What is Cyber Essentials?
The Cyber Essentials scheme is a UK government-backed initiative designed to help organisations, large or small, shield themselves from common cyber threats. It is a self-assessment certification that helps you protect your organisation against cyber attacks. It outlines a straightforward set of technical security controls that, when appropriately implemented, can significantly reduce an organisation’s attack surface. This is particularly vital for NHS and healthcare organisations, which handle highly sensitive patient data. While the NHS Cyber Security Operations Centre (CSOC) works to monitor new threats and attacker activity 24/7 for hundreds of organisations across the healthcare network, laying down your own strong foundation of cybersecurity practices serves as a critical first line of defence against lurking online threats.
Is Cyber Essentials Mandatory For NHS Compliance?
While basic Cyber Essentials itself is not universally mandated by healthcare regulations, many NHS trust tenders and government contracts now demand it, making it practically essential for those working within or alongside the NHS to meet contractual obligations.
DTAC Requirements: Regulatory compliance requirements such as the Digital Technology Assessment Criteria (DTAC) specifically ask for Cyber Essentials, secure code practices, and penetration testing exercises to validate security controls.
CE certifications closely align with NHS England’s security standards, signalling a commitment to data protection that patients, partners, and regulators expect.
DSPT Alignment: The Data Security and Protection Toolkit (DSPT) is a mandatory requirement for all NHS organisations and partner entities that handle NHS patient data. DSPT is updated annually to reflect changes in national data security standards and has been revised to closely align with external security standards, including Cyber Essentials, EU NIS, and the NCSC Cyber Assessment Framework (CAF). While having Cyber Essentials Plus can ease the evidence submission process for DSPT compliance, NHS Digital strongly recommends that healthcare organisations achieve Cyber Essentials and Cyber Essentials Plus accreditation and, where appropriate, extend this coverage across their cloud platforms.
Data Security Risks Associated with Healthcare Organisations
NHS Foundation trusts and their supply chain handle millions of accounts, including patients, staff and approved third parties. Therefore, processes, people and technical controls should be dynamic and capable of responding to newer cyber security threats.
Healthcare organisations face unique cyber risks due to their responsibility to safeguard patients across both IT and OT networks. The lack of good data security practices opens the door to severe risks:
- Data breaches: Healthcare data is a primary target on the dark web, where threat actors profit from patient information leaks.
- Ransomware attacks: Malware can paralyse hospital networks, forcing staff to revert to manual processes and disrupting critical services.
- Phishing attacks: Successful phishing can harvest staff credentials to infiltrate deeper into networks.
- Supply chain attacks: Third-party vendor systems could be exploited to gain unauthorised access to broader NHS networks.
Cyber Essentials Plus Certification
- Protect sensitive data, protect your business
- Improve eligibility for new opportunities across regulated industries and public sector.
Benefits of Cyber Essentials for NHS and Healthcare Organisations
Cyber Essentials Plus certification offers more business benefits than basic Cyber Essentials, which is a self-assessment certification. This is due to the more stringent certification criteria, the independent audit, and the push to adopt a proactive approach to key technical controls.
Some of these business benefits for a certified CE+ organisation are:
Demonstrating Cyber Security Compliance
A healthcare organisation or an NHS trust adheres to strong technical security controls aligned with NHS England’s (NHS Digital is no more!) security standards to demonstrate compliance.
Building Trust
Securing this certification fosters trust with patients and stakeholders. The goal is clear: to safeguard sensitive health data, reduce the risk of cyberattacks, and ensure consistent security standards across all NHS partners.
Reduced Insurance Premiums
Many cyber insurance providers offer lower premiums to those with CE+ certification. Thorough security assessments also help streamline IT operations and guide smarter IT investments.
Competitive Advantage
CE+ is increasingly becoming a prerequisite for NHS suppliers. Demonstrating verifiable cyber resilience provides a clear competitive edge in marketplace tenders.
Enhanced Security Posture
By passing the stringent CE+ audit, which includes an external vulnerability scan to test internet-facing systems for weaknesses, IT teams can ensure that no critical or high-risk vulnerabilities are threatening the network. It is also actively recommended that NHS bodies extend this robust posture to encompass their cloud environments.
Cyber Essentials Requirements for NHS and Healthcare Organisations
(Note: We cover the specific intricacies of the latest scheme changes in our dedicated Cyber Essentials Scheme Changes blog. However, organisations must ensure they are compliant with the newer version of Cyber Essentials (including CE scheme updates like Danzell) and align their environments with the Cyber Essentials IT infrastructure requirements guide.)
Cyber Essentials evaluates an organisation based on cybersecurity requirements across five technical control areas:
Firewalls
Secure hardening of Internet-facing firewalls to prevent unauthorised access to and from a network.
Secure Configuration
Secure configuration of software and systems to minimise the attack surface through authentication, encryption, and hardening-related security measures.
User Access Control
An effective user access management mechanism to limit access based on who requires what access to sensitive data and systems. This covers access controls and privileged access management areas.
Malware Protection
Endpoint protection against malware to limit and reduce the likelihood of infections.
Patch Management
Demonstrate effective patch management with a 14-day window for fixing high-risk vulnerabilities and an overall patch management process for fixing software vulnerabilities.
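As an added illustration of the patch management control (not code from this page or from Cyphere), the script below takes a constructed vulnerability scanner export and reports which high-risk findings have exceeded the 14-day window. It assumes the scheme's CVSS v3 threshold of 7.0 for "high risk", which this page does not state, and the hostnames and vulnerability references are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Cyber Essentials expects high-risk vulnerabilities to be fixed within
# 14 days of a fix being released.
PATCH_WINDOW_DAYS = 14
# Assumption: "high risk" means a CVSS v3 base score of 7.0 or above; the
# page gives the window but not the threshold.
HIGH_RISK_CVSS = 7.0


@dataclass
class Finding:
    host: str
    ref: str                 # vulnerability reference (placeholders below)
    cvss: float              # CVSS v3 base score reported by the scanner
    fix_released: date       # date the vendor fix became available
    patched: Optional[date]  # date the fix was applied, None if still open


def days_open(f: Finding, today: date) -> int:
    """Days from fix release to patch date, or to today if still unpatched."""
    end = f.patched if f.patched is not None else today
    return (end - f.fix_released).days


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """High-risk findings fixed late or still open past the 14-day window."""
    return [f for f in findings
            if f.cvss >= HIGH_RISK_CVSS
            and days_open(f, today) > PATCH_WINDOW_DAYS]


def passes_patch_control(findings: List[Finding], today: date) -> bool:
    """True when no high-risk finding has exceeded the window."""
    return not overdue(findings, today)


# Constructed sample export; hosts and references are placeholders.
SAMPLE = [
    Finding("ws-01", "VULN-PLACEHOLDER-1", 9.8, date(2024, 5, 1), date(2024, 5, 10)),
    Finding("srv-02", "VULN-PLACEHOLDER-2", 7.5, date(2024, 5, 1), None),
    Finding("srv-03", "VULN-PLACEHOLDER-3", 5.3, date(2024, 4, 1), None),
    Finding("ws-04", "VULN-PLACEHOLDER-4", 8.1, date(2024, 5, 3), date(2024, 5, 18)),
]
AS_OF = date(2024, 5, 20)

if __name__ == "__main__":
    for f in overdue(SAMPLE, AS_OF):
        print(f"{f.host} {f.ref} CVSS {f.cvss}: open {days_open(f, AS_OF)} days")
    print("patch control:", "PASS" if passes_patch_control(SAMPLE, AS_OF) else "FAIL")
```

Findings below the threshold (srv-03 here) are still tracked by the overall patching process but do not count against the 14-day window.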
How Can NHS and Healthcare Organisations Achieve Cyber Essentials Certification?
Cyphere is an IASME-accredited certification body that can support organisations with Cyber Essentials Plus and ICA (IASME Cyber Assurance) certifications. We consider your requirements at the level of your broader cyber security strategy and help you meet your CE certification objectives through a process that is both time- and cost-effective.
Achieving Cyber Essentials certification involves a straightforward process:
Step 1: Verified Self-Assessment (VSA or Cyber Essentials Basic)
A self-assessment questionnaire-based assessment that awards basic Cyber Essentials certification to the applicant organisation.
Step 2: External Assessment (for Cyber Essentials Plus)
For Cyber Essentials Plus, an external assessor such as Cyphere’s IASME-accredited assessor conducts a technical audit to verify the implementation of the security measures against the five key control areas. It includes an external vulnerability scan, an authenticated vulnerability assessment of the systems in scope, and secure communication, malware protection and user access control checks. This is a remote exercise, often conducted over a Teams/Google Meet session, carried out against your external infrastructure.
Step 3: Certification
Upon successful completion, the organisation receives its Cyber Essentials Plus certificate. If any fixes are required, a 30-day window is provided to address the issues and resubmit.
Our Cyber Essentials Plus Certification Process
From the initial consultation to the certification, our tried-and-true approach ensures successful outcomes without going into fail mode, retesting, or asking for new invoices—that’s not us. If required, the Cyber Essentials Plus certification process can also be mapped to your pen test demands.
Our CE+ certification process includes the following phases:
- Initial consultation: We discuss your cybersecurity needs and goals to determine whether Cyber Essentials Plus is right for you and how it fits with the timing of your annual security assessments. This includes understanding the most common cyber risks, such as phishing, malware, ransomware, mobile devices, medical devices and network security weaknesses, and how CE can help mitigate these threats.
- Gap analysis: We identify gaps between your security posture and the certification requirements through a readiness exercise.
- Implementation support: Our team guides you through implementing the necessary controls and providing resources and recommendations.
- Technical verification: Our IASME-accredited assessors conduct a thorough audit to verify the implementation of your technical controls and ensure your organisation successfully passes the certification.
- Certification award: Upon completion, you’ll receive your official Cyber Essentials Plus certificate.
Cyber Essentials Or Cyber Essentials Plus?
While basic Cyber Essentials is a great starting point that offers security measures reactive to new threats, Cyber Essentials Plus provides a significantly higher level of assurance through an independent technical audit. CE+ is generally the preferred option for NHS suppliers and healthcare organisations handling highly sensitive patient data.
Important Note: You must time your self-assessment questionnaire submission carefully. You must hold the basic Cyber Essentials certification within a three-month window of applying for Cyber Essentials Plus.
How Much Does NHS Cyber Essentials Cost?
Should you have security audit, compliance or penetration testing requirements, we will combine both requirements in one proposal to offer heavily discounted Cyber Essentials Plus certification. Our CE+ costs start from £899. Standalone Cyber Essentials certification costs vary depending on the size and complexity of the organisation and whether it opts for the basic or Plus certification. Cyphere’s price is a single fee for the entire certification process, including resubmission, a readiness audit, unlimited consultations and phone and web support. You can find out about Cyber Essentials pricing here.
Summary
Cyber Essentials provides a great foundation for following cyber security best practices. Remember that having a certification does not guarantee that your data and systems are safe. However, it’s an essential step towards securing your organisation against the most common attacks. Organisations with mature security programs opt for a proactive approach to people, processes, and technical security controls.
Choosing between Cyber Essentials and Cyber Essentials Plus will depend on the organisation’s specific needs and risk appetite. Still, for many in the healthcare sector, Cyber Essentials Plus’s added assurance makes it the more compelling choice.