IT Services & Cybersecurity for UK Healthcare
Healthcare organisations process some of the most sensitive personal data in existence. AMVIA delivers managed IT and cybersecurity services aligned to the NHS Data Security and Protection Toolkit (DSPT), ICO requirements, and the specific operational needs of clinical and administrative environments.
Cybersecurity in UK Healthcare
Healthcare is one of the most heavily targeted sectors globally. The combination of valuable patient data and pressure to restore systems quickly makes it an attractive target.
All organisations with access to NHS patient data must complete the Data Security and Protection Toolkit annually — with Cyber Essentials Plus required for higher-tier assessments.
Breaches involving patient data must be reported to the ICO within 72 hours. Clinical incidents may also trigger CQC reporting obligations.
DSPT Compliance and NHS Data Security
The NHS Data Security and Protection Toolkit (DSPT) is a self-assessment tool that all organisations handling NHS patient data must complete annually. It maps to the National Data Guardian's ten data security standards and requires organisations to demonstrate that they have appropriate technical, organisational, and human controls in place. For suppliers and GP practices, DSPT completion is a contractual requirement. Meeting a 'Standards Met' rating requires Cyber Essentials or Cyber Essentials Plus certification as a minimum. AMVIA helps private healthcare providers, GP practices, dental networks, and NHS supplier organisations achieve and maintain DSPT compliance alongside day-to-day IT management.
Managed IT Services for Healthcare Organisations
From GP practices to private hospital groups and NHS supplier organisations, AMVIA delivers IT services built around clinical availability, patient data security, and regulatory compliance.
DSPT Compliance Support
End-to-end support for the NHS Data Security and Protection Toolkit, including gap analysis, technical remediation, and submission support to achieve Standards Met or higher.
Clinical Device Management
Managed endpoint protection and device management covering clinical workstations, nursing station PCs, and mobile devices accessing patient records.
Patient Data Backup & Recovery
Immutable offsite backups of clinical and administrative systems. Tested recovery procedures to minimise disruption to patient care following an incident.
Secure Network Infrastructure
Segmented networks separating clinical and administrative traffic, with managed firewalls and 24/7 monitoring to detect anomalous activity.
Data Security Awareness Training
DSPT-aligned data security training for clinical and administrative staff — meeting the National Data Guardian's training standards and supporting annual DSPT completion.
24/7 Security Operations Centre
Continuous monitoring with healthcare-specific detection playbooks. Ransomware attacks on healthcare systems can be identified and contained before clinical operations are disrupted.
Healthcare IT & DSPT Compliance Checklist
Key controls from the NHS Data Security and Protection Toolkit and the National Data Guardian's ten data security standards.
DSPT submission completed annually
Standards Met rating achieved and submitted before the 30 June deadline. Evidence documented for each assertion.
Cyber Essentials Plus certification held
Required for NHS organisations seeking Standards Exceeded status and for suppliers handling sensitive personal data.
Staff data security training completed
All staff with access to patient data complete annual data security awareness training as required by the National Data Guardian.
Data Security and Protection policy in place
Current, board-approved DSP policy covering data handling, incident reporting, and acceptable use of clinical systems.
Backup and recovery tested within 12 months
Clinical and administrative system backups tested for restoration. Recovery time objectives documented and validated.
Data Protection Impact Assessments completed
DPIAs completed for new systems or significant changes to data processing, as required under UK GDPR.
Frequently Asked Questions
The DSPT is an annual self-assessment that all organisations handling NHS patient data must complete, including GP practices, dental networks, private healthcare providers, and NHS supplier organisations. It maps to the National Data Guardian's ten data security standards. Achieving a 'Standards Met' rating requires Cyber Essentials certification as a minimum. AMVIA helps healthcare providers achieve and maintain DSPT compliance.
Ransomware attacks on healthcare systems can lock clinical staff out of patient records, appointment systems, and prescribing platforms — directly disrupting patient care. The 2017 WannaCry attack affected a third of NHS England trusts, cancelling thousands of appointments. Rapid incident response, network segmentation, and tested backup recovery are essential controls for protecting clinical continuity.
DSPT Standards Met requires organisations to have Cyber Essentials certification (or Cyber Essentials Plus for higher-tier assessments). CE+ provides independently assessed verification that is required for NHS organisations seeking Standards Exceeded status and for suppliers handling sensitive personal data. AMVIA guides healthcare providers through CE and CE+ certification as part of DSPT preparation.
UK GDPR requires healthcare organisations to implement appropriate technical and organisational measures to protect patient data. Health data is classified as special category data requiring stronger protections. This includes encryption at rest and in transit, strict access controls, staff training, and documented breach response procedures. The ICO must be notified within 72 hours of any breach involving patient personal data.
Clinical workstations accessing patient records should run up-to-date endpoint protection, be managed through a Mobile Device Management (MDM) platform, and have MFA enforced on all clinical system access. Legacy devices running outdated operating systems — common in clinical environments — should be isolated on separate network segments with restricted internet access. AMVIA provides clinical device management as part of its healthcare IT service.
Book a Healthcare IT & DSPT Review
AMVIA's healthcare IT team will assess your current controls against DSPT requirements and provide a clear roadmap to Standards Met compliance.
Related Resources
The Complete UK Cybersecurity Guide
Foundation cybersecurity principles and controls applicable to healthcare organisations and NHS suppliers.
Cyber Essentials Certification
How Cyber Essentials Plus supports DSPT compliance and NHS supply chain security requirements.
Microsoft 365 Security for Healthcare
Securing Microsoft 365 for clinical and administrative teams handling patient data.
MDR vs EDR for Healthcare
Why healthcare organisations need 24/7 managed detection and response rather than endpoint protection alone.
How Much Does Managed Cybersecurity Cost?
Cost guidance for GP practices, dental networks, and private healthcare providers considering managed security.