How a 400-bed NHS trust closed 47 DSP Toolkit assertions in a single quarter — and rebuilt backup without taking clinical systems offline
DSP Toolkit "not yet met" on 47 assertions. NHSE escalation timeline: 90 days.
- 47 DSP Toolkit assertions failing — including backup integrity, access control review cadence, MFA on privileged accounts, and joiner-mover-leaver process evidence
- Backup was on tape, last verified 2018, and the historical restore success rate was unknown
- Clinical systems (SystmOne, EMIS, MetaVision, GE Centricity PACS) couldn't be taken offline for any extended window — patient safety overrides
- Three sites, three IT teams, three different ways of evidencing the same control — auditor couldn't consolidate
- NHS Digital escalation imminent; failure to remediate triggers funding implications
Servnet ran the gap analysis in 8 working days. Remediation plan delivered to the CCIO + DPO in the same week.
DSP gap analysis + consolidated evidence
Mapped all 47 failing assertions to the actual deployed control set across all three sites. 19 were genuine gaps. 28 were "controls in place but evidence not captured." Built the consolidated evidence pack — same control framework across sites, single source of truth.
Immutable backup deployment, zero clinical downtime
Rubrik deployed alongside existing tape — incremental forever, immutable object storage targets, with side-by-side recovery testing. Tape decommissioned only after 90 days of successful production parallel running. Clinical systems never offline.
Privileged access + MFA rollout
Microsoft Entra ID conditional access deployed for clinical app SSO and privileged accounts. NHSmail integration. Smartcard-aware policies so clinicians are never blocked at the wrong moment.
Joiner-mover-leaver automation
Integrated ESR (NHS HR) with Active Directory and Entra ID — automated account provisioning, role-based access, automatic suspension on contract end. Audit trail evidence pack capturing every change.
DSP Toolkit re-submission + Cyber Essentials Plus
Re-submitted DSP Toolkit with all 47 assertions met. Cyber Essentials Plus certification achieved as a side-effect of the same controls work, 6 weeks later.
Most suppliers we spoke to wanted to sell us a project. Servnet listened, ran the gap analysis honestly, and quoted what was needed — including telling us what we could safely leave alone. We hit the deadline and we're in a stronger posture than we've been in years.