Simplifying Digital Security and Protection Compliance in the NHS

Mark Warren

Digital Security and Protection is critical, but how can you prevent it from becoming a resource hog?
Digital Security and Protection (DSP) is a key priority for any NHS organisation or any business that wants to do business with the NHS. The DSP Toolkit is a rich set of requirements to ensure all organisations that may have access to private or confidential data have good protections in place.

Clearly, it's been particularly challenging for NHS agencies to complete their assessments this year and it will soon be time to complete the assessments for 2021. Importantly, some DSPT requirements have changed for 2021. In particular, DSPT version 3 (required for new assessments) makes Cyber Essentials a mandatory requirement for all relevant organisations.
It's a good recommendation. Previously, the requirement was that all relevant agencies move towards Cyber Essentials Plus compliance as a result of the investigations into the WannaCry attacks. With DSPT V3, Cyber Essentials is now mandatory. Osirium recently published a free whitepaper on reducing the effort to achieve Cyber Essentials compliance.
The role of Privileged Access Management in DSPT and Cyber Essentials
Privileged account management is at the core of the Cyber Essentials requirements and DSPT. Indeed, it's fundamental to all security strategies; if you can't control access to the security tools, then those tools are vulnerable. In DSPT, section 4 is most directly relevant as it includes requirements such as "The organisation does not allow users with wide ranging or extensive system privilege to use their highly privileged accounts for high-risk functions, in particular reading email and web browsing" and "You record and store all privileged user sessions for offline analysis and investigation." How could you monitor, manage, and (importantly) prove compliance with such requirements?
In a very stretched environment with these increased requirements, all data security and IT operations managers should be working on how to reduce the effort required to complete the DSPT assessment and produce the required evidence items as easily as possible.
The whitepaper mentioned above highlights how many of the key requirements can be automated using modern privileged access management (PAM) and automation (for Osirium, that means Privileged Process Automation (PPA)).
Opportunities for IT Productivity Gain
It's not just about complying with regulations (although, that's clearly important). Good privileged access management can be a positive gain for productivity.
For example,
- PAM can allow partners or suppliers to safely access internal systems without needing complex remote access infrastructure.
- The "MAP Server" in Osirium PAM allows legacy applications to be accessed via a browser on any workstation or laptop, allowing the number of old, and perhaps out-of-support, systems to be greatly reduced.
- PPA automation can be used to simplify management tasks (e.g. recertifying who has access to which systems).
Those are just a few examples. PPA is so flexible that it can help solve many challenges in IT and across the organisation. It's limited only by your imagination.
Osirium will be discussing these topics and demonstrating the solution with their specialist partner ITHealth in a webinar; please register to find out more.

If you'd like to discuss how your next DSPT assessment can be simplified, please get in touch.