The role of Cyber Essentials Plus in care settings

Data security is an increasing priority for many organisations. The EU General Data Protection Regulation (GDPR), high-profile data breaches and new sector-specific frameworks such as the Data Security and Protection (DSP) Toolkit mean that many are looking for ways to improve data security practices and demonstrate their compliance with contractual and regulatory requirements.

‘Basic’ data security

There are three main new contractual and regulatory obligations facing healthcare organisations in 2018.

  • The GDPR superseded the UK Data Protection Act 1998 on 25 May 2018. Significant and wide-reaching in scope, the new law expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.
  • The Directive on security of network and information systems (NIS Directive) aims to achieve a high, common level of network and information systems security across the EU. This Directive was transposed into UK law as The Network and Information Systems Regulations 2018 (NIS Regulations) on 10 May 2018.
  • The DSP Toolkit superseded the Information Governance (IG) Toolkit from April 2018 as the standard for cyber and data security for healthcare organisations. Compliance with the DSP Toolkit requires organisations to demonstrate that they are implementing the ten data security standards recommended by the National Data Guardian Review as well as complying with the requirements of the GDPR.

The underlying goal of these frameworks is to improve basic data security – a welcome objective for the sector with the highest number of data breaches globally.

In 2014, the National Cyber Security Centre (NCSC) developed the Cyber Essentials programme, backed by the UK government, to define the controls that comprise ‘basic’ cyber security.

Cyber Essentials is a world-leading, cost-effective assurance mechanism for companies of all sizes. Achieving Cyber Essentials certification demonstrates to potential clients and suppliers that the fundamental cyber security controls have been implemented.

The controls identified in the Cyber Essentials scheme are:

Secure configuration


Access Controls

Patch management

Malware protection






Minimum requirements for care settings

Recent reviews have recommended Cyber Essentials Plus as the minimum standard for healthcare providers and partners to demonstrate that they have implemented the most basic cyber security controls. In addition to a self-assessment of the five security controls and an external vulnerability scan, Cyber Essentials Plus includes an internal network vulnerability scan and an on-site assessment to thoroughly check whether the solutions you have in place comply with the control requirements.

Cyber Essentials certification is required for any organisation looking to bid for government contracts that involve handling sensitive and personal information, which includes most health and social care contracts, or for the provision of some technical services and products.

Achieving Cyber Essentials Plus certification also allows organisations to bypass many of the requirements of the DSP Toolkit, reducing the workload and time required to achieve compliance. Speak to a healthcare expert about the DSP Toolkit and how to plan your compliance programme >>

To get started on a Cyber Essentials Plus project speak to a healthcare expert or visit the web page >>

If you haven’t heard of the GDPR…

It’s unlikely that the GDPR will have gone unnoticed and, with the Regulation now in effect, organisations must bring their practices in line with the new law or risk sanctions imposed by supervisory authorities, such as the Information Commissioner’s Office (ICO).

IT Governance offers a checklist of activities that health and social care organisations should complete to meet the requirements of the GDPR. View the checklist now >>

Most health and social care organisations will need to appoint a data protection officer (DPO). IT Governance is launching a DPO service that addresses the requirements faced by organisations that process patient data and the restricted budgets that are often a barrier for the health and social care sector. For more information or to discuss a pre-launch package, contact us at