InHealth is the UK’s largest specialist provider of diagnostic solutions, dedicated to enhancing healthcare outcomes across both NHS and independent sectors. With over 30 years of experience, they provide tests, scans and examinations for more than 4 million patients a year, through a network spanning 800 locations nationwide, supported by 3,500 staff.
In late 2023, InHealth Group became a designated operator of essential services (OES) under the Network and Information Systems Regulations (NIS Regulations), necessitating an independent assessment of their NHS-DSPT toolkit.
We spoke to Michael Pennington, Group Head of Security and Information Governance at InHealth, who has been with the company for nearly 18 years, including his tenure at InHealth Intelligence prior to its acquisition by InHealth.
What did you find challenging about this assessment?
“The assessment posed challenges due to its broader scope compared to previous years, particularly in demonstrating activities to external auditors rather than relying on self-assessment. To address this, we developed a comprehensive project plan to identify and rectify any gaps. Each area was assigned to a Subject Matter Expert with clear instructions on the types and formats of evidence required.”
“On a personal level, I have been doing the NHS-DSP since its inception and it was a self-assessment. This was the first time I was getting my homework marked and it did bring about a lot of self-reflection on whether my interpretation of the requirements was in fact correct. Never underestimate the effects of imposter syndrome!”
How did you find the auditors’ technical knowledge on the assertions?
“The auditors already had extensive knowledge of ISO 27001, NIST, and Data Protection, integral to the NHS-DSPT framework. Their thorough understanding of audit requirements enabled them to effectively evaluate our assertions.”
“Following on from the assessment, I am confident in the assurance of our system, both organisationally and personally. The external audit has elevated our NHS-DSPT from a level of compliance to a level of assurance.”
Reflecting on the way the audit was conducted, Michael said, “The conversational approach adopted during the audit proved highly effective. It allowed us to showcase not only documentation and evidence but also the interconnectedness of our operations, the dedication of our team, and our commitment to excellence.”
Why did you choose ISOQAR and how was the overall experience?
“We selected ISOQAR based on their extensive experience auditing our ISO 9001, 14001, 27001, and 50001 standards. A chance conversation during an ISO 27001 Surveillance Audit highlighted their suitability for auditing the NHS-DSPT. Their understanding of healthcare complexities and ISO standards made them an obvious choice, ensuring a smooth and insightful audit process.”
And finally, any advice for those going through this process?
“For organisations embarking on this process, thorough preparation is key. Ensure all evidence is readily accessible and that subject matter experts are available. Be prepared to be fully transparent – the external audit is there to praise good practice too, but where things do need a little bit of work, this provides a second set of eyes to really push forward any opportunities for improvement.”