The NHS has over 1.7 million devices in action across its network and holds a large amount of sensitive data, making it a top target for hackers worldwide. As recently as June 2023, the NHS came under attack: a ransomware incident resulted in more than one million patient records being compromised.
At Creative Networks, we are commonly asked whether NHS practices require suppliers and other operators to be certified by Cyber Essentials. Additionally, there are many queries as to whether the NHS needs to be accredited with the Cyber Essentials marker of excellence.
Carry on reading to learn more about this topic and to find out exactly what level of security compliance your company should have if you plan on working with the NHS.
What Does the NHS Cyber Security Programme Consist Of?
The NHS digital programme has been created to publish the latest guidance on statutory and recommended standards for digital services across UK health and social care.
The cyber security strategy for health and adult social care was launched in March 2023 to make the entire sector robustly cyber resilient by 2030. You may think this sounds like a long time. Still, the reality is that any form of security management takes time to become completely resilient, especially as threats and risks are constantly changing across all industries. The NHS is also a top target for many groups, so its approach must be far more stringent than that of many other organisations.
The NHS website outlines the aims of the programme as being the following:
- To enact lessons learned from previous cyber security incidents
- To ensure that actions related to “Critical” cyber alerts are completed
- To assure that cyber security is being considered at the board level and managed as an ongoing board-level risk
Each of these points represents the NHS’s understanding of the need for the effort to be collaborative and relevant to modern threats. Not only will this assist in mitigating risk, but it will create a culture of cyber security-aware individuals that will be paramount to achieving long-term safety goals.
Are Cyber Essentials Required by the NHS?
As a government-backed scheme, Cyber Essentials is often assumed to be mandated by the NHS. If you have looked this question up online, you may be more confused than before you started typing, as the information available does not make this clear.
The NHS requires organisations with access to NHS data and/or systems to complete the Data Security and Protection Toolkit (DSPT). This online self-assessment tool allows companies to ascertain whether or not their cyber security processes comply with the levels the NHS requires in order to operate safely.
In recent years, the Cyber Essentials requirements have been integrated into this assessment due to the scheme’s effectiveness. Experts commented, “to reduce the burden on individual organisations from having to respond to multiple standards, the requirements for Cyber Essentials have been included within the 2020-21 DSPT for NHS Trusts and Foundation Trusts.” This means organisations undertaking the self-assessment must essentially operate to the same standard that Cyber Essentials sets.
Does this mean that companies don’t need to hold Cyber Essentials? Theoretically, yes, but it’s not as black and white as that.
Although companies don’t have to hold the certification, they still need to comply with all of the security pillars fully. This means that a Cyber Essentials strategy and adoption process must be followed. What is the best way to achieve this? By becoming certified!
With the right processes and strategies for dealing with risks as a business grows and scales, it will quickly become suitable for working with the NHS. In summary, although the certification is not explicitly asked for, all of its controls are required, which means companies should have achieved the standard before completing the DSPT.
What Cyber Security Challenges Does the NHS Face and How Can Cyber Essentials Support This?
The reason the NHS specifies that Cyber Essentials’ five core security controls are included within the DSPT is that these measures directly combat some of the most common cyber risks the organisation faces.
Patient information must be protected. Patient information is the main target for attackers because it is the sensitive data that holds value. Cyber Essentials requires that access controls and security settings are kept up to date, so data cannot be accessed easily.
Hackers often target employees. Another benefit of the pillars is that access control also covers employee processes, which have previously been identified as one of the main risks for the NHS. Whether employees are on-site or access systems remotely, their information must be secure.
Information must be safely transferred between organisations. Over 40 million people have NHS logins, accounting for patients, staff, and approved third parties. The malware protection and firewall controls included within Cyber Essentials protect information on NHS networks. The security settings required to be configured within the platforms also make for safer access.
Processes need to be dynamic and reactive to change. One of the main benefits of Cyber Essentials is that it offers a set of security measures that respond to changes and new threats. Once a business is compliant, making changes without incurring a high risk becomes easier. Cyber Essentials can offer great relief in this scenario, as the NHS is subject to constant change because of the pressures it faces.
How Can Companies Become Cyber Essentials Certified if They Wish to Work With the NHS?
Becoming Cyber Essentials accredited is simple when you have the right support.
Cyber Essentials costs £300 + VAT, a price that increases in line with company size and employee count. This cost covers a 12-month certification, and contrary to what some people think, Cyber Essentials does indeed expire.
The time taken to achieve Cyber Essentials will again differ depending on the company, as the state of current security processes will greatly impact the work that still needs to be done to become compliant. If a business plans on working with the NHS, this stage is even more important as the sensitivity of data requires stringent structures and strategies to be in place.
To start the process, you should ideally select a professional IT agency that can guide you through everything. Cyber Essentials is also self-assessed, so it is important to be able to demonstrate a company-wide understanding of the measures.
Once a business achieves the status, ongoing work is also needed to maintain positive structures, which can be simple with the right mindset and professional tools.
What Are the Wider Benefits of Being Cyber Essentials Accredited?
Is Cyber Essentials worth having even if you don’t plan on working with the NHS? We would say yes!
Not only is the certification known worldwide, but it also opens up opportunities within many sectors. Competitors, suppliers, customers, and employees will all be able to see that the business in question is a cyber-safe option to align with.
You also have the opportunity to become Cyber Essentials Plus certified if you hold the Cyber Essentials certificate, which again opens up more doors.
Reduced cyber risk also means less chance of haemorrhaging money on issues. Furthermore, having suitable security measures in place means less spending is wasted on insufficient tools or outdated software.
Reduced Operating Risk
The pillars included within Cyber Essentials also reduce risk as all bases are covered. From efficient firewalls to educated teams, companies are given a way to take back the power from malicious attackers.
How Can Creative Networks Support Me in Achieving Cyber Essentials?
Contact us today to learn more about our complete Cyber Essentials service, which can help your company become compliant. We can support you if you have failed Cyber Essentials or want to know how to achieve the Cyber Essentials certificate.
You can also learn more in our complete guide to Cyber Essentials.