The secure email standard

Summary

Emails sent to and from health and social care organisations must meet the secure email standard (DCB1596) so that everyone can be sure that sensitive and confidential information is kept secure.

Meeting the secure email standard

There are two ways to meet the secure email standard. Organisations must select one of these methods to comply.

  1. Implement an already compliant service such as NHSmail or Office 365 for all staff at your organisation.
  2. Demonstrate your own service is compliant to the secure email standard by following the secure email accreditation process.

Implement an already compliant service

NHSmail

Meet the organisation requirements of the standard by following the steps below.

  1. Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and / or the security of the services or the systems used to provide the services.
  2. Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
  3. Health and care organisations SHOULD comply with the provisions of SCCI0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
  4. Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems, such as those used by patients.
  5. Migrate all users/staff to the NHSmail email service, following the migration guidance on our Portal help pages.

Microsoft Office 365 (O365): Secure email configuration guide

Meet the organisation requirements of the standard by following the steps below.

  1. Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and / or the security of the services or the systems used to provide the services.
  2. Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
  3. Health and care organisations SHOULD comply with the provisions of SCCI0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
  4. Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems, such as those used by patients.
  5. Register compliance with the NHSmail team:
  • Microsoft Office 365 (O365) accreditations must include confirmation that the email service has been configured to communicate securely with NHSmail. The guide below was co-produced with Microsoft and explains how to configure an O365 tenant to route email securely to and from NHSmail: Microsoft Office 365: Secure email configuration guide.
  • Advise the NHSmail team of the *.secure.nhs.uk email domains you intend to run on the service, so that they can get the domains approved for release by the Domain Name Service (DNS) team.

Exchange, hybrid or other email services

In addition to completing the organisation section of the standard, those hosting their own email services must submit assertions and evidence that they meet the ICT Service Provider elements of the standard. These will be reviewed by the NHS Digital Data Security Centre.

Secure email accreditation process

The steps below set out the end-to-end accreditation process:

  1. Submission of a signed self-accreditation statement, with evidence
  2. Evidence checked by the Security and NHSmail team
  3. Rectification of findings and re-submission to NHSmail team
  4. DCB1596 met

Secure email accreditation templates

The templates to accredit your email service to the secure email standard are listed below, and should be returned with the required evidence to feedback@nhs.net.

DCB1596 Microsoft Office 365 Conformance Template
DCB1596 Self Accreditation Conformance Template
DCB1596 ICT Service Provider Template

Note: In the 'Health and Care Organisation' section of the templates, please provide the name and date of the policy or document covering each requirement and ensure the requisite approvals are in place.

Conformance statements

The statements below confirm how NHSmail and Microsoft Office 365 meet their email security obligations:

ISB 1596 conformance statement for NHSmail
ISB 1596 conformance statement for Microsoft Office 365

Re-accreditation

Accreditations to the secure email standard last for one calendar year. After this period organisations are required to re-accredit.

The re-accreditation process will involve the organisation re-submitting evidence for review. In most instances this will be very similar to the information previously submitted.

Penetration test results and ISO 27001 certificates submitted as evidence must be dated within the last 12 months.

As accreditations come to the end of their term the NHSmail Service will send out a reminder to each organisation. 

When suppliers and organisations meet the published standard, they are listed here. The conformance table below confirms how organisations meet their security obligations (arranged A-Z):

Organisation name | Date accredited | Accreditation type | Conformance statement
BMI Healthcare | 26 September 2018 | Exchange | DCB1596 Conformance Statement: BMI Healthcare
Bradford District Care NHS Foundation Trust | 28 February 2018 | Office 365 | DCB1596 Conformance Statement for Bradford District Care NHS Foundation Trust
Coventry and Warwickshire Partnership NHS Trust | 14 September 2018 | Exchange | DCB1596 Conformance Statement: Coventry and Warwickshire Partnership NHS Trust
Earl Mountbatten Hospice | 19 January 2018 | Office 365 | DCB1596 Conformance Statement: Earl Mountbatten Hospice
Egton Medical Information Systems Ltd | 20 October 2017 | Office 365 | SCCI1596 Conformance Statement: Egton Medical Information Systems Ltd (EMIS)
Health Education England | 19 September 2017 | Office 365 | DCB1596 Conformance Statement: Health Education England
Herefordshire CCG | 28 September 2018 | Exchange | DCB1596 Conformance Statement: Herefordshire CCG
Kings Fertility Limited | 6 November 2017 | Office 365 | SCCI1596 Conformance Assessment for Kings Fertility Limited
Leicestershire Health Informatics Service | 13 December 2016 | Exchange | ISB1596 Conformance Statement: Leicestershire Health Informatics Service (LHIS)
Mid Cheshire Hospital Foundation Trust | 14 September 2018 | Office 365 | DCB1596 Conformance Statement: Mid Cheshire NHS Foundation Trust
Norfolk and Norwich University Hospital NHS Foundation Trust | 6 March 2018 | Office 365 | DCB1596 Conformance Statement: Norfolk and Norwich University Hospital NHS Foundation Trust
Norfolk and Suffolk NHS Foundation Trust | 8 February 2018 | Office 365 | DCB1596 Conformance Statement: Norfolk and Suffolk NHS Foundation Trust
Norfolk Community Health & Care NHS Trust | 24 August 2018 | Office 365 | DCB1596 Conformance Statement: Norfolk Community Health & Care NHS Trust
Northumberland Tyne and Wear NHS Foundation Trust | 13 December 2016 | Exchange | ISB1596 Northumberland Tyne and Wear NHS Foundation Trust
Nottingham University Hospitals | 6 December 2017 | Exchange | SCCI1596 Conformance Assessment for Nottingham University Hospital NHS Trust
Nottinghamshire Health Informatics Service | 24 August 2018 | Office 365 | DCB1596 Conformance Statement: Nottinghamshire Health Informatics Service
South East Coast Ambulance Service | 10 January 2017 | Exchange | ISB1596 Conformance Statement: South East Coast Ambulance Service
South London and Maudsley NHS Foundation Trust | 17 September 2018 | Office 365 | DCB1596 Conformance Statement: South London and Maudsley NHS Foundation Trust
Southern Health NHS Foundation Trust | 24 September 2018 | Exchange | DCB1596 Conformance Statement: Southern Health NHS Foundation Trust
Staffordshire and Shropshire Health Informatics Service | 12 May 2017 | Exchange | ISB1596 Conformance Statement for Staffordshire & Shropshire Health Informatics Service
Staffordshire and Stoke on Trent Partnership Trust | 13 December 2016 | Exchange | SCCI1596 Conformance Statement: Staffordshire and Stoke on Trent Partnership Trust
Sussex Partnership Foundation Trust | 8 February 2017 | Exchange | DCB1596 Conformance Assessment - Sussex Partnership NHS Foundation Trust v1
Swindon CCG | 20 March 2018 | Office 365 | DCB1596 Conformance Statement: Swindon CCG
University Hospital Coventry and Warwickshire | 5 December 2017 | Exchange | SCCI1596 Conformance Statement for University Hospital Coventry and Warwickshire v1.1
University Hospitals Birmingham NHS Foundation Trust | 22 August 2018 | Exchange | DCB1596 Conformance Statement for University Hospitals Birmingham NHS Foundation Trust
West Midlands Ambulance Service NHS | 13 December 2016 | Office 365 | SCCI1596 Conformance Statement for West Midlands Ambulance Service
Wye Valley NHS Trust | 27 July 2018 | Exchange | DCB1596 Conformance Statement for Wye Valley NHS Trust

Contact

The NHSmail regional support managers are available to answer questions and signpost resources relating to meeting the secure email standard.

Region | Contact | Email address
North | Amanda Parkin | amanda.parkin@nhs.net
London | Simon Berest | simon.berest@nhs.net
Midlands | James Kane | james.kane2@nhs.net
South | Janet Bate | janet.bate@nhs.net

For any further queries regarding the secure email standard please contact feedback@nhs.net; a response will be provided within 5 working days.