Adopting the Cyber Assessment Framework

What it Means for NHS DSPT in 2024

‍

In September 2024, we will see a significant shift in how data security is managed across the healthcare sector. The Data Security and Protection Toolkit (DSPT) is undergoing changes to align with the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). This update is a direct result of the Department of Health and Social Care’s (DHSC) commitment to bolster cyber resilience as part of its cyber security strategy through 2030.

‍

But what exactly does this alignment mean for organisations, and how will it impact the way cyber security and information governance (IG) are approached?

‍

The Shift to CAF-Aligned DSPT: A Focus on Outcomes

‍

The move towards a CAF-aligned DSPT brings a fresh approach to cyber security in the healthcare sector. The framework is designed to focus less on rigid compliance checklists and more on principles and expert judgment. This will allow organisations to make informed decisions about their security measures, ensuring they focus on achieving key outcomes rather than simply meeting minimum standards.

‍

In essence, this shift will influence how people, processes, and technology are evaluated and assured within an organisation. It’s not just about having the right tools in place—it’s about making sure those tools are being used effectively, and that the organisation as a whole is well-equipped to manage and mitigate cyber risks.

‍

Why the Change Matters: Three Key Goals

‍

This update to the DSPT isn’t just about making a change for the sake of it. The goals behind aligning the toolkit with the CAF are designed to drive meaningful improvements in how organisations think about and approach cyber security. Here’s what those goals look like:

‍

1. Good Decision-Making Over Compliance:The CAF-aligned DSPT encourages organisations to shift their focus from simply ticking compliance boxes to understanding and managing information risks at a local level. Cyber risks are dynamic and complex, so having a one-size-fits-all approach doesn’t work. By fostering better understanding and ownership of these risks, local organisations can make more informed decisions about what security measures are truly necessary.
2. Building a Culture of Evaluation and Improvement:Rather than settling for a compliance pass, organisations will need to regularly assess how effective their practices are at achieving the desired outcomes. This promotes a culture of continuous improvement, where the focus is on what works rather than what’s easiest to implement. This kind of iterative approach is essential in a world where cyber threats are constantly evolving, and organisations must stay ahead of the curve.
3. Creating Opportunities for Better Practice:Finally, the CAF-aligned DSPT opens the door for organisations to adopt better practices by staying current with new security measures. As the threat landscape changes, so too must the strategies organisations use to protect themselves. The CAF framework enables organisations to adapt to these changes, ensuring that they are always equipped to meet emerging risks head-on.

‍

How to Prepare for the Transition

‍

With the changes set to take effect in September 2024, organisations need to start preparing now. While the shift towards a CAF-aligned DSPT will require adjustments, it also presents a valuable opportunity to rethink how cyber security is handled at a local level.

‍

Here are a few steps organisations can take to prepare:

‍

• Assess Current Practices: Begin by reviewing your existing cyber security and IG practices. Are they focused on compliance, or are they truly effective in managing risks?
• Engage with Leadership: Ensure that decision-makers within the organisation understand the importance of this shift. Moving from a compliance-driven model to a more flexible, outcome-focused approach will require buy-in at all levels.
• Invest in Training: Equip your team with the skills and knowledge they need to understand and implement the CAF principles effectively. This will be key in ensuring a smooth transition and in maintaining strong security measures moving forward.
• Stay Informed: The threat landscape is constantly changing, and so too will the security measures required to protect against those threats. Stay up to date with the latest developments in cyber security and ensure your organisation is prepared to adapt as needed.

‍

Conclusion

‍

The upcoming changes to the DSPT, aligned with the CAF, signal a transformative moment for data security in the healthcare sector. By shifting the focus from compliance to outcomes, these changes will empower organisations to take ownership of their information risks and continuously improve their security measures.

‍

For organisations willing to embrace this shift, the benefits are clear: more effective cyber security, a stronger culture of improvement, and the ability to stay ahead of evolving threats. As September 2024 approaches, now is the time to start preparing for a more flexible, future-proof approach to data security.