Secure Email Standard
Introduction for IT Suppliers
09 June 2014
Clive Star

Background
• Developed to support the secure exchange of sensitive information between Health and Social Care organisations using locally managed email services
• Builds on the Information Governance Toolkit that organisations already complete, with some additional enhancements on a few of the individual baseline controls
• Developed with the potential to step up to meet Public Sector accreditation requirements

Scope
• The standard covers health, public health & social care in England
• Under the 2012 Health Act, organisations must have “due regard” for the standard
• The standard covers email services for personal and sensitive data only
• Outsourced, cloud, in-house and HIS IT systems must meet the service provider requirements

The Specification
• The Secure Email Standard is available at: http://www.isb.nhs.uk/documents/isb-1596/amd-34-2012
• Contains:
– The Information Standards Notice
– The Specification
– The Baseline Control Set

Principles
• Aligned to ISO 27001
• Independent accreditation
• Supports insourced and outsourced systems
• Organisation compliance
• System/Service provider compliance
• Clinical safety approval for the email service
• Organisations with Public Sector (HMG) certification do not need to accredit to this standard as well

IT Supplier Conformance
• An independently audited information security management system in relation to the email service
• For services using personal or sensitive data, evidence of conformance to the secure email baseline control set and pan-government or government departmental (e.g. Department of Health) security accreditation. For systems accredited prior to April 2014 this SHOULD be B-IL 3
• Clinical safety approval for the email service, as per ISB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems
• Evidence of conformance to the Open Standards Policy

Meeting the Standard
• Achieve ISO 27001 accreditation
• Achieve B-IL3 departmental or pan-governmental security accreditation
• Register with the Public Services Network (PSN) Authority, evidencing conformance to the PSN Code of Connection. Larger suppliers will need to register as a PSN Service Provider
• Implement a PSN connection
• Comply with the ISB 0160 clinical safety standard
• Evidence conformance to the Open Standards Policy

Guidance
• Security accreditation is managed by CESG in accordance with HMG IA Standard Numbers 1 & 2 – Supplement: Technical Risk Assessment and Risk Treatment
• A CLAS consultant (CESG Listed Adviser Scheme) can advise on accreditation
• PSN accreditation is managed by the PSN Authority
• Clinical safety guidance is available from the HSCIC
• NHSmail has published its conformance statement, which can be used as a guide

Interoperability - How it will work
• Secure email will communicate via the GSi/PSN infrastructure
• All email services will need to conform to pan-government standards
• The HSCIC will create and administer 3 domains:
– @orgname.nhs.net / @nhs.net – NHSmail
– @orgname.secure.nhs.uk – Secure NHS systems
– TBC – Secure care systems

Next Steps
• Register with nhs-mail2@nhs.net so we can include you in future targeted updates
• Assess the effort to achieve B-IL3 and PSN accreditation. We estimate this is of the order of ~£50k for initial accreditation and ~£20k p.a. to retain
• Consider employing a CLAS consultant
• Implement a PSN connection and (if necessary) register as a PSN Service Provider
• Engage with the HSCIC to implement the clinical safety standard