How are the people in your organisation handling data? Who has access to confidential data, who approved it and why? What processes are in place to prevent and/or detect security breaches and what processes ensure that confidential patient data is well protected and being treated with appropriate care? Is the technology you are using secure and up to date?
In this article, we are going to examine the National Data Guardian's 10 data security standards and how the DSP Toolkit is used to ascertain compliance with these standards. We will explore who is required to complete the DSP Toolkit as well as the challenges in doing so. Further, we will demonstrate how the access management software tenfold can be used to help implement the compliance requirements of the 10 security standards and thus help you prove that you are practising good data security.
The Data Security and Protection Toolkit (DSPT), provided by NHS Digital, is a free online self-assessment questionnaire based on the 10 Data Security Standards. It consists of assertions (i.e. statements), which are in turn divided into 179 evidence items (sub-questions). All organisations in the healthcare sector, from NHS trusts to nursing homes to GPs, must complete the DSP Toolkit annually (or twice a year for larger organisations) to measure their level of compliance with the data and information governance requirements stipulated by the Department of Health and Social Care, in particular the 10 Data Security Standards set out by the National Data Guardian.
The 10 standards were set out by the National Data Guardian in 2016. The WannaCry ransomware attack of May 2017, which hit organisations around the world including a number of NHS trusts by exploiting unpatched, unsupported systems, showed exactly the kind of basic cyber vulnerabilities the standards are designed to address, and the DSP Toolkit that followed is intended to ensure that attacks of this kind can be better prevented in the future.
As threats and best practices change, the DSP Toolkit and its requirements are reviewed on a regular basis and updated to ensure they remain aligned with current best practice. This is also why completion is not a one-off exercise: organisations must reassess themselves annually or semi-annually against the current version.
As of April 2018, the DSP Toolkit has replaced the previous Information Governance (IG) toolkit.
What Is the Purpose of the DSP Toolkit?
The keywords here are: accountability and compliance.
The field of data privacy and confidentiality is a growing area of interest to organisations as people are becoming more aware of their data protection rights.
The purpose of the DSPT is to demonstrate to these people and the people you work with – GPs, NHS services, commissioners, regulators – that your organisation can be trusted to handle confidential patient data appropriately and securely. A higher level of accountability raises public confidence that the NHS and its partner organisations can be trusted with confidential data. This, in turn, reduces the likelihood that patients will withdraw their consent for sharing personal information with such organisations.
Once completed, organisations can publish their completed DSPT to further increase that trust.
Who Is Required to Complete the DSPT?
All organisations that have, need or would like to have access to confidential NHS patient data and systems, or that provide services to the NHS and have direct or indirect access to national informatics services, must complete the DSP Toolkit in order to demonstrate that they are practising good data security and that they are handling confidential patient information correctly.
Organisations required to complete the DSPT are sorted into four categories:
Category 1 – NHS trusts (e.g. hospitals);
Category 2 – Arm’s length bodies, CCGs and CSUs;
Category 3 – All other sectors;
Category 4 – GP practices.
Each category is required to demonstrate compliance with the 10 Security Standards. However, the DSP Toolkit does distinguish between categories: for example, while Category 4 organisations are only required to answer 42 of the 179 evidence items, Category 1 organisations must provide 116 evidence items to prove compliance.
Also, Category 1 and 2 organisations are required to complete the DSPT twice a year, while Category 3 and 4 organisations are required to complete it only once per year.
Furthermore, the completed DSP Toolkits submitted by Category 1 and 2 organisations are subject to independent annual audits.
The classifications and differing requirements are supposed to reflect the varying levels of data security risk, IT arrangement and digital maturity between categories.
What Is the Process of Completing the DSP Toolkit?
First, you must register your organisation and determine the category it falls under by supplying some basic information. Based on the data you provide here, the questions included in the DSP Toolkit are tailored to your organisation. You can then access the DSPT and feed it with information as you go along. Your aim should be to achieve the so-called "Standards Met" status, which essentially means that you must respond to all mandatory evidence items of the DSPT and supply the evidence they ask for.
It is advisable not to put this task off until the very last minute. The deadline for submission is usually 31st March of each year (and 31st October for those who are required to complete the DSPT semi-annually). However, due to the Covid crisis, the deadline for submission in 2020/2021 was pushed back from March to 30th June, 2021.
NHS Digital publishes more detailed guidance on how to complete the DSP Toolkit.
What Are the National Data Guardian’s 10 Data Security Standards?
The 10 Data Security Standards are organised under three so-called leadership obligations (i.e. topics):
People – Process – Technology
Leadership Obligation 1: People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
Leadership Obligation 2: Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
Leadership Obligation 3: Technology: ensure technology is secure and up-to-date.
People (Standards 1 to 3)
Data Security Standard 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
Data Security Standard 2. All staff understand their responsibilities under the National Data Guardian's Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
Data Security Standard 3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit.
Process (Standards 4 to 7)
Data Security Standard 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
Data Security Standard 5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Data Security Standard 6. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
Data Security Standard 7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
Technology (Standards 8 to 10)
Data Security Standard 8. No unsupported operating systems, software or internet browsers are used within the IT estate.
Data Security Standard 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
Data Security Standard 10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian's Data Security Standards.
What Are the Challenges in Completing the DSP Toolkit?
The DSPT is an extensive and detailed questionnaire. The 179 evidence items, most of which are mandatory for Category 1 organisations, are called evidence items because they require you to provide evidence to support your answers. Some items will require you to provide a written answer, while others will ask you to provide a document of some sort to support your answer, such as an Excel spreadsheet or a PDF file.
Doing so for well over a hundred evidence items is a time-consuming process that demands a high level of meticulousness and good organisational skills, as well as insight from the person or persons completing it. As mentioned earlier, completing the DSPT is a big task that should not be left until the deadline. It should be an on-going process where information is added and updated regularly throughout the whole year.
If you are a medium to large-scale organisation and do not have the appropriate processes and workflows in place to produce evidence wherever the DSP Toolkit demands it, you have a problem. You will find yourself frantically skimming through digital mountains of information and lists to find the very one you need, and repeating that search for every single evidence item.
How Does tenfold Come Into Play?
tenfold is an access management tool that automates and simplifies complex access management processes. The software is aimed at organisations with 100 users or more and therefore best suited to aid Category 1 and 2 organisations, who handle a large amount of patient data and users, in completing the DSP Toolkit. Some examples of how tenfold can aid such organisations:
Evidence item 1.6.2 stipulates that "there are technical controls (e.g. access control) that prevent information from being inappropriately copied or downloaded."
Solution: One of tenfold's key features is that it uses automated workflows to assign privileges to users and withdraws them again when they are no longer needed. This ensures users only ever have the privileges they actually need to perform their job duties, which in essence is the core value of the Principle of Least Privilege, or POLP. By enforcing POLP, tenfold ensures that critical (patient) data can only be read, and therefore copied or downloaded, by people who hold the privileges required to access it. Note that this is an access control: it limits who can reach the data, and it does not by itself stop an authorised user from copying data they are entitled to see, which is where additional controls such as data loss prevention come in.
Assertion 1.8 stipulates that “there is a clear understanding and management of the identified and significant risks to sensitive information and services” and goes on to ask organisations to list their “top three data security and protection risks” (evidence item 1.8.3).
One such risk that exists in every organisation where data is shared among users is the insider threat. An insider threat might be a disgruntled employee or business associate who has access to critical data and steals it (e.g. for financial or personal gain or simply for revenge). Standing remote access such as VPN accounts is a closely related risk, especially now during the Covid crisis, when many organisations allow their employees to work remotely, often from poorly secured home networks: every VPN account that is no longer needed but still active is an entry point waiting to be abused. These internal risks are hard to recognise and often overlooked, as most organisations are focused on preventing external attacks rather than internal ones.
Solution: tenfold allows you to govern who has access to which resource and automatically removes privileges (e.g. VPN access) which are no longer needed. So, when an employee's period of remote working ends or they leave the organisation, their VPN rights are withdrawn automatically instead of lingering until someone remembers to revoke them.
[FREE WHITE PAPER]
Best Practices for Access Management in Microsoft® Environments
Read our white paper to learn how best to treat access rights in Microsoft® environments.
While tenfold addresses various aspects of all three leadership obligations (People – Process – Technology), its core mostly covers Leadership Obligation 2: Process. The evidence items below show how tenfold can assist you in achieving compliance with the DSP Toolkit.
Does the organisation understand who has access to personal and confidential data through your systems, including any systems which do not support individual logins?
Solution in tenfold: Virtually every function in tenfold applies here, as the item perfectly summarises what the software was designed for in the first place. tenfold allows you to control who has access to what data and for how long. It maintains detailed records of every decision made with regard to data access. These reports can be exported as PDFs and uploaded to your DSP Toolkit as proof that you know exactly who has or had access to what data and why, and who approved and granted these privileges.
Are users in your organisation only given the minimum access to sensitive information or systems necessary for their role?
Solution in tenfold: As mentioned previously, this too is one of tenfold's key features. tenfold conducts all processes in accordance with the principle of least privilege, which demands that users only have access to data they really need to perform their jobs. Access is derived from the user's role (profile) and every additional privilege has to be requested and approved, so, provided the profiles themselves are defined correctly, users cannot accumulate access beyond what their role requires.
When was the last audit of user accounts held? (An audit of staff accounts from your organisation, to make sure there aren’t any inappropriate access permissions.)
Solution in tenfold: In tenfold, you can appoint data owners (usually department managers or persons of similar authority) to be in charge of certain data and to decide who shall be granted access to it. As part of regularly occurring user access reviews, these data owners are prompted to review the access rights that fall within their purview and to either reconfirm or remove them. The user access review is in itself an internal audit of accounts and privileges. tenfold keeps detailed records of the decisions made, including who reviewed what and when, which can be used for internal and external audits.
Provide a summary of data security incidents in the last 12 months caused by a mismatch between user role and system accesses granted.
Solution in tenfold: With tenfold, such data security incidents become far less likely, because mismatches between user roles and privileges usually happen when the person assigning the privilege (e.g. an IT admin) does not know what the user's job encompasses and which privileges they need. Instead, tenfold delegates this decision to data owners, who know exactly who needs which privilege within their department. Data owners are further required to regularly review the privileges they are responsible for as part of a user access review. This further ensures that unnecessary or outdated privileges are caught and removed, and the review records give you the summary this evidence item asks for.
Are unnecessary user accounts removed or disabled?
Solution in tenfold: tenfold keeps track of user lifecycles, from start to finish. Anytime a person joins the organisation, moves to another department within it or leaves altogether, tenfold knows. It knows because it can be set to synchronise with the connected HR system. Anytime that system is fed with new information, the data is passed on to tenfold automatically. So, when tenfold receives news that someone has been let go, tenfold removes all of that person's privileges and locks the account. It can also be set to only disable the account for a specified time period, for instance when a user goes on parental leave, and to re-enable it when they return.
Has the Head of IT, or equivalent, confirmed that IT administrator activities are logged and those logs are only accessible to appropriate personnel?
Solution in tenfold: tenfold logs every change made through it, including the administrative actions of the people operating it, and produces detailed reports on them. Access to these logs is itself governed by the software: privileges are assigned automatically on the basis of user roles (referred to as "profiles" in the software), so persons who do not have the required authority or do not match the characteristics of the profile (e.g. department or job position) cannot access the logs.
Multifactor authentication is used [wherever technically feasible].
Solution in tenfold: Logging into tenfold can be secured using multi-factor authentication (MFA). Approval workflows can also be configured to require MFA for individual workflow steps that protect very sensitive data.
Does your organisation grant limited privileged access and third party access only for a limited time period, or is it planning to do so?
Solution in tenfold: In larger organisations, where a great many privileges are granted every day, this is hard to achieve manually, as it requires admins to keep lists of whose rights must be withdrawn and when. With tenfold, privileged and third-party access can be granted for a defined period and is withdrawn automatically when that period ends, and the remaining access rights of third-party accounts can be reviewed on a regular basis as part of a user access review.
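The two mechanisms described in the last few evidence items, lifecycle synchronisation with an HR feed (joiners, movers, leavers and temporary absence) and automatic expiry of time-limited privileged and third-party access, are what an access management tool does under the hood. The following Python script is an added illustration of that reconciliation logic written for this article; it is not tenfold's code and does not use its API. The HR feed, account list, grants and the reference date are constructed sample data, and the account and resource names are made up.

```python
"""Joiner/mover/leaver and access-expiry reconciliation.

Added example for this article, not tenfold's code. The HR feed, account list,
grants and reference date below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str                        # "active", "leaver" or "absent" (e.g. parental leave)
    return_date: Optional[date] = None  # only meaningful for "absent"


@dataclass(frozen=True)
class Account:
    user: str
    kind: str      # "staff" (mirrored from HR) or "third_party" (supplier, contractor)
    enabled: bool


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    granted_by: str                   # the data owner who approved it (the "who approved it and why" evidence)
    expires: Optional[date] = None    # None = standing access


def reconcile(hr: List[HrRecord], accounts: List[Account],
              grants: List[Grant], today: date) -> Dict[str, List[str]]:
    """Return the actions an access management tool would take today."""
    hr_by_user = {r.user: r for r in hr}
    actions: Dict[str, List[str]] = {"disable": [], "enable": [], "revoke": [], "review": []}

    # 1. Time-limited grants past their expiry date are revoked regardless of who holds them.
    revoked = set()
    for g in grants:
        if g.expires is not None and g.expires < today:
            actions["revoke"].append(f"{g.user}:{g.resource} (expired {g.expires.isoformat()})")
            revoked.add((g.user, g.resource))

    for acc in accounts:
        live = [g for g in grants if g.user == acc.user and (g.user, g.resource) not in revoked]
        if acc.kind == "staff":
            rec = hr_by_user.get(acc.user)
            if rec is None:
                # 2. An enabled staff account with no HR record is an orphan: nobody vouches for it.
                if acc.enabled:
                    actions["disable"].append(f"{acc.user} (no HR record)")
            elif rec.status == "leaver":
                # 3. Leaver: lock the account and strip every remaining privilege.
                if acc.enabled:
                    actions["disable"].append(f"{acc.user} (leaver)")
                for g in live:
                    actions["revoke"].append(f"{g.user}:{g.resource} (leaver)")
            elif rec.status == "absent":
                # 4. Temporary absence: disable until the return date, re-enable afterwards;
                #    the underlying grants are kept, so nothing has to be re-approved.
                back = rec.return_date is not None and rec.return_date <= today
                if acc.enabled and not back:
                    actions["disable"].append(f"{acc.user} (absent until {rec.return_date or 'unknown'})")
                elif not acc.enabled and back:
                    actions["enable"].append(f"{acc.user} (returned {rec.return_date})")
        else:
            # 5. Third-party access must always carry an expiry; standing grants go to review,
            #    and an account with no current access left is disabled.
            for g in live:
                if g.expires is None:
                    actions["review"].append(f"{g.user}:{g.resource} (third-party access without expiry)")
            if acc.enabled and not live:
                actions["disable"].append(f"{acc.user} (third-party, no current access)")

    return {k: sorted(v) for k, v in actions.items()}


# Constructed sample data (not real systems or people).
TODAY = date(2021, 6, 1)
HR_FEED = [
    HrRecord("alice", "active"),
    HrRecord("bob", "leaver"),
    HrRecord("carol", "absent", return_date=date(2021, 9, 1)),
    HrRecord("dave", "absent", return_date=date(2021, 5, 1)),
]
ACCOUNTS = [
    Account("alice", "staff", True),
    Account("bob", "staff", True),
    Account("carol", "staff", True),
    Account("dave", "staff", False),
    Account("erin", "staff", True),                 # no HR record
    Account("svc-pasvendor", "third_party", True),
    Account("svc-pacsvendor", "third_party", True),
]
GRANTS = [
    Grant("alice", "fs-radiology", "rad-manager"),
    Grant("alice", "vpn", "it-head", expires=date(2021, 7, 31)),
    Grant("bob", "fs-pharmacy", "pharm-manager"),
    Grant("carol", "vpn", "it-head", expires=date(2021, 3, 31)),
    Grant("svc-pasvendor", "pas-support", "it-head", expires=date(2021, 5, 15)),
    Grant("svc-pacsvendor", "pacs-admin", "it-head"),
]


def demo() -> Dict[str, List[str]]:
    return reconcile(HR_FEED, ACCOUNTS, GRANTS, TODAY)


if __name__ == "__main__":
    for action, items in demo().items():
        print(action, items)
```

Run against the sample data, the script disables the leaver, the colleague on leave, the orphaned account and the vendor account whose only grant has lapsed, re-enables the user whose leave ended, revokes the expired VPN and supplier grants, and flags the one standing third-party grant for review. In practice the first block (expiry) and the leaver block are what removes access "as soon as it is no longer required" for Standard 4, and the returned action list, together with the granted_by field, is the kind of record you would export as evidence.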
To summarise, tenfold can be of great assistance to your organisation in meeting the requirements of the 10 Data Security Standards, especially Standards 1 and 4. Many of the user management tasks your admins would usually spend valuable time on doing manually can be automated. tenfold provides detailed reports on privileges, on who has access to what and why, and on who granted it. These reports can be uploaded to the DSP Toolkit to corroborate that you are practising good data security.
Sign up for our webinar!
“How to achieve compliance with the DSP Toolkit”
held by Helmut Semmelmayer, tenfold Software
Anna works as a translator for tenfold and sometimes writes content about cybersecurity and other IT related subjects. In her free time, she enjoys a good film and debating with her 5-year-old about whether the day calls for socks or no socks.