When looking to supply services to the NHS, demonstrating a solid commitment to data security and compliance is paramount. With a rise in security incidents across the NHS, coupled with the increasingly digital landscape of healthcare and a growing number of third-party suppliers, it is now crucial for current and prospective NHS suppliers to sufficiently prove that they can handle NHS data securely. For most NHS suppliers, this means meeting compliance with the NHS Data Security and Protection Toolkit (NHS DSPT).
For this blog, we’ll be focusing on the role of Cyber Essentials in meeting the NHS DSPT requirements. For an in-depth guide on NHS DSPT compliance and what the framework entails, take a look here.
On the journey toward NHS DSPT compliance, organisations must implement various data security frameworks, including Cyber Essentials. Cyber Essentials is a UK government-backed cyber security scheme providing organisations with a solid data security foundation, aligning them with several of the necessary standards to achieve NHS DSPT compliance.
In this blog post, we will delve into the pivotal role that Cyber Essentials plays in meeting the NHS DSPT requirements. We’ll demystify the certification process and provide some crucial considerations for NHS suppliers. By understanding the significance of Cyber Essentials and its connection to NHS DSPT compliance, you will be well-prepared to enhance your data security measures, navigate NHS supplier requirements with confidence, and safeguard the integrity of valuable patient data.
The UK government introduced the Cyber Essentials scheme in 2014 to bolster the cybersecurity posture of businesses throughout the country. This scheme, also known as CE, allows organisations to receive a government-backed certification, highlighting that they have implemented the security controls outlined in the Cyber Essentials guidance. After successful completion, organisations are awarded a certificate and badge as tangible proof that they meet the scheme’s standards.
To ensure ongoing compliance and protection against evolving threats, organisations are required to renew their certification annually. This renewal process reflects the scheme’s commitment to promoting continuous improvement and ensuring that organisations stay updated with the latest cybersecurity practices.
It’s worth noting that compliance with Cyber Essentials has become a requirement for organisations bidding on government contracts, including those with the NHS. So, if you’re aiming to become an NHS supplier, Cyber Essentials is a key component you need to consider. Depending on the nature of the data you handle, you may also need to meet the requirements of Cyber Essentials Plus, which involves an external auditor verifying your security measures.
Naq automates compliance for companies looking to work with the NHS. From Cyber Essentials and NHS DSPT to DTAC and clinical risk frameworks like DCB 0129, Naq gets NHS suppliers compliant in weeks, not months, by automating over 80% of the process. Accelerate your way to NHS supplier success with Naq. Learn more here.
The Cyber Essentials scheme outlines the fundamental cybersecurity measures organisations can adopt to safeguard themselves from cyber threats. Notably, many of the cybersecurity requirements outlined within the NHS Data Security and Protection Toolkit (DSPT) are directly influenced by Cyber Essentials.
Cyber Essentials focuses on five essential security controls organisations should have in place to defend against the most common cyber risks. These controls include firewalls, secure configuration, access control, antivirus and anti-malware, and software updates. If you’ve seen the NHS DSPT questionnaire, you’ll recognise these controls as some of the things suppliers must do to meet the NHS standards.
Beyond being a requirement under the NHS DSPT, obtaining Cyber Essentials certification offers several additional benefits for organisations aspiring to become NHS suppliers. Firstly, achieving the Cyber Essentials certification enhances the credibility and trustworthiness of your business, not only as an NHS supplier but also as an organisation that takes the handling of your customers’ data seriously. This recognition instils confidence in customers and partners, assuring them of your commitment to robust cybersecurity practices.
The initial step on your certification journey is determining your organisation’s certification scope. While Cyber Essentials is generally adequate for most NHS suppliers, those handling sensitive information may be required to comply with Cyber Essentials Plus. Once you have identified the appropriate certification level, the next step is understanding the actions needed to meet the certification requirements. A helpful approach is to review this year’s Cyber Essentials questionnaire, which outlines each specific requirement for compliance.
After familiarising yourself with the Cyber Essentials requirements, it is essential to conduct a thorough assessment of your organisation’s current cybersecurity practices. This assessment will help identify any gaps or areas that require improvement as they relate to the Cyber Essentials security controls.
For instance, you can begin by reviewing your access controls, identifying which individuals within your business have access to critical or sensitive systems and whether their access level is appropriate. Keep a detailed document trail of your findings, the gaps you’ve identified and the steps you’ve taken to resolve them, as this will serve as your evidence for certification.
To support your responses in the self-assessment questionnaire, you must provide evidence demonstrating your organisation’s implementation of the CE security controls. This evidence can include documentation, screenshots, policies, or other proof which validates that your organisation has the necessary security controls to meet the Cyber Essentials requirements.
You must ensure that the evidence you provide as part of the self-assessment aligns with the specific cyber security controls being assessed and that it adequately demonstrates your organisation’s adherence to those controls. Simply stating that users within your organisation use secure passwords isn’t enough; you will also be required to provide details of your organisation’s password policy and how you ensure that adherence to this policy is maintained.
Once you’ve understood the CE requirements, addressed any security gaps, and collected the necessary evidence, it’s time to complete the self-assessment questionnaire. You have two options: you can complete the certification yourself through the IASME website or enlist the assistance of an IASME-verified certification body like Naq. Working with a certification body offers the advantage of having experts review your application, spot any potential shortcomings, and guide you towards successful certification.
Naq saves NHS suppliers over 180 hours of manual NHS compliance work annually and thousands in consulting fees. Click here to discover how Naq can automate your compliance with Cyber Essentials, NHS DSPT, DTAC and more.
Once you have completed the self-assessment questionnaire and gathered the required evidence, you will submit your application for review. Certified Cyber Essentials assessors will evaluate your submission, assessing the evidence provided and verifying whether your organisation meets the requirements for certification.
If your organisation meets the requirements, you will be awarded either Cyber Essentials certification or Cyber Essentials Plus certification, depending on the level of assurance achieved. This certification validates that your organisation has implemented the essential security controls and met the necessary criteria for Cyber Essentials compliance. If your organisation has failed to meet the requirements, you’ll be given feedback explaining why, along with the opportunity to address any gaps identified in your submission.
When pursuing Cyber Essentials certification as an NHS supplier, there are essential factors to bear in mind:
Additional compliance requirements: While most suppliers will be focused on NHS DSPT compliance, it’s important to note that certain organisations will have additional compliance obligations. These include organisations handling particularly sensitive information or supplying software, applications or medical devices to the NHS. These organisations must meet additional compliance frameworks such as the NHS Digital Technology Assessment Criteria (DTAC), Cyber Essentials Plus, ISO27001 and clinical risk frameworks such as DCB 0129.
Additional Requirements within the NHS DSPT: While Cyber Essentials covers some fundamental security controls, it’s important to note that the NHS Data Security and Protection Toolkit (NHS DSPT) includes additional obligations such as staff training and specific data compliance measures. To achieve comprehensive compliance, you must ensure your organisation understands and implements these other requirements alongside Cyber Essentials.
Yearly Renewal and Continuous Compliance: Cyber Essentials and the NHS DSPT require annual renewal and often feature new security and data compliance controls. However, simply renewing your certification and forgetting it until the following year can lead to unnecessary stress and potential compliance issues.
To avoid this, we highly recommend that suppliers aim for continuous compliance. This involves actively monitoring the Cyber Essentials and NHS DSPT requirements throughout the year rather than treating compliance as a one-time task.
Continuous compliance offers several benefits. Firstly, it reduces the burden of gathering additional evidence and making changes during renewal. Instead, you can focus on addressing the new requirements introduced each year. Secondly, it helps your organisation stay aligned with the evolving cybersecurity landscape. By regularly reviewing and updating your compliance measures, you can proactively mitigate risks and ensure the security of sensitive information.
In conclusion, Cyber Essentials plays a vital role in achieving compliance with the NHS DSPT and meeting the security requirements set by the NHS. However, it is crucial to understand that compliance with Cyber Essentials or the NHS DSPT should not be viewed as the final destination for NHS suppliers.
In addition to Cyber Essentials, there are other essential requirements that all suppliers must fulfil to comply with the NHS DSPT. This includes implementing a robust data compliance program that aligns with the UK-GDPR and data protection regulations and a comprehensive staff security training program that keeps up with the NHS DSPT requirements. These additional measures ensure that sensitive patient information is handled and protected appropriately and that patient privacy is safeguarded.
While achieving compliance with Cyber Essentials and the NHS DSPT is crucial, it is equally important for suppliers to strive for continuous compliance. This means actively monitoring and addressing any changes in security threats and data protection laws and continuously improving their security practices accordingly. By maintaining a continuous compliance approach, suppliers can ensure the ongoing protection of patient data and the security of their own business data.
Accelerate your journey to becoming an NHS supplier with Naq. Our compliance automation platform empowers British and European companies to meet their NHS supplier requirements effortlessly. By automating compliance with frameworks such as NHS DSPT, DTAC, Cyber Essentials, ISO27001, and more, Naq enables organisations to grow by positioning themselves as trusted NHS suppliers. Click here to learn more.