Is Cyber Essentials Mandatory for the NHS and Healthcare Organisations?
What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme that sets out a baseline of cybersecurity controls that organisations can implement to help protect against common cyber threats, such as phishing attacks and malware. The scheme is designed to be accessible and affordable for organisations of all sizes, from small businesses to large corporations.
To achieve Cyber Essentials certification, organisations must demonstrate that they have implemented a set of basic technical controls related to network security, user access control, and device configuration, among others. The certification process involves a self-assessment questionnaire and an external vulnerability scan conducted by an accredited certification body.
While Cyber Essentials certification is not currently mandatory for most organisations in the UK, there are some government contracts and tenders that require organisations to have Cyber Essentials certification.
Cyber Essentials and Healthcare
While Cyber Essentials is not currently mandatory for the NHS or healthcare organisations in the UK, in 2018, the UK government announced that all NHS organisations would be expected to meet a set of cybersecurity standards known as the 10 Steps to Cyber Security as part of their contractual obligations with the government.
In addition, some healthcare organisations may be required to achieve Cyber Essentials certification as part of their contractual obligations with other organisations, such as insurance providers or suppliers. For example, some insurance providers may require that healthcare organisations achieve Cyber Essentials certification as a condition of coverage.
Cyber Essentials and The Data Security and Protection Toolkit
The Data Security and Protection Toolkit (DSPT) is a UK government initiative that provides a similar framework for healthcare organisations to demonstrate that they are meeting national data security and protection standards, specifically, those set by the National Data Guardian.
"All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly."
Developed by NHS Digital and the Department of Health and Social Care (DHSC) in response to a growing need to improve data security and protection within the NHS and other healthcare organisations, the toolkit consists of a self-assessment questionnaire that covers a range of topics related to data security and protection, including policies and procedures, access controls, data sharing, and staff training.
Organisations that complete the toolkit are awarded a rating of either 'standards met' or 'standards exceeded', based on their level of compliance with the toolkit's requirements. The toolkit is updated on an annual basis to reflect changes in national data security and protection standards.
Unlike Cyber Essentials, the Data Security and Protection Toolkit is mandatory for all NHS organisations and their partner organisations that handle NHS patient data. It is also recommended for other healthcare organisations, such as private hospitals and clinics, that handle sensitive personal data.
It is also worth noting that, in a recent update intended to "reduce the burden on individual organisations from having to respond to multiple standards, the requirements for Cyber Essentials have been included within the 2020-21 DSPT for NHS Trusts and Foundation Trusts." This means that completing the Data Security and Protection Toolkit gives the equivalent of Cyber Essentials Plus.
While Cyber Essentials is not specific to healthcare organisations, it is applicable to all organisations that handle sensitive information, including those which handle patient data.
One of the five key controls required for Cyber Essentials certification is user access control, which involves ensuring that only authorised users have access to sensitive information. This is particularly relevant to healthcare organisations, as they handle large volumes of highly sensitive patient data that must be protected against unauthorised access.
As the National Cyber Security Centre's 10 Steps to Cyber Security guidance explains, training and engagement are an essential step in mitigating risk, which is why at Hut Six we have developed effective and relevant training that gives staff the tools they need to make the correct security choices.
From detailed tutorials explaining the key concepts of information security and interactive tutorials in which users make practical decisions, to simulated phishing campaigns, Hut Six training is a great way not only to provide staff with the necessary information security skills, but also to monitor users' progress and demonstrate compliance.