Home / Services / NHS DTAC

NHS DTAC · Digital Health Suppliers

NHS DTAC Penetration Testing for Digital Health Suppliers

NHS DTAC · Digital Health Suppliers NHS DTAC Penetration Testing for Digital Health Suppliers The DTAC requires independent evidence of your product's technical security. We provide it: a manual penetration test, findings mapped to OWASP and rated with CVSS, and a report written for your DTAC submission.

Overview

Where digital health suppliers get stuck

The Digital Technology Assessment Criteria (DTAC) is the baseline every NHS organisation uses to assess a digital health product before they buy or deploy it. It covers clinical safety, data protection, technical security, interoperability and usability, and its technical security section is where most suppliers get held up, because it asks for evidence you can't produce overnight.

If you build a patient-facing app, a clinical SaaS platform or an API that touches NHS data, you'll be asked for this evidence during due diligence. We provide the independent penetration testing and reporting that clears the gate, so your NHS deal keeps moving.

What you'll receive

  • Scoping: a test plan aligned to the DTAC technical assurance criteria and your product architecture
  • Testing: application, API, infrastructure and cloud testing covering the DTAC security requirements
  • Executive report: a summary suitable for NHS buyers and your DTAC submission
  • Technical report: findings rated by CVSS with clinical-safety-aware context
  • Remediation: prioritised guidance to close gaps before your DTAC assessment
  • Retest & evidence: a retest of fixes and evidence formatted for your DTAC response

Technical Security Section

What the technical security section expects

The DTAC scores five areas. Technical security is the one that needs an independent partner. Here is what NHS assessors look for, and how we cover each part.

Cyber Essentials baseline

The DTAC expects a current Cyber Essentials certificate, and Cyber Essentials Plus for higher-risk systems handling patient data. We assess your environment against both and guide you through certification.

Independent testing evidence

Assessors want a manual assessment carried out by an external party against recognised standards, not an automated scan. Our consultants examine your application, API and infrastructure in depth.

A DTAC-ready report

An executive summary and a technical report, every finding mapped to OWASP and scored with CVSS, with clear remediation guidance. This is the artefact you hand to your NHS buyer.

Fix and re-verify

The DTAC is about showing you act on what is found. We re-verify your Critical and High findings and confirm closure in writing, so your evidence pack holds up under review.

One Engagement

How we run a DTAC engagement

01

Scope

Tell us your stack, whether that is a web app, API, mobile or cloud. We agree a clear scope and return a fixed quote, with no obligation to proceed.

02

Assess

Our consultants carry out a thorough manual assessment against OWASP, concentrating on the areas NHS buyers weigh most heavily: how you handle authentication, restrict access, separate tenants and protect data.

03

Report

You receive an executive summary and a CVSS-scored technical report, prepared so it fits directly into your DTAC submission and information-governance due diligence.

04

Re-verify and confirm

We re-verify your Critical and High findings and provide written confirmation of closure, so the evidence you hand over holds up when your buyer reviews it.

DTAC Assessment Areas

The five DTAC assessment areas

01

Clinical Safety

Confirms the supplier has established a clinical safety management system and named clinical safety officer in line with DCB0129, ensuring the product is safe for use in a clinical setting.

02

Data Protection & Privacy

Assesses compliance with UK GDPR and the Data Protection Act, covering lawful basis, data flows, DPIAs and appropriate handling of personal and special-category data.

03

Technical Security

The core of our engagement. Penetration testing and security assessment against Cyber Essentials and NHS technical standards, producing the assurance evidence the DTAC requires.

04

Interoperability

Reviews adherence to recognised interoperability standards so your technology can integrate and exchange data reliably within the wider NHS ecosystem.

05

Usability & Accessibility

Confirms the product meets accessibility standards and usability expectations, so it works for the full range of NHS staff and patients who will rely on it.

FAQ

Frequently asked questions

Is penetration testing mandatory for the DTAC?

The technical security section asks for evidence of penetration testing and how regularly it is carried out. In practice, NHS buyers expect an independent test against recognised standards such as OWASP before procurement progresses, so while the wording is about evidence, a test is effectively required. We deliver both the test and a report built for exactly this.

What is a DTAC-ready penetration test report?

An executive summary alongside a full technical report: every finding mapped to OWASP, rated with CVSS, paired with practical remediation advice, and backed by written confirmation that your Critical and High issues have been re-verified. It is prepared to fit directly into your DTAC submission and your buyer's due diligence.

What types of product can you test for the DTAC?

We cover the full range of digital health products, including web applications, iOS and Android apps, APIs, cloud environments such as AWS, Azure and GCP, and the infrastructure behind them. Whichever applies to you, our attention goes to the questions NHS buyers press hardest on: how users are authenticated and sessions managed, how access is controlled, how one customer's data is kept separate from another's, and how well your APIs and third-party integrations are secured.

What is the difference between the DTAC and the DSPT?

The DTAC assesses whether a specific product is fit for an NHS buyer to adopt. The Data Security and Protection Toolkit (DSPT) assesses whether your organisation is fit to handle NHS patient data, and is renewed annually. The DTAC applies when you put a product in front of an NHS buyer; the DSPT applies if your organisation handles NHS patient data; both apply if you are doing the two together. They overlap on security evidence, and each expects an independent penetration test, so we support suppliers with both.

What are the most common issues you find?

Recurring findings include gaps against Cyber Essentials, weak authentication and access control, insufficient separation of patient data in multi-tenant systems, insecure APIs, and a lack of independent testing evidence, all of which NHS buyers probe during due diligence.

Speak to us before your next NHS milestone

Your buyer's due diligence will ask for security evidence. Talk to a consultant about the technical security testing you need, or get a fast, transparent quote.