Secure Email Standard Introduction for IT Suppliers

1. Secure Email Standard Introduction for IT Suppliers 09 June 2014 Clive Star

2. Background • Developed to support the secure exchange of sensitive information between Health and Social Care organisations using locally managed email services • Builds on the Information Governance Toolkit organisations already complete with some additional enhancements on a few of the individual baseline controls • Developed with a potential to step up to meet Public Sector accreditation requirements

3. Scope • Standard covers health, public health & social care in England • Under the 2012 Health Act, organisations must have “due regard” for standard • Standard covers email services for personal and sensitive data only • Outsourced, cloud, in-house and HIS IT systems must meet service provider requirements

4. The Specification • The Secure email standard is available at:http://www.isb.nhs.uk/documents/isb-1596/amd-34-2012 • Contains: • The Information Standards Notice • The Specification • The Baseline Control Set

5. Principles • Aligned to ISO 27001 • Independent accreditation • Supports insourced and outsourced systems • Organisation compliance • System/Service provider compliance • Clinical safety approval for the email service • Organisations with Public Sector (HMG) certification do not need to accredit to this standard as well

6. IT Supplier Conformance • An independently audited information security management system in relation to the email service • For services using personal or sensitive data, evidence of conformance to the  secure email baseline control set and pan-government or government departmental (e.g. Department of Health) security accreditation. For systems accredited prior to April 2014 this SHOULD be B-IL 3 • Clinical safety approval for the email service, as per ISB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems • Evidence of conformance to the open standards policy

7. Meeting the Standard • Achieve ISO 27001 accreditation • Achieve B-IL3 departmental or pan-governmental security accreditation • Register with the Public Services Network (PSN) Authority, evidencing conformance to the PSN Code of Connection. Larger suppliers will need to register as a PSN Service Provider • Implement a PSN connection • Comply with ISB 0160 clinical safety standard • Evidence conformance to the Open Standards Policy

8. Guidance • Security accreditation is managed by CESG in accordance with HMG IA Standard Numbers 1 & 2 – Supplement Technical Risk Assessment and Risk Treatment • A CLAS consultant(CESG Listed Adviser Scheme)can advise on accreditation • PSN accreditation is managed by the PSN Authority Clinical safety guidance is available from the HSCIC • NHSmail has published its conformance statement that can be used as a guide

9. Interoperability - How it will work • Secure email will communicate via the GSi/PSN infrastructure • All email services will need to conform to pan-government standards • The HSCIC will create and administer 3 domains: • @orgname.nhs.net / @nhs.net – NHSmail • @orgname.secure.nhs.uk – Secure NHS systems • TBC – Secure care systems

10. Next Steps • Register with nhs-mail2@nhs.net so we can include you in future targeted updates • Assess the effort to achieve B-IL3 and PSN accreditation. We estimate this is the order of ~£50k for initial accreditation and ~£20k p.a. to retain • Consider employing a CLAS consultant • Implement PSN connection and (if necessary) register as a PSN Service Provider • Engage with HSCIC to implement clinical safety standard.