Cyber Security Policy

(DVSP Ltd, trading as UK ME/CFS specialist clinic)

1. Purpose

This policy sets out the clinic’s approach to protecting digital systems and personal data from unauthorised access, cyber threats, and data loss, in compliance with UK GDPR and best practice in healthcare information governance.

2. Scope

This policy applies to all electronic systems, devices, software, and networks used in connection with the clinic’s operations, including: PKB, Smilenotes, Doxy.me, Microsoft Office, email systems, and authorised hardware.

3. Cyber Security Principles

The clinic adopts a risk-based approach to cyber security, focusing on:

  • Confidentiality of patient data

  • Integrity of clinical records

  • Availability of systems for patient care

  • Proportional controls appropriate to a solo online clinic

4. System Access Controls

  • Unique user credentials are used for all systems.

  • Multi-factor authentication (MFA) is enabled wherever available.

  • Strong password policies are enforced (minimum length, complexity, regular review).

  • Access is restricted to the Clinic Director only.

  • Credentials are never shared.

5. Device Security

  • All devices used to access clinical systems are:

    • Password-protected

    • Encrypted using full-disk encryption

    • Configured with automatic screen lock

    • Kept up to date with operating system and security patches

  • Anti-malware and firewall protection are enabled on all devices.

6. Network Security

  • Secure, private internet connections are used for all clinical work.

  • Public Wi-Fi networks are avoided.

  • Where remote access is required, a secure VPN is used.

7. Data Protection Measures

  • All clinical data are stored within PKB’s or Smilenotes’ secure cloud environments.

  • Video consultations via Doxy.me are encrypted in transit.

  • No consultations are recorded.

  • Data minimisation principles are applied (only clinically necessary data collected).

  • Regular backups are performed automatically by system providers.

8. Third-Party Systems and Vendors

  • Only reputable, GDPR-aligned vendors are used.

  • Data Processing Agreements (DPAs) are maintained with PKB, Smilenotes and Doxy.me.

  • Vendor security features and terms are reviewed before onboarding and periodically thereafter.

9. Monitoring and Incident Detection

  • System access logs and security alerts are reviewed periodically.

  • Any suspected cyber incident or unauthorised access is reported immediately to the Clinic Director.

  • All incidents are logged and investigated.

10. Incident Response

  • Cyber incidents are managed in line with the Data Breach Response Policy.

  • Systems are isolated where compromise is suspected.

  • Passwords and credentials are reset as a precaution following any security incident.

11. Business Continuity

  • In the event of system unavailability, clinical records can be restored from provider backups.

  • Patients will be informed of any service disruption and alternative arrangements made where feasible.

12. Review and Governance

  • This policy is reviewed annually or following any cyber incident.

  • The Clinic Director is responsible for cyber security governance and compliance.
