Scoping essential functions
Before you begin your Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) submission, you need to conduct a scoping exercise to understand which information, systems and networks support your essential functions, and should therefore be included in the scope of your DSPT return.
This guidance explains what essential functions are in the context of health and care, how you should conduct your scoping exercise, and what other important factors you should consider.
Defining essential functions
Your essential functions are all the parts of your organisation that are necessary to deliver your organisation’s services. Where relevant, this will include consideration of:
- any essential services for operators of essential services designated under the Network and Information Systems (NIS) Regulations
- any statutory purposes for statutory organisations
- the purposes for which your organisation is constituted
In practice, your essential functions may equate to all your critical business processes.
Scope of the CAF-aligned DSPT
Your CAF-aligned DSPT return should cover all your essential functions and critical systems. Some indicative examples are provided at the end of this guidance.
Some elements of the DSPT return will also require consideration of non-essential functions, for example data protection considerations, which apply to any service and its underlying information, systems or networks where personal data is handled.
If the data is subject to the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, as will be the case with all confidential patient information, the underlying information, system or network should be included in your DSPT assessment.
An example of how the essential functions and systems of healthcare services may be broken down
Essential service (example for NHS trusts and foundation trusts):
- healthcare services
Essential functions:
- booking appointments
- nursing
- catering
Systems that support the operation of essential functions:
- patient administration system
- electronic patient record
- network infrastructure
- payroll
- food inventory system
Scoping essential functions and critical information, systems and networks
You must own and manage the process of scoping essential functions and critical systems. To do this, you need to undertake a scoping exercise which identifies:
- what your essential functions are – whether you describe these as essential functions, services or critical business processes does not matter; what matters is that the compromise or failure of that function, service or process would lead to unacceptable consequences
- all information, systems and networks which support your essential functions – and whose compromise by an incident could result in a significant impact on the continuity of an essential service
You should maintain a clear, demonstrable and risk-based justification of the scope, which should be considered an evolving document that will change over time in response to increased knowledge, changes in operating systems or following incidents.
The information required for your scoping assessment is likely to already exist in business continuity impact assessments, such as the emergency preparedness, resilience and response (EPRR) NHS business impact template, information assets and flows registers, asset registers, network architecture diagrams, and similar internal documentation which has been required under previous iterations of the DSPT.
The output of your scoping exercise which captures your essential functions and the information, systems and networks supporting them must be recorded on the prescribed template and must be uploaded for the final submission, but we would also encourage organisations to submit it as part of the interim submission. The prescribed template is available via the DSPT platform.
Your DSPT auditors, NHS England (NHSE) and the Department of Health and Social Care (DHSC) may ask to review, provide input on and, where necessary, challenge scoping assessments.
Based on the previous practical example template, the prescribed template allows organisations to systematically and consistently submit information on their essential functions, including third-party or supplier involvement in the delivery of essential functions. This will enable DHSC and NHSE to:
- better understand the nature of the essential functions, and information, networks and systems that need protecting
- collect structured data on third party and supplier dependencies in essential functions to inform future national and local oversight and assurance approaches
Additional considerations
Scoping activities should include multi-disciplinary stakeholders, representative of your whole organisation, who have a deep understanding of your services and systems and any wider touch points.
Third-party dependencies, such as suppliers which support your essential functions, should be identified within your scope. Contributing outcome A4.a of the CAF-aligned DSPT sets out the expectations for understanding and managing security risks to the information, systems and networks supporting the operation of essential functions that arise from dependencies on external suppliers. This includes assurance of suppliers involved in the delivery of essential functions.
This should be a process of inclusion and exclusion. For example, a trust might undertake a review of its commercial activity, some of which is undertaken for the purposes of NHS healthcare services and some of which is for income generation purposes. If the network and information systems used for letting retail space are:
- properly segmented, such that an attack or failure would not spread or have a cascade effect: the trust could formally de-scope the retail letting space from their essential functions scope
- not properly segmented, such that an attack or failure would spread to other networks and information systems: the trust could not formally de-scope the retail letting space from their essential functions scope
Consideration should be given to varying periods of:
- service failure – systems or networks being unable to support the operation of the essential function
- degradation – systems or networks suffering a decrease in function or performance
- compromise – unauthorised access to systems or networks
- aggregation of all the above with other services – where the systems or networks are impacted at the same time as the failure, degradation or compromise of other services
Through business tolerance or continuity measures, some systems may only come into scope if disrupted for days, weeks or months, rather than hours. This is normally determined by conducting a business impact assessment for each business function and determining its criticality.
If you consider that it would take a considerable time for the loss of a particular system or network to impact your essential function(s), and you have mitigations in place to prevent a disruption of that length, you may consider de-scoping that system or network from your DSPT assessment. However, before deciding to de-scope the system or network, you should consider scenarios where other services are also experiencing outages, as the combined impact may be more severe.
Although the focus of the DSPT is your corporate entity, you should consider your essential functions that underpin your organisation’s role in providing services at scale that support other organisations’ essential functions. All organisations that handle NHS patient data and systems must complete and publish a DSPT return setting out how the organisation practices good cyber security and information governance.
Essential functions and their underlying information, systems and networks may have different impacts per organisation, given their intended objective, their configuration, and the degree of reliance on them or the alternatives available; hence the importance of local reviews.
Indicative examples of essential functions by organisation type
NHS trusts and foundation trusts
Essential services include, but are not limited to, elective care, urgent and emergency care, mental health care and community care. These may be further broken down, for example into diagnostics, surgery and rehabilitative care. Critical systems may include those supporting, for example, access to medical records and imagery, sterilisation, patient transportation, laboratory, administration, finance, HR and payroll services.
Integrated care boards (ICBs)
The Network and Information Systems (NIS) Regulations establish that all services provided by ICBs are considered essential services for the purposes of the NIS Regulations. For example, this includes managing budgets and allocating resources, commissioning services, planning, arranging and tracking services, and providing services such as the system co-ordination centre. Critical systems may include those supporting, for example, accounting and invoicing services and third-party management.
Further information is available in DHSC’s NIS Guide, see the section ‘How the NIS Regulations apply to ICBs’.
Commissioning support units (CSUs)
CSUs are a delivery partner for a variety of essential functions such as business intelligence, business support, digital, communications and engagement, and procurement services. Critical systems may include those supporting, for example, analytical and transformation support, deployment and ongoing support of information technology for customers in national teams and across the health and care system.
Arm’s-length bodies (ALBs)
ALBs deliver a variety of essential functions, such as directly supporting people’s care across the health and care sector, as well as undertaking regulatory compliance activity, delivering HR and financing services and protecting sensitive information. Critical systems may include those supporting, for example, national health and care IT infrastructure, data management and customer relationship management tools.
Independent Operators of Essential Services (OES)
For independent providers designated as OES under the NIS Regulations 2018, essential services and functions are likely to include similar areas to those of NHS trusts and foundation trusts (see above for more information).
Genomics organisations as nominated by the Department of Health and Social Care
For Genomics organisations, essential services are likely to include research and healthcare services, which may be broken down into, for example, genome sequencing, imaging, and clinical genomics. Critical systems may include those supporting, for example, research environments and healthcare records.
Last edited: 22 August 2025 9:39 am