NHS DSP Toolkit
The DSP (Data Security and Protection) Toolkit is an online self-assessment tool that enables healthcare organisations to measure their performance against the National Data Guardian’s ten data security standards.
Any organisation that handles health and social care information must use this toolkit as an assurance framework to evidence that they are practising good data security and that personal information is managed correctly.
“Data security incidents, such as the May 2017 global ransomware attack which affected NHS services, as well as other public services and private companies in many other countries, have highlighted the potential for cyber-attacks to disrupt services by having a direct impact on the availability of care for patients and service users.”
- Department of Health
Importance of penetration testing in the healthcare sector
Healthcare is an attractive target for cyber criminals for two reasons: it is a rich source of valuable data, and the connectivity of healthcare technology creates significant risks. Breaches range from the theft of health information to ransomware and attacks on implanted medical devices.
How does penetration testing fit into the DSP Toolkit?
The need for annual penetration testing is highlighted in Standard 9 (data security). It details the need to have a strategy in place for protecting IT systems from cyber threats. Specific components that refer to penetration testing requirements include:
- Data Security Standard 9.2: Web applications owned by the organisation are secure against OWASP (Open Web Application Security Project) Top 10 vulnerabilities.
Applications often communicate directly with your internal database. This can offer cyber criminals a gateway to your systems and some of your most sensitive and valuable data.
Penetration testing is the most effective method to ensure that applications have been secured against the top ten most critical web application security risks, such as injection, cross-site scripting and broken authentication.
- Data Security Standard 9.3: All organisations receive a penetration test annually, whether commercially sourced or in-house. The scope of the pen-test is articulated to the SIRO [Senior Information Risk Owner] and signed by them.
The Standard also states that a penetration test should be undertaken at least annually and include the following elements:
- All web servers used by the organisation.
- Checking the security of network components that have been changed.
The pressure on healthcare organisations to improve their interconnectivity often results in inadequate security controls. Typical security gaps include the use of default passwords, remote code execution flaws, unsigned firmware and failure to address known vulnerabilities in medical software. Default accounts and vulnerabilities in web servers are also serious issues, along with systems running on outdated software.
Speak to an expert
For more information and guidance on penetration testing or packages that IT Governance offers, please contact our experts who will be able to discuss your needs further.