Each year, the NHS Data Security and Protection Toolkit (DSPT) is updated to reflect the latest developments in cybersecurity, data protection, and the wider industry. Organisations must submit their self-assessment against this data security and protection standard by 30 June, after which the DSPT typically receives its annual update. As we approach this year's deadline, we've caught a glimpse of the upcoming changes in version 7 of the toolkit, and they are significant.
Starting September 2024, some NHS suppliers will need to reassess how they tackle the toolkit as it begins to align with the UK government’s new Cyber Assessment Framework (CAF). In this blog post, we’ll explore what these changes entail for version 7 of the DSPT and how they’ll impact your organisation.
The Data Security and Protection Toolkit (DSPT), which sets the standard for ensuring that NHS suppliers and partners handle patient and service data securely, is going through some changes. From September 2024, DSPT V7 will adopt a more flexible, outcomes-based approach aligned with the principles of the Cyber Assessment Framework developed by the National Cyber Security Centre (NCSC).
The CAF is structured around four overarching security objectives, each supported by a set of cybersecurity principles:
Organisations will be required to assess themselves against one of two profiles, baseline or enhanced, depending on their relative cyber risk exposure. For example, organisations processing large volumes of sensitive healthcare information will fall under the enhanced profile regardless of their size. Each outcome will be rated "Not achieved", "Partially achieved" or "Achieved"; the goal is not perfection but continuous improvement and risk-based safeguarding.
One of the most notable changes in DSPT V7 is the move away from the more prescriptive approach of previous versions of the toolkit towards an outcome-based framework. This shift will give organisations the flexibility to decide how they achieve specific security outcomes, while still adhering to certain must-do requirements.
For now, this change will predominantly affect larger NHS entities such as Trusts, CSUs, ALBs and ICBs, with smaller organisations continuing under the current questionnaire-based system. From September, the organisations in scope will encounter a new interface in the DSPT portal that guides them through security outcomes aligned with the CAF principles. The self-assessment process will culminate in a submission to NHS England, complemented by independent audits to verify adherence.
The upcoming update to the Data Security and Protection Toolkit (NHS DSPT) marks a significant evolution in how the NHS, its suppliers and related organisations will manage their cybersecurity requirements going forward. With DSPT V7, there is a clear move from stringent, prescriptive requirements to a more flexible, outcome-focused framework. This shift is designed to encourage not just the achievement of compliance but its ongoing maintenance through regular updates, tailored training, and adaptive security measures matched to the specific risks each organisation brings to the NHS and its supply chain.
The transition to a more flexible model could pose an initial challenge for organisations accustomed to the current format of the toolkit. Rest assured, we are committed to keeping you informed and will offer detailed guidance on adapting to these changes. Expect comprehensive updates from us once the full revisions to the toolkit are released later this year.
If you still need to meet this year's DSPT deadline, download our free, in-depth guide to achieving compliance with version 6 of the NHS DSPT, or book a 15-minute chat with one of our NHS compliance experts.