NHS England has announced a plan to adopt the Cyber Assessment Framework (CAF) as its main mechanism for assuring standards on cyber security.
It has made the announcement with the National Data Guardian for health and social care, saying this reflects an element of the Department of Health and Social Care’s (DHSC) cyber security strategy.
They said that work has begun to move away from using the National Data Guardian’s 10 data security standards as part of the NHS Data Security and Protection Toolkit (DSPT) and to adopt CAF in their place.
CAF was developed by the National Cyber Security Centre (NCSC) for organisations to assess their levels of cyber resilience and is increasingly being used in the public sector.
NHS England said there will be two significant advantages in the transition. One is in providing organisations with a long-term roadmap for yearly improvements, which should help them to understand what is expected over the next five years and support their strategic investments in cyber security.
The other is that the CAF places a focus on achieving outcomes rather than just passing or failing defined security controls, which helps organisations to apply strong information governance and cyber security principles and make informed decisions at a local level.
Positive evolution
National Data Guardian Dr Nicola Byrne said: “I fully support this transition to the CAF. It represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience.
“I remain committed to supporting NHS England in maintaining and advancing the highest standards of data security across health and care.”
Initially the change will affect only a specific group of large health and care organisations, which have already been notified. It will eventually be extended to others, which will continue to use the 10 standards within the DSPT until they are notified.
Ultimately, all health and care organisations will be expected to adopt the CAF-aligned version of the DSPT.
The change follows a detailed mapping exercise by NHS England and DHSC, which identified gaps relevant to health and social care in the original CAF. This led to the development of a ‘health and care overlay’ for the DSPT version.
In addition, a new objective has been added with information governance principles for the appropriate use and sharing of information, including confidential patient data.
Another version of CAF specifically for local government is also under development, with the work led by the Local Digital team in the Department for Communities, Housing and Local Government.