Aisthesis Medical Achieves NHS Data Security and Protection Toolkit ‘Standards Exceeded’ Status

We’ve achieved ‘Standards Exceeded’ status in the NHS Data Security and Protection Toolkit (DSPT), the highest tier of NHS data security certification. Awarded February 23, 2026, this certification validates that Aisthesis Medical meets advanced data protection and cybersecurity standards required for handling NHS patient data, positioning VIOSync for deployment in NHS environments.

What is the NHS Data Security and Protection Toolkit?

The NHS Data Security and Protection Toolkit is a mandatory annual self-assessment framework required for any organization that accesses NHS patient data or systems. Introduced in 2018 to replace the Information Governance Toolkit, the DSPT ensures that healthcare suppliers, from MedTech startups to IT service providers, meet consistent standards for protecting sensitive patient information.

With over 80,000 suppliers handling NHS data, the DSPT provides a structured framework for evaluating data security practices across:

  • Personal confidential data handling and storage
  • Cybersecurity controls and incident response planning
  • Staff awareness, training, and access management
  • IT infrastructure security and vulnerability management
  • Business continuity and disaster recovery capabilities

Organizations that fail to complete the DSPT or meet its standards face loss of NHS systems access (including NHSmail), potential contract breaches, and barriers to NHS procurement opportunities.

‘Standards Exceeded’ vs ‘Standards Met’

The DSPT offers two assessment statuses for most organizations:

‘Standards Met’ – the baseline requirement demonstrating compliance with the National Data Guardian’s 10 data security standards. Most NHS suppliers aim for this tier.

‘Standards Exceeded’ – the highest tier, requiring organizations to not only meet current standards but also demonstrate readiness for forecast achievement levels in the following assessment year. For organizations assessed against the National Data Guardian framework, ‘Standards Exceeded’ requires achieving ‘Standards Met’ plus holding current Cyber Essentials Plus certification.

‘Standards Exceeded’ signals that an organization has gone beyond minimum compliance – implementing advanced data security practices, proactive cybersecurity controls, and governance structures that anticipate future requirements rather than reacting to current baselines.

What DSPT Assessment Covers

The DSPT assessment evaluates organizations against the National Data Guardian’s 10 data security standards, including:

  • Personal Confidential Data: Secure handling from collection through storage, ICO registration, information asset registers, data privacy notices
  • Staff Awareness and Training: Data security training programmes, role-based access controls, regular competency assessments
  • Access Controls: Principle of least privilege, audit trails for sensitive data access, user privilege monitoring
  • Process Reviews: Annual security audits, risk assessments, policy reviews aligned with UK GDPR requirements
  • Removable Media: Encrypted storage devices, secure data transfer protocols, device tracking
  • Incident Management: Documented incident response plans, breach notification procedures, continuous threat monitoring
  • IT Protection: Firewalls, antivirus, vulnerability management, patch management, network security
  • Accountability: Senior leadership ownership of data security, board-level oversight, governance structures
  • Continuity Planning: Business continuity plans, disaster recovery procedures, tested incident response capabilities
  • Supplier Management: Third-party security assessments, data processing agreements, supply chain risk management

Why This Matters for Pre-Market MedTech Companies

Achieving ‘Standards Exceeded’ status before market entry is rare for pre-market MedTech companies. Most startups address DSPT compliance only when actively pursuing NHS contracts, treating it as a procurement requirement rather than a foundational capability.

Aisthesis Medical took the opposite approach: building NHS-grade data security infrastructure from the beginning, recognizing that clinical AI systems handling real-time patient data cannot treat security as an afterthought.

For VIOSync, this matters because:

Real-Time Patient Data Requires Real-Time Security

VIOSync is designed to integrate with hospital EHRs, patient monitoring systems, and laboratory information systems, pulling multimodal data in real time to predict sepsis risk up to 48 hours in advance. This data flow requires robust security architecture from the infrastructure layer up, not bolted on during procurement negotiations.

NHS Deployment Readiness from Day One

DSPT compliance is mandatory for NHS suppliers, but achieving ‘Standards Exceeded’ demonstrates readiness beyond baseline requirements. When VIOSync enters clinical trials and deployment discussions with NHS trusts, our data security posture is already validated, reducing integration friction and shortening the procurement timeline.

Trust Through Transparency

Clinical AI adoption depends on clinician trust. Part of that trust comes from demonstrable commitment to data protection and patient privacy. ‘Standards Exceeded’ certification provides third-party validation that Aisthesis Medical takes these responsibilities seriously, before we ever deploy in a clinical environment.

Technical Credentialing Context

DSPT ‘Standards Exceeded’ status sits within a broader credentialing framework Aisthesis Medical has built:

  • Cyber Essentials Plus Certification – verified through independent technical audit, validating security controls against common cyber threats
  • ISO 13485:2016 Certification – quality management system for medical devices, required for CE MDR compliance
  • NHS DSPT Standards Exceeded – advanced data security and protection posture for NHS patient data handling
  • UK GDPR Compliance – data protection officer appointed, information governance policies implemented

Together, these certifications demonstrate that VIOSync is being developed within a regulatory and security framework appropriate for deployment in safety-critical healthcare environments – not retrofitted to meet requirements after product development.

The Bigger Picture: Infrastructure Before Deployment

Clinical AI deployment failures often trace back to infrastructure gaps rather than model performance. Companies build impressive algorithms but struggle with the operational realities of healthcare environments, data security requirements, regulatory compliance, quality management systems, and governance structures needed for sustained deployment.

Aisthesis Medical’s approach prioritizes building this infrastructure early, treating DSPT compliance, ISO 13485 certification, Cyber Essentials Plus, and EU AI Act readiness as foundational requirements rather than late-stage procurement hurdles.

DSPT ‘Standards Exceeded’ status validates that we’re taking this seriously. It signals to NHS trusts, clinical partners, and regulatory bodies that when VIOSync is ready for deployment, the underlying infrastructure will support it.

Looking Ahead: From Certification to Deployment

DSPT certification is valid through June 30, 2027, with annual reassessment required to maintain status. As Aisthesis Medical progresses toward CE MDR certification and prospective clinical trials, our DSPT compliance provides a stable foundation for NHS engagement, from research collaborations through eventual clinical deployment.

The work now focuses on completing our CE MDR technical file, advancing FHIR interoperability through the Caelestinus incubator, and preparing for prospective clinical validation studies. DSPT ‘Standards Exceeded’ ensures that when those conversations with NHS trusts begin, our data security posture is already validated.

About Aisthesis Medical

Aisthesis Medical is a deep-tech medtech startup developing cutting-edge AI-driven solutions to revolutionize acute care. Founded in 2022, our mission is to save lives by predicting and preventing sepsis before it becomes fatal. Aisthesis Medical is revolutionizing acute care with VIOSync, the first holistic AI-driven digital patient twin platform that goes beyond early sepsis prediction to guide clinical intervention and optimize patient outcomes. VIOSync predicts sepsis up to 48 hours earlier, integrates directly into hospital workflows, and optimizes treatment pathways to reduce unnecessary antibiotic use.

Ready to Learn More?

If you’re a hospital, NHS trust, or healthcare investor interested in learning more about VIOSync or our security and compliance posture, we’d love to connect.

📩 Get in touch: https://aisthesismed.com/contact/

🌐 Learn more about VIOSync: https://aisthesismed.com/product/