Secure Email Standard
Introduction for Health and Social
Care Organisations
09 June 2014
Clive Star
Background
• Developed to support the secure exchange of sensitive information between Health and Social Care Organisations using secure email services
• Builds on the Information Governance Toolkit organisations already complete, with some additional enhancements on a few of the individual baseline controls
• Developed with the potential to step up to meet Public Sector accreditation requirements
Scope
• Applies to health, public health and social care organisations in England
• Under the 2012 Health Act, organisations must have “due regard” for the standard
• The standard covers email services for personal and sensitive data only
The Specification
• The Secure email standard is available at:
http://www.isb.nhs.uk/documents/isb-1596/amd-34-2012
• Contains:
– The Information Standards Notice
– The Specification
– The Baseline Control Set
Principles
• Aligned to ISO 27001
• Independent accreditation
• Supports insourced and outsourced systems
• Organisation compliance
• System/Service provider compliance
• Clinical safety approval for the email service
• Organisations with Public Sector (HMG) certification do not need to accredit to this standard as well
Health & Care Conformance
• Evidence of a security risk assessment for the email service, i.e. to consider whether it contains personal and sensitive data or not
• One of either the Information Governance Toolkit (IGT) / Public Services Network (PSN) Code of Connection, or an Information Security Management System (ISMS) conforming to ISO 27001
• Published policies and procedures for the use of secure email using mobile devices
• Evidence provided by the email service provider that they have met this standard
• Clinical safety approval for the email service
• Published policies for the use of email with insecure systems
Interoperability - How it will work
• Secure email will communicate via the Government Secure Intranet (GSi) / PSN infrastructure
• All email services will need to conform to pan-government standards
• The HSCIC will create and administer 3 domains:
– @orgname.nhs.net / @nhs.net – NHSmail
– @orgname.secure.nhs.uk – Secure NHS systems
– TBC – Secure care systems
IT Services that meet the Standard
• Health and Social Care using
– .nhs.net - NHSmail
• Local Government / Social Services
– .gcsx.gov.uk
• Central Government
– .gsi.gov.uk, .gse.gov.uk, .gsx.gov.uk
• Criminal and Justice
– .cjsm.net, .scn.gov.uk, .pnn.police.uk
• Military
– .mod.uk
http://systems.hscic.gov.uk/nhsmail/secure
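As an added illustration, not part of this presentation or of the standard itself: a recipient check that flags addresses whose domain does not fall under one of the secure domains listed above, matching on label boundaries so that a look-alike domain such as `nhs.net.example.com` does not pass. The domain list is copied from the slide (2014) purely for demonstration and is an assumption, not an authoritative register of accredited services.

```python
from typing import List, Optional

# Domain suffixes taken from the slide (2014); an illustrative list, not an
# authoritative register. Subdomains such as @orgname.nhs.net are covered by
# the boundary-aware suffix match below.
SECURE_DOMAIN_SUFFIXES = (
    "nhs.net",                                  # NHSmail
    "secure.nhs.uk",                            # Secure NHS systems
    "gcsx.gov.uk",                              # Local Government / Social Services
    "gsi.gov.uk", "gse.gov.uk", "gsx.gov.uk",   # Central Government
    "cjsm.net", "scn.gov.uk", "pnn.police.uk",  # Criminal and Justice
    "mod.uk",                                   # Military
)


def recipient_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of a single address, or None if malformed."""
    addr = address.strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain or domain.startswith(".") or domain.endswith("."):
        return None
    return domain.lower()


def is_secure_domain(domain: str) -> bool:
    """True if domain equals, or is a subdomain of, a listed secure domain.
    The suffix is only accepted on a dot boundary: 'trust.nhs.net' passes,
    while 'evilnhs.net' and 'nhs.net.example.com' do not."""
    return any(domain == s or domain.endswith("." + s) for s in SECURE_DOMAIN_SUFFIXES)


def insecure_recipients(recipients: List[str]) -> List[str]:
    """Return recipients that are malformed or not on a secure domain. A gateway
    policy for personal/sensitive data could warn or block on a non-empty result."""
    flagged = []
    for r in recipients:
        d = recipient_domain(r)
        if d is None or not is_secure_domain(d):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    # Constructed sample recipients for demonstration only.
    sample = ["clinician@trust.nhs.net", "team@orgname.secure.nhs.uk",
              "gp@nhs.net.example.com", "user@evilnhs.net", "bad@", "friend@example.org"]
    print(insecure_recipients(sample))
```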
Next Steps
• Determine if your email service contains personal or sensitive data
• Register with [email protected] so we can include you in future targeted updates
• Seek evidence of conformance to health and care requirements
• Ensure the email service conforms to the supplier aspects of the standard. If you host your own email, you are the supplier
• Self-certify conformance. Good practice is to publish this, as with NHSmail: (http://systems.hscic.gov.uk/nhsmail/emailstandards).