Secure Email Standard accreditation update
Published July 2017
We've recently completed a review of the secure email accreditation. Following this review, we've made a number of recommendations on the way the Secure Email Implementation Guidance (SCCI1596) is administered.
We are grateful to the organisations who have contributed to the review - we plan to publish the findings of the report at the end of the summer but here are some of the core themes.
The recommended direction of travel is that the SCCI1596 email standard processes are simplified and that the assurance approach is aligned to the GDS standard (wherever possible) over the next 6-9 months.
To meet the secure email standard, organisations can either:
- Join NHSmail - we have increased capacity so your organisation can join quickly. Contact NHSmail Support if you have any questions on this option.
- Complete a secure email accreditation application.
- Self-accredit an in-house system, which requires detailed assurance evidence and any ISO27001 documentation.
- Migrate to a secure email solution (Microsoft O365 is accredited), and ensure you provide assurance evidence such as clinical safety policies and clinical risk management.
Organisations need to meet the secure email standard as soon as possible
Systems that are not accredited place your organisation at risk of cyber-attack and mean there is a possibility that sensitive data could be sent insecurely.
We have no intention to switch off NHSmail accounts for sites that are transitioning to a secure email system, or those that use NHSmail accounts for clinical or high profile staff and have not yet migrated to a secure in-house email solution.
We do ask that organisations release any NHSmail accounts that are no longer required (e.g. if individuals leave your organisation, or when secure alternative email accounts are in place).
We recognise that meeting the secure email standard for all email exchange is challenging for some organisations. We're happy to help, so please contact the NHSmail team to inform us of your 'secure email standard' position.
We can also provide general advice and guidance, benefits information to support business cases, and address any concerns you have. We would like to update our cyber security colleagues.
We are setting up a range of new user forums and activities to shape the future of NHSmail and the digital collaborative service (seeking a mixed community of users and stakeholders). We are on-boarding a range of new users to NHSmail this year, including all pharmacy sites, optometrists, dentists and the first wave of independent care providers, establishing opportunities for secure collaboration across whole health and care communities.
If you are interested in getting involved with our user forums then contact us at NHSmail support.
In summary, each organisation needs to make a local decision on the balance of risk (cyber-attacks, unsecure email exchange) and the provisions to implement the secure email standard in this context.
NHSmail is ready to welcome new organisations and continues to plan strategically to ensure that our service evolves and improves in line with the needs of our expanding user base.
Last edited: 20 January 2025 9:22 am