Each year, the NHS Data Security and Protection Toolkit (DSPT) is updated to reflect the latest advancements in cybersecurity, data protection, and broader industry changes. Organisations must then submit their self-assessment with this data security and protection standard by June 30th, after which the DSPT typically receives its annual update. As we approach this year’s deadline, we’ve caught a glimpse of the upcoming changes in version 7 of the toolkit - and they are significant.
Starting September 2024, some NHS suppliers will need to reassess how they tackle the toolkit as it begins to align with the UK government’s new Cyber Assessment Framework (CAF). In this blog post, we’ll explore what these changes entail for version 7 of the DSPT and how they’ll impact your organisation.
The Data Security and Protection Toolkit (DSPT), which sets the standard for ensuring that NHS suppliers and partners handle patient and service data securely, is going through some changes. From September 2024, DSPT V7 will adopt a more flexible, outcomes-based approach aligned with the principles of the Cyber Assessment Framework developed by the National Cyber Security Center (NCSC).
The CAF is structured around four overarching security objectives, each supported by a set of cybersecurity principles:
Organisations will be required to assess themselves via two profiles - baseline and enhanced - depending on their relative cyber risk exposure. For example, organisations processing large volumes of sensitive healthcare information will fall under the "advanced" profile, regardless of their size. Compliance will be measured as “Not achieved,” “Partially achieved,” and “Achieved,” with the goal not of perfection but continuous improvement and risk-based safeguarding.
-
One of the most notable changes in DSPT V7 is the move towards an outcome-based framework from the more prescriptive approach seen in previous versions of the toolkit. This shift will give organisations the flexibility to decide how to achieve specific security outcomes while adhering to certain must-do requirements.
For now, this change will predominantly affect larger NHS entities such as Trusts, CSUs, ALBs, and ICBs, with smaller organisations continuing under the current questionnaire-based system. From September, relevant organisations will encounter a new interface in the DSPT portal, guiding them through security goals aligned with the CAF principles. This self-assessment process will culminate in submission to NHS England, complemented by independent audits to verify adherence.
The upcoming update to the Data Security and Protection Toolkit (NHS DSPT) marks a significant evolution in how the NHS, its suppliers and related organisations will manage their cybersecurity requirements moving forward. With DSPT V7, there is a clear move from stringent, prescriptive requirements to a more flexible, outcome-focused framework. This shift is designed to encourage not just the achievement of compliance but its ongoing maintenance through regular updates, tailored training, and adaptive security measures tailored to the specific risks each organisation brings to the NHS and its supply chain.
The transition to a more flexible model could pose an initial challenge for organisations accustomed to the current format of the toolkit. Rest assured, we are dedicated to keeping you informed and will offer detailed guidance on adapting to these changes. Expect comprehensive updates from us once the full revisions to the toolkit are released later this year.
If you still need to comply with this year’s DSPT deadline, download our free, in-depth guide on meeting compliance with version 6 of the NHS DSPT toolkit or book a 15-minute chat with one of our NHS compliance experts.
Book a 15-minute demo and discover how Naq can take the complexity out of your compliance.