When investigating and designing new cloud solutions within the healthcare sector, there are multiple important standards, principles and guidelines to consider regarding security, access, permissions and controls. It’s vital to consider these carefully with respect to the management of your cloud-based applications and associated patient data. UKCloud Health and our extensive ecosystem of partners can help you design fully compliant solutions that deliver quality healthcare services while ensuring the security and integrity of patient information.
This interactive page highlights the standards that, from our experience, are the most relevant, and how our people, processes and technology can help you comply with them.
Listed below are the three key standards you need to be aware of, together with how UKCloud Health can assist you with each one.
What is the Minimum Cyber Security Standard?
The Minimum Cyber Security Standard (MCSS) was published in June 2018 as the new minimum set of cyber security standards that the government expects its departments to adhere to, and exceed wherever possible. These standards also apply to any third-party supplier that provides services to a department and, as part of the process of following the MCSS, customers need to identify which standards are required to be evidenced by their supply chain.
Within the tables below, we help customers understand the mature capabilities that can be recognised by using UKCloud Health. It is important to note that over time these requirements are expected to evolve to continually ‘raise the bar’, address new threats or classes of vulnerabilities, and incorporate the use of new Active Cyber Defence measures.
The standards relate to five key areas:
Departments shall put in place appropriate cyber security governance processes, and identify and catalogue sensitive information they hold. Departments shall identify and catalogue the key operational services they provide. The need for users to access sensitive information or key operational services shall be understood and continually managed.
Standard: | Customer Responsibilities: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
Cyber security governance | Customers need to be able to demonstrate clear responsibilities and accountabilities, effective policies and processes, risk management, supply chain security, and training and awareness. | When selecting a supplier, customers can be assured that UKCloud meets the requirements set out in the MCSS, as detailed in this table. We have significant experience in demonstrating compliance with a wide variety of standards and frameworks and can provide the assurance evidence to support or reinforce your own department’s position. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. UKCloud’s own Data Security and Protection Toolkit (DSPT) assessment is available on request. A review of the “Minimum Cyber Security Standard”: blog written by UKCloud’s Director of Compliance & Information Assurance. The highest standards for the UK Public Sector page on our website explains our approach and shows adherence to compliance frameworks. The System Interconnect Security Policy (SISP) page on our website provides an overview of the SISP and explains the respective roles and responsibilities of the customer and the cloud service provider (UKCloud). We comply with the following ISO standards: Information Security Management (ISO27001), Security Controls for Cloud Services (ISO27017) and Personal Data in the Cloud Security (ISO27018). |
Sensitive Information | Customers are required to have a full understanding of their sensitive information assets, why and where they are processed and stored, and the impact if any of them were breached or compromised. | UKCloud is fully aware that the data sets of health care customers are likely to contain sensitive information. As such, and as detailed elsewhere in this table, we provide a range of controls and functions to ensure that customers’ sensitive information is securely processed, stored and managed at all times. The UKCloud platform is subject to constant protective monitoring (aligned with GPG13), and our 24/7 Network Operations Centre / Security Operations Centre capability provides near real-time updates to customers. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. Monitoring the UKCloud platform: Knowledge Centre article providing information on the security incident monitoring system that scans for potential security incidents 24 hours a day. |
Operational service | Customers must have the details of the key operational services being provided, knowledge of the technology and other dependencies they rely upon, and the impact of unavailability. Customers have a responsibility to understand the availability requirements of their data and systems and to select an appropriate level of cloud service resilience to meet these objectives. | To help our customers understand the nature and suitability of our cloud services we provide comprehensive Service Definitions. If required for assurance purposes, we can also provide RMADS and Residual Risk Statements for each cloud service. We also have a comprehensive Knowledge Centre containing articles and guidance on all our services. Our platform enables customers to implement resilient solutions according to the priority of the service. If a particular solution requires absolute uptime, customers can design for resilience and high availability by utilising UKCloud’s multiple sites (each with government network connectivity, including HSCN and PSN), which provide multiple instances of the same service to avoid downtime in the unlikely event of service failure in one location. In addition, customers can call on our team of Cloud Architects, free of charge, to help design the right solution for their requirements and objectives. Our Status page lets customers know of any updates to UKCloud services, including new releases, planned maintenance and incidents. | UKCloud Knowledge Centre: provides technical documentation on UKCloud’s products and services. UKCloud Service Definitions: provide customers with a high-level introduction to each service, outlining what it is, why a customer would choose it, and links to the supporting materials in the Knowledge Centre. Sites, Regions and Zones: Knowledge Centre article explaining how customers can design applications that are highly resilient. UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. |
User and access management | Customers are required to ensure that their users have only the minimum level of access to systems and information required to undertake their authorised duties. All such access should be monitored and logged and subject to regular review. | The UKCloud Portal enables customers to determine the level of access and privileges that their users have within the virtual environment. The System Administrator has the authority to remove users via the self-service UKCloud Portal if they have left the company or no longer need access. Only security-cleared personnel can access the underlying UKCloud platform, in strict accordance with Role Based Access Control (RBAC). Such access is only authorised for valid business purposes, is subject to protective monitoring and logging, and is regularly reviewed for compliance. By default, UKCloud personnel cannot access customers’ virtual environments. | We comply with the following ISO standard: Information Security Management (ISO27001). UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. Getting Started Guide for the UKCloud Portal: Knowledge Centre article providing an overview of what customers can do in the Portal. Monitoring the UKCloud platform: Knowledge Centre article providing information on the security incident monitoring system that scans for potential security incidents 24 hours a day. Portal user access: Knowledge Centre article explaining the facilities available on the UKCloud Portal to manage user access. |
Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems. Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities. Highly privileged accounts should not be vulnerable to common cyber-attacks.
Standard: | Customer Responsibilities: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
Protecting access | Customers need to ensure that only authorised and known users can access sensitive data and associated systems, and that appropriate access control, authentication and monitoring mechanisms are in place. It is recommended that customers review log files regularly and address any suspicious events. | The UKCloud Portal, which provides access to UKCloud’s services, is restricted to registered customer user accounts. The permissions for each user must be set by an authorised customer administrator within the UKCloud Portal. UKCloud provides authentication mechanisms to its customers which include: memorable words; 2FA (two-factor authentication), where users may only log in with a correct 2FA response; and IP address restriction, where users may only log in to the UKCloud Portal from a pre-registered IP address. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. 2-Factor authentication: Knowledge Centre article providing a detailed overview of the security processes involved in accessing the UKCloud Portal. Portal permissions: Knowledge Centre article providing a detailed overview of the permissions page, which only system administrators can access to set account users’ permissions. |
Vulnerability management | Customers will need to demonstrate that they are effectively protecting enterprise technology, end-user devices, digital services and email communications through effective organisational and technical controls. This includes the identification, assessment and application of patches, upgrades and other updates to effectively manage all applicable cyber threats and vulnerabilities. | To help customers meet this standard, UKCloud’s services can be accessed only from properly managed corporate/enterprise devices. The use of such devices must comply with all applicable controls specified within the UKCloud SISP (System Interconnect Security Policy), including asset management, device configuration, acceptable use and security incident reporting. The UKCloud platform is subject to constant monitoring such that all patches, upgrades and other updates are assessed, implemented and managed in a timely manner. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. The System Interconnect Security Policy (SISP) page on our website provides an overview of the SISP and explains the respective roles and responsibilities of the customer and the cloud service provider (UKCloud). Status Page: lets customers know of any updates to UKCloud services, including new releases, planned maintenance and incidents. |
Protecting privileged accounts | Customers will need to demonstrate that privileged accounts are only used for authorised administrative purposes and are not used for daily tasks. Their use should be protected by multi-factor authentication and complex passwords, and be subject to protective monitoring. | Internally, UKCloud’s Access Control Policy places specific responsibilities on UKCloud administrative accounts, which are privileged and not to be used routinely for normal support or development tasks. Super user accounts are tracked and recorded within the UKCloud protective monitoring system, clearly identifying the access and actions undertaken using the privileged account. The super user can then activate UKCloud’s additional security features, such as 2FA, ensuring protection for all privileged accounts. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. Monitoring the UKCloud platform: Knowledge Centre article providing information on the security incident monitoring system that scans for potential security incidents 24 hours a day. 2-Factor authentication: Knowledge Centre article providing a detailed overview of the security processes involved in accessing the UKCloud Portal. Portal permissions: Knowledge Centre article providing a detailed overview of the permissions page, which only system administrators can access to set account users’ permissions. |
Departments shall take steps to detect common cyberattacks including monitoring systems that evolve with the Department’s business and technology changes, as well as changes in threats.
Standard: | Customer Responsibilities: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
Detecting common cyber-attacks | Customers are advised to undertake effective protective monitoring activities, including capturing and analysing events, which can then be assessed using threat intelligence sources such as CISP and CareCERT. It is also recommended that customers undertake periodic IT health checks to ensure that systems and applications are resilient against the current threat landscape. | Monitoring and preventing common cyber-attacks is crucial to our operation. At UKCloud we offer DDoS mitigation and protective monitoring on customers’ external endpoints as standard to monitor and detect threats. The UKCloud customer platform is monitored by a GPG13-aligned protective monitoring system, operating at a minimum of DETER level, alongside perimeter packet analysis, monthly external and general vulnerability scans and an annual NCSC-approved ITSHC CHECK test. Together these measures build up defensive capabilities for customers through monitoring and detection. We are also part of the CISP platform and actively monitor and share threat information with customers. As part of our protective monitoring activities, we gather insight and knowledge from credible sources such as the CISP and CareCERT bulletins. Our technical personnel receive regular comprehensive training on the identification and management of cyber threats and vulnerabilities to ensure that the team is kept up to date with the current threat landscape. | Visit the NCSC website to learn more about the Cyber Security Information Sharing Partnership (CISP). UKCloud receives and acts upon regular CareCERT bulletins. The benefits of protective monitoring: blog reviewing the need for protective monitoring and the preventative measures that can be taken to avoid and resolve vulnerabilities. Application-tuned DDoS protection FAQ: Knowledge Centre article answering questions about what the service is and the effects of its use. Application-tuned DDoS protection service scope: Knowledge Centre article providing additional information on the optional Application-tuned DDoS protection service, used to protect UKCloud services in addition to UKCloud’s own standard DDoS protection. |
Departments shall have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services.
Standard: | Customer Responsibilities: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
Responding to cyber security incidents | Customers must implement effective plans to respond to incidents, including defined responsibilities, communication plans, investigation and mitigation actions, incident reporting and plan testing. | Building upon the preparations outlined in standard 8 (above), UKCloud is committed to providing professional expert assistance to its customers in responding to cyber security incidents. This includes cooperation in notifying the relevant authorities and in subsequent investigative and remedial activities. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. |
Departments shall have well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise.
Standard: | Customer responsibilities: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
Recovery of services | Customers need to ensure that contingency plans are in place for unavailability of services or cyber security breaches, that procedures for the prompt restoration of normal service are well rehearsed, and that post-incident reviews effectively remediate the cause to prevent recurrence. | As per standard 3, customers have the option of choosing UKCloud services and configuring them in a way that enables them to achieve their own resilience or availability requirements, using native backup or restore solutions for workloads hosted on UKCloud. Customers also have the option of implementing their own business continuity solutions if desired. UKCloud’s Zerto-powered services enable customers to recover from disaster scenarios such as cyber security breaches, and provide test failover options so that they can test how systems respond in the event of a disaster. | Sites, Regions and Zones: Knowledge Centre article explaining how customers can design applications that are highly resilient. Disaster Recovery as a Service: case study showing how Zerto technology can help restore services following cyber security breaches. UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. |
What is the NHS digital, data and technology standards framework?
The NHS digital, data and technology standards framework, which is currently in draft format, describes the new expectations around the use of data, interoperability and design standards within the NHS. This affects all NHS organisations and the supplier community, which must strive to achieve these more demanding standards. UKCloud always takes a proactive approach to data security and we have reviewed our services with the new draft standards published by NHS Digital in mind.
The framework outlines the key standards for the use of data, clinical safety, interoperability and design interactions:
• Patient records must use the unique patient identifier called the NHS number
• Patient information stored electronically should comply with NHS clinical information standards
• NHS Digital reference data registers are the reference data source in NHS systems
• IT systems must be designed, developed and operated to conform with clinical safety standards
Standard: | Description: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
Patient records for all health and care settings must use the NHS Number wherever possible | This information standard sets out the scope and use of the NHS Number, which is the unique identifier for a patient within the NHS in England and Wales. | (Complying with this standard is the responsibility of NHS organisations) | (Complying with this standard is the responsibility of NHS organisations). |
Patient information held in electronic health records should comply with NHS clinical information standards | Clinical information standards define how a patient’s information is recorded, shared and analysed so that every clinician, care provider, NHS organisation and arm’s-length body (ALB) can be confident in the fidelity of the information they see to the information provided by the treating clinician. | (Complying with this standard is the responsibility of NHS organisations) | (Complying with this standard is the responsibility of NHS organisations). |
NHS Digital Reference Data Registers are the reference data source of choice in NHS systems | Registers are lists of information. They can also commonly be known as 'lookup' tables and are used to categorise data in databases, for example organisation codes or postcodes. In certain cases, registers underpin operational working, such as access control or messaging. Each register is the most reliable list of its kind and represents the approved version of that data, typically managed and approved by a government department. | (Complying with this standard is the responsibility of NHS organisations) | (Complying with this standard is the responsibility of NHS organisations). |
All health software and health IT systems must be designed, developed and operated safely to conform with clinical safety standards | The design, development and operation of health apps, software and IT solutions should be safe. | (Complying with this standard is the responsibility of NHS organisations) | (Complying with this standard is the responsibility of NHS organisations). |
The next two standards concern approved authentication systems and compliance with the Data Security Standards (DSS) through the Data Security and Protection Toolkit (DSPT):
Standard: | Description: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
Logging in to NHS systems should be through an approved authentication system | All NHS systems used by patients should check personal details using the NHS Login system. | UKCloud can provide user authentication solutions that have been approved by the NHS. | Contact UKCloud Health for further guidance and information. |
All NHS digital, data and technology services should achieve the Data Security Standards required through the Data Security and Protection Toolkit (DSPT) | All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practising good cyber security and publish their performance against the National Data Guardian's ten data security standards. | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. UKCloud Health only works with proven technology partners who can evidence a satisfactorily completed DSPT. This makes UKCloud an ideal cloud services provider to host NHS workloads, directly or in conjunction with an approved UKCloud partner, and to work with customers to implement the right solution whilst adhering to these standards. | Contact us to find out more. |
The next two standards concern support for FHIR-based APIs to enable the delivery of seamless care across organisational boundaries, and the operation of services on an enabling infrastructure that supports technical evolution, financial investment and resilience:
Standard: | Description: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
All NHS digital, data and technology services should support Fast Healthcare Interoperability Resources (FHIR) -based APIs to enable the delivery of seamless care across organisational boundaries | NHS organisations should plan to use agreed FHIR APIs so that they can deliver joined up care to their patients. Global Digital Exemplars and Local Health and Care Records are expected to implement these APIs. | UKCloud supports APIs that have been approved by the NHS including the FHIR APIs. It should be noted that the implementation of these APIs is the responsibility of application providers. | Contact us to find out more. |
NHS services should be operated with an enabling infrastructure that supports technical evolution, financial investment and resilience | Infrastructure decisions should consider public cloud, in adherence to the Government's Cloud First policy. Such decisions should be underpinned by an understanding of the total cost of ownership of operating services for their full lifecycle, including exit, together with maximising the benefits that cloud options can offer. | UKCloud has developed a true NIST-defined public cloud, which consists of a range of technologies offering a choice of solutions to better match customer requirements. Our public cloud offers best value for money, with customers paying only for what they use without being committed to CAPEX and minimum contracts. Customers can scale up or down on a self-service, on-demand basis, ensuring that they only consume the minimum required resources at any given time and can satisfy shrinking budgets. As we standardise on known technologies, such as VMware and Microsoft Azure, there are no financial or technical barriers to exiting the platform. Our platform is constantly monitored for security assurance and patching, and is regularly updated to ensure it offers the latest features and functionality. This is combined with deployment of the platform across separate sites and regions, giving customers the ability to design their workloads with the resilience and performance that they require. | UKCloud can offer cloud support for the design of services, including blueprints and reference architectures. A range of transition services is available to help customers on the journey to achieve true cloud, including assessment, migration, optimisation and transformation. The cloud strategy can incorporate a mix of private, public and hybrid clouds to suit the customer’s needs. UKCloud Pricing Guide: provides detailed information on pricing. Use our Pricing estimation tool to calculate the costs of using UKCloud. Sites, Regions and Zones: Knowledge Centre article explaining how customers can design applications that are highly resilient. |
The next two standards concern the design of services in line with the principles of the Digital Service Standard and Technology Code of Practice, and the contracting of services in accordance with the commercial standards:
Standard: | Description: | How UKCloud Health can assist you: | More information: |
---|---|---|---|
All NHS digital, data and technology services should be designed to meet user needs in line with the principles of the Digital Service Standard and Technology Code of Practice | NHS digital systems must be designed in accordance with the principles of the Government Digital Service (GDS) Digital Service Standard and the Technology Code of Practice. | UKCloud delivers choice and flexibility through safe and trusted cloud technologies, including VMware, Microsoft Azure, OpenStack, OpenShift and Oracle, in accordance with the principles of GDS and NHSX. Our platform is dedicated to the UK Public Sector and health services, which facilitates collaboration and joint working within government. As a true cloud provider, our customers benefit from lower operating costs and access to a flexible cloud that scales with user requirements. | The power of cloud economics page on our website explains how cloud can help to create solutions that benefit from lower operating costs and increased flexibility. The “UKCloud. The multi-cloud experts” brochure provides an overview of UKCloud and our multi-cloud services. Use cloud first provides information on the government’s Cloud First policy. See examples of UKCloud use cases. We comply with the following ISO standards: Information Security Management (ISO27001), Security Controls for Cloud Services (ISO27017) and Personal Data in the Cloud Security (ISO27018). |
NHS digital, data and technology services should be contracted for in accordance with the commercial standards | It is intended that all NHS organisations, along with their suppliers, adopt and adhere to these Commercial standards when procuring, managing and delivering IT services and products. The aim is to help drive best practice and embed good working standards within IT contracts across the NHS. | UKCloud acknowledges and adheres to all Commercial and Behavioural Principles as mandated by NHS Digital. For example, our services are all listed on the major government frameworks with defined Service Definitions, Service Scopes, Terms and Conditions and call-off contracts. All engagements with customers are conducted via a professional, documented and standardised procurement process. | Commercial and Behavioural Principles: information provided by NHS Digital on what the principles are and how the NHS expects suppliers and those procuring and managing their services to operate. The Social Value page on our website describes our commitment to drive awareness across the public sector of the benefits that can be realised through good IT decisions. The UKCloud Knowledge Centre provides access to our Service Definitions, Terms and Conditions and Pricing Guide. |
What are the Data Security Standards?
All NHS digital, data and technology services should achieve the Data Security Standards (DSS) required through the Data Security and Protection Toolkit (DSPT), which is made up of ten standards. The DSPT retains the general principle that organisations should demonstrate that they can be trusted with the confidentiality and security of personal information. It also supports organisations to meet the requirements of new legislation including the likes of the General Data Protection Regulation (GDPR) and Network and Information Systems (NIS) Directive. It is important to note that the DSPT will continue to evolve over time to reflect emerging threats, changing policy and future legislative requirements.
The ten Data Standards are an overarching framework; each standard is broken down into evidence items called assertions which cover the detail required to meet each standard. They cover more than technology, encompassing people and process:
Staff understand and follow the processes for the secure management and storage of personal confidential data, ensure that it is only shared lawfully, and understand their personal accountability. Additionally, staff must complete and pass a mandatory annual data security test.
Standard: | Customer Responsibilities: | What is UKCloud Health's position: | More information: |
---|---|---|---|
Personal Confidential Data | Staff ensure that personal confidential data is handled, stored and transmitted securely, and that personal confidential data is only shared lawfully. If you choose to use a cloud service provider, you will need to ensure that they can also protect personal confidential data (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. The Comprehensive Assurance page on our website provides assurance information and evidences our approach to data security. Ensuring the security of personal data processing: blog written by UKCloud’s Director of Compliance & Information Assurance. |
Staff Responsibilities | All staff understand their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches. If you choose to use a cloud service provider, you will need to ensure that their staff responsibilities have been clearly defined (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | The System Interconnect Security Policy (SISP) page on our website provides an overview of the SISP and explains the respective roles and responsibilities of the customer and the cloud service provider (UKCloud). |
Annual security training | All staff complete appropriate annual data security training and pass a mandatory test. If you choose to use a cloud service provider, you will need to ensure that their staff complete annual data security training (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | We comply with the following ISO standard and can provide certificates on request: Information Security Management (ISO27001). The highest standards for the UK Public Sector page on our website explains our approach and shows adherence to compliance frameworks. |
Personal confidential data is only accessible to staff who need it for their current role, and access is removed as soon as it is no longer required. Processes are reviewed annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds that compromise data security. Cyber-attacks against services must be identified and resisted, and continuity plans must be in place to respond to threats to data security and be tested at least annually.
Standard: | Customer responsibilities: | What is UKCloud Health's position: | More information: |
---|---|---|---|
Managing data access | Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. If you choose to use a cloud service provider, you will need to ensure that they have controls in place to ensure that access to personal confidential data by their personnel is properly managed (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. The GDPR page on our website explains the link between GDPR and cloud services and provides information on how UKCloud is GDPR compliant. |
Process reviews | Processes are reviewed at least annually to identify and improve processes which have caused breaches and compromised data security. If you choose to use a cloud service provider, you will need to ensure that their processes are subject to regular review on at least an annual basis (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | The System Interconnect Security Policy (SISP) page on our website provides an overview of the SISP and explains the respective roles and responsibilities of the customer and the cloud service provider (UKCloud). |
Responding to Incidents | Cyber-attacks against services are identified and resisted, and NHS Digital Data Security Centre security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection. If you choose to use a cloud service provider, you will need to ensure that they have the capability (for example, by protective monitoring) to detect cyber incidents and notify you promptly (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | The highest standards for the UK Public Sector page on our website explains our approach and shows adherence to compliance frameworks. We comply with the following ISO standards: Information Security Management (ISO27001); IT Service Management (ISO20000). The "Monitoring the UKCloud platform" Knowledge Centre article provides information on the security incident monitoring system that scans for potential security incidents 24 hours a day. The "benefits of protective monitoring" blog reviews the need for protective monitoring and the preventative measures that can be taken to avoid and resolve vulnerabilities. |
Continuity planning | A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, tested annually. If you choose to use a cloud service provider, you will need to ensure that they have an effective continuity plan in place which is subject to testing on at least an annual basis (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | The "Sites, Regions and Zones" Knowledge Centre article explains how customers can design applications that are highly resilient. The Disaster Recovery as a Service page on our website provides information on the options, features and benefits of DRaaS for customers. This case study shows how Zerto technology can help restore services following cyber security breaches. UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. |
A strategy is in place to protect IT Systems from cyber threats using a proven cyber security framework which is reviewed annually. No unsupported operating systems, software or internet browsers are used within the IT estate. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the Data Security Standards.
Standard: | Customer Responsibilities: | What is UKCloud Health's position: | More information: |
---|---|---|---|
Unsupported systems | No unsupported operating systems, software or internet browsers are used within the IT estate. If you choose to use a cloud service provider, you will need to seek their confirmation that no unsupported operating systems, software or internet browsers are used within their IT estate (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | UKCloud provides a cloud assessment service to help understand what customers currently have in their estate and recommends how they can take advantage of our CyberScore service to identify whether any unsupported or incorrectly patched software exists within their infrastructure. UKCloud was one of the first organisations to have successfully achieved both Cyber Essentials and Cyber Essentials Plus accreditations and has consistently maintained these certifications. UKCloud has been assessed in five key control areas: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management. The Accreditations and certifications page on our website provides information about our compliance framework and current accreditations. |
IT Protection | A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework reviewed annually. If you choose to use a cloud service provider, you will need to ensure that they have a cyber security strategy in place (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | The "benefits of protective monitoring" blog reviews the need for protective monitoring and the preventative measures that can be taken to avoid and resolve vulnerabilities. We comply with the following ISO standards: Information Security Management (ISO27001); Security Controls for Cloud Services (ISO27017); Personal Data in the Cloud Security (ISO27018). All services undergo an annual NCSC-approved ITSHC CHECK Test. UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. |
Accountable Suppliers | IT suppliers are held accountable via contracts for protecting the personal confidential data they hold. If you choose to use a cloud service provider, you will need to ensure that an appropriate contract is in place that provides for the protection of personal confidential data (evidenced by their completion of a satisfactory DSPT). | Customers who are authorised users of the NHS Digital DSPT website can search for UKCloud Ltd (8J561) to view our latest DSPT assessment online. This document is also available on request through our website. | UKCloud’s comprehensive G-Cloud Evidence Pack containing assurance information is available on request. |
We appreciate that there are many aspects that you need to consider on your journey to cloud, so contact one of our multi-cloud experts today and a member of the team will be in touch.
The information presented in the tables above is also available as a PDF document for convenience.
For more information on UKCloud Health and their services, visit our UKCloud Health website.