The secure email standard
Summary
Emails sent to and from health and social care organisations must meet the the secure email standard (DCB1596) so that everyone can be sure that sensitive and confidential information is kept secure.
Top tasks
Meeting the secure email standard
There are two ways to meet the secure email standard. Organisations must select one of these methods to comply. Either:
adopt an already compliant service such as NHSmail or Office 365 for all staff at your organisation, or
demonstrate your own service is compliant to the secure email standard by following the secure email accreditation process
Implement an already compliant service
NHSmail
Meet the organisation requirements of the standard by following the steps below.
- Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and / or the security of the services or the systems used to provide the services.
- Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
- Health and care organisations SHOULD comply with the provisions of SCCI0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
- Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems, such as those used by patients.
To migrate all email users to NHSmail follow the migration guidance on our Portal help pages.
Microsoft Office 365 (O365): Secure email configuration guide
Meet the organisation requirements of the standard by following the steps below.
- Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and / or the security of the services or the systems used to provide the services.
- Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
- Health and care organisations SHOULD comply with the provisions of SCCI0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems
- Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems, such as those used by patients.
Microsoft Office 365 (O365) accreditations must include confirmation that the email service has been configured to securely communicate with NHSmail. The below guide has been co-produced with Microsoft, and enables instances of O365 to be enabled to securely route emails to and from NHSmail.
Microsoft Office 365: Secure email configuration guide
Advise the NHSmail team of the *.secure.nhs.uk email domains you intend to run on the service, so they can get the domains approved for release by the Domain Name Service (DNS) team.
Since these services already conform to the secure email standard, organisations that fully implement these services for all staff are not required to complete the IT supplier section of the secure accreditation paperwork to demonstrate their compliance.
Exchange, hybrid or other email services
In addition to completing the organisation section of the standard, those hosting their own email services must submit assertions and evidence that they meet the ICT Service Provider elements of the standard. These will be reviewed by the NHS Digital Data Security Centre.
Secure email accreditation process
The steps below illustrate the end to end accreditation process:
- Submission of a signed self-accreditation statement, with evidence
- Evidence checked by the Security and NHSmail team
- Rectification of findings and re-submission to NHSmail team
- DCB1596 met
Secure email accreditation templates
The templates to accredit your email service to the secure email standard are listed below, and should be returned with the required evidence to feedback@nhs.net.
DCB1596 Microsoft Office 365 Conformance Template
DCB1596 Self Accreditation Conformance Template
DCB1596 ICT Service Provider Template
Note: In the 'Health and Care Organisation' section of the templates, please provide the name and date of the policy or document covering each requirement and ensure the requisite approvals are in place.
Conformance statements
The statements below confirm how NHSmail and Microsoft Office 365 meet their email security obligations:
ISB 1596 conformance statement for NHSmail
ISB 1596 conformance statement for Microsoft Office 365
When suppliers and organisations meet the published standard, they are listed here. The conformance table below confirms how organisations meet their security obligations (arranged A-Z):
| Organisation name | Date accredited | Accreditation type | Conformance statement |
|---|---|---|---|
|
BMI Healthcare |
13 December 2016 |
Exchange |
|
|
Bradford District Care NHS Foundation Trust |
28 February 2018 |
Office 365 |
DCB1596 Conformance Statement for Bradford District Care NHS Foundation Trust |
|
Earl Mountbatten Hospice |
19 January 2018 |
Office 365 |
|
|
Egton Medical Information Systems Ltd |
20 October 2017 |
Office 365 |
SCCI1596 Conformance Statement: Egton Medical Information Systems Ltd (EMIS ) |
|
Health Education England |
19 September 2017 |
Office 365 |
|
|
Kings Fertility Limited |
6 November 2017 |
Office 365 |
|
|
Leicestershire Health Informatics Service |
13 December 2016 |
Exchange |
ISB1596 Conformance Statement: Leicestershire Health Informatics Service (LHIS) |
|
Mid Cheshire Hospital Foundation Trust |
8 August 2017 |
Office 365 |
SCCI1596 Conformance Statement for Mid Cheshire Hospital Foundation Trust [176.98KB] |
|
Norfolk and Norwich University Hospital NHS Foundation Trust |
6 March 2018 |
Office 365 |
DCB1596 Conformance Statement: Norfolk and Norwich University Hospital NHS Foundation Trust |
|
Northumberland Tyne and Wear NHS Foundation Trust |
13 December 2016 |
Exchange |
|
|
Nottingham University Hospitals |
6 December 2017 |
Exchange |
SCCI1596 Conformance Assessment for Nottingham University Hospital NHS Trust |
|
South East Coast Ambulance Service |
10 January 2017 |
Exchange |
ISB1596 Conformance Statement: South East Coast Ambulance Service |
|
South London and Maudsley NHS Foundation Trust |
28 September 2017 |
Office 365 |
SCCI1596 Conformation Statement: South London and Maudsley NHS Foundation Trust |
|
Staffordshire and Shropshire Health Informatics Service |
12 May 2017 |
Exchange |
ISB1596 Conformance Statement for Staffordshire & Shropshire Health Informatics Service |
|
Staffordshire and Stoke on Trent Partnership Trust |
13 December 2016 |
Exchange |
SCCI1596 Conformance Statement: Staffordshire and Stoke on Trent Partnership Trust |
|
Sussex Partnership Foundation Trust |
8 February 2017 |
Exchange |
DCB1596 Conformance Assessment - Sussex Partnership NHS Foundation Trust v1 |
|
Swindon CCG |
20 March 2018 |
Office 365 |
|
|
University Hospital Coventry and Warwickshire |
5 December 2017 |
Exchange |
SCCI1596 Conformance Statement for University Hospital Coventry and Warwickshire v1.1 |
|
University Hospitals Birmingham NHS Foundation Trust |
17 August 2017 |
Exchange |
ISB1596 Conformance Statement for University Hospitals Birmingham NHS Foundation Trust |
|
West Midlands Ambulance Service NHS |
13 December 2016 |
Exchange |
SCCI1596 Conformance Statement for West Midlands Ambulance Service |
Contact
For any further queries regarding the secure email standard please contact feedback@nhs.net, where a response will be received within 5 working days.