SECTOR — HEALTHCARE
CREST-certified penetration testing for UK healthcare and NHS supply chain partners. UK GDPR Article 32, NHS DTAC, DSP Toolkit alignment, EHR systems, telehealth platforms, medical device APIs. Patient-data-strict.
CREST Approved Provider · DTAC Aligned · DSPT v6 Methodology · UK GDPR Article 32
REGULATORY CONTEXT
What NHS & UK GDPR Expect from Penetration Testing
NHS DTAC Compliance
Digital Technology Assessment Criteria (DTAC) requires evidence of penetration testing for any digital health technology supplied to NHS organisations. Our reports map directly to DTAC clinical safety, data protection, and technical assurance domains.
DSP Toolkit (v6)
Data Security and Protection Toolkit v6 requires regular penetration testing as part of ongoing assessment. Annual cadence is the recognised baseline for organisations holding NHS data.
UK GDPR Article 32
Patient data is special-category data under UK GDPR. Article 32 requires demonstrable, ongoing testing of security measures. Pen testing is the established mechanism for evidencing this control.
SCOPE
What We Test for UK Healthcare & NHS Supply Chain
CLINICAL SYSTEMS
EHR & Patient Portals
Electronic Health Record platforms, patient-facing portals, appointment booking systems. Access control, role separation, IDOR across patient records, audit-log scrutiny.
TELEHEALTH
Mobile & Video Apps
OWASP Mobile Top 10. Telehealth video privacy, secure messaging, device-storage of clinical data, biometric authentication, certificate pinning.
MEDICAL DEVICES
Device APIs & Integration
Medical-device API testing, FHIR/HL7 integration scrutiny, IoMT (Internet of Medical Things) attack surface, device-cloud connection security.
INFRASTRUCTURE
Hospital Network
Internal segregation between clinical, administrative, and biomedical-engineering networks. AD attacks, segregation testing, MDM/clinical-device boundary scrutiny.
CLOUD
Patient Data in Cloud
AWS / Azure / GCP configuration with healthcare-specific scrutiny. Encryption-at-rest validation, IAM scoping, audit-logging, multi-tenant boundaries for shared platforms.
SOCIAL
Phishing Defence
Targeted phishing simulation against clinical-admin staff, IT, finance. Specific to NHS-aware patterns: impersonating NHS Mail, supplier-payment fraud, credential harvesting.
OUR ACCREDITATIONS
Verified Credentials That Matter to UK Healthcare & NHS Supply Chain Partners
NHS commissioning and procurement teams audit suppliers’ cyber posture as a baseline DTAC requirement. Our credentials below are individually verifiable, sit inside DTAC technical assurance domains, support DSP Toolkit assessment, and meet NHS supplier procurement gateways.
CREST Member
CREST membership is consistently cited in NHS Digital DTAC technical-assurance documentation as evidence of pen testing rigour. NHS-supplier procurement gates list CREST as a baseline requirement for cyber assurance evidence.
IASME Cyber Essentials Body
Cyber Essentials Plus is a near-universal NHS supplier procurement requirement. Our IASME-approved certification body status means we deliver Cyber Essentials Plus certification and pen testing as a single integrated engagement.
ISO 27001 (BSI)
ISO 27001 (BSI-audited) is required by many NHS Trusts as evidence of supplier information-security maturity. Our certificate is acceptable in NHS supplier risk assessments and DSP Toolkit supplier-evidence sections.
ISO 9001 (BSI)
ISO 9001 (BSI-audited) covers our delivery quality management system. NHS digital health suppliers value ISO 9001 evidence as part of clinical-safety case documentation under DCB 0129/0160.
UK Cyber Security Council
Corporate Membership of the UK Cyber Security Council confirms our testers operate to the UK government-backed professional standard, important for NHS engagements where chartered-professional evidence is requested.
Crown Commercial Service
We are a Crown Commercial Service supplier (G-Cloud framework). NHS organisations procuring through CCS frameworks (Health Systems Support Framework, Digital Capability) can engage EJN through pre-approved purchasing routes.
OUR PROCESS
From Scope to Attestation in 4-6 Weeks
Scoping Call
30-minute technical scoping call. Define attack surface, methodology, rules of engagement, and timeline. Fixed-price quote within 24 hours.
Active Testing
3-15 days of hands-on testing by CREST-certified pen testers. Daily status updates and live findings delivered to your client portal.
Reporting
Executive summary plus full technical report with CVSS scores, reproduction steps, screenshots, and specific remediation. 60-minute walkthrough call.
Free Retest
After remediation, we retest at no extra charge. Letter of attestation provided for audit, regulator submission, or insurance underwriting.
COMPLIANCE READY
Reports Aligned to Every Framework
Findings map to specific control references in each framework, so your audit team submits the report directly without translation work.
NHS DTAC
All four DTAC domains, with technical assurance evidence packaging.
DSP Toolkit v6
Mandatory data security standards for NHS data holders.
UK GDPR
Article 32 with special-category-data protocols for patient information.
ISO 27001
Annex A.12.6.1 plus healthcare-sector A.18 controls.
Cyber Essentials Plus
NHS supply chain procurement requirement, IASME-direct.
CQC Cyber
Care Quality Commission cyber-readiness expectations for registered providers.
PRICING
Indicative Engagement Pricing
Fixed-price quotes confirmed during scoping. Free retest, executive summary, walkthrough call, and letter of attestation included.
Single clinical application
£5,500 – £18,000 depending on patient-data volumes and integration complexity.
Mobile + API + EHR
£15,000 – £35,000 covering patient-facing app, clinician backend, and EHR integration.
Full NHS supplier audit
£20,000 – £60,000 across applications, network, cloud, and DTAC documentation packaging.
FAQ
Frequently Asked
Do you have prior NHS supply chain experience?
Yes. EJN testers have prior experience delivering pen testing engagements for NHS-supplier organisations, with awareness of DTAC submission requirements, DSP Toolkit assessment cycles, and clinical-safety risk-management protocols.
How do you handle patient data during testing?
We require a non-production environment populated with synthetic or fully pseudonymised patient data. Production testing is permitted only with explicit Information Governance approval, restricted scope, and ICO pre-notification where required.
Can you test on an active medical device?
Direct testing of patient-connected medical devices is restricted to bench environments. We test the device-cloud connection and the device API surface from the cloud side, never on a patient-connected unit.
DSP Toolkit re-submission support?
Yes. Our reports include a DSP Toolkit evidence-mapping appendix listing each finding against the relevant DSP Toolkit data-security standard. Many NHS-supplier clients attach the report directly to their DSP Toolkit re-submission.
DTAC submission support?
Yes. We provide a DTAC technical assurance evidence pack tailored to the four DTAC domains (clinical safety, data protection, technical assurance, interoperability).
How do you handle ICO notification for testing exposure?
We do not exfiltrate patient data. If testing surfaces a previously unknown live exposure of patient data, we follow joint notification protocols with the client’s Information Governance team for any required ICO Article 33 notification within 72 hours.
What if our supplier processes are non-compliant?
Pre-test scoping identifies obvious supplier-side issues before active testing begins. We share the scoping output as actionable intelligence, then proceed with testing under your guidance regardless of supplier status.
Book a Healthcare Scoping Call
30 minutes with a CREST-certified pen tester. Fixed-price quote within 24 hours.