Secure Email Standard Introduction for Health and Social Care Organisations

1. Secure Email Standard Introduction for Health and Social Care Organisations 09 June 2014 Clive Star

2. Background • Developed to support the secure exchange of sensitive information between Health and Social Care Organisations using secure email services • Builds on the Information Governance Toolkit organisations already complete with some additional enhancements on a few of the individual baseline controls • Developed with a potential to step up to meet Public Sector accreditation requirements

3. Scope • Applies to health, public health & social care organisations in England • Under the 2012 Health Act, organisations must have “due regard” for standard • Standard covers email services for personal and sensitive data only

4. The Specification • The Secure email standard is available at:http://www.isb.nhs.uk/documents/isb-1596/amd-34-2012 • Contains: • The Information Standards Notice • The Specification • The Baseline Control Set

5. Principles • Aligned to ISO 27001 • Independent accreditation • Supports insourced and outsourced systems • Organisation compliance • System/Service provider compliance • Clinical safety approval for the email service • Organisations with Public Sector (HMG) certification do not need to accredit to this standard as well

6. Health & Care Conformance • Evidence of a security risk assessment for the email service i.e. to consider whether is contains personal & sensitive data or not • One of either the Information Governance Toolkit (IGT) / Public Services Network (PSN) Code of Connection or an Information Security Management System (ISMS) conforming to ISO 27001 • Published policies and procedures for the use of secure email using mobile devices • Evidence provided by the email service provider that they have met thisstandard. • Clinical safety approval for the email service • Published policies for the use of email with insecure systems

7. Interoperability - How it will work • Secure email will communicate via the Government Secure Intranet (GSi) / PSN infrastructure • All email services will need to conform to pan-government standards • The HSCIC will create and administer 3 domains: • @orgname.nhs.net / @nhs.net – NHSmail • @orgname.secure.nhs.uk – Secure NHS systems • TBC – Secure care systems

8. IT Services that meet the Standard • Health and Social Care using • .nhs.net - NHSmail • Local Government / Social Services • .gcsx.gov.uk • Central Government • .gsi.gov.uk, .gse.gov.uk, gsx.gov.uk • Criminal and Justice • .cjsm.net, .scn.gov.uk, .pnn.police.uk • Military • .mod.uk http://systems.hscic.gov.uk/nhsmail/secure

9. Next Steps • Determine if your email service contains personal or sensitive data • Register with nhs-mail2@nhs.net so we can include you in future targeted updates • Seek evidence of conformance to health & care requirements • Ensure email service conforms to supplier aspects of standards. If you host your own email you are the supplier • Self-certify conformance. Good practice is to publish this, as with NHSmail: (http://systems.hscic.gov.uk/nhsmail/emailstandards).