Healthcare

Identity Security for NHS Trusts & Healthcare Providers

DSP Toolkit compliance, CQC inspection readiness, and NHS Digital standards demand robust identity governance. IdentityFirst delivers the evidence — read-only, without touching clinical systems.

NHS Trust Clients  •  DSP Toolkit Aligned  •  CQC Readiness  •  Read-Only Architecture  •  No Clinical System Access
The Challenge

Why Healthcare Has an Identity Problem

NHS trusts and healthcare providers operate some of the most complex identity estates in any sector — and face adversaries who know it.

Clinical Systems Sprawl

EPR systems (EMIS, SystmOne, TPP, Lorenzo), PACS, pharmacy systems, and diagnostic platforms each maintain separate identity stores. Locum and agency accounts accumulate across these systems without consistent leaver processes, creating persistent access long after contracts end.

DSP Toolkit Requires Evidence

DSPT Standard 7 (Staff Responsibilities) and Standard 9 (IT Protection) require documented access control evidence — not assertions. Manual sampling by spreadsheet fails audit scrutiny. IdentityFirst produces structured, submission-ready evidence mapped to each DSPT assertion.

NHS Is a Primary Ransomware Target

WannaCry and subsequent attacks exploited Active Directory misconfigurations and stale accounts that had never been reviewed. Identity is the initial access vector in the majority of NHS cyber incidents. Organisations that cannot enumerate their own access risk cannot prioritise remediation.

Compliance Obligations

DSP Toolkit Obligations IdentityFirst Addresses

IdentityFirst produces structured identity governance evidence mapped to the specific DSPT assertions, CQC domains, and NHS Digital standards your organisation must meet.

DSPT Standard 9 — IT Protection

  • Access control evidence for DSPT 9.1 assertion requirements
  • Privileged account inventory and periodic review documentation
  • Active Directory configuration audit against NHS Digital baseline
  • Service account inventory with SPN, delegation, and password age analysis

DSPT Standard 7 — Staff Responsibilities

  • Leaver process evidence: accounts still active post-departure
  • Stale account report: users inactive beyond defined thresholds
  • Locum and agency account lifecycle audit
  • Departed employee access termination gap analysis

CQC Well-Led Domain

  • Information governance control evidence for CQC inspection
  • Access management maturity assessment for well-led evidence
  • Board-ready findings report with executive risk summary
  • Remediation roadmap with prioritised actions and ownership

NHS Digital Data Security Standards

  • Standard 1 — People: access control and staff identity lifecycle
  • Standard 6 — Cyber Attacks: identity configuration hardening
  • Standard 7 — Continuity: privileged access resilience posture
  • Standard 10 — Accountable Suppliers: third-party identity exposure review

Example Findings

What IdentityFirst Finds in Healthcare Environments

These are representative examples drawn from NHS trust and healthcare provider assessments — the categories of risk that appear consistently and are invisible to manual review.

Critical

Locum Accounts Active 6+ Months After Contract End

34 locum accounts remain enabled with no recorded last logon in the active period. 8 retain clinical system group memberships — including EPR access groups — despite contractor departure dates recorded in HR over six months prior.

DSPT Standard 7 gap — leaver process evidence absent for these accounts.

High

Shared Service Account for EPR Integration

svc_emis_integration password unchanged for 1,240 days. Account is used by multiple ward-facing systems and holds broad read permissions across the EPR integration layer. No rotation schedule is documented and no owner is assigned.

DSPT Standard 9 gap — service account lifecycle process not evidenced.

Critical

Domain Admin Accounts Used for Daily Clinical Administration

3 consultant accounts hold permanent Domain Admin membership and are used as primary daily login accounts. No just-in-time elevation is in place. Any workstation these accounts touch becomes a Domain Admin pivot point.

Blast Radius: Critical — full domain compromise reachable from any workstation login.

High

Agency Staff AD Accounts in Permanent OU

Agency staff accounts are provisioned in the same OU as permanent employees with no expiry date set and no contractor lifecycle flag in Active Directory. No automated review or expiry process is triggered when agency contracts end.

DSPT Standard 7 gap — no documented contractor access termination process.

Medium

PACS Service Account Kerberoastable

svc_pacs_imaging registered with RC4-HMAC encryption and an SPN exposing the PACS system. The TGS ticket for this account can be extracted from any domain-joined workstation and cracked offline. The account scope includes read access to the imaging data store.

NCSC Cyber Essentials Plus gap — Kerberoastable SPN with data access scope.

View a complete sample IdentityMRI assessment report →

How It Works

Read-Only Assessment — No Clinical System Access

A four-stage pipeline from read-only connector to DSP Toolkit evidence pack — completed within 24–72 hours, with no agents installed and no production changes made.

1. Connect

A read-only LDAP bind account is provisioned by your IT team — minimum permissions only, approved by your IG team before setup. No Domain Admin rights. No clinical system connectors. No agents installed.

2. Assess

IdentityFirst enumerates every user, group, service account, SPN, and delegation setting across your AD environment. Locum, agency, and contractor accounts are identified and cross-referenced against last logon and HR data where available.

3. Prioritise

Every finding is scored by severity and blast radius — how far a compromised account can reach across your clinical and administrative systems. DSPT and CQC mapping applied automatically.

4. Report

Board-ready PDF with prioritised findings, DSPT evidence mapping for Standards 7 and 9, and step-by-step remediation playbooks. Delivered within 24 hours of scan completion. Full evidence pack in 48–72 hours.

No clinical system access. Ever.

IdentityFirst connectors bind to Active Directory and cloud identity systems (Entra ID, Okta) only. No EPR, no PACS, no pharmacy system, no clinical data of any kind is accessed or processed. Your IG team can review and approve the exact permission set before any connector is established.
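As an added illustration of the finding categories listed under Example Findings and of the Assess and Prioritise stages above, the following is example code, not IdentityFirst's own, that runs the five checks over a constructed set of Active Directory user records and tags each hit with the severity and evidence mapping the page uses. The clinical group names, the Tier0 admin OU, the HR end-date feed, the 30-day leaver grace period and the 365-day service password threshold are assumptions; in a live run the records would come from a read-only LDAP search returning the attributes named in the code, which is also the attribute set a minimum-permission bind account needs to read.

```python
"""Identity-governance checks over AD user records (added example, not IdentityFirst code)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the sample is repeatable
EPOCH_DIFF = 11_644_473_600                        # seconds from 1601-01-01 (FILETIME) to 1970-01-01
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}            # accountExpires values meaning "no expiry"
UAC_ACCOUNTDISABLE = 0x0002                        # userAccountControl flag
ENC_AES = 0x08 | 0x10                              # msDS-SupportedEncryptionTypes: AES128 | AES256
LEAVER_GRACE_DAYS = 30                             # assumed tolerated gap after HR end date
STALE_SERVICE_PWD_DAYS = 365                       # assumed rotation threshold
DA_GROUP = "CN=Domain Admins,"
ADMIN_OU = "OU=Tier0,"                             # assumed dedicated admin OU (hypothetical)
CLINICAL_GROUPS = ("CN=EPR-Clinical-Users,", "CN=PACS-Readers,")  # assumed group names


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> the 100 ns FILETIME integer AD stores (integer maths, no float drift)."""
    return (int(dt.timestamp()) + EPOCH_DIFF) * 10_000_000


def from_filetime(ft: int) -> datetime:
    return datetime.fromtimestamp(ft // 10_000_000 - EPOCH_DIFF, tz=timezone.utc)


def days_since(ft: int | None) -> int | None:
    return None if not ft else (NOW - from_filetime(ft)).days


@dataclass(frozen=True)
class Finding:
    account: str
    category: str
    severity: str   # Critical / High / Medium
    standard: str   # evidence mapping the finding supports
    detail: str


def check_account(u: dict, hr_end_dates: dict[str, datetime]) -> list[Finding]:
    """Apply the five page-described checks to one AD user record."""
    sam = u["sAMAccountName"]
    enabled = not (u["userAccountControl"] & UAC_ACCOUNTDISABLE)
    groups = u.get("memberOf", [])
    spns = u.get("servicePrincipalName", [])
    out: list[Finding] = []

    # 1. Leaver still enabled: HR says the contract ended, AD says the account is live.
    end = hr_end_dates.get(sam)
    if enabled and end and (NOW - end).days > LEAVER_GRACE_DAYS:
        clinical = any(g.startswith(CLINICAL_GROUPS) for g in groups)
        out.append(Finding(sam, "leaver-still-enabled", "Critical" if clinical else "High",
                           "DSPT Standard 7",
                           f"enabled {(NOW - end).days} days after HR end date; last logon "
                           f"{days_since(u.get('lastLogonTimestamp'))} days ago; "
                           f"clinical groups={'yes' if clinical else 'no'}"))

    # 2. Service account (has an SPN) whose password has not rotated within the threshold.
    pwd_age = days_since(u.get("pwdLastSet"))
    if spns and pwd_age is not None and pwd_age > STALE_SERVICE_PWD_DAYS:
        out.append(Finding(sam, "service-password-age", "High", "DSPT Standard 9",
                           f"password last set {pwd_age} days ago"))

    # 3. Domain Admin membership on an account outside the admin OU: a daily-use login
    #    rather than a dedicated admin identity, so every workstation it touches is a pivot.
    if any(g.startswith(DA_GROUP) for g in groups) and ADMIN_OU not in u["distinguishedName"]:
        out.append(Finding(sam, "domain-admin-daily-use", "Critical", "Blast radius",
                           "permanent Domain Admin on a standard user OU account"))

    # 4. Agency account with no accountExpires value, so nothing fires at contract end.
    if u.get("employeeType") == "Agency" and u.get("accountExpires", 0) in NEVER_EXPIRES:
        out.append(Finding(sam, "agency-no-expiry", "High", "DSPT Standard 7",
                           "no accountExpires set; no lifecycle trigger at contract end"))

    # 5. Enabled SPN account with no AES bit (attribute absent is treated as RC4-only here).
    if enabled and spns and not (u.get("msDS-SupportedEncryptionTypes", 0) & ENC_AES):
        out.append(Finding(sam, "rc4-only-spn", "Medium", "Cyber Essentials Plus",
                           f"SPN {spns[0]} without AES encryption types"))
    return out


def run_assessment(users: list[dict], hr_end_dates: dict[str, datetime]) -> list[Finding]:
    rank = {"Critical": 0, "High": 1, "Medium": 2}
    found = [f for u in users for f in check_account(u, hr_end_dates)]
    return sorted(found, key=lambda f: (rank[f.severity], f.account))


def summarise(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


BASE = "DC=trust,DC=nhs,DC=uk"
USERS = [  # constructed sample records, not data from any real trust
    {"sAMAccountName": "locum.khan", "distinguishedName": f"CN=locum.khan,OU=Clinical Staff,{BASE}",
     "userAccountControl": 0x200, "memberOf": [f"CN=EPR-Clinical-Users,OU=Groups,{BASE}"],
     "lastLogonTimestamp": to_filetime(_utc(2023, 10, 10)), "pwdLastSet": to_filetime(_utc(2023, 9, 1)),
     "employeeType": "Locum"},
    {"sAMAccountName": "svc_emis_integration", "distinguishedName": f"CN=svc_emis_integration,OU=Service,{BASE}",
     "userAccountControl": 0x200, "servicePrincipalName": ["HTTP/emis-int.trust.nhs.uk"],
     "pwdLastSet": to_filetime(NOW - timedelta(days=1240)), "msDS-SupportedEncryptionTypes": ENC_AES},
    {"sAMAccountName": "dr.patel", "distinguishedName": f"CN=dr.patel,OU=Clinical Staff,{BASE}",
     "userAccountControl": 0x200, "memberOf": [f"CN=Domain Admins,CN=Users,{BASE}"],
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=1)), "pwdLastSet": to_filetime(NOW - timedelta(days=40))},
    {"sAMAccountName": "agency.jones", "distinguishedName": f"CN=agency.jones,OU=Clinical Staff,{BASE}",
     "userAccountControl": 0x200, "employeeType": "Agency", "accountExpires": 0,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=3)), "pwdLastSet": to_filetime(NOW - timedelta(days=20))},
    {"sAMAccountName": "svc_pacs_imaging", "distinguishedName": f"CN=svc_pacs_imaging,OU=Service,{BASE}",
     "userAccountControl": 0x200, "servicePrincipalName": ["MSSQLSvc/pacs-db.trust.nhs.uk:1433"],
     "pwdLastSet": to_filetime(NOW - timedelta(days=100)), "msDS-SupportedEncryptionTypes": 0x4},
    {"sAMAccountName": "adm.smith", "distinguishedName": f"CN=adm.smith,OU=Tier0,{BASE}",
     "userAccountControl": 0x200, "memberOf": [f"CN=Domain Admins,CN=Users,{BASE}"],
     "pwdLastSet": to_filetime(NOW - timedelta(days=15))},
]
HR_END_DATES = {"locum.khan": _utc(2023, 10, 15)}   # constructed HR leaver feed

if __name__ == "__main__":
    for f in run_assessment(USERS, HR_END_DATES):
        print(f"{f.severity:8} {f.account:22} {f.category:24} [{f.standard}] {f.detail}")
```

The control record adm.smith, a Domain Admin kept in the dedicated admin OU, produces no finding, which is the point of check 3: the risk is privileged membership on a daily-use identity, not Domain Admin membership as such.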

FAQ

Healthcare Identity Security — Common Questions

Straight answers to the questions NHS trusts and healthcare providers ask before starting an assessment.

Does IdentityFirst access patient records or clinical systems?

No. IdentityFirst uses read-only LDAP and API connectors to Active Directory and cloud identity systems only. No clinical data, patient records, or EPR system data is ever accessed, read, or processed by any IdentityFirst connector.

The assessment is confined entirely to identity and access management infrastructure — who has access to what, not what that access allows them to see. Your IG team can review the exact permission set and verify it independently before any connector setup begins.

How does IdentityFirst help with DSP Toolkit submission?

IdentityFirst provides documented evidence for DSPT Standards 7 and 9, including:

  • Stale and departed account lists with last logon dates and group membership detail
  • Privileged access review findings covering Domain Admin, service accounts, and delegated rights
  • Leaver process gap analysis showing accounts still active after departure
  • Access control configuration evidence mapped to each DSPT assertion

Output is structured for DSPT submission, not just internal reporting. Your IG team receives a findings document formatted to address the specific wording of each relevant assertion.

Can IdentityFirst assess systems across multiple NHS sites or trusts?

Yes. IdentityFirst can assess federated Active Directory environments spanning multiple sites, OUs, and trust relationships in a single assessment run. Cross-site identity correlation surfaces accounts that exist in one domain but are not governed by another — a common gap in merged trusts and shared service arrangements.

If you operate across multiple sites with separate AD domains under a trust relationship, we scope the connector setup to cover all in-scope domains before the assessment begins.

How long does an NHS trust assessment take?

Initial Active Directory findings are delivered within 24 hours of connector setup. A full DSP Toolkit evidence pack — including privileged access review, stale account analysis, leaver process audit, and service account inventory — is typically completed within 48 to 72 hours.

Connector setup itself typically takes less than an hour once your IT team has provisioned the read-only service account. We provide the exact account specification and minimum permissions in advance.

Do we need to involve our IG team?

Your Information Governance team should approve the read-only service account we use before any connector setup begins. We provide the exact minimum permissions required — a standard read-only LDAP bind account with no write access and no access to clinical data — so your IG team can review and approve it well ahead of the assessment.

We are happy to join a call with your IG lead to walk through the permission set, the data flows, and the assessment boundary. Most trusts complete IG sign-off within one working day of receiving our specification document.

Ready for Your DSP Toolkit Review?

See what IdentityFirst finds in a real healthcare identity estate, or book a session to scope your DSP Toolkit evidence pack — read-only, IG-approved, no clinical system access.


Read-only  •  No clinical system access  •  IG-approved permission set  •  DSPT evidence in 48–72 hours