In an earlier article, “Cyber Assessment Framework: Why NHS Trusts Must Act Now,” we provided an overview of the new Cyber Assessment Framework (CAF), developed by the UK National Cyber Security Centre (NCSC).
We also discussed how NHS Trusts must comply with the updated Data Security and Protection Toolkit (DSPT), which now aligns with the CAF, by June 30, 2025.
In this article, we will explore how the Cylera platform supports the new CAF-aligned DSPT in more detail.
What Is the CAF-aligned DSPT and Its Purpose?
The CAF-aligned DSPT is the Data Security and Protection Toolkit (DSPT) restructured around the UK NCSC's Cyber Assessment Framework (CAF). Health and care organizations in the United Kingdom use the toolkit to assess and demonstrate their compliance with data security and protection standards.
The CAF-aligned DSPT integrates the principles of the UK's NCSC CAF to guide organizations in managing cyber security risks effectively. It focuses on key areas such as:
- Managing Security Risk: Ensuring that organizations have robust risk management processes in place.
- Protecting Against Cyber Attacks: Implementing measures to prevent data breaches and cyber attacks.
- Detecting Cyber Security Events: Establishing systems to identify and respond to security incidents.
- Minimizing the Impact of Incidents: Reducing the damage caused by any security breaches.
- Using and Sharing Information Appropriately: Ensuring that data is handled and shared in a secure and compliant manner.
This approach helps organizations to not only comply with regulatory requirements but also to enhance their overall cyber security posture.
New CAF-aligned DSPT Structure
The new CAF-aligned DSPT structure has moved away from the National Data Guardian’s 10 data security standards structure and towards a new Objective and Principles structure. The new CAF-aligned DSPT also sets a much higher security bar than previous versions of the DSPT.
The new CAF-aligned DSPT focuses on achieving defined security outcomes rather than prescribing detailed controls. It also moves away from pure self-assessment and towards independent audit, so that compliance is verified and the effectiveness of cybersecurity controls is confirmed rather than asserted.
The illustration below shows the difference in structure between prior versions of the DSPT and the new CAF-aligned DSPT.
The new structure of the CAF-aligned Data Security and Protection Toolkit (DSPT) is organized into several key components to help health and care organizations manage their cyber security and information governance (IG) activities effectively.
- Objectives: These are the overarching goals that your organization aims to achieve in terms of cyber security and IG.
- Principles: These underpin the objectives and provide the foundational concepts that guide your organization's approach to cyber security and IG.
- Contributing Outcomes: These are specific, actionable items that organizations need to address to meet the objectives and principles. Each outcome has detailed guidance to help organizations understand and implement the necessary measures.
- National Directive Policy Requirements: These are specific policies set at the national level that organizations must comply with. Compliance with these policies is mandatory and organizations must indicate whether they are adhering to them.
This structured approach ensures that organizations can systematically assess and improve their cyber security and data protection measures.
How Cylera Supports the New CAF-aligned DSPT Objectives
Cylera has several NHS Trust customers and has been analyzing the DSPT requirements since the NHS DSPT was first introduced in April 2018. Over the ensuing years Cylera has worked closely with those customers to show how the Cylera platform supports the DSPT compliance requirements, and has trained them on using the platform and its dashboards to help demonstrate compliance with DSPT standards.
In the same vein, Cylera's cybersecurity experts have followed the UK NCSC's development of the CAF over the past several years, and have analyzed how the NHS has adapted the CAF into the new CAF-aligned DSPT that NHS Trusts will be required to comply with going forward.
In preparation for helping our NHS Trust customers comply with the new CAF-aligned DSPT, Cylera has mapped the platform's capabilities to the new CAF-aligned DSPT Objectives and Principles, and has already begun working with several existing NHS Trust customers to show how the platform provides automated, continuously updated insight into their current CAF-aligned DSPT compliance status.
Below are some representative examples of how Cylera helps NHS Trusts comply with some of the new CAF-aligned DSPT objectives.
Objective A: Managing Security Risks
- Real-time, automated inventory: Automated reports from Cylera provide detailed healthcare IoT, connected medical device, building automation, and IT asset inventory information, as well as the associated risk for each device (including both managed and unmanaged devices). With this information, NHS Trust IT, Information Security, and Biomedical teams know what is on their network and any associated risks these devices have that may negatively impact secure, reliable care delivery.
- Real-time, automated risk prioritization and assessment: Risks are prioritized within the Cylera platform dashboards by severity, which allows teams to order their remediation work effectively. Risk assessments are also updated in real time as new vulnerabilities and threats are identified and threat feeds are updated.
For example, if the NHS issues a new Cyber Alert (CareCERT), the inventory data within the Cylera platform is immediately re-assessed to see whether the newly published alert affects any devices. Likewise, if a new vulnerability for a medical device is published in the NVD, assets are immediately re-assessed to identify which devices may be affected.
- ePHI data storage or transmission: Cylera can identify whether a device stores or transmits PHI, enabling teams to quickly establish whether a vulnerable device is involved in processing confidential patient data.
- Device ownership: Within the Cylera dashboard, you can assign custom attributes to devices which can be used for assigning group owners, contact details and department ownership etc.
- End-of-life device identification: The Cylera dashboard can help teams quickly identify devices which are running old firmware or out-of-date operating systems.
- Supply chain risks: Cylera allows you to track network activity by device or device group to external sites and domains, allowing teams to gain an understanding of which devices are genuinely involved in supply chain data transfers and which ones are potentially engaged in non-approved (or suspicious) network activity.
- Unauthorized data transfer/exfiltration: Cylera can identify and display any healthcare IoT or connected medical devices that transfer data outside the UK. The Cylera dashboard includes a global map that shows not only devices that are communicating abroad, but also devices that are attempting to and are being blocked by your firewall. This is especially useful for confirming whether devices that should not behave this way are doing so (a possible sign of an earlier compromise), and for checking that your documented data transfer list matches what is actually happening on the network.
- Single source of truth: The Cylera platform provides a single source of truth for an online inventory of all connected IoT assets. The platform also integrates with CMDB systems commonly used within the NHS, allowing teams to accurately establish where connected IoT devices are, and are not, in use.
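The re-assessment described under risk prioritization above (matching a newly published alert or NVD entry against the device inventory, then ranking the hits by severity and by whether the device handles patient data) can be shown in a few lines of code. The following Python is an added example written for this article, not Cylera's code and not part of the DSPT; the device inventory, the advisory references such as ADV-2025-0001, the fixed-in versions and the scoring weights are all constructed assumptions.

```python
"""Re-assess a device inventory whenever a new advisory arrives.

Added illustration for this article; not Cylera's code. Inventory,
advisory feed and scoring weights are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    vendor: str
    model: str
    firmware: str             # dotted version string, e.g. "3.2.1" (assumed format)
    handles_patient_data: bool
    internet_exposed: bool


@dataclass(frozen=True)
class Advisory:
    ref: str                  # constructed reference; real feeds carry a CVE or CareCERT ID
    vendor: str
    model: str
    fixed_in: str             # first firmware version that is NOT affected
    severity: str             # low / medium / high / critical


SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def version_tuple(v):
    """Compare dotted numeric versions numerically, so 3.10 > 3.9."""
    return tuple(int(p) for p in v.split("."))


def is_affected(device, adv):
    """A device is affected when product matches and firmware is below fixed_in."""
    same_product = (device.vendor.lower() == adv.vendor.lower()
                    and device.model.lower() == adv.model.lower())
    return same_product and version_tuple(device.firmware) < version_tuple(adv.fixed_in)


def priority(device, adv):
    """Severity plus assumed weights: +2 if patient data is involved, +1 if exposed."""
    score = SEVERITY_SCORE[adv.severity]
    if device.handles_patient_data:
        score += 2
    if device.internet_exposed:
        score += 1
    return score


def reassess(inventory, advisories):
    """Return (priority, device_id, advisory_ref) for every hit, highest first."""
    findings = []
    for adv in advisories:
        for dev in inventory:
            if is_affected(dev, adv):
                findings.append((priority(dev, adv), dev.device_id, adv.ref))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed sample inventory and advisory feed (not real devices or advisories).
INVENTORY = [
    Device("inf-pump-01", "Acme Medical", "InfusePro 200", "3.1.4", True, False),
    Device("inf-pump-02", "Acme Medical", "InfusePro 200", "3.2.0", True, False),
    Device("hvac-ctl-07", "BuildCo", "AirMaster", "1.0.9", False, True),
    Device("cam-lobby-03", "ViewCorp", "NetCam X", "2.2.0", False, True),
]
ADVISORIES = [
    Advisory("ADV-2025-0001", "Acme Medical", "InfusePro 200", "3.2.0", "critical"),
    Advisory("ADV-2025-0002", "BuildCo", "AirMaster", "1.1.0", "medium"),
]

if __name__ == "__main__":
    for score, device_id, ref in reassess(INVENTORY, ADVISORIES):
        print(f"priority {score}: {device_id} affected by {ref}")
```

Two practical caveats: real firmware strings are rarely clean dotted integers (vendors use build suffixes and letters), so a production matcher needs a tolerant parser or a vendor-specific mapping; and the product match should be driven by a normalized identifier (such as a CPE) rather than free-text vendor and model names, which is where most false negatives in this kind of correlation come from.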
Objective B: Protecting Against Cyber Attack
- Unauthorized device activity: Cylera provides insights into device behaviors that enable IT and information security teams to confirm that all of their healthcare IoT and connected medical devices are behaving as expected and securely. In addition, in the event of a cyber attack or data breach, Cylera can alert on abnormal device behavior and potential data exfiltration.
- Unauthorized user activity: User activity within the Cylera platform is recorded allowing user activity to be reviewed as part of this process.
- Third-party or shadow IT threat identification: Cylera passively profiles every device connected to the network, regardless of owner. If a third-party device is connected, whether domain-joined or otherwise, Cylera profiles it and presents a list of risks and active threats for that device, enabling IT teams to mitigate the risks posed by third-party or shadow IT.
- Unknown device identification and profiling: Cylera profiles all connected devices passively, allowing network teams to quickly identify unknown devices and, more importantly, how they are connecting to the network.
- Data exfiltration identification: Cylera produces a global heat map showing which jurisdictions devices are communicating with, allowing IT teams to quickly identify whether a device is trying to communicate with a foreign country and whether that communication is bidirectional. IT teams can use the Cylera dashboard to confirm they have identified and correctly catalogued the devices from which they expect to see successful external communications, and investigate those that were not expected.
- Mobile device profiling: Cylera's dashboard profiles connected IoT assets within the network, including mobile devices. When mobile devices are connected to the network, such devices are profiled and their network activity mapped.
- Attack surface visibility: The Cylera platform empowers IT and network teams to understand and then take the necessary steps to reduce the attack surface and limit the opportunities an attacker could potentially exploit.
- Network segmentation policy generation: Cylera integrates with other technologies in the environment, such as NAC solutions, so that segmentation policies derived from device profiles are shared with the enforcement points and applied consistently to the IoT devices they cover.
- Data flow monitoring: The Cylera dashboard presents a traffic flow and communication summary for all IoT devices, giving network and IT teams a clear understanding of what critical IoT assets are communicating with. This allows teams to monitor data flows effectively, assess network design, further reduce the opportunities available to an attacker, and detect threats or attacks earlier.
- Network segmentation: Network security policies can be defined for a device group within Cylera, then applied by other security solutions within the ecosystem to ensure that defined policies are applied to all device profiles within the group.
- Vulnerability management: Cylera's risk dashboard presents customers with a list of vulnerabilities present in their network for every connected IoT asset. This information is drawn from numerous third-party feeds, including manufacturer feeds and NHS Cyber Alerts. Vulnerabilities are also linked to the NHS Cyber Alert (CareCERT) reference and/or the CVE identifier held in the NVD. Vulnerabilities are graded from low to critical as appropriate, allowing teams to prioritize their vulnerability management work and focus.
- Real-time alerting on new attack vectors: Cylera's dashboards report in near real time, against updated threat feeds, allowing customers to see and evaluate new or heightened levels of risk to the connected IoT landscape profiled within the network.
- Network communication and behavioral anomaly detection: Cylera's network dashboard tracks network communication from devices or device groups, allowing continuous, near real-time assessment of device behavior. Additional policy-based behavioral alarms can be created to alert on unexpected device behavior. Network segmentation policies can also be generated from expected device behavior and then shared via integrations with Network Access Control (NAC) solutions for enforcement.
Objective C: Detecting Cyber Security Events
- Cyber event detection and alerting: Cylera profiles all connected IoT devices and monitors them against known and common attack methods that could indicate real time threats. When Cylera detects abnormal behavior, Cylera proactively generates an alert for the device, as well as highlights the behavior pattern that triggered the alert. Within the alert page, Cylera provides time-stamps for the alert, as well as details for the other devices involved in the communication thread.
- Threat and IOC reporting: Cylera proactively reports on threats and indicators of compromise (IoCs) for all profiled connected IoT assets in the Cylera platform inventory. Signatures and threat feed updates are ingested automatically in near real time. The metadata for device activity held within the Cylera dashboard is re-examined against new intelligence, resulting in near real-time alerting on new intelligence. Cylera's threat intelligence feeds are also tuned to be relevant to the global healthcare industry; for UK-based customers, this is further augmented by ingesting NHS Cyber Alerts.
- Unauthorized network communication detection: Cylera's dashboard provides a table of network connection metadata, allowing network engineers to quickly understand which devices, domains or services a connected IoT asset is communicating with, including communications with unauthorized networks. Cylera's dashboards provide an easy and digestible way for people to evaluate what an IoT asset is communicating with and when. Additionally, default behavior profiles can be created from a known-good baseline of activity, and alerts are triggered when an IoT device exhibits behavior outside that permitted baseline, so teams pick up anomalies more quickly.
- Proactive attack surface monitoring: The Cylera threat detection dashboard provides insights into malicious activity for connected IoT assets within the network. This information is routinely used by network and security engineers who are proactively looking at their IoT landscape attack surface.
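The two detection ideas that recur across Objectives A, B and C above, learning a known-good baseline of destinations per device group and then alerting on deviations, and separately flagging traffic to foreign jurisdictions while distinguishing a successful bidirectional transfer from an attempt the firewall blocked, can be combined in one small piece of logic. The following Python is an added example for this article, not Cylera's code; the flow records, device groups, destination countries and the choice of "GB" as the home jurisdiction are constructed assumptions, and a real deployment would take flows from network telemetry and derive the country of each destination from a GeoIP lookup.

```python
"""Learn a per-group traffic baseline, then flag deviations and foreign transfers.

Added illustration for this article; not Cylera's code. All flow records,
group names and destination countries are constructed, and HOME_COUNTRY is
an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass

HOME_COUNTRY = "GB"  # assumption: the Trust's data should normally stay in the UK


@dataclass(frozen=True)
class Flow:
    device_id: str
    group: str         # device group, e.g. "infusion-pumps" (constructed)
    dst: str           # destination hostname or IP
    dst_country: str   # ISO 3166-1 alpha-2 code for dst (constructed here)
    bytes_out: int
    bytes_in: int
    blocked: bool      # True when the firewall denied the connection attempt


def build_baseline(flows):
    """Record, per device group, the destinations seen in a clean learning window.

    Blocked attempts are excluded so a denied connection never becomes 'expected'.
    """
    baseline = defaultdict(set)
    for f in flows:
        if not f.blocked:
            baseline[f.group].add(f.dst)
    return dict(baseline)


def classify(flow, baseline):
    """Return alert tags for one flow; an empty list means the flow was expected."""
    tags = []
    if flow.dst not in baseline.get(flow.group, set()):
        tags.append("outside-baseline")
    if flow.dst_country != HOME_COUNTRY:
        if flow.blocked:
            # The device tried to reach abroad and was stopped: no data left, but
            # the attempt itself can be a sign of an earlier compromise.
            tags.append("foreign-attempt-blocked")
        elif flow.bytes_in > 0:
            tags.append("foreign-bidirectional")
        else:
            tags.append("foreign-outbound-only")
    return tags


def evaluate(flows, baseline):
    """Return (device_id, dst, tags) for every flow that raised at least one tag."""
    results = []
    for f in flows:
        tags = classify(f, baseline)
        if tags:
            results.append((f.device_id, f.dst, tags))
    return results


# Constructed learning window: traffic observed while the network was believed clean.
LEARNING_WINDOW = [
    Flow("inf-pump-01", "infusion-pumps", "pump-server.trust.local", "GB", 2000, 500, False),
    Flow("inf-pump-02", "infusion-pumps", "pump-server.trust.local", "GB", 2100, 480, False),
    Flow("inf-pump-02", "infusion-pumps", "update.acme-medical.example", "GB", 100, 9000, False),
    Flow("cam-lobby-03", "cameras", "nvr.trust.local", "GB", 50000, 200, False),
]

# Constructed flows to evaluate; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
NEW_FLOWS = [
    Flow("inf-pump-01", "infusion-pumps", "pump-server.trust.local", "GB", 2050, 490, False),
    Flow("inf-pump-01", "infusion-pumps", "198.51.100.7", "US", 40000, 3200, False),
    Flow("inf-pump-02", "infusion-pumps", "fileshare.trust.local", "GB", 8000, 100, False),
    Flow("cam-lobby-03", "cameras", "203.0.113.9", "RU", 120, 0, True),
    Flow("cam-lobby-03", "cameras", "nvr.trust.local", "GB", 52000, 210, False),
]

if __name__ == "__main__":
    baseline = build_baseline(LEARNING_WINDOW)
    for device_id, dst, tags in evaluate(NEW_FLOWS, baseline):
        print(f"{device_id} -> {dst}: {', '.join(tags)}")
```

The baseline here is a plain set of destinations per group, which is deliberately simple: it treats any new destination as an alert, which is the right default for devices such as infusion pumps whose communication patterns are small and stable, but would be noisy for general-purpose workstations. The blocked foreign attempt is tagged even though no bytes were received, because, as the text above notes, a device that keeps trying to reach a foreign host it was never provisioned to use is itself an indicator worth investigating.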
Next Steps
If you are an NHS Trust or other healthcare organization responsible for complying with the new CAF-aligned DSPT by June 30, 2025, we invite you to learn more about Cylera’s healthcare IoT asset intelligence and cybersecurity platform and how your IT and information security teams can use the Cylera platform to prepare for CAF compliance.
Contact us today to talk to one of our UK-based healthcare cybersecurity experts or schedule a demo with one of our senior technical sales engineers. Discover for yourself how Cylera is uniquely designed to help ensure your NHS Trust is fully prepared to successfully demonstrate CAF compliance well before the 2025 deadline.