Information Security Requirements for Suppliers
Keeping Information Safe and Building Trust
Suppliers need to keep our information safe at all times. This means they must protect important data about our business, our ideas, and personal details about our staff and customers. Suppliers should use strong security measures like locking down data, using encryption, and making sure only the right people can access important information. They must follow all laws and rules about privacy and data protection, and be ready to spot and report any problems or breaches right away. Staff should be trained to handle information securely, and suppliers should use safe ways to communicate with us. In short, we expect our suppliers to take information security seriously, keep things confidential, and work with us to stay ahead of cyber risks.
If you want to provide a service or product to Elysium Healthcare, please review the questions below.
Q1. Will you be processing CONFIDENTIAL PATIENT INFORMATION? We deem this to be information which is ‘Confidential’ (as defined in Q2) AND which identifies an individual, is held in confidence, and conveys information relating to the health condition, diagnosis and/or treatment of that individual.
Q2. Will you be processing CONFIDENTIAL data? We deem this to be Personal Data or Sensitive Personal Data (not patient health data), as defined by the Data Protection Act 2018 and the General Data Protection Regulation 2018. Personal Data is information, or a collection of information, which enables the identification of a single living person. Examples include: HR and personnel financial records; information relating to security investigations, incidents, risks and/or baseline security controls; highly commercially sensitive, proprietary or patented information; information which could be considered valuable to criminals and/or competitors; and information which may facilitate improper gain or disadvantage to individuals and/or organisations.
Q3. Will you be processing Business Use Information? We deem this to be internal information that is not meant for public disclosure (e.g. organisational charts, minutes of meetings) and that does not include Confidential or Confidential Patient Information.
If your answer is “yes” to one or more of the above, then we would expect the attached NHS Digital Technology Assessment Criteria (DTAC) to be completed and returned: https://transform.england.nhs.uk/key-tools-and-info/digital-technology-assessment-criteria-dtac/
It is important to note that the DTAC opens up conversations between suppliers and Elysium Healthcare’s SMEs (subject matter experts); it should not be viewed as a “pass” or “fail”.
Elysium Healthcare offers services to the NHS and is required to comply with the NHS cyber security charter for suppliers: https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/cyber-security-charter-for-suppliers-to-the-nhs. As a result, any potential IT supplier should commit in writing to abiding by the following principles:
- Our systems are kept in support and have the latest patches applied to address known vulnerabilities.
- We will achieve and maintain at least ‘Standards Met’ as part of the Data Security and Protection Toolkit (DSPT).
- We will apply Multi-Factor Authentication (MFA) to our own networks and systems. To support our customers to meet the NHS England MFA policy, we will support identity federation or make MFA functionality available on the products that we provide.
- We will deploy effective 24/7 cyber monitoring and logging of our critical IT infrastructure to prevent and detect cyber-attacks, which will allow investigation in the event of an incident.
- We will ensure that we have immutable backups of our critical business data, with tested plans that ensure we can offer business continuity and rapid recovery of essential IT. We will also have immutable backups of our products to ensure the continued provision of the systems and services that we provide.
- We have undertaken board-level exercising to ensure we are confident of our ability to respond in the event of a cyber-attack.
- We will report to our customers in a timely manner, adhering to (and supporting our customers to adhere to) all regulatory requirements, and work collaboratively, openly and in partnership with NHS England in the event of discovering a cyber-attack affecting patient care or data.
- Where providing software to the NHS, we agree that the software has been produced in adherence to the Department for Science, Innovation and Technology (DSIT) / National Cyber Security Centre (NCSC) software code of practice, and we commit to meeting its principles of secure design and development, secure build environment, secure deployment and maintenance, and communication with customers.