NHS certifications & roadmap
DSPT, DCB0129 clinical safety, Cyber Essentials Plus, and ISO 27001 - current status, evidence, hazard log, and roadmap dates.
| Standard | Status | Summary |
|---|---|---|
| DSPT | Targeting Standards Met | Data Security & Protection Toolkit — the NHS baseline for any supplier handling patient data. |
| DCB0129 | In progress | Clinical Risk Management for manufacturers of Health IT. Hazard log + safety case + Clinical Safety Officer. |
| Cyber Essentials Plus | Roadmap Q3 2026 | Government-backed cyber security certification. External audit required. |
| ISO 27001 | Roadmap Q1 2027 | Information security management system. Stage 1 audit planned for Q1 2027. |
DSPT status by section
Our current self-assessment is documented in docs/security/dspt-submission-draft.md. Summary:
| Section | Topic | Status |
|---|---|---|
| 1 | Personal Confidential Data | Met |
| 2 | Staff responsibilities | Met |
| 3 | Training | In progress |
| 4 | Managing data access | Met |
| 5 | Process reviews | In progress |
| 6 | Responding to incidents | Met |
| 7 | Continuity planning | Met |
| 8 | Unsupported systems | Met |
| 9 | IT protection | Met |
| 10 | Accountable suppliers | In progress |
DCB0129 clinical safety
Full safety case in docs/security/dcb0129-clinical-safety-case.md. Top 10 hazards with mitigations:
| ID | Hazard | Severity | Mitigation |
|---|---|---|---|
| H001 | Cross-clinic data leak | Catastrophic | RLS + clinic_id scoping + AES-256 |
| H002 | Wrong patient record displayed | Major | UUID PKs, explicit patient_id in every query |
| H003 | AI voice agent gives medical advice | Catastrophic | Guardrails + emergency detector + human handoff |
| H004 | Prescription issued for wrong patient | Catastrophic | FK constraints + allergies check + clinician signature |
| H005 | Appointment double-booked | Minor | Unique constraint on (clinician_id, starts_at) |
| H006 | PII in logs or LLM prompts | Major | Typed PII redaction + regex scrubber |
| H007 | Authentication bypass | Catastrophic | JWT HS256 + denylist + MFA + rate limiting |
| H008 | Audit trail gaps | Major | middleware.Audit + append-only + hash chain |
| H009 | Data loss | Catastrophic | 35-day geo-redundant PITR + backup verification |
| H010 | SMS / email sent to wrong recipient | Major | E.164 validation + HMAC phone hashing |
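An added example, not the project's own middleware.Audit code, of the append-only hash chain listed as the mitigation for H008: each record's hash covers the previous record's hash, so Verify pinpoints a deleted or edited record. Field names and the dr.smith sample events are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// AuditEntry is one append-only audit record; PrevHash chains it to its predecessor.
type AuditEntry struct {
	Actor    string
	Action   string
	PrevHash string
	Hash     string
}

// entryHash binds the record body to the previous record's hash (%q quoting keeps fields unambiguous).
func entryHash(actor, action, prevHash string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%q|%q|%s", actor, action, prevHash))))
}

// Append adds a record whose hash covers the previous record's hash ("" for the first record).
func Append(trail []AuditEntry, actor, action string) []AuditEntry {
	prev := ""
	if n := len(trail); n > 0 {
		prev = trail[n-1].Hash
	}
	return append(trail, AuditEntry{actor, action, prev, entryHash(actor, action, prev)})
}

// Verify recomputes every hash and link. It returns the 1-based position of the
// first record whose link or hash does not match, or 0 if the chain is intact.
func Verify(trail []AuditEntry) int {
	prev := ""
	for i, e := range trail {
		if e.PrevHash != prev || e.Hash != entryHash(e.Actor, e.Action, prev) {
			return i + 1
		}
		prev = e.Hash
	}
	return 0
}

func main() {
	var trail []AuditEntry // constructed sample events, not real data
	trail = Append(trail, "dr.smith", "view patient 42")
	trail = Append(trail, "dr.smith", "prescribe patient 42")
	trail = Append(trail, "admin", "export report")
	fmt.Println("intact:", Verify(trail) == 0)
	fmt.Println("after deleting record 2:", Verify([]AuditEntry{trail[0], trail[2]}))
}
```

The chain alone cannot show that records were removed from the end of the log; that needs the latest hash anchored outside the log, for example alongside the backup verification under H009.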
Clinical Safety Officer
A registered healthcare professional must be appointed as Clinical Safety Officer before NHS deployment. This is a DCB0129 requirement. The CSO owns the hazard log, signs off on releases affecting clinical workflows, and is the named contact for any clinical incident.
Roadmap
Cyber Essentials Plus (Q3 2026)
Requires an external audit from an IASME-accredited assessor. Covers five control areas:
- Firewalls — handled by Azure Front Door WAF + NSGs
- Secure configuration — distroless container, RBAC, no default passwords
- User access control — MFA, RBAC, least privilege
- Malware protection — distroless image has no shell or package manager
- Patch management — Dependabot + automated image rebuilds
Evidence is already mostly in place. Gap: formal vulnerability scan report (we have Trivy in CI but need a CE+-specific scan).
ISO 27001 (Q1 2027)
ISO 27001 requires an Information Security Management System (ISMS). Beyond the technical controls we already have, we need:
- Documented ISMS scope + policy
- Risk assessment and treatment plan (formal)
- Statement of Applicability covering all 93 Annex A controls
- Internal audit programme
- Management review cadence
- Stage 1 audit (documentation review) + Stage 2 audit (effectiveness)
Target: Stage 1 audit Q1 2027, full certification Q3 2027.