data Security and Protection toolkit (DSPT) as a category 3 organisation. The Data Security and Protection Toolkit (DSPT) is designed to ensure that all organisations within health and social care can evidence their compliance to cyber security and data protection requirements within a UK setting, and ensures compliance to the National Data Guardian Data Security Standards (aligned with relevant data standards for health informatics and the Data Protection Act). The DSPT uses different categories of organisations that have access to NHS patient data and systems to define the requirements for the different types of organisations, ranging from NHS Trusts, through to suppliers and GPs. Completion of this toolkit is required by December 2021 by suppliers to provide assurance that they are practising good data security and that personal information is handled correctly.

Technical audit

Compliance of the Digital Service against the 10 steps guidance must be obtained by the use of a CHECK, Crest or Tiger testing company. The scope of this testing must meet the current testing requirements from the Government Digital Service.

Digital service suppliers must have conducted this assessment prior to selling services to health and social care consumer, and this can be evidenced by:

completed assessment of the Digital Service by a CHECK, Crest or Tiger organisation
certification of the Digital Service to Cyber Essentials Plus

Data protection

Your Digital Service must comply with data protection requirements for health and social care in the UK.

ARTICLE

Data Protection Act 2018

The Data Protection Act 2018 (DPA 2018) was used to implement the General Data Protection Regulation (called the applied GDPR in the UK), and the Information Commissioner’s Office (ICO) detailed 12 steps to consider in preparation for the compliance with these requirements, allied with GDPR security outcomes published to define security of processing within the UK. You must assess your Digital Service against these areas before you supply it.

Ways to evidence your data protection assessment of your Digital Service

ICO GDPR 12 steps guidance

pdf

You can self-assess your digital service against the ICO's 12 steps guidance.

ARTICLE

GDPR security outcomes

You can self-assess your Digital Service against the GDPR outcomes published by the ICO and NCSC. These identify outcomes to be met for Article 32 in the applied GDPR for security of processing personal data. These outcomes are also met within the DSPT.

ARTICLE

Data Security and Protection Toolkit

You can evidence compliance in your DSPT submission.

Compliance approach

We will not be running a compliance regime for Internet First but may audit any supplier of Digital Services to health and care, for compliance with any standards they say they are compliant with (compliance assertions).

The outcomes in this guidance detail the requirements for cyber security and data protection for Digital Service suppliers, but it should also be recognised that the Network and Information Systems Regulations 2018 is a requirement on NHS trusts who have to comply with the DSPT as a category 1 organisation.

Because of this, Digital Service suppliers should be aware that consumers may ask for their help in meeting their own obligations within the DSPT, as set out in the Internet First policy.

Consumers may request that a supplier complies with one or more of the options from the compulsory outcomes, for example by holding certification in recommended standards or working towards certification to Cyber Essentials.

Recommended data quality standards for Digital Services

ARTICLE

International Organisation for Standardisation ISO 9000-1: Quality Management

ISO 9001 sets out the criteria for a quality management system and is the only standard in the family that can be certified to (although this is not a requirement). It can be used by any organization, large or small, regardless of its field of activity. It is based on a number of quality management principles, including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement.

ARTICLE

International Organisation for Standardisation ISO 8000-1: Data Quality

ISO 8000 is the global standard for Data Quality and Enterprise Master Data. It describes the features and defines the requirements for standard exchange of Master Data among business partners. It provides assurance that your data management and architecture controls are of a high standard – this is especially important in health and care settings.

Last edited: 8 March 2022 1:19 pm