1. Introduction and Purpose

This Cyber Security Policy outlines the commitment of Tooting Med Centre (“SW11”) and ForaCare Suisse AG (“ForaCare”) to protecting information assets, ensuring compliance with the Cyber Essentials (CE) scheme under PPN 014, and mitigating cyber threats in our operations. As consortium partners providing healthcare services (e.g., GP consultations, endoscopy nurse staffing at £400/day) and solutions (e.g., disease management devices for locum consultants at £1,200/day), we handle sensitive data (e.g., patient records, recruitment info) and must safeguard against risks such as ransomware or data breaches.

SW11 Medical holds Cyber Essentials (Micro) certification from IASME covering the five core controls.

Consortium Members comply via equivalent standards (ISO 27001) for UK-attributable activities. This policy aligns with UK Cyber Essentials requirements and the GDPR/Data Protection Act 2018.

Our goal: Zero major incidents annually, with 100% compliance.

2. Scope

This policy applies to:

  • All employees, contractors, and temporary staff (e.g., locum consultants) of SW11
  • All IT systems, data (e.g., patient EHRs, recruitment databases), and supply chains (cloud providers for ForaCare devices).
  • All locations (UK clinic and remote access, e.g., virtual consultations).
  • Third parties (subcontractors for nurse training).

It covers the five CE controls and extends to incident response.

3. Commitments

SW11 and ForaCare commit to:

  • Maintaining Cyber Essentials certification (SW11: Micro level; Consortium Members: IASME equivalent for UK ops).
  • Protecting confidentiality, integrity, and availability of data (e.g., no unauthorized access to endoscopy patient records).
  • Reporting incidents to ICO/NCSC within 72 hours (GDPR breach) or immediately (CE requirement).
  • Annual audits and training for all staff (e.g., phishing awareness for recruiters).

We integrate CE controls into contracts, requiring subcontractors to comply.

4. Responsibilities

  • Board of Directors: Oversee policy, approve annual reviews, and ensure CE certification
  • IT/Security Lead (SW11): Implement controls (e.g., firewalls on clinic networks); conduct quarterly scans.
  • Employees/Contractors: Follow secure practices (e.g., strong passwords for remote access; report suspicious emails).
  • Suppliers/Partners: Maintain CE-equivalent; subject to audits (e.g., ForaCare device vendors).
  • ForaCare Suisse AG: Ensure Swiss-UK data flows comply (e.g., EU adequacy decision for GDPR).

5. Cyber Security Measures (Aligned with Cyber Essentials)

  • Firewalls and Network Security: All devices behind firewalls; no unauthorized ports open (e.g., clinic Wi-Fi segmented for patient data).
  • Secure Configuration: Devices hardened (e.g., no default passwords; auto-updates enabled for recruitment software).
  • Access Control: Role-based access (e.g., nurses view only endoscopy records; multi-factor authentication for consultants).
  • Malware Protection: Antivirus on all endpoints (e.g., scanned daily for locum laptops).
  • Software Management: Patches applied within 14 days (e.g., NHS Digital updates for GP systems).
  • Incident Response: Plan includes isolation, reporting to NCSC (ncsc.gov.uk), and annual testing (e.g., simulated breach for ForaCare-UK data sharing).

Annual CE self-assessment/audit by IASME (Micro certification valid to 15/08/2026).


6. Training and Awareness

  • All 150+ staff receive annual training (1-hour e-learning via NCSC Cyber Awareness; 100% completion).
  • Specialized for high-risk roles (e.g., recruiters on phishing; clinic staff on data protection for £1,200/day consultant files).
  • 2025: Delivered to 95% staff; quizzes with 90% pass rate.

7. Monitoring, Reporting, and Review

  • KPIs: Zero major breaches; 100% CE compliance; quarterly vulnerability scans.
  • Reporting: Incidents logged and reported (e.g., to the ICO within 72 hours where the GDPR breach threshold is met). Annual review by the Board.
  • Review: Update yearly or post-incident. For RM6380, commit to subcontractor CE checks.

This policy is supported by our IASME Cyber Essentials (Micro) certificate (download available on request).

Approval

Approved by the Board on 15 August 2025.

Signed:
Dr Marek Stobinski
Security Director, SW11 Medical

Contact: marek@sw11medical.uk
