Complete guide to NHS data security in the UK — DSPT (Data Security and Protection Toolkit) compliance, GDPR, NHS Spine security, cyber attack prevention, and ransomware protection.
The NHS faces 200+ cyber attacks per day. The 2017 WannaCry attack cost £92 million. DSPT compliance is mandatory for all NHS organisations. This guide covers everything you need to stay secure.
10 NHS Data Security Standards
| Area | Standards |
|---|---|
| Leadership | 1. Personal responsibility (Board-level), 2. Security policy, 3. Staff training |
| People | 4. Access control, 5. Staff screening, 6. Incident response |
| Technology | 7. Cyber security (firewall, encryption, patching), 8. Continuous monitoring, 9. Resilience (backup, recovery), 10. Supplier management |
GDPR Requirements for UK Hospitals
- Lawful basis: Article 9(2)(h) — provision of health care is the lawful basis
- Patient rights: Access (SAR), rectification, erasure, portability, objection
- DPIA: Data Protection Impact Assessment for new systems and processing
- Breach notification: Report to ICO within 72 hours of discovery
- Data Protection Officer: Mandatory for hospitals processing health data
- Privacy by design: Build privacy into all systems and processes
- Data minimisation: Only collect data needed for the purpose
- Retention policy: Define and enforce data retention periods
NHS Cybersecurity Best Practices
- DSPT compliance: Complete annual DSPT assessment and maintain 'Standards Met'
- Multi-factor authentication: MFA for all systems accessing patient data
- Encryption: AES-256 at rest, TLS 1.3 in transit for all patient data
- Patch management: Apply security patches within 14 days (critical: 48 hours)
- Network segmentation: Separate clinical and admin networks
- Backup and recovery: Immutable backups, tested recovery procedures
- Staff training: Annual cybersecurity training for all staff
- Incident response: Tested cyber incident response plan
- Supplier security: DSPT or equivalent for all IT suppliers
Frequently Asked Questions
- What is the DSPT (Data Security and Protection Toolkit)?
- The DSPT is the NHS's mandatory self-assessment tool for data security. All NHS organisations must complete it annually. It assesses 10 data security standards across 3 areas: leadership, people, and technology. 'Standards Met' rating is required for NHS contract compliance. Failure to complete DSPT can result in contract termination.
- How does GDPR affect UK hospitals?
- GDPR (General Data Protection Regulation) and UK Data Protection Act 2018 require hospitals to: 1) Lawful basis for processing patient data, 2) Patient rights (access, rectification, erasure), 3) Data Protection Impact Assessment for new systems, 4) 72-hour breach notification, 5) Data Protection Officer, 6) Privacy by design. Fines can reach £17.5 million or 4% of turnover.
- How many cyber attacks does the NHS face?
- The NHS faces 200+ cyber attacks per day. The 2017 WannaCry attack cost the NHS £92 million and disrupted 200 hospitals. In 2024, a ransomware attack on a major NHS trust disrupted services for 3 months. NHS England invested £150 million in cybersecurity for 2024-2026.