Penetration Test Action Plan

This is to meet Evidence item 9.2.3 in the NHS Data Security and Protection Toolkit (DSPT), i.e. the person responsible for IT has reviewed the results of the latest penetration test and there is an action plan for its findings.
Provide the action plan, with confirmation of review by the person with delegated responsibility for data security (name, role and date of review).

  1. Objective Setting:
    • Define the scope and objectives of the penetration test. Focus on systems that store, process, or transmit patient data, including pharmacy management systems, electronic health records, and online prescription services.
  2. Compliance Considerations:
    • Ensure the test aligns with NHS and General Pharmaceutical Council (GPhC) guidelines.
    • Understand the requirements of the DSPT, the UK GDPR and the Data Protection Act 2018.
  3. Choosing a Testing Provider:
    • Select a reputable, independently accredited penetration testing provider (for example one holding CREST membership or NCSC CHECK approval), and agree the rules of engagement in writing before any testing starts.
    • Ensure they have experience in healthcare and are aware of the specific needs and regulations of the sector.
  4. Pre-Test Preparations:
    • Notify all relevant parties, including staff, hosting providers and any third party whose systems are in scope (their written authorisation is required before their systems are tested). The Information Commissioner’s Office (ICO) does not need to be told that a test is taking place; it only needs notifying if the test uncovers an actual personal data breach.
    • Back up all systems and ensure that there are contingency plans in place in case of system disruptions.
  5. Conducting the Test:
    • Perform the test during off-peak hours to minimize disruption.
    • Include both external (networks, applications, and perimeter defenses) and internal (behind the firewall) aspects.
    • Test for the common vulnerability classes, including SQL injection, cross-site scripting, missing patches, weak or default credentials and insecure configuration, and assess resilience to a ransomware scenario (phishing, lateral movement from a compromised workstation, and whether backups are isolated and restorable).
  6. Data Handling:
    • Ensure that all data collected during the test is handled securely and in compliance with GDPR.
    • The tester must not copy or extract real patient data as evidence; use test accounts and synthetic records where possible, and ensure screenshots or logs in the report are redacted. Sensitive data should not leave the premises or be exposed to unauthorised personnel, and the tester should confirm in writing that any data they held has been destroyed.
  7. Post-Test Analysis:
    • Review the test results with the testing provider.
    • Prioritise vulnerabilities based on their potential impact (severity rating and whether patient data is affected) and the likelihood of exploitation (internet-facing or internal, and whether a public exploit exists).
  8. Remediation Plan:
    • Develop a prioritised action plan that gives each finding a named owner, a target date and a status, so progress can be tracked at each review.
    • Consider both technical fixes and changes in processes or staff training.
  9. Documentation and Reporting:
    • Document the entire process and results for compliance purposes.
    • Report significant vulnerabilities and incidents to the relevant authorities as required by law: a personal data breach must be reported to the ICO within 72 hours of becoming aware of it, and NHS-related incidents are reported through the DSPT incident reporting tool.
  10. Review and Continuous Improvement:
    • Schedule regular penetration tests (at least annually).
    • Review and update security policies and procedures in light of test findings.
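As an added worked example (not part of the DSPT guidance or the original page), the following Python script shows one way to turn a tester’s findings into the prioritised, dated action plan that steps 7 to 10 describe. The scoring bands, SLA values, owner names and the four sample findings are constructed assumptions for illustration; replace them with your own risk appetite and the figures from the real report.

```python
"""Turn penetration test findings into a prioritised, dated action plan.

Added worked example, not part of the DSPT guidance or the original page.
The scoring bands, SLA values, owner names and the findings below are
constructed assumptions; replace them with your own risk appetite and the
tester's actual report.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed to remediate each priority, measured from the report date (assumed policy).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass
class Finding:
    ref: str
    title: str
    cvss: float              # CVSS v3.1 base score as given in the tester's report
    exploit_public: bool     # public exploit code exists or active exploitation is known
    internet_facing: bool    # reachable from outside the perimeter
    patient_data: bool       # affected system stores, processes or transmits patient data
    owner: str               # person accountable for the fix


def impact(f: Finding) -> int:
    """Impact on a 1-5 scale: CVSS severity band, raised by one if patient data is at risk."""
    if f.cvss >= 9.0:
        band = 5
    elif f.cvss >= 7.0:
        band = 4
    elif f.cvss >= 4.0:
        band = 3
    elif f.cvss > 0.0:
        band = 2
    else:
        band = 1
    return min(5, band + (1 if f.patient_data else 0))


def likelihood(f: Finding) -> int:
    """Likelihood of exploitation on a 1-5 scale: exposure weighs more than exploit availability."""
    return 2 + (1 if f.exploit_public else 0) + (2 if f.internet_facing else 0)


def priority(risk: int) -> str:
    """Map the risk product (1-25) to a remediation priority band."""
    if risk >= 15:
        return "P1"
    if risk >= 9:
        return "P2"
    if risk >= 5:
        return "P3"
    return "P4"


def build_action_plan(findings, report_date):
    """Return one plan row per finding, highest risk first, each with an owner and due date."""
    rows = []
    for f in findings:
        risk = impact(f) * likelihood(f)
        pri = priority(risk)
        rows.append({
            "ref": f.ref, "title": f.title, "owner": f.owner,
            "impact": impact(f), "likelihood": likelihood(f), "risk": risk,
            "priority": pri, "due": report_date + timedelta(days=SLA_DAYS[pri]),
            "status": "Open",
        })
    rows.sort(key=lambda r: (-r["risk"], r["ref"]))
    return rows


def overdue(plan, today):
    """Refs of open findings whose due date has passed; review these at each check-in."""
    return [r["ref"] for r in plan if r["status"] == "Open" and r["due"] < today]


def render(plan, reviewed_by, review_date):
    """Plain-text plan with the sign-off line the DSPT evidence item asks for."""
    lines = [f"{'Ref':<4} {'Pri':<3} {'Risk':<4} {'Due':<10} {'Owner':<12} Title"]
    for r in plan:
        lines.append(f"{r['ref']:<4} {r['priority']:<3} {r['risk']:<4} "
                     f"{r['due'].isoformat():<10} {r['owner']:<12} {r['title']}")
    lines.append(f"Reviewed by {reviewed_by} on {review_date.isoformat()}")
    return "\n".join(lines)


# Constructed sample findings (not real test results).
SAMPLE_FINDINGS = [
    Finding("F1", "SQL injection in online prescription portal", 9.8, True, True, True, "Web vendor"),
    Finding("F2", "Reflected XSS on pharmacy booking site", 6.1, False, True, False, "Web vendor"),
    Finding("F3", "Unpatched SMBv1 on internal file server", 8.8, True, False, True, "IT lead"),
    Finding("F4", "TLS 1.0 enabled on printer admin page", 3.7, False, False, False, "IT lead"),
]
REPORT_DATE = date(2024, 4, 1)  # assumed date the tester delivered the report

if __name__ == "__main__":
    plan = build_action_plan(SAMPLE_FINDINGS, REPORT_DATE)
    print(render(plan, "Data Security Lead", REPORT_DATE + timedelta(days=7)))
    print("Overdue at 2024-05-01:", overdue(plan, date(2024, 5, 1)))
```

The point of the separate impact and likelihood scores is that an internal finding with a high CVSS score and a known exploit (F3, the sort of weakness ransomware spreads through) ranks above an internet-facing medium finding, while still giving every finding an owner and a date that can be checked at the next review.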

Additional Considerations:

  • Staff Awareness and Training: Ensure staff understand the importance of cybersecurity and know whom to contact if they notice unusual activity during the test window. If phishing or other social-engineering tests are in scope, only a small control group should know the dates, or the exercise will not measure real behaviour.
  • Legal and Ethical Considerations: The test should be legal, ethical, and not harm patients or their data.
  • Budget and Resources: Allocate sufficient budget and resources for both the test and the subsequent remediation actions.

Remember, the specifics of the plan will vary based on the size of the pharmacy, the complexity of its IT systems, and the types of data handled. It’s also important to stay updated with NHS and GPhC guidelines, as they may change over time.
