The government is working towards a cyber-resilient health and social care sector between now and 2030. Because the sector's systems are complex, risks and requirements differ across it. To create a common base of cyber security standards, there is a new set of requirements for the NHS Data Security Protection Toolkit. These requirements are underpinned by the Cyber Assessment Framework (CAF), the National Cyber Security Centre’s (NCSC) standard designed for organisations responsible for vitally important services and activities, such as hospices.
The NHS Data Security Protection Toolkit (DSPT) has been updated to reflect the new criteria and is being rolled out in a phased manner.
As of September 2024, the NHS Data Security Protection Toolkit will start to adopt the CAF framework as the basis for its cyber security and information governance assurance.
This will initially be rolled out to NHS Trusts, CSUs, ALBs and ICBs who use the DSPT portal, with new CAF-aligned requirements set out in terms of objectives, principles and outcomes. Independent providers of essential key services, along with key IT suppliers, will be moved to CAF as of summer 2025. Other organisations, including hospices, are currently expected to move over in summer 2026, although this is still open to review.
The new framework will use three achievement levels: “Not Achieved”, “Partially Achieved” and “Achieved”. As with the current DSPT, organisations will self-assess their level of compliance against the indicators of best practice. Organisations will have flexibility to determine how they meet each outcome. However, for a small number of outcomes where the national risk is deemed too great, organisations will be required to use a particular approach to achieve the desired outcome, such as the multi-factor authentication policy.
An interesting point to note is that the CAF is not designed with the expectation that organisations should (ever) reach “Achieved” on all outcomes. Instead, it will set a minimum achievement level for each outcome to create a CAF profile. These levels of compliance will be established proportionately, based on the type of organisation and the threats it normally faces. Initially, the CAF profiles will start off with a similar requirement level to DSPT and will be made progressively more stringent over time to increase security.
If you’d like to find out more specific details about the changes to the framework, you can book a one-to-one workshop with our Hospice IT Specialist who can take you through the full framework and advise you on how best to prepare.
Get FREE advice on the changes in the NHS DSP Toolkit
Book a one-on-one workshop with our experienced Hospice IT Specialist today. This no-obligation session is designed to inform you about the new framework and offer guidance on how your hospice can best prepare. We’ll cover the questions below