Skip to main content

Does cyber security have to be painful?

Dan Jeffery, Head of Innovation, Delivery and Business Operations at NHS Digital’s Data Security Centre, explains how automation within NHSmail is delivering improved cyber security.

Yellow envelope covered by a blue security lock (line art) on a blue background

One of our basic principles in NHS Digital’s Data Security Centre is ‘don’t reinvent the wheel.’

Our work with NHSmail over the past year is an example of how we can improve the security, identity verification and user experience of one of the NHS’s key communications tools without ripping up the foundations and causing disruption to users.

NHSmail is more than just an email service. The system manages the identities of all users within the Microsoft Active Directory in the NHS and allows local administrators to manage accounts within the NHSmail portal.

Typically, NHS organisations will manage local identities within their own Active Directory and use the NHS Electronic Staff Record for workforce management, including the on-boarding and off-boarding of employees.

With more than 13,000 health and care organisations in England and Scotland using NHSmail and 64,000 movements of user accounts every month, the burden is real and the security implications relating to identity are acute. 

This may all sound straightforward and a bit technical, but the reality is that all of this has put significant burden on back offices across the NHS. Local organisations have had to manually manage employees that join, move or leave their roles within NHSmail, as well as their local active directories and Electronic Staff Record.

With more than 13,000 health and care organisations in England and Scotland using NHSmail and 64,000 movements of user accounts every month, the burden is real and the security implications relating to identity are acute. But that also means the opportunity for improvement is significant.

We are delivering three important improvements to workflows and to integration with local processes.

1.    A new Joiners, Movers, Leavers (JML) product integrates the Electronic Staff Record, NHSmail, and local directory services. It automates the movement of user accounts between NHSmail organisations, the synchronisation of attributes and the commissioning and de-commissioning of local identities in the active directories.  When fully implemented, this process is expected to save around 40,000 hours a year, leading to millions of pounds worth of efficiency savings.

2.    A password synchronisation micro-service allows users to synchronise their password from the NHS Directory to their local active directory services and vice versa. This will also improve user experiences by delivering a same sign-on experience regardless of whether they authenticate for services against the NHS Directory or local Active Directory services. It will also improve cyber security by reducing the number of passwords users need to manage, reducing the temptation to store them in an insecure way – such as post-its with user-names and passwords written on them and stuck to desktop or laptop monitors.

3.    Behavioural and transactional analysis will allow us to identify patterns in user behaviour and associated digital transactions to help pinpoint anomalous events. For example, if a user attempts to authenticate a service from an unusual location or an odd time or date the service can block authorisation in case the account has been compromised.

These new services build on a series of improvements to the NHSmail platform over the past year, including:

  • single sign-on for third party applications allowing digital services, from large national services to small start-ups, to use the NHS Directory as a trusted identity provider. This capability allows users to access services (for example Forward Health’s instant messaging) with their existing NHSmail account

  • multi-factor authentication (MFA) that introduces a second challenge when users sign-in. By adding the extra layer of identity security, we reduce the likelihood of intruders getting access. The capability is live across thousands of users and is available for local organisations to request for priority user groups.

  • intelligent enterprise password management and reset. The NHSmail Password Policy was updated in line with guidance from the National Cyber Security Centre (NCSC) and a new micro-service was launched to dynamically identify and block the use of common and compromised passwords using global intelligence. At the time of writing, we now stop around 100,000 weak passwords from being registered against NHSmail.

These enhancements are complemented by continued filtering and monitoring of spam and malicious activity at the NHSmail gateway. On average, we stop about 500 million malicious events every three months.

There is still a lot more we can do to improve user experience and data security on the NHS’s communications systems. As part of our work to support the NHS Cyber Programme and deliver NHSX’s Tech Vision and Long-Term Plan, we will continue to work to improve cyber preparedness and capability while relieving pressure on local teams.

Related subjects

  • Sign in to your secure NHS email. NHSmail is a secure email service approved for sharing sensitive information.

Share this page

Dan Jeffery

Dan is the Head of Cyber Innovation, Delivery, and Business Operations as well as the Head of the Cyber Security Profession, and is also a Deputy SIRO at NHS Digital. He is responsible for delivering the Cyber Security Programme for Health and Care. 

Latest blogs

Susie Day smiling
By Susie Day. 24 November 2020
Susie Day, Programme Head for the NHS App, explains how new features help support patients and clinicians to meet an increasing need for remote access to services during the pandemic and how they will improve healthcare after the current crisis.
Photo of James Reith working from home.
By James Reith. 19 November 2020
James Reith, Content Designer for the NHS App, explains how the NHS App integration team have improved their integration process to make it easier for partner services to innovate.
Graphic demonstrating that you can access the NHS login via the website or an app.
By Richard McStay. 4 November 2020
Richard McStay, Lead Delivery Manager, explains how the NHS login team is making it easier for more people to register. 
Last edited: 18 August 2020 2:35 pm