NHS Mandate: Independent DSPT Audits Required for IT Suppliers

1. Introduction to NHS England’s New IT Supplier Category and Audit Requirements

The NHS in England has introduced a new categorisation, “IT Supplier,” which formally recognises external organisations that provide digital goods and services to the NHS or to care organisations. The category is specifically designated for companies with over 50 employees and a turnover exceeding £10 million, reflecting their crucial role in the digital landscape of healthcare. A key aspect of this classification is the mandatory requirement for these IT Suppliers to undergo Independent Assurance Audits as part of their compliance with the Data Security and Protection (DSP) Toolkit.

2. Understanding the Data Security and Protection (DSP) Toolkit

The Data Security and Protection (DSP) Toolkit is a comprehensive framework designed to ensure that organisations involved with NHS patient data and systems uphold stringent data security standards. Here’s an expanded look at the key components of the DSP Toolkit:

2.1 National Data Guardian’s Ten Data Security Standards:

These standards form the core of the DSP Toolkit, setting out the essential criteria for data security in health and care services. They include aspects like leadership obligations, user training, data access management, and incident response strategies.

2.2 Legal and Regulatory Compliance:

The Toolkit ensures compliance with critical laws and regulations such as the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive. This compliance is crucial for safeguarding patient data privacy and ensuring organisational accountability.

2.3 Annual Self-Assessment Feature:

Organisations are required to complete an annual self-assessment, which helps them evaluate their adherence to the set standards. This self-assessment is pivotal for continuous improvement and identification of areas requiring enhanced security measures.

2.4 Confidentiality, Integrity, and Availability of Data:

The Toolkit emphasises maintaining the confidentiality and integrity of patient data while ensuring its availability for care purposes. It involves assessing and mitigating risks to data security, including unauthorised access and data breaches.

2.5 Adherence to Health and Care Policy:

The DSP Toolkit aligns with the broader Department of Health and Social Care policies, ensuring a unified approach to data security across the sector. This alignment helps in streamlining processes and creating a consistent data security culture within the NHS and affiliated organisations.

2.6 Continuous Improvement and Adaptation:

The Toolkit is designed to evolve in response to emerging threats and technological advancements. It fosters a culture of continuous improvement, encouraging organisations to regularly update and refine their data security practices.

3. Mandatory Independent Assurance Audits for IT Suppliers

For IT Suppliers meeting the specified criteria, undergoing an Independent Assurance Audit is not just a recommendation but a requirement. These audits delve deeper than standard compliance checks, assessing the effectiveness of an organisation’s data security and protection controls. This level of scrutiny is imperative in a sector where data sharing and security are paramount and where the risks associated with data breaches are increasingly significant.

4. The DSP Toolkit Independent Assessment Framework

The DSP Toolkit Independent Assessment Framework provides a structured methodology for conducting these crucial independent assessments. It encompasses a detailed overview of evidence texts and related assertions, along with indicative testing methodologies. This framework aims to promote uniformity in assessments across the healthcare sector and empowers assessors, like Deviceology, to apply their professional judgement effectively.

5. Deviceology’s Role in Conducting Independent Assurance Audits

Deviceology is highly experienced in conducting Independent Assurance Audits for IT Suppliers. Leveraging the detailed frameworks provided by the DSP Toolkit, Deviceology ensures that its audits comprehensively evaluate the risk associated with clients’ data security and the accuracy of their DSP Toolkit submissions. This approach ensures that IT Suppliers are not just compliant but are effectively managing their data security and protection risks, backed by independent verification of the controls.

6. Engage with Deviceology

In the contemporary digital healthcare landscape, the role of IT Suppliers is increasingly critical. Deviceology offers its expertise to ensure that these suppliers meet the stringent requirements set by the NHS through comprehensive Independent Assurance Audits.

For IT Suppliers seeking to fulfil their audit obligations, Deviceology invites them to reach out at compliance@deviceology.net or visit www.deviceology.info.