Cyber Essentials NHS and Healthcare Organisations
2025-01-18 14:57:09 Author: securityboulevard.com

What is Cyber Essentials?

The Cyber Essentials scheme is a UK government-backed initiative designed to help organisations, large or small, shield themselves from common cyber threats. It outlines a straightforward set of technical security controls that, when appropriately implemented, reduce an organisation’s attack surface.

This is particularly vital for NHS and healthcare organisations. They handle NHS data that needs robust protection. Think of it as laying down a strong foundation of cybersecurity practices, a first line of defence against lurking threats online.

Is Cyber Essentials Mandatory For NHS Compliance?

Yes. Many NHS trust tenders and government contracts now call for Cyber Essentials certification (for example, through DTAC), making it practically essential for organisations working within or alongside the NHS to meet their contractual obligations with insurance providers and suppliers. In short, it is becoming the go-to standard for demonstrating cyber resilience in the healthcare sector.


Regulatory compliance requirements such as DTAC specifically ask for Cyber Essentials, secure code and penetration testing exercises to validate the security controls.

CE certifications align with NHS England’s security standards and signal a commitment to data protection that patients, partners, and regulators increasingly expect. However, unlike CAF-aligned DSPT or DTAC, CE certifications are not part of healthcare regulations. DSPT is a UK government initiative that is mandatory for all NHS organisations that handle NHS patient data.

Having a Cyber Essentials Plus certification can ease compliance statements within the Data Security and Protection Toolkit submission process, reducing compliance efforts.

Data Security Risks Associated with Healthcare Organisations

NHS Foundation Trusts and their supply chains handle millions of accounts, covering patients, staff and approved third parties. Processes, people and technical controls therefore need to be dynamic and capable of responding to new cyber security threats.

NHS and healthcare organisations face unique cyber risks because of their responsibility to safeguard patients and patient data across IT and OT networks. The Synnovis attack in June 2024 is a classic example of healthcare supply chain risk: it led to cancelled appointments, a reversion to manual processes, and patient data (PHI) being leaked onto the dark web.

Poor data security practices expose an organisation to several risks, such as:

  • Data breaches: Healthcare data is a primary target and the most expensive item on the dark web, and threat actors profit from patient information leaks.
  • Ransomware attacks: Malware and ransomware attacks affect healthcare and hospital networks and disrupt critical services.
  • Phishing attacks: A successful phishing attack could harvest staff credentials, which could be used to infiltrate further into the networks or sell information on the dark web.
  • Supply chain attacks: Third-party systems could be exploited to gain unauthorised access to NHS networks or disrupt OT networks.

Benefits of Cyber Essentials NHS and Healthcare

Cyber Essentials Plus certification offers more business benefits than basic Cyber Essentials, which is a self-assessment certification. This is due to the more stringent certification criteria, the independent audit, and the push it gives an organisation to adopt a proactive approach to key technical controls.

Some of these business benefits for a certified CE+ organisation are:

Demonstrating Cyber Security Compliance

A certified healthcare organisation or NHS trust demonstrates compliance by adhering to strong technical security controls aligned with NHS England’s security standards (NHS Digital is no more!).

Building Trust

Securing Cyber Essentials certification fosters trust with patients, partners, and stakeholders and sends a strong message about cyber hygiene.

Reduced Insurance Premiums

Did you know many cyber insurance providers offer lower premiums to organisations with Cyber Essentials Plus certification? There are other cost savings too, as thorough security assessments help direct IT investment and streamline IT operations.

Competitive Advantage

Cyber Essentials Plus is a prerequisite in many tenders and contracts across industries, which provides a competitive advantage in the marketplace.

Enhanced Security Posture

Cyber Essentials Plus significantly bolsters an organisation’s defences against the most common cyber threats. For the IT team, the measure of an improved security posture is having no outstanding critical or high-risk findings.

Cyber Essentials Requirements for NHS and Healthcare Organisations

Cyber Essentials evaluates an organisation based on cybersecurity requirements across five technical control areas:

Firewalls

Secure hardening of Internet-facing firewalls to prevent unauthorised access to and from a network.

Secure Configuration

Secure configuration of software and systems to minimise the attack surface through authentication, encryption, and hardening-related security measures.

User Access Control

An effective user access management mechanism that limits access based on who requires what access to sensitive data and systems. This covers access control and privileged access management.

Malware Protection

Endpoint protection against malware to limit and reduce the likelihood of infections.

Patch Management

Demonstrate effective patch management, with a 14-day window for fixing high-risk vulnerabilities and an overall patch management process for fixing software vulnerabilities.
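The 14-day window is easiest to evidence when it is checked mechanically rather than by hand. The following is an added example, not code from the original article or from Cyphere: it runs a constructed patch inventory against the window and reports every fix that was, or still is, outstanding past the deadline. It assumes a CVSS v3 base score of 7.0 or higher as the "high-risk" threshold and, conservatively, treats fixes with no published severity as high-risk; the hostnames, software names and advisory identifiers are placeholders.

```python
"""Patch-management SLA check for the Cyber Essentials 14-day window.

Constructed example: the inventory below is made up, and the advisory
identifiers are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SLA_DAYS = 14          # high-risk fixes must be applied within 14 days of release
HIGH_RISK_CVSS = 7.0   # assumed threshold for "high-risk": CVSS v3 base score >= 7.0


@dataclass(frozen=True)
class PatchRecord:
    host: str
    software: str
    advisory: str             # placeholder identifier, e.g. "EXAMPLE-0001"
    cvss: Optional[float]     # None when the vendor published no severity
    fix_released: date        # date the vendor made the fix available
    applied: Optional[date]   # date the fix was installed, None if still missing


def is_high_risk(record: PatchRecord) -> bool:
    """Unrated fixes are treated as high-risk: with no vendor severity there is
    no basis for arguing the fix could wait (a conservative assumption)."""
    return record.cvss is None or record.cvss >= HIGH_RISK_CVSS


def days_overdue(record: PatchRecord, as_of: date) -> int:
    """Days the fix was (or still is) outstanding beyond the SLA deadline.

    Returns 0 when the record is within the window or not subject to the
    14-day rule. A fix installed after the deadline still counts as a breach,
    because the window was missed for the period in between.
    """
    if not is_high_risk(record):
        return 0
    deadline = record.fix_released + timedelta(days=SLA_DAYS)
    end = record.applied if record.applied is not None else as_of
    return max(0, (end - deadline).days)


def assess(inventory: List[PatchRecord],
           as_of: date) -> Tuple[List[PatchRecord], List[Tuple[PatchRecord, int]]]:
    """Split the inventory into compliant records and breaches, worst first."""
    compliant: List[PatchRecord] = []
    breaches: List[Tuple[PatchRecord, int]] = []
    for rec in inventory:
        over = days_overdue(rec, as_of)
        if over:
            breaches.append((rec, over))
        else:
            compliant.append(rec)
    breaches.sort(key=lambda item: item[1], reverse=True)
    return compliant, breaches


def report(inventory: List[PatchRecord], as_of: date) -> List[str]:
    """Human-readable summary suitable for attaching to an assessment record."""
    compliant, breaches = assess(inventory, as_of)
    lines = [f"Patch SLA check as of {as_of.isoformat()}: "
             f"{len(breaches)} breach(es), {len(compliant)} compliant"]
    for rec, over in breaches:
        state = ("still unpatched" if rec.applied is None
                 else f"applied {rec.applied.isoformat()}")
        lines.append(f"  BREACH {rec.host} {rec.software} {rec.advisory}: "
                     f"{over} day(s) past deadline ({state})")
    return lines


# Constructed sample inventory, assessed as of the article's publication date.
AS_OF = date(2025, 1, 18)
SAMPLE_INVENTORY = [
    PatchRecord("ward-pc-01", "web browser", "EXAMPLE-0001", 9.8, date(2024, 12, 20), None),
    PatchRecord("ward-pc-02", "web browser", "EXAMPLE-0001", 9.8, date(2024, 12, 20), date(2024, 12, 30)),
    PatchRecord("file-srv-01", "file server", "EXAMPLE-0002", 5.3, date(2024, 11, 1), None),
    PatchRecord("db-srv-01", "database", "EXAMPLE-0003", None, date(2025, 1, 10), None),
    PatchRecord("lab-pc-07", "PDF reader", "EXAMPLE-0004", 7.5, date(2024, 12, 1), date(2025, 1, 10)),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INVENTORY, AS_OF)))
```

In the sample, `lab-pc-07` is a breach even though it is now patched (installed 26 days after the deadline), `ward-pc-01` is an open breach, and `db-srv-01` is unrated but still inside its window. The lower-severity `file-srv-01` item is exempt from the 14-day rule but still belongs in the organisation's overall patch process.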

How Can NHS and Healthcare Organisations Achieve Cyber Essentials Certification?

Cyphere is an IASME-accredited certification body that supports organisations through Cyber Essentials Plus and ICA (IASME Cyber Assurance) certifications. We work from an understanding of your broader cyber security strategy to help you meet your CE certification objectives through time- and cost-effective processes.

Achieving Cyber Essentials certification involves a straightforward process:

Step 1: Self-Assessment Cyber Essentials

A self-assessment questionnaire-based assessment that awards basic Cyber Essentials certification to the applicant organisation.

Step 2: External Assessment (for Cyber Essentials Plus)

For Cyber Essentials Plus, an external assessor such as Cyphere’s IASME-accredited assessor conducts a technical audit to verify the implementation of the security measures against the five key control areas. It includes an external vulnerability scan, an authenticated vulnerability assessment of the systems in scope, and secure communication, malware protection and user access control checks. The assessment can be carried out remotely or on site.

Step 3: Certification

Upon completing the assessment, the organisation receives its Cyber Essentials Plus certificate. If any fixes are required, 30 days are allowed to address the issues and resubmit for the certification.

Our Cyber Essentials Plus Certification Process

From the initial consultation to the certification, our tried-and-true approach ensures successful outcomes without failing, retesting, or issuing new invoices; that’s not us. If required, the Cyber Essentials Plus certification process can also be mapped to your pen test requirements.

Our CE+ certification process includes the following phases:

  1. Initial consultation: We discuss your cybersecurity needs and goals to determine whether Cyber Essentials Plus is right for you and how it fits with the timing of your annual security assessments. This includes understanding the most common cyber risks, such as phishing, malware, ransomware, mobile devices, medical devices and network security weaknesses, and how CE can help mitigate these threats.
  2. Gap analysis: We identify gaps between your security posture and the certification requirements through a readiness exercise.
  3. Implementation support: Our team guides you through implementing the necessary controls and providing resources and recommendations.
  4. Technical verification: Our IASME-accredited assessors conduct a thorough audit to verify the implementation of your technical controls and ensure your organisation successfully passes the certification.
  5. Certification award: Upon completion, you’ll receive your official Cyber Essentials Plus certificate.

Cyber Essentials Or Cyber Essentials Plus?

While basic Cyber Essentials offers a good starting point, Cyber Essentials Plus provides a higher level of assurance through an independent technical audit. Cyber Essentials Plus is generally the preferred option for NHS and healthcare organisations handling highly sensitive data: it offers more robust verification and demonstrates a more significant commitment to cybersecurity. You must time your self-assessment questionnaire submission so that you hold basic Cyber Essentials certification within a three-month window of submitting a Cyber Essentials Plus application.

How Much Does NHS Cyber Essentials Cost?

Cyber Essentials certification costs vary depending on the size and complexity of the organisation and whether it opts for the basic or Plus certification. Cyphere charges a single fee for the entire certification process, including resubmission, a readiness audit, unlimited consultations, and phone and web support. You can find out about Cyber Essentials pricing here.

If your organisation plans to conduct security assessments or pen tests, contact us to save time and money and ensure we provide a tailored quote.

Summary

Cyber Essentials provides a great foundation for following cyber security best practices. Remember that having a certification does not guarantee that your data and systems are safe. However, it’s an essential step towards securing your organisation against the most common attacks. Organisations with mature security programs opt for a proactive approach to people, processes, and technical security controls.

Choosing between Cyber Essentials and Cyber Essentials Plus will depend on the organisation’s specific needs and risk appetite. Still, for many in the healthcare sector, the added assurance of Cyber Essentials Plus makes it the more compelling choice.


Source: https://securityboulevard.com/2025/01/cyber-essentials-nhs-and-healthcare-organisations/