New Mandatory Cybersecurity Requirements for Medical Devices

News just in: the 2021 NHS DSPT (Data Security and Protection Toolkit) has specified that healthcare organisations must maintain an up-to-date inventory of medical devices connected to their network.

What is the DSPT?

The NHS Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS systems and patient data must adhere to this toolkit and ensure that they are practising good data security and correctly handling confidential information.

As of September 2021, NHS Digital amended the DSPT to make it mandatory that all NHS organisations keep an up-to-date record of medical devices.

What are the top 3 data security and protection risks in healthcare?

Healthcare organisations are particularly vulnerable to cyberattacks as they use indispensable devices that are constantly in operation and can’t be easily replaced or updated. What’s more, with thousands of devices connecting to a hospital network, it’s becoming increasingly challenging to manage and secure the IT environment. Security weaknesses can’t be rectified if nobody knows that they exist.

It boils down to one key issue: in the world of healthcare, a cybersecurity issue is a patient safety issue.

  • Outdated operating systems


Devices that are running out-of-date, unsupported software and no longer receive security updates (‘patches’) pose significant risks. Hospitals have thousands of devices connected to the IT network, from computers and smartphones to medical and IoT devices. All it takes is for one of them to have an exploitable hardware or software vulnerability, and the result can be all manner of issues, from the disruptive to the devastating.

Although the NHS has been migrating devices from Windows XP and Windows 7 to a current operating system for some time, compatibility issues can still arise. There are also financial repercussions when machines cannot be updated and have to be replaced.

Hospital IT teams don’t have the time or resources to manage and manually update every single device. Even if a device can be updated, it may be a lengthy process, which means the vulnerability remains on the system for some time.


  • A lack of Advanced Threat Protection


Advanced Threat Protection (ATP) refers to a category of cybersecurity solutions that recognise and defend against complex malware, ransomware and cyberattacks that target sensitive data.

Storing vast amounts of patient, financial and medical research data, the NHS holds powerful and lucrative information, making it a primary target for malicious attacks. The global WannaCry ransomware attack of 2017, which disrupted 80 out of 236 NHS hospital trusts, was a chilling reminder of what can happen without adequate ATP measures.


  • Outdated anti-virus/anti-malware software


If the anti-virus or anti-malware software is not up to date, it may as well not exist. It is not enough to have a ‘tick box’ approach to anti-virus software - organisations must ensure that it’s fit for purpose and can tackle the latest and most prevalent attacks out there.

The solution? Cylera

DSPT compliance will prompt many healthcare organisations to rethink their cybersecurity posture and make changes to align with NHS Digital requirements. This doesn’t have to be a gruelling task thanks to a game-changing platform that’s revolutionising the future of healthcare cybersecurity: Cylera.

‘Built with hospitals, for hospitals’, Cylera solves the complex technological and operational cybersecurity challenges that hospitals face. It’s the only centralised cybersecurity solution that protects the entire connected healthcare IoT environment.

  • Cylera protects and manages the complete healthcare IT environment including connected medical devices, operational technology, and IoT devices.
  • It delivers 360-degree visibility, insight, and protection for all managed or unmanaged connected devices, so users have a comprehensive record of devices on the network.
  • It identifies and quantifies connected device risks, pinpointing vulnerable devices and their clinical use cases. These devices are ranked based on tangible threats to patient safety and care delivery.
  • It has scalable, clinical-grade technology to support dense, high-traffic and multi-site deployments.
  • It poses zero impact to existing systems and processes during deployment or ongoing operation, so users don’t need to worry about disruptions to patient care.
  • Thanks to real-time threat detection, it quarantines hostile threats with industry-leading accuracy rates.

Securing IoT and medical devices will define the future of healthcare. As long as outdated software and operating systems exist, healthcare organisations will be vulnerable to attacks. As we move towards a more digital NHS, organisations must be prepared to tackle these cybersecurity challenges head-on.

Contact our expert team today to learn more about how Cylera can protect your healthcare organisation from cyber threats.
