Data Security Centre assurance
We provide cyber security assurance for systems and services delivering the technology and data elements of vaccinations. Find out about the assurance process and get a summary of the findings.
Assurance activities
NHS Digital's Data Security Centre (DSC), supported by the National Cyber Security Centre (NCSC), has been delivering cyber security assurance for a defined scope of systems and services delivering the technology and data elements of mass vaccinations. This covers national components for which we’ve undertaken security assurance, assessment and remediation.
This work is being carried out under the existing and ongoing DSC Specialist Security Services, which provides expert assurance, remediation advice, and guidance. Several in-scope systems involved in mass vaccinations are already regularly assured through this process, with additional security assurance and remediation being undertaken on newly identified systems.
We are also onboarding the in-scope systems and services into the NHS Digital Cyber Security Operations Centre (CSOC) to provide advanced protective monitoring in addition to the incident oversight capability we provide.
Assurance scope and summary
- Cyber assurance of component systems and suppliers involved in the centrally provisioned vaccination programme.
- Ongoing remediation prioritisation activities to increase security posture where gaps or weaknesses are found.
- Onboarding of supplier solutions into CSOC monitoring, either the full protective monitoring offering, or incident response support if protective monitoring is not possible for technical or contractual reasons.
- Continual engagement with suppliers to ensure cyber security is not impacted as demand increases or architectural changes happen.
- Input into threat modelling and end-to-end risk planning.
- Mid to long-term goals: annual cyber assurance activities to be carried out on vaccination architecture as the programme moves into business as usual (BAU).
- End-user devices used at point of care.
- Vaccination centre network provision.
- Supply chain of vaccination, including storage and transport.
Summary of findings
These findings are the partial output of the assurance activities carried out on vaccination-specific systems and services under a targeted process created specifically for this piece of work.
Risks are scored between 1 (low) and 5 (high).
National Immunisation Management Service (NIMS) - system C
DSC S3 overall assurance risk rating | 1 | |
---|---|---|
Other information | Status | Date |
DSPT Return 2020 | Standards met | 31/03/2020 |
BitSight | 780 - advanced | 12/11/2020 |
Holds ISO 27001 | Current | Since 1999 |
Holds Cyber Essentials | N/A | N/A |
Holds Cyber Essentials Plus | Current | 08/06/2020 |
National Immunisation Vaccination System (NIVS) (AGCSU)
DSC S3 overall assurance risk rating | 2 | |
---|---|---|
Other information | Status | Date |
DSPT Return 2020 | Standards met | 20/03/2020 |
BitSight | 680 - intermediate | 18/11/2020 |
Holds ISO 27001 | No | N/A |
Holds Cyber Essentials | Current | 21/02/2020 |
Holds Cyber Essentials Plus | No | N/A |
National Booking System (NHSD)
DSC S3 overall assurance risk rating | 2 | |
---|---|---|
Other information | Status | Date |
DSPT Return 2020 | N/A | N/A |
BitSight | N/A | N/A |
Holds ISO 27001 | N/A | N/A |
Holds Cyber Essentials | N/A | N/A |
Holds Cyber Essentials Plus | N/A | N/A |
Pinnacle (EMIS)
DSC S3 overall assurance risk rating | 2 | |
---|---|---|
Other information | Status | Date |
DSPT Return 2020 | Standards exceeded | 30/09/2020 |
BitSight | 670 - intermediate | 02/12/2020 |
Holds ISO 27001 | Current | Since 13/02/2019 |
Holds Cyber Essentials | Current | 30/07/2020 |
Holds Cyber Essentials Plus | Current | 29/09/2020 |
Systems falling under the GP IT Framework
The Data Security Centre has a long-standing involvement in the GP IT Framework and is among those on the approval and onboarding boards.
The Specialist Security Services team oversee all submissions for new functionality and changes for each supplier listed on the framework. Many of these suppliers now offer functionality related to the vaccination effort and these specific functions have been reviewed and approved accordingly.
Last edited: 30 March 2022 9:40 am