The DSPT is Evolving: Key Changes and Why They Matter
In September 2024, the Data Security and Protection Toolkit (DSPT) will undergo a significant transformation by adopting the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its basis for cyber security and information governance assurance.
What’s Changing?
- New Interface for NHS Trusts, CSUs, ALBs, and ICBs: These organizations will encounter a redesigned interface aligned with the CAF’s objectives, principles, and outcomes.
- Prescriptive Controls for Other Organizations: While other organizations will retain the current interface with a list of controls, these controls will be mapped to the CAF in the background to ensure consistency.
- Expectation Alignment: The overall expectations for cyber security and information governance controls are expected to remain reasonably comparable to the current DSPT, with adjustments only where higher standards are deemed necessary by NHSE and DHSC.
- Guidance and Support: To facilitate a smooth transition, guidance materials and webinars will be provided to help organizations understand the CAF-aligned DSPT’s content, approach, and expectations.
The Rationale Behind the Change
The decision to adopt the CAF as the primary cyber standard aligns with the 2023 health and care cyber security strategy. This shift is driven by several key benefits:
- Emphasizing Good Decision-Making: The CAF promotes a focus on informed decision-making over mere compliance, fostering a deeper understanding and ownership of information risks at the local level.
- Supporting a Culture of Evaluation and Improvement: By requiring organizations to assess the effectiveness of their practices in meeting desired outcomes, the CAF encourages a continuous cycle of evaluation and improvement.
- Creating Opportunities for Better Practice: The CAF framework prompts and enables organizations to stay ahead of emerging threats and risks by adopting new security measures.
How the CAF-Aligned DSPT Works
The new DSPT will be structured around a series of contributing outcomes, each supported by indicators of good practice categorized into three levels: “Not Achieved,” “Partially Achieved,” and “Achieved.” Organizations will continue to self-assess their compliance levels, and national assurance processes will remain largely unchanged, relying on independent audits and national sampling.
A Health and Care CAF Overlay
A custom “health and care CAF overlay” has been developed, adapting CAF terminology and expanding the framework to include eight additional contributing outcomes specifically addressing data protection, confidentiality, clinical coding, and other information governance disciplines. This results in a total of 47 contributing outcomes in the health and care CAF presented in the DSPT.
Flexibility and Directive Policies
While most indicators of good practice offer flexibility in implementation, certain outcomes deemed critical for national risk management will be subject to directive national policies. These policies will mandate specific approaches and will be integrated into the DSPT at launch.
CAF Profiles: Setting Minimum Achievement Levels
The CAF doesn’t expect all outcomes to be “Achieved” in all cases. Instead, the DSPT will define minimum achievement levels for each outcome, collectively forming a CAF profile. These profiles will vary depending on the organization type, the threats they face, and the outcome of consultations. Achieving the relevant CAF profile will be a prerequisite for a “Standards Met” grading on the DSPT.
Evolving CAF Profiles
One of the CAF’s advantages is its ability to evolve over time. The framework itself remains stable, while minimum achievement levels can be adjusted annually. This allows for better forecasting of future expectations and more effective planning by organizations.
Initial CAF Profile Development
The initial CAF profile for 24-25 has been drafted by mapping current DSPT requirements to the CAF, creating a “legacy profile.” Some outcome levels have been raised above this legacy profile to ensure at least the same level of stringency as the current DSPT. Frontline organizations are being consulted to gather feedback on this proposed profile.
Continued Prescriptive Approach for Smaller Organizations
It’s anticipated that the DSPT will maintain a more prescriptive, controls-based approach for smaller organizations, at least initially. However, these controls will eventually be derived from a CAF profile tailored to their specific organization type.
The Bigger Picture
By adopting the CAF, the health and care sector gains a standardized framework consistent with other sectors. This framework offers scalability and adaptability, enabling expectations to be adjusted over time to reflect changing threats and capabilities.