Cyber Security and Technical Assurance
About the work area
Within NHS Scotland, the Scottish Government (SG) Digital Health and Care (DHAC) Division Cyber Security Team has two principal focuses. The first is a supporting role: enhancing system capabilities, people skills and capacity, sharing learning and providing funding. The second is acting as the Scottish Health Competent Authority (SHCA) on behalf of Scottish Ministers under the Network and Information Systems (NIS) Regulations 2018.
The two are interlinked. For example, the findings from the national audit report conducted by the Scottish Health Competent Authority help inform the strategic direction by focusing mitigating practices on the areas of greatest risk. This includes developing appropriate governance, including service models and responsibilities, which can be overseen by SG, and identifying where additional strategic investment is required.
The legal responsibility for compliance with the NIS Regulations, however, lies with individual Health Boards; each Board must therefore demonstrate continual improvement as it goes through the audit lifecycle. The wider SG and NHS Scotland national work assists in improving Boards' security posture.
The NIS Regulations set out standards which Operators of Essential Services (all NHS Scotland Health Boards) must comply with. These standards cover managing security risk, defending systems against cyber-attack, detecting cyber security events, and minimising the impact of cyber security incidents.
What the work area does
The current audit process monitors compliance against the Scottish Public Sector Cyber Resilience Framework (PSCRF v2.0), which remains the foundation for the 2025/26 audit review programme.
As part of its continued commitment to promoting a trusted and secure health and care digital ecosystem, the SHCA is reviewing its approach to information security assurance processes.
Informed by an ongoing engagement process with NHS Scotland Boards, the SHCA will transition away from the PSCRF v2.0 towards the NCSC's Cyber Assessment Framework (CAF).
CAF adoption will simplify assurance by focusing on evidence quality over quantity. The CAF is a widely adopted framework with a strong catalogue of guidance. Its widespread use across the UK enables Health Boards to streamline engagements with commercial and non-commercial delivery partners, with easier collaboration and sharing of findings and best practice across the wider UK public sector.
Example of work done
Launched in December 2022, the Cyber Centre of Excellence (CCoE) was created to strengthen NHS Scotland’s defences against cyber threats and minimise disruption to health and care services. Developed in partnership with the Digital Health and Care Division, the CCoE supports the goals of Scotland’s Health and Social Care Data Strategy.
Following a major expansion in 2024, the CCoE now provides 24/7 monitoring, alerting, and incident response across NHS Scotland via its Security Operations Centre at Abertay University’s cyberQuarter.