The NHS is one of the most targeted organisations in the UK for cyberattacks. This is not coincidental — it holds extraordinarily sensitive personal and medical data, it operates critical life-safety systems, and historically its security posture has been inconsistent. The 2017 WannaCry attack, which disrupted NHS services for days and cancelled thousands of appointments, remains the most prominent example of what happens when security is treated as secondary to operational continuity.

In response, NHS England and NHS Digital (now NHS England) have significantly tightened supply chain security requirements. If your organisation supplies goods or services to any NHS body — including trusts, CCGs, GP practices and NHSE directly — this guide is for you.

The Data Security and Protection Toolkit (DSPT)

The DSPT is the NHS's self-assessment framework for organisations that handle NHS patient data or connect to NHS networks. Completing the DSPT is a contractual requirement for all NHS suppliers with access to patient data, and many NHS bodies now require it from all suppliers regardless of data access.

DSPT Standards Explained

The toolkit assesses against 10 data security standards derived from the National Data Guardian's guidelines. Key areas include:

  • Standard 1: People — all staff receive annual data security training; completion is tracked and verified
  • Standard 2: Processes — formal data security policies exist, are accessible and are reviewed annually
  • Standard 3: Technology — software is patched within defined timescales; critical patches within 14 days
  • Standard 5: Records — you can account for all personal data you hold, process and share
  • Standard 9: Responding — you have a tested process for responding to data security incidents and have completed the mandatory Cyber Alerts review

Assessment Levels

The DSPT has three assessment levels: Approaching Standards, Standards Met, and Standards Exceeded. Most NHS contracts require at minimum "Standards Met". Achieving "Standards Exceeded" demonstrates leadership and is increasingly requested by NHS bodies for higher-risk supplier relationships.

Cyber Essentials and Cyber Essentials Plus

Cyber Essentials is a UK government-backed certification covering five technical controls: firewalls, secure configuration, user access control, malware protection and patch management. It is a minimum baseline, not a comprehensive security framework.

Cyber Essentials Plus includes independent technical verification — an assessor actually tests your controls rather than relying on self-assessment. NHS England now requires Cyber Essentials Plus for suppliers handling personal data or connecting to NHS systems.

Practical Steps to Achieve Compliance

  1. Map your NHS data flows: Identify exactly what NHS data you access, process or store, and where it goes
  2. Complete annual Data Security Awareness training: Every staff member, documented with completion records
  3. Implement a patch management process: Critical vulnerabilities within 14 days, high within 30 days — this is explicitly assessed
  4. Document your policies: Data protection, acceptable use, incident response — all need to exist in writing
  5. Achieve Cyber Essentials Plus: Budget 6–8 weeks for the assessment and remediation cycle
  6. Complete your DSPT submission: Annual deadline is typically 30 June; submit early to allow time for remediation if gaps are identified
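As an added illustration of step 3 (not code from the original guide), the script below assesses a set of constructed scanner findings against the 14-day critical and 30-day high remediation windows and lists the exceptions that would need a documented reason at assessment time; the Finding record, the status names and the sample findings are assumptions, not a DSPT artefact.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows from the guide's step 3 (critical 14 days, high 30 days).
SLA_DAYS = {"critical": 14, "high": 30}

@dataclass
class Finding:
    asset: str            # host or application name
    ref: str              # scanner finding id or CVE (sample values below are constructed)
    severity: str         # "critical", "high", or anything else (no SLA assumed for others)
    detected: date
    remediated: Optional[date] = None

def sla_deadline(f: Finding) -> Optional[date]:
    # Date by which the finding must be fixed, or None if no SLA applies.
    days = SLA_DAYS.get(f.severity.lower())
    return None if days is None else f.detected + timedelta(days=days)

def assess(f: Finding, today: date) -> tuple:
    # Classify one finding against its SLA; returns (status, days past the deadline).
    deadline = sla_deadline(f)
    if deadline is None:
        return "no_sla", 0
    if f.remediated is not None:
        over = (f.remediated - deadline).days
        return ("met", 0) if over <= 0 else ("breached", over)
    over = (today - deadline).days
    return ("open", 0) if over <= 0 else ("overdue", over)

def sla_report(findings, today: date) -> dict:
    # Count findings per status and list the exceptions that need a documented reason.
    counts, exceptions = {}, []
    for f in findings:
        status, over = assess(f, today)
        counts[status] = counts.get(status, 0) + 1
        if status in ("breached", "overdue"):
            exceptions.append((f.asset, f.ref, status, over))
    return {"counts": counts, "exceptions": exceptions}

SAMPLE = [  # constructed sample findings, assessed as at 1 June 2024
    Finding("web-01", "FINDING-001", "critical", date(2024, 5, 1), date(2024, 5, 10)),
    Finding("db-01", "FINDING-002", "critical", date(2024, 5, 1), date(2024, 5, 20)),
    Finding("app-02", "FINDING-003", "high", date(2024, 4, 20)),
    Finding("app-03", "FINDING-004", "high", date(2024, 5, 25)),
    Finding("print-01", "FINDING-005", "medium", date(2024, 3, 1)),
]
REPORT = sla_report(SAMPLE, date(2024, 6, 1))
```

Feed it your own scanner export instead of SAMPLE and keep the exceptions list with each DSPT submission as evidence of how overdue items were handled.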

Baycop has helped over a dozen NHS supply chain organisations achieve DSPT Standards Met and Cyber Essentials Plus certification. Get in touch to discuss your compliance requirements.