Digital healthcare update: NHS launches new cyber security framework

Published: 12th November 2024
Area: Med Tech

NHS bolsters cyber defenses with new DSPT framework for patient data protection

In September 2024, the Data Security and Protection Toolkit (DSPT) transitioned to using the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) as the foundation for its cybersecurity and information governance assurance, to strengthen the protection of patient data and healthcare systems in response to increasing cyber threats. As healthcare becomes increasingly digital and interconnected, safeguarding vast amounts of sensitive information and ensuring the uninterrupted delivery of critical services has never been more crucial.

What are the changes healthcare organisations need to be aware of?

  1. CAF Alignment: The Cyber Assessment Framework (CAF), developed by the National Cyber Security Centre (NCSC), provides a more robust and detailed approach to assessing cybersecurity readiness. The DSPT will start incorporating more CAF-aligned measures to strengthen security posture. This includes:
    • Risk Management: A stronger focus on identifying and managing cyber risks across healthcare organisations.
    • Security Controls: Enhanced security measures that mirror CAF’s stringent guidelines, particularly on incident management, asset protection, and supply chain security.
    • Reporting & Assurance: CAF’s structured reporting standards will be integrated into DSPT, improving transparency and providing clearer metrics on compliance levels.
  2. More Detailed Incident Management: A shift towards requiring healthcare organisations to have more comprehensive incident response plans and business continuity strategies. The aim is to ensure that organisations are prepared for cyber incidents and can quickly recover while maintaining patient care and safety.
  3. Supply Chain Management: An emphasis on managing third-party risks, as required under the CAF. Healthcare organisations will need to demonstrate that their suppliers and partners meet high security standards.
  4. Governance and Accountability: Greater scrutiny on the role of leadership in cybersecurity, ensuring that senior management understands and actively oversees cybersecurity risks.

Who is affected by these changes?

As of September 2024, those named below are expected to meet the CAF-aligned requirements by the end of 2024.

  • NHS Trusts and Foundation Trusts
  • Commissioning Support Units (CSUs)
  • Arm’s Length Bodies (ALBs) of the Department of Health and Social Care (DHSC)
  • Integrated Care Boards (ICBs)

Other organisations such as GPs, dentists and IT suppliers will not be moving to the CAF-aligned DSPT in 2024-2025 and will instead transition to the CAF-aligned DSPT over the next few years. These organisations will continue using the existing framework until they receive guidance from NHS England for their transition.

How will the toolkit impact your healthcare organisation?

  • An important change for the 2024/2025 DSPT is that ‘baseline submissions,’ now called ‘interim submissions,’ are due by 31 December 2024.
  • Guidance on the new CAF-aligned DSPT standards released in September 2024 will give NHS organisations approximately three months to familiarise themselves with the new requirements and complete their gap analyses before the December interim submission deadline.
  • The deadline for publishing your full 24-25 DSPT is 30 June 2025.
  • Organisations are required to have an independent audit assessment.

How we can help you in preparing to use the CAF

At CSS Assure, we can help your healthcare organisation navigate the transition from the DSPT to the CAF by providing expert guidance and support. Our services include thorough gap analyses that identify areas needing improvement and highlight where the CAF-based requirements go beyond the current regime, so you can see where your organisation may fall short of the new requirements. From these we provide a clear roadmap to ensure your Data Security and Protection Toolkit (DSPT) submission includes these changes. We can also assist you with the new CAF-aligned DSPT requirements and help you prepare for the earlier interim submission deadlines.

With the introduction of independent audit requirements, we offer audit preparation services to ensure compliance with the new standards. Our team is on hand to ensure you are fully prepared to meet these evolving data protection and cybersecurity obligations, minimising risks while maintaining operational efficiency.

Summary

This transition represents a critical advancement in cybersecurity and information governance across NHS Trusts, Foundation Trusts, and related healthcare bodies, aligning the DSPT with CAF standards to reinforce risk management, incident response, and supply chain security. Proactive gap analysis and audit preparation will support healthcare providers in meeting these heightened standards and adapting to the evolving digital landscape. Contact a member of our team today for step-by-step support through the process.