What are NHS DTAC penetration testing requirements?


In an era where healthcare increasingly intersects with technology, the sector’s vulnerability to cyber threats has become more pronounced. A 2023 report from the UK’s Cyber Security Breaches Survey revealed that 49% of businesses and 44% of charities sought external guidance on cyber security in the past year, reflecting a heightened awareness and proactive stance towards cyber threats. The healthcare industry experienced an average of 1,684 attacks per week in the first quarter of 2023 alone, marking a 22% increase year-on-year and making it the third most targeted industry globally.

The consequences of these attacks are not merely digital; they have a tangible, adverse impact on healthcare operations and patient safety. The statistics are stark: according to The HIPAA Journal, in December 2023, hacking incidents accounted for a substantial 83.78% of the month’s 74 data breaches in the healthcare sector, compromising nearly 11.3 million healthcare records.

More recently, a ransomware attack on UnitedHealth Group’s Change Healthcare paralyzed large swathes of insurance claims processing systems throughout the United States. A few months later, the second largest hospital group in the US, Ascension, suffered a cyberattack that put its systems offline for weeks, affecting its emergency rooms, planned surgeries, and access to patient data. Recently, in London, operations have been canceled at several large hospitals after a ransomware attack on a third-party provider, Synnovis, leaving healthcare professionals without access to pathology services.

To raise the cybersecurity bar of digital health apps and products, the National Health Service’s Digital Technology Assessment Criteria (DTAC) were developed. Penetration testing is a required component of the DTAC and serves as a strategic defense mechanism, simulating cyber attacks to identify and fix vulnerabilities. This article aims to shed light on the requirements of NHS’s Digital Technology Assessment Criteria related to pentesting, guiding healthcare technology providers towards a proactive defense of their health products.

What is NHS DTAC?

The NHS’s Digital Technology Assessment Criteria (DTAC) is a framework developed by the National Health Service (NHS) in the United Kingdom to ensure that new digital health technologies meet stringent quality, clinical safety, data security, interoperability and usability standards.

Established in early 2021, DTAC was conceived as a response to the rapid evolution and integration of digital solutions in healthcare. Its primary purpose is to provide a clear, consistent benchmark for evaluating digital health technologies, ensuring they are fit for use within the NHS and aligned with the goal of enhancing patient care.

A brief overview of the Digital Technology Assessment Criteria (DTAC)

DTAC sets forth a set of criteria that digital health technologies must meet to be considered for use within the NHS. For the purposes of this article, we’ll focus on Section C Assessment Criteria. These criteria are categorized into several key domains:

  • C1 – Clinical Safety: Technologies must demonstrate that they do not pose any risk to patient safety and comply with relevant clinical safety standards and clinical risk management activities.
  • C2 – Data Protection: Technologies must adhere to stringent data protection laws and regulations to ensure the confidentiality and integrity of patient data.
  • C3 – Technical Security: Technologies must exhibit robustness against potential cyber threats, ensuring the security and resilience of healthcare IT systems.
  • C4 – Interoperability: Technologies must be capable of seamlessly integrating with existing NHS systems, facilitating efficient and error-free data exchange.

Penetration testing requirements of NHS DTAC

Penetration testing is a mandatory requirement of the NHS Digital Technology Assessment Criteria (DTAC). This article delves into pen testing’s goals within the DTAC framework, outlining its purpose, methodologies, and key role in ensuring DTAC compliance.

Penetration testing is a method of technical security assurance that involves the simulated attack on a system, application, or entire IT infrastructure to identify vulnerabilities that malicious entities could exploit. The primary purpose of penetration testing is to proactively discover security weaknesses so that they can be addressed before being exploited by attackers. This proactive approach helps in safeguarding sensitive data and maintaining the integrity and availability of healthcare services.

NHS guidance on penetration testing assessments

As part of the Data Security and Protection Toolkit (DSPT), the NHS emphasizes in its guidance the importance of conducting penetration tests at least annually. The guidance suggests that organizations can choose between outsourcing to commercial specialists, conducting tests in-house, or partnering with other healthcare organizations.

The scope of the test must include all web servers used by the organization and vulnerability scans, and must ensure that default passwords on network components have been changed. The test should cover all critical network structures, including server farms, to provide comprehensive security insights.

When selecting a commercial pentest provider, NHS suggests healthcare organizations consider the following indicators: choose a CREST-approved member company, look for pentesters qualified under CREST or the Tiger Scheme, or CHECK Team Leaders, and ensure the organization is ISO 27001 and/or 9001 certified. We have written a comprehensive article that helps organizations select the right pentest partner for their needs.

Common types of penetration tests

Penetration tests can be classified based on the level of knowledge about the system that the tester possesses:

  • White box testing: The pentesters have full system knowledge, including access to source code, architecture diagrams, and other documentation. A white box pentest does not seem to be an explicit requirement imposed by DTAC, but security-oriented code review of custom code is part of item C3.3. White box assessments are needed for DiGA, a similar regulation in Germany.
  • Black box testing: Testers have no prior knowledge of the system and must discover vulnerabilities solely from an external perspective.
  • Grey box testing: A combination of both, where pentesters have partial knowledge of the system, simulating the level of access that a privileged user might have. This is usually the most common approach to pentesting.

DTAC-specific penetration testing requirements

To fulfill DTAC’s point C3.2, a pentest assessment is mandatory to ensure that digital health technologies adhere to information security best practices. DTAC-specific requirements include:

  • Frequency and scope: Annual penetration testing is required, with a comprehensive scope that covers all critical system components.
  • Standards and benchmarks: Penetration testing should meet recognized standards and benchmarks, such as the Common Vulnerability Scoring System (CVSS), for assessing the severity of vulnerabilities and adherence to the OWASP Top 10 to safeguard against the most critical web application security risks.


Which DTAC criteria can penetration testing help with?

Within the DTAC framework, penetration testing specifically addresses and satisfies key components related to:

Technical Security

Penetration testing is integral to DTAC’s Technical Security domain. It assesses the system’s resilience against cyber threats, ensuring that security measures are not only in place but also effective in protecting against potential attacks.

Data Protection

By identifying vulnerabilities that could lead to data breaches, penetration testing contributes to the Data Protection aspect of DTAC. It ensures that all access points and data transmission channels are secure, thus maintaining the confidentiality and integrity of patient data.


Interoperability

While primarily security-focused, penetration testing indirectly supports the C4 Interoperability domain by ensuring that the interfaces and data exchange points between different systems are not vulnerable to breaches, thereby facilitating safe and secure data flow across integrated systems.

For example, the Interoperability item openly discusses API integration channels, data exchange over HL7 and FHIR medical protocols, transport security with TLS, OAuth and JWT usage, and others. A comprehensive pentest assessment can ensure the security of these data exchange protocols.

Comparing international frameworks: NHS DTAC, HIPAA, and DiGA

Three prominent frameworks include the NHS Digital Technology Assessment Criteria (DTAC) in the UK, the Health Insurance Portability and Accountability Act (HIPAA) in the US, and the DiGA (Digitale Gesundheitsanwendungen – or in English, Digital Health Applications) framework in Germany. This section provides a comparative analysis of these frameworks, highlighting their unique features, requirements, and areas of overlap.

Overview of frameworks


NHS DTAC (UK):

  • Purpose: Ensure digital health technologies meet standards of clinical safety, data protection, technical security, interoperability, and usability.
  • Established: 2021
  • Focus: Comprehensive assessment covering clinical and technical aspects to enhance patient care and system integration.


HIPAA (US):

  • Purpose: Protect the privacy and security of individuals’ health information.
  • Established: 1996
  • Focus: Primarily on safeguarding electronic protected health information (ePHI) through stringent privacy and security rules.

DiGA (Germany):

  • Purpose: Facilitate the approval and integration of digital health applications into the statutory health insurance system.
  • Established: 2019
  • Focus: Ensuring that digital health applications are safe, effective, and beneficial for patient care.



Navigating the DTAC assessment process is crucial for NHS suppliers aiming to deliver secure and effective digital health tools. To satisfy C3 Technical Security criteria, a key component of this process is conducting penetration testing. Regular and comprehensive penetration testing not only satisfies DTAC criteria but also enhances the overall security posture of digital health technologies.

Additionally, conducting a detailed data protection impact assessment (DPIA) is vital to identify patient record data, understand how it is processed and pinpoint potential risks. This proactive approach ensures that appropriate safeguards are in place, aligning with DTAC’s emphasis on data protection. Digital health technology suppliers must also involve a data protection officer (DPO) to oversee compliance with data protection regulations and to maintain high standards of information security and privacy.

By prioritizing these measures, digital health suppliers can ensure their solutions are adequately secure, effective, and compliant with NHS DTAC.

About the author

Julio Fort


Julio has worked professionally in the field of cybersecurity for over 15 years. With extensive international experience, he worked as a security consultant for London Olympics 2012, and served as a senior application security advisor at a global investment bank. Julio holds a master’s degree from Royal Holloway, University of London, in application security and fuzzing.

