Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

Cyber, information governance and data protection guidance

Guidance on the statutory and recommended standards for Digital Services in health and care.

Consumers must understand these legal and regulatory obligations when commissioning either new services or remediation. Consumers can also specify adherence to recommended standards, or specific certifications, as a condition of the contracts awarded.

This guidance will help suppliers of Digital Services build secure services that comply with the law and regulations for health and social care. You must consider how you will meet these requirements in your planning and implementation.

You will need to demonstrate that you have met the required standards by showing how you comply with the compulsory outcomes for cyber security and data protection in the Digital Services you consume or supply. NHS Digital reserves the right to audit any supplier to health and social care for compliance.

Network security principles

The Internet First policy sets out the following network security requirements, which consumers and suppliers need to be aware of:

  1. Internet connectivity must have boundary security protection with context-based access control and stateful firewall capabilities.  If your internet connectivity is provided as an HSCN service, it will already have these features
  2. Where internet connectivity is not provided as an HSCN service, consideration should be given to additional security protection such as the NHS secure boundary service. This includes, but is not limited to, detection and reporting of anomalous network traffic.  Guidance is provided by the National Cyber Security Centre.
  3. An organisation must perform a data protection impact assessment (DPIA) before providing Digital Services over its internet connection.

Most Digital Services in health and care are currently accessed using the HSCN. Although it includes the NHS Secure Boundary Service, it is not classed as a secure network. Health and care Digital Services accessed using the HSCN must install all security measures at the Digital Services layer.

Network security guidance

Compulsory outcomes

Outcomes you must meet as a supplier of Digital Services.

Cyber security

Cyber security (also called data security) is an important outcome to be met when delivering Digital Services to health and social care settings. Suppliers will be expected to show that they describe their services against the Cloud Security Principles (which are currently required for G-Cloud and PSN Services). These are the recommended format to detail how your Digital Service delivers cyber security.

Ways to evidence your assessment of your Digital Service

As well as self-assessment of the Digital Service against the 10 steps guidance, you can use one or more of the following options to provide additional assurance for these areas.

Technical audit

Compliance of the Digital Service against the 10 steps guidance must be obtained by the use of a CHECK, Crest or Tiger testing company.  The scope of this testing must meet the current testing requirements from the Government Digital Service.

Digital service suppliers must have conducted this assessment prior to selling services to health and social care consumer, and this can be evidenced by:

  • completed assessment of the Digital Service by a CHECK, Crest or Tiger organisation
  • certification of the Digital Service to Cyber Essentials Plus

Data protection

Your Digital Service must comply with data protection requirements for health and social care in the UK.

Ways to evidence your data protection assessment of your Digital Service

Compliance approach

We will not be running a compliance regime for Internet First but may audit any supplier of Digital Services to health and care, for compliance with any standards they say they are compliant with (compliance assertions).

The outcomes in this guidance detail the requirements for cyber security and data protection for Digital Service suppliers, but it should also be recognised that the Network and Information Systems Regulations 2018 is a requirement on NHS trusts who have to comply with the DSPT as a category 1 organisation.

Because of this, Digital Service suppliers should be aware that consumers may ask for their help in meeting their own obligations within the DSPT, as set out in the Internet First policy.

Consumers may request that a supplier complies with one or more of the options from the compulsory outcomes, for example by holding certification in recommended standards or working towards certification to Cyber Essentials.

Recommended data quality standards for Digital Services

Last edited: 8 March 2022 1:19 pm