Ensuring Data Security in Healthcare: Mandatory DSPT Audits for 2023-24

NHS England has reinforced the critical importance of data security and protection by mandating DSPT audits for all NHS Trusts, ICBs, CSUs, DHSC Arm's Length Bodies, Independent Providers, and IT Suppliers.

The DSPT Independent Assurance and Audit for 2023-24 provides comprehensive guidance to ensure standardisation and better assurance of DSPT submissions, facilitating a deeper understanding of data security risks across the healthcare system.

Organisational Requirements:

All relevant organisations must complete an annual DSPT audit/independent assessment, following the specified guidance to meet the mandated scope and framework methodology. The key areas of focus include:

  1. Lawfulness, Fairness, and Transparency: Ensuring a framework is in place to support these principles.
  2. Staff Responsibilities: Clearly defined in contracts.
  3. Training and Awareness: Comprehensive understanding of information governance and cyber security.
  4. Incident Management: Proactive engagement and open culture for data security incidents.
  5. Privileged Access Management: Close management of privileged user access.
  6. Process Reviews: Regular reviews following data security incidents.
  7. Device and Email Protection: Anti-virus protections and spam filtering.
  8. Incident Response: Defined and communicated response plans for data security incidents.
  9. Vulnerability Management: Proactive management of known vulnerabilities.
  10. Penetration Testing: Regular testing and secure configuration of networks and information systems.
  11. Supplier Due Diligence: Basic due diligence for suppliers handling personal information.

Mandatory Scope for Audit Providers:

Audit providers must follow the DSPT Independent Assessment Guide, which mandates a comprehensive review including:

  • Risk ratings against each of the 10 data security standards.
  • An overall risk rating and confidence rating.
  • Detailed methodology for consistent audit practices.

Steps for Organisations:

  1. Engage an External Auditor: Provide access and instruct them to submit audit details via the DSPT.
  2. Manage User Access: Add external auditors as 'Auditor' users in the DSPT.
  3. Submit Audit Information: Ensure all audit information is submitted on time. If unavailable, detailed explanations must be provided via the DSPT.

Addressing Audit Challenges:

If your organisation cannot complete an audit for the current year, include this in your DSPT Improvement Plan and provide detailed explanations. If auditors cannot issue a report on time, they should contact NHS England immediately.

It's time to ensure robust data security practices across the healthcare sector. As independent experts in conducting information security audits, RMS have extensive experience of undertaking and reporting audits on behalf of healthcare clients and within the NHS. We are committed to supporting the use of DSPT audits as standard practice to safeguard patient information and enhance overall data protection.

Contact us through our website (www.robinsonmanagement.co.uk) at [email protected] or call us on 01908 269536 to discuss your requirements.

#DataSecurity #NHS #DSPT #HealthcareCompliance #CyberSecurity #DataProtection #PatientSafety #ContinualImprovement #RiskManagement
