
Planned transition from DSPT to Cyber Assessment Framework, with mandatory supplier audit highlighted

NHS England and the National Data Guardian have released a joint statement announcing that the Data Security and Protection Toolkit (DSPT) is to be phased out and replaced by the National Cyber Security Centre’s Cyber Assessment Framework (CAF). The update also notes that NHS IT suppliers will be expected to align with the standards, with supplier audits moving from voluntary to mandatory.

NHSE emphasises that the CAF “sets a high bar for achievement” and will help in providing a long-term roadmap of yearly improvements, with clear visibility around expectations over the next five years to support long-term planning and investment. It centres around five key objectives: managing risk; protecting against cyber attacks and data breaches; detecting cyber security events; minimising the impact of events; and using and sharing information appropriately.

“This approach allows professionals to use their own judgment to implement the data protection measures that best serve their organisation, patients, and service users,” NHSE adds, and it “encourages professionals to apply best practice tactics against new and emerging threats”.

NHSE and the Department of Health and Social Care have conducted a mapping exercise to ensure that CAF protections are at least equivalent to the DSPT “and in some instances stronger”, which also sought to identify any healthcare-related gaps in the original CAF. This work has led to a “health and care overlay” being added to the CAF-aligned DSPT “to make the framework fully inclusive of information governance as a discipline”. Additionally, the fifth objective around using and sharing information appropriately was developed as a result of this exercise.

Initially, the change will apply to a specific group of larger organisations, which have already been notified. It will gradually extend to other types of organisations, with NHSE notifying them and providing support through the transition process.

Dr Nicola Byrne, National Data Guardian, comments that the transition to the CAF “represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience”.

A range of resources and guidance have been made available here, including information about educational webinars to be held from September onwards.

Cyber security in the spotlight

In other news around cyber security in healthcare, HTN reported how NHSE partnered with the North East Business Resilience Centre on a pilot project designed to tackle cyber threats by delivering ‘digital health checks’ for SMEs in the social care sector in the North East and Yorkshire, including free cyber services and training.

We shared how a team from the University of Huddersfield is working on the development of a secure threat intelligence sharing platform with the aim of helping to protect AI-enabled diagnostic tools from cyber attacks.

And in July, we interviewed Chad Holmes, security evangelist at Cynerio, to talk all things cyber security in the healthcare space.