Resources and glossary

Active directory reviews (technical remediation)

Delivers a comprehensive review of active directory security; providing a vulnerability register and advice and guidance on how to fix issues. Also known as technical remediation.

Backup reviews

Ensure backups are robust and secure. Having secure and well tested backups in place are critical for getting up and running after an incident as data can be restored quickly.

Bitsight - cyber security risk rating

Think of this as an automated credit score. It produces a vulnerability risk rating and is available through an NHS England portal website to all NHS organisations.

Board level training - for NHS boards

This should be carried out on an annual basis, as per recommendations from the National Data Guardian. NHS England provides centrally funded board level training. Regional security leads can also offer bespoke Board training/awareness sessions.

Board level training - NCSC

NCSC also offers cyber governance training to enable boards to govern cyber risks with confidence.

Cyber and data security services and resources

A variety of resources, including some listed here.

Cyber Assurance Service

Provision of centrally funded assessments to help identify vulnerabilities and work towards achieving standards in the DSPT (data security and protection toolkit).

Cyber essentials

This is a government-backed certification scheme. It is designed to provide assurance that an organisation has controls in place protect it against most cyber-attacks. Since WannaCry, NHS trusts have been encouraged to apply for Cyber Essentials Plus certification (or equivalence through the DSPT). This involves a technical verification process carried out by approved third parties, usually as part of the on-site assessment process.

Cyber incident response exercises

NHS England’s cyber incident response exercises have been created to complement and build upon the National Cyber Security Centre (NCSC) exercise-in-a-box service; an online tool that helps organisations find out how resilient they are to cyber-attacks and practise their response in a safe environment.

Cyber Security Operations Centre (CSOC)

Part of NHS England’s central cyber security team. Provides services that enable cyber security within the NHS and the wider health and social care sector. Their mission is to support healthcare and keep vital digital systems and services running.

Data Security and Protection Toolkit

This is an annual self-assessment signed off by the organisation’s SIRO. The DSPT is designed to test whether organisations meet a baseline security standard. The board should be briefed on the key points.

CAF-DSPT guidance

Guidance for completing the DSPT.

Data security on-site assessments

At an organisation’s request, security experts provided by NHS England can visit to provide an assessment of your security. There is no charge for this service.

Emergency preparedness, resilience and response (EPRR)

EPRR is the over-riding framework for incident response in the NHS, within which any cyber response would sit. Your organisation should have existing incident response, business continuity, and other related plans and politicise that are regularly updated and exercised. Your organisation’s cyber security incident response plans should align and integrate with your wider plans and policies for incident response to meet obligations under legislation such as the Civil Contingencies Act 2004.

EPRR framework

Download the framework document.

High severity alerts

High severity alerts issued by NHS England are the means through which NHS organisations are notified of newly discovered vulnerabilities that have the potential to severely impact health and care systems. Local organisations are responsible for acknowledging the alerts immediately and then have 14 days to confirm that patches or other mitigations are in place (or that they are already protected against that vulnerability or do not use the impacted system or service).

Guidance for responding to an NHS cyber alert

How to use the 'Respond to an NHS cyber alert' service after an alert has been issued.

Immersive Labs

Online cyber security e-learning. Free licences available to health and care colleagues.

Run your own NHS Keep I.T. Confidential cyber security campaign

Run your own cyber security campaign. Includes printable resources, digital and social media assets and content. Two versions are available – one aimed at health and one aimed at adult social care.

Microsoft Defender for Endpoint (MDE)

MDE gives local organisations such as hospitals and GP surgeries better cyber security protection. It is also linked to the Data Security Centre (DSC), which improves cyber security protection for local health and care communities, and the NHS as a whole. MDE monitors the Microsoft Windows operating system on a PC, laptop or server to identify any indicators of cyber security comprise or attack, it can then take immediate action to address the problem before it spreads. It also alerts local system managers and the DSC. These alerts give an NHS-wide view of system status, to device level, in real time. This allows the DSC to more quickly and effectively coordinate the overall NHS response to cyber threats as they happen.

Penetration testing

A cyber penetration test is essential to provide assurance for an organisation as part of its annual financial audit. A penetration test involves getting a trusted, certified, and experienced third-party to attempt to breach your IT system's security, using the same tools and techniques that a hostile cyber actor might. The board should see a summary of the results of the most recent penetration test and what actions have been taken to mitigate any weaknesses detected. This is usually included as part of the on-site assessment.