Digital Telecare for Scottish Local Government has launched a Digital Telecare Security Assessment Scheme to support Health and Social Care Partnerships across Scotland and suppliers with the transition to digital telecare.
When implementing digital telecare, Partnerships are likely to use a range of suppliers to provide the equipment and services that form the overall solution. For this reason, Partnerships need to evaluate the Cyber Security risk associated with each supplier before integrating their equipment/service into the solution.
Digital Telecare has designed an assessment procedure to reduce the burden on suppliers to provide this evidence to multiple customer organisations and ensure a consistent and best practice approach is taken to Cyber Security. Digital telecare suppliers can choose to undertake this assessment to be listed on the Digital Telecare Playbook as a Supplier who provides an appropriate level of Cyber Security.
The assessment requests that suppliers provide the following information:
1. Evidence of the company’s Information Security Management System;
2. Results of the independent penetration test completed on each device/service the supplier wants to be assessed;
3. A completed Supplier Security Questionnaire provided by Digital Telecare. The questionnaire is based on the 10 Steps to Cyber Security guidance published by the National Cyber Security Centre (NCSC) and establishes the supplier’s readiness to defend its digital telecare systems and the information that falls within the scope of the solution they provide to partners.
Where a supplier meets the fair and common minimum security standard, their name and the details of the equipment/service assessed will be added to the Assessed Suppliers list on the Digital Telecare Playbook. Partners will be able to access details of the assessed equipment/services and use this as evidence that appropriate Cyber Security is in place, rather than having to complete the assessment themselves.
Where a supplier fails to meet the minimum standard, their name will not be included on the Assessed Supplier list and advice will be provided to the supplier outlining how they might achieve the standard in a future evaluation.
Suppliers who choose not to undergo the evaluation procedure will not be included on the list. There is no penalty for failing the assessment. Partnerships will only have visibility of those suppliers that have passed, not those that have tried and failed. Suppliers can carry out remediation and resubmit evidence of compliance as many times as required to meet the standard.
Digital Telecare does not charge suppliers to undergo assessment, although suppliers will be liable for their own costs (if any) associated with producing the information requested to complete the scheme.
If you are interested in submitting an application, please email the following details to firstname.lastname@example.org with the subject “Assessed Suppliers List”:
1. A point of contact for your company;
2. A list of the equipment/services you intend to put through the Assessment Scheme;
3. Potential timescales for completing the Assessment Scheme.
After you have registered initial interest, the Digital Telecare team will be in touch with details to progress your application, including the Supplier Security Questionnaire for completion. Once assessments have been completed, the Digital Telecare team will assess the information and come back with clarifications and the outcome. If the results of the assessment state that the organisation’s device/service does not meet the required criteria, you will be provided with details of the actions required to address the issues identified. Suppliers will be informed of the assessment outcome prior to any results being published in the Digital Telecare Playbook.
If you have any queries regarding the Digital Telecare Security Assessment Scheme, please get in touch.