Is Cyber Essentials Mandatory for the NHS and Healthcare Organisations?

What is Cyber Essentials?

Cyber Essentials is a UK government-backed cybersecurity certification scheme that sets out a baseline of cybersecurity controls that organisations can implement to help protect against common cyber threats, such as phishing attacks and malware. The scheme is designed to be accessible and affordable for organisations of all sizes, from small businesses to large corporations.

To achieve Cyber Essentials certification, organisations must demonstrate that they have implemented a set of basic technical controls related to network security, user access control, and device configuration, among others. The certification process involves a self-assessment questionnaire and an external vulnerability scan conducted by an accredited certification body.

While Cyber Essentials certification is not currently mandatory for most organisations in the UK, there are some government contracts and tenders that require organisations to have Cyber Essentials certification.

Start trial icon

Ready to start your journey to becoming compliant?

We can help you - let's have a chat.

Book a Meeting

Cyber Essentials and Healthcare

While Cyber Essentials is not currently mandatory for the NHS or healthcare organisations in the UK, in 2018, the UK government announced that all NHS organisations would be expected to meet a set of cybersecurity standards known as the 10 Steps to Cyber Security as part of their contractual obligations with the government.

In addition, some healthcare organisations may be required to achieve Cyber Essentials certification as part of their contractual obligations with other organisations, such as insurance providers or suppliers. For example, some insurance providers may require that healthcare organisations achieve Cyber Essentials certification as a condition of coverage.

Cyber Essentials and The Data Security and Protection Toolkit

The Data Security and Protection Toolkit (DSPT) is a UK government initiative that provides a similar framework for healthcare organisations to demonstrate that they are meeting national data security and protection standards, specifically, those set by the National Data Guardian.

"All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly."

DPS Toolkit, NHS UK

Developed by NHS Digital and the Department of Health and Social Care (DHSC) in response to a growing need to improve data security and protection within the NHS and other healthcare organisations, the toolkit consists of a self-assessment questionnaire that covers a range of topics related to data security and protection, including policies and procedures, access controls, data sharing, and staff training.

Organisations that complete the toolkit are awarded a rating of either 'standards met' or 'standards exceeded', based on their level of compliance with the toolkit's requirements. The toolkit is updated on an annual basis to reflect changes in national data security and protection standards.

Unlike Cyber Essentials, the Data Security and Protection Toolkit is mandatory for all NHS organisations and their partner organisations that handle NHS patient data. It is also recommended for other healthcare organisations, such as private hospitals and clinics, that handle sensitive personal data.

It is also worth noting, in a recent update, to "reduce the burden on individual organisations from having to respond to multiple standards, the requirements for Cyber Essentials have been included within the 2020-21 DSPT for NHS Trusts and Foundation Trusts." Meaning, the equivalence of Cyber Essentials Plus is gained when the Data Security and Protection Toolkit is completed.

Start trial icon

Try our GDPR Training for Free!

Start Now

Staff Training

While Cyber Essentials is not specific to healthcare organisations, it is applicable to all organisations that handle sensitive information, including those which handle patient data.

One of the five key controls required for Cyber Essentials certification is user access control, which involves ensuring that only authorized users have access to sensitive information. This is particularly relevant to healthcare organisations, as they handle great quantities of particularly sensitive patient data that must be protected against unauthorized access.

As the National Cyber Security Centre's 10 Steps to Cyber Security guidance explains, training and engagement is an essential step in mitigating risk, which is why at Hut Six we have developed effective and relevant training that gives staff the tools they need to make the correct security choices.

From detailed tutorials explaining the key concepts of information security, interactive tutorials in which users make practical decisions, to simulated phishing campaigns, Hut Six training is a great way to not only provide staff with necessary information security skills, but to also monitor users' progress and demonstrate compliance.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.

Free Trial Book a Meeting

Featured

Who Does GDPR Apply To?

Who Does GDPR Apply To? And Other Data Protection Questions/ Information Security blog by Information security awareness provider Hut Six Security.

Do AI Chatbots like ChatGPT Pose a Cybersecurity Risk?

Does ChatGPT Pose a Cybersecurity Risk

In this blog post, we explore whether AI chatbots like ChatGPT pose a cybersecurity risk. We delve into the potential vulnerabilities and threats posed by chatbots, and discuss measures that can be taken to mitigate these risks. Read on to discover how you can ensure the security of your organisation's chatbot interactions.