FAQs

Naq helps digital health innovators simplify the process of achieving compliance with frameworks like DSPT, DTAC, DCB0129, ISO 13485, GDPR, and more. Our platform streamlines the requirements needed to comply with healthcare frameworks, saving innovators over 200 hours of work each year and thousands in compliance costs, allowing them to focus on developing their solutions while staying compliant.

The NHS provides various online toolkits, resources, and guidelines to help innovators meet DTAC compliance. Industry associations and networks offer advice and support, while health innovation networks and accelerators like the NHS Innovation Accelerator support innovators, particularly in areas like compliance, to accelerate market entry.

Failing to meet DTAC standards doesn’t permanently bar you from achieving compliance or selling to the NHS. You can make the necessary changes highlighted by the procurement team and reapply. However, repeated submissions can lead to delays and increased costs, hindering market entry. Partnering with someone experienced in navigating NHS requirements can streamline the process and reduce the chance of repeated submissions.

Implementing DTAC early in your product lifecycle is crucial. If you aim to sell to the NHS or other organisations following NHS guidelines, consider compliance with DTAC, DSPT, and Cyber Essentials from the outset. Building security measures into your product from the beginning ensures ongoing compliance with GDPR and DSPT, preventing the need for costly and time-consuming retroactive changes.

The cost of DTAC compliance can vary depending on whether you handle the process internally or outsource it. Internal efforts may require around 200 hours of work. Penetration testing can cost between £800-£2,500 a day, and Cyber Essentials certification costs vary based on the size of your organisation. Outsourcing compliance to a consultancy firm can cost between £10k-£30k.

The time and effort required can vary significantly depending on the complexity of your digital health technology and current compliance status. It typically involves a thorough review, information and evidence gathering, and working through all five pillars of the DTAC. Generally, innovators can comply within 3-6 months.

  1. Clinical Safety: DCB0129 is the clinical risk management standard required by the DTAC, ensuring digital health technologies are safe for clinical use and don’t introduce new clinical risks.
  2. Data Protection: Involves compliance with the GDPR and NHS DSPT, ensuring data is handled securely.
  3. Technical Security: Demonstrates that measures are in place to protect the solution from cyberattacks, requiring evidence such as penetration testing and adherence to Cyber Essentials.
  4. Interoperability: Ensures the technology can seamlessly communicate and exchange data across the NHS, benefiting patient care.
  5. Usability and Accessibility: Ensures the product is compliant with NHS standards for accessibility and usability, creating inclusive products that are easy to use for all patients and users.

DTAC applies to digital health technologies intended for use within the NHS. This includes software, apps, and platforms that handle patient data, support clinical decisions, or provide digital health services.

A good place to start with DTAC is with the clinical risk management element. Setting up clinical risk management processes from the very start of your product’s life cycle is crucial. Next, focus on formulating your information security and privacy policies and procedures to ensure that information security risks are addressed early, and technical security measures are integrated from the beginning.

Completing DTAC isn’t a “one-off” process; it’s an ongoing compliance requirement. It is assessed at the point of procurement by the NHS and should be implemented from the start of a digital health product’s lifecycle. Digital health technologies should undergo a DTAC assessment whenever there are significant updates or changes to the technology. Continuous evaluation is crucial to maintaining compliance and ensuring patient safety.

DTAC assesses digital health technologies to identify potential risks or shortcomings, safeguarding patients from unsafe or ineffective solutions and ensuring they receive reliable, high-quality care. For example, DTAC requires manufacturers or innovators to appoint a clinical safety officer who understands clinical risk and can assess products against potential clinical hazards that may impact patients.

DTAC enhances patient safety and improves healthcare outcomes. If a digital health product lacks in any of the five areas that DTAC assesses, there’s an increased risk of negative outcomes such as cyberattacks, data breaches, clinical incidents, or exclusion of patients with certain accessibility needs. DTAC provides a standardised assessment framework, ensuring that all digital health technologies used within the NHS meet rigorous criteria.

DTAC stands for Digital Technology Assessment Criteria. The DTAC is a vital framework used by the NHS to evaluate digital health innovations based on five key criteria: Clinical Safety, Data Protection, Technical Security, Interoperability, and Usability and Accessibility. It ensures that digital technology procured by the NHS is secure, technically robust, clinically safe, and accessible for everyone.

The DSPT has three compliance levels:

  1. Approaching Standards: You’ve met some requirements and are working towards full compliance.
  2. Standards Met: You’ve met all required criteria.
  3. Standards Exceeded: You’ve gone above and beyond, often due to additional certifications like ISO 27001 or Cyber Essentials Plus.

Failure to meet the standards will be reflected in the publicly accessible DSPT database, indicating your organisation's compliance status for the year. Likewise, your status will also be reflected in the database if you meet or exceed standards.

Two challenging aspects for innovators are:

  1. Supplier Management: DSPT requires organisations to verify their suppliers' security certifications and compliance with relevant data protection standards, often through due diligence questionnaires.
  2. DPIA (Data Protection Impact Assessments): DPIAs are a requirement under GDPR, requiring organisations to assess risks to individuals' rights and freedoms when processing data. The detailed documentation and continuous review required for DPIAs can be time-consuming and complex, especially for those new to the process.

In a cloud-first world, cybersecurity is foundational to all other forms of compliance. NHS suppliers, eHealth and social care providers, and any organisation managing NHS data must comply with DSPT. Meeting DSPT standards ensures that an organisation handles data securely, adheres to legal and regulatory requirements, and plays a vital role in maintaining trust and safeguarding patient data within the NHS ecosystem.

Yes, Article 25 of the UK GDPR mandates data protection by design and by default, meaning data protection measures should be integrated from the beginning of business processes, systems, and product development. For organisations working with the NHS, it's advisable to build these requirements into your product from the start, including cybersecurity measures like encryption and regular security testing, to ensure your product is secure and compliant.

Submitting the DSPT is free. However, achieving compliance may require investment in security measures, staff training, and possibly external consultancy. Costs can vary widely, with pen testing ranging from £800-£2,500 per day and Cyber Essentials certification costing £300-£500. Cyber Essentials Plus may cost several thousand pounds, while external consultancy fees can range from a few thousand to tens of thousands of pounds.

The time and effort required depend on the size, complexity, and existing security maturity of your organisation. Starting from scratch may take around 200 hours to implement the standard's requirements, more for complex organisations or products. It's important to continuously maintain and update your policies, controls, and processes throughout the year, not just for the deadline.

Begin by familiarising yourself with the DSPT criteria, which can be downloaded from the NHS website. Conduct a gap analysis to assess your current security measures, identify areas where you need external help, and create a timeline for implementing necessary changes. Regularly review your progress and adjust as new requirements emerge.

You must submit the DSPT annually, with the deadline on June 30th. However, maintaining DSPT compliance is an ongoing process, requiring year-round attention. The toolkit changes yearly to address evolving threats, so it's crucial to stay updated and continuously comply with new requirements.

The DSPT is fundamental to patient safety in two ways:

  1. It ensures that suppliers and those handling health and social care data have the necessary security controls to reduce the risk of cyberattacks and data breaches.
  2. By implementing the data protection requirements of the NHS DSPT, organisations can guarantee that patients' rights as data subjects are respected, including transparency in data usage and ensuring that only necessary data is collected and kept secure.

Penetration tests, or ethical hacking, are critical for verifying your organisation's security. There are three types of penetration tests required by the NHS, depending on your risk profile:

  1. Infrastructure Pen Testing: Ensures attackers cannot access your IT network, servers, and computers.
  2. Application/Product Testing: Protects web applications, online pharmacies, websites, etc., from unauthorised access and modification.
  3. API Security Testing: Ensures that APIs used in NHS operations are secure and cannot be exploited by hackers.

GDPR is a legal requirement; non-compliance is illegal. The UK GDPR sets the standard for data protection across the UK, and the DSPT incorporates GDPR requirements to ensure organisations meet legal standards of data privacy and security. This includes practices like data minimisation, robust access controls, and ensuring the rights of data subjects are protected. Most health innovators must also meet additional GDPR requirements for processing special categories of data.

The National Cyber Security Centre (NCSC) recently released its Cyber Assessment Framework (CAF), which is less prescriptive than Cyber Essentials and DSPT. From September 2024, the DSPT will adopt the NCSC’s CAF, creating two versions of DSPT: one for suppliers and smaller organisations, and one for larger NHS organisations like Trusts, ICBs, and CSUs. Smaller organisations will continue with the current version, while larger ones will align with the CAF, offering more flexibility, similar to ISO 27001.

No, DTAC is focused on specific technical products being implemented in an NHS organisation, while DSPT is concerned with the overall security and privacy status of your company. However, DSPT covers essential measures such as data protection, technical security, incident management, staff training, and information governance.

It's straightforward. If you supply anything to the NHS that processes any form of data, including usernames and email addresses, you need to meet the DSPT requirements. To confirm your need for DSPT, you can visit the relevant NHS resources.

The DSPT is crucial because it ensures that patient data is handled securely, protecting patient privacy and trust. With a 300% rise in cyber incidents since 2019, robust data protection practices are more critical than ever within the NHS. The DSPT enables NHS suppliers and the NHS itself to maintain a strong cybersecurity posture.

The 10 data security standards are mandatory for all health and social care providers, including their suppliers. They are divided into three overarching pillars: people, processes, and technology. These standards cover fundamental cybersecurity measures, such as training, business continuity planning, access controls, monitoring, and continuous improvement.

DSPT stands for the Data Security and Protection Toolkit. Previously known as the Information Governance (IG) Toolkit, it's an online assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. It verifies compliance with cybersecurity and privacy requirements. The NHS uses it to ensure that organisations handle data securely and meet their legal obligations. The DSPT assesses compliance across several key areas, including data protection, confidentiality, information security, staff training, incident management, and technical security.

Naq supports a wide range of compliance standards, including:

  • GDPR
  • Cyber Essentials
  • Cyber Essentials Plus
  • ISO 27001
  • NHS DSPT
  • DTAC
  • DCB0129/0160
  • ISO 9001
  • ISO 13485
  • NEN 7150
  • ISO 82304-2
  • SOC 2
  • HIPAA
  • MOD Secure By Design

and more!

Naq is designed for startups, SMEs, enterprises, and government organisations that need to meet stringent compliance standards but wish to avoid the complexity and high costs typically associated with the process. Whether you are just beginning to lay the foundations of your compliance journey or you are a large organisation seeking to consolidate and streamline your compliance programs into a single platform, Naq provides a scalable and efficient solution.

Naq’s platform automates the creation of policies, procedures, and training essential for compliance with your chosen standards and streamlines the collection and management of your compliance evidence. Additionally, Naq acts as your organisation's compliance hub, enabling you to manage all compliance-related processes from one single platform. Automate risk assessments, generate Data Protection Impact Assessments (DPIAs), train your team, and manage audit findings to build and enhance your quality management system (QMS) - all through Naq.

Naq is an automated compliance platform that simplifies and streamlines the complex process of achieving and maintaining compliance across various standards. From essential data security and privacy regulations like GDPR and Cyber Essentials to standards such as DTAC, ISO 13485, ISO 27001, and ISO 9001, Naq's platform offers a comprehensive solution to manage your organisation's entire compliance programme, from security and privacy to quality, clinical safety, risk, and more.