Moorfields Eye Hospital NHS Foundation Trust is the leading provider of eye health services in the UK. It is a national and international centre for research, leading one of the most progressive eye disease research programmes in the world. The Trust required information governance, data protection and cyber security experts to assess its compliance with new data protection and cyber security requirements outlined in the Data Security & Protection Toolkit (DSPT). Completion of the DSPT is a contractual requirement specified in the NHS England Standard Conditions. It remains Department of Health and Social Care policy that all bodies processing NHS patient information, for whatever purpose, provide assurances via the DSPT. Completion is also necessary for organisations that use national systems such as NHSmail and the e-referral service.
As data security standards evolve, the requirements of the DSPT are reviewed and updated to ensure they are aligned with current best practice, knowledge and the current cyber threat landscape. The output from the DSPT provides assurances that measures are in place to keep personal and sensitive information safe and secure. As a result, the requirements of the DSPT for organisations such as Moorfields are extensive. The Trust is mandated to undertake such an assessment to measure its performance against the National Data Guardian’s ten data security standards. This includes the security responsibilities outlined in the NIS regulations, and the assessment is independently audited on an annual basis using a rigorous methodology as mandated by the NHS.
Gemserv supported Moorfields in successfully completing a comprehensive DSPT submission, drawing on the expertise and skills held by our consultants. We provided resources and solutions to address technical remediation activities, together with governance and operational management support that aligned with the Trust’s governance and reporting requirements. The Trust’s DSPT submission came with an associated action plan that demonstrated its cyber security posture at Board level and nationally against the National Data Guardian’s ten data security standards.
Gemserv’s approach was to deploy a team of experienced consultants to determine the baseline position of Moorfields’ cyber security posture against the DSPT requirements. We then undertook a gap analysis and engaged with operational colleagues to ascertain the Trust’s baseline position, which highlighted several risks. As a result of our analysis, we identified that a number of remediation activities were required. Extra consultants were deployed within a short timescale to support the Trust with these activities, using a risk-based approach at an operational level. They worked closely with senior management and colleagues in the IT Department.
Due to our involvement, the Trust has completed all the requirements outlined and is fully compliant with the DSPT requirements. Moorfields created a submission with an associated action plan that showed its cyber security posture at Board level and nationally against the National Data Guardian’s ten data security standards. The expertise and skills held by our consultants enabled us to provide resources and solutions to address technical remediation activities, together with governance and operational management support that aligned with the Trust’s governance and reporting requirements at a senior level.
We supported the Trust in its strategy to show that Moorfields’ digital infrastructure, across technical and organisational boundaries within healthcare, ensures all data is safe, secure and processed fairly. We also helped the Trust to demonstrate that its use of technology across clinical and business processes improves patient experience, is trusted, and is compliant with NHS data protection and security standards. Gemserv received a thank you from Moorfields for our hard work on the submission and associated action plan, as the Trust had completed all the requirements outlined and was fully compliant with DSPT requirements.