The National Data Guardian (NDG) and NHS England have announced a significant update to how health and social care organisations measure and self-report their data security capabilities.
This change, part of the Department of Health and Social Care’s cyber security strategy for health and social care: 2023 to 2030, aims to align health and care with cyber resilience standards across other sectors.
Starting from 2 September 2024, the NHS Data Security and Protection Toolkit (DSPT) will gradually transition from using the NDG’s 10 data security standards to the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its underpinning assessment mechanism.
DSPT is an online self-assessment tool health and care organisations use to demonstrate compliance with date security standards.
NHS England will notify organisations when it is their turn to transition and guide them through the process.
Introduced in the National Data Guardian’s 2016 review of data security, consent, and opt-outs, the 10 data security standards have been essential in protecting patient information by encouraging a focus on three key areas: people, process and technology.
NHS England and NDG said that keeping data safe is a "continually evolving challenge as it adapts to new threats and innovations".
While these core principles remain fundamental within the CAF, the rapidly changing landscape of technology and cyber threats requires the more advanced approach the CAF provides.
Dr. Nicola Byrne, the National Data Guardian, said: "I fully support this transition to the CAF. It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience. I remain committed to supporting NHS England in maintaining and advancing the highest standards of data security across health and care."
You can read the full statement here.