Secure Email Requirement Submission

Title: Secure Email Requirement Submission
Document ID: ISB 1596 Amd 34/2012
Director: Mark Reynolds
Status: Final
Owner: Jon Calpin
Version: 1.1
Author: Mark Reynolds
Version Date: 03/12/2012

Open Government Licence 2012
Amendment History:
Version | Date | Amendment History
1.0 | 09/11/2012 | Initial Release
1.1 | 03/12/2012 | Incorporated comments from appraisers.

Approvals:
Name | Title / Responsibility | Date | Version
Chris Wilber | Technical Director | 09/11/2012 | V1.0
James Wood | NHS CFH Head of Information Security | 25/10/2012 | V0.1

Related Documents: These documents will provide additional information.
Ref no | Doc Reference Number | Title | Version
1 | | NHSmail 2 Privacy Impact Assessment | 1.1
2 | | NHSmail 2 Communications and Stakeholder Engagement Strategy | 1.1

Glossary of Terms:
Term | Acronym | Definition
Risk Potential Assessment | RPA |
Information Commissioners Office | ICO |
CESG | CESG | CESG protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia. It is the UK Government's National Technical Authority for Information Assurance (IA).
Contents
1 Summary ... 4
2 Introduction ... 5
2.1 Purpose ... 5
2.2 Mandate ... 5
2.3 Customer Need ... 5
3 Requirements ... 6
3.1 Scope ... 6
3.2 Requirements ... 6
3.3 Related Standards ... 6
4 Supporting Information ... 8
4.1 Value for Money Proposition ... 8
4.2 Evidence of Consultation ... 8
4.3 Implementation Strategy ... 8
4.4 Maintenance Strategy ... 8
4.5 Risks and Issues ... 10
5 Products ... 11
5.1 Provided ... 11
5.2 Not Provided ... 11
1 Summary

Standard
Standard Number: ISB 1596
Title: Secure Email
Type: Operational
Description: This standard defines the minimum non-functional requirements for a secure email service, covering the storage and transmission of email. This is the basic level for the storage and transmission of patient identifiable data by an email system. It excludes security standards for document archives.
Applies to: Health, public health and social care organisations. Email service providers.

Release
Release Number: Amd 34/2012
Title: Initial Standard
Description:
Implementation Completion Date: 30th June 2016
2 Introduction

2.1 Purpose
This standard will establish the minimum requirements for email systems in health and care. The intention is not to impose significant requirements on organisations but instead to establish the minimum acceptable level. An appropriate set of controls / requirements will be created in collaboration with the suppliers, implementers and customers, rather than being dictatorially specified and mandated from the centre. Where possible they will refer to Government and international standards (e.g. ISO 27001). The current and future NHSmail services will either meet or exceed these requirements. They will offer a way of conforming to the standard.

2.2 Mandate
The information standard has sponsorship from:
Role | Name | Job Title
SRO | Dr Simon Eccles | Medical Director, DH Informatics Directorate
Business Sponsor | Bill McAvoy | Transition Director, Patients and Intelligence, NHS Commissioning Board
Technical Sponsor | Alex Abbott | NHS CB Chief Technology Officer

The project brief for the NHSmail 2 project, which includes the development of the information standard, has been approved by the Informatics Directorate Portfolio Board and a portfolio number has been assigned.

2.3 Customer Need
Health and care email is now a rich source of patient/service user information. There is a clear need to ensure that it is held securely and used appropriately. The Power of Information paragraph 3.51 specifies (our bold text):

All e-mail communication about our care must be appropriately secure and protected. Work will continue to improve access to and use of NHSmail within the NHS, and social enterprises and other qualified providers of care services, as part of their commissioning contracts with the NHS, will be given access to a limited number of NHSmail accounts. Similar incentives for social care will be made available that make the process and cost of connecting social care providers, local authorities and other care providers via secure electronic communication easier, cheaper and less bureaucratic.

The standard will ensure that health, public health and adult social care organisations have a recognisable baseline which they can conform to.
3 Requirements

3.1 Scope
The standard will define how email systems used for sensitive data (e.g. patient identifiable data) should manage:
- The information security of the email service.
- Transfer of sensitive information over non-secure channels.
- Accessing information from the Internet or mobile devices.
- Exchange of information outside the controlled boundary of the secure email system:
  o to other email systems compliant with this standard.
  o to other email systems not compliant with this standard.
Care will be taken to ensure that the requirements are tied to specific legal and policy requirements to stop the standard becoming a wish list.

3.2 Requirements
ISB 0086 Information Governance Toolkit has a series of requirements that all health and care organisations must meet, with the information security requirements being particularly applicable. The standard will specify how health and care email systems MUST, SHOULD and MAY conform to these requirements. Of particular note are:
Num | Description
10-300 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation's assessed needs
10-305 | Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
10-308 | All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
10-313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
10-314 | Policy and procedures ensure that mobile computing and teleworking are secure
10-323 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures

The standard will give specifics to each of these requirements for email systems.

3.3 Related Standards
Reference | Title
ISB 0086 | Information Governance Toolkit
ISO/IEC 27001 | Information Security Management Systems
BS ISO/IEC 27002:2005 | IT. Security Techniques. Code of practice for information security management
HMG Impact Assessment Standards |
CIO Council Offshoring Position |
4 Supporting Information

4.1 Value for Money Proposition
This standard is predicated on defining the minimum requirements that any email system must comply with to meet policy and legislation for the security of patient identifiable data. It is therefore a necessary cost. The standard offers value for money by ensuring that email services are not over-engineered due to a lack of clarity on how to meet the Information Governance requirements. Implementation of the standard avoids the costs of not complying, for example Information Commissioner's Office (ICO) fines. The development and issuance of the standard is part of the wider NHSmail 2 investment. The Strategic Outline Case for the investment is expected to have DH Information Directorate approval by the end of November.

4.2 Evidence of Consultation
The requirements of the Information Governance Toolkit are already well known and the underlying standards and good practice guides are in wide use. The standard itself will be published at draft stage for consultation.

4.3 Implementation Strategy
At the full stage an assessment will be made of which health and care organisations already meet the standard. This will inform the implementation approach. Once approved, the standard will be communicated to health and care organisations through the normal information standards routes. Health and care organisations will need to ensure that when they renew their email service they comply with this standard. They can do this by specifying the requirements to their supplier or by moving to NHSmail or NHSmail 2. They can also do this by selecting a supplier from other procurement vehicles, such as the G-Cloud catalogue, that meets or exceeds the standard. Health and care organisations and their IT suppliers shall self-certify to this information standard. This shall normally be through the production of an internal assessment, which then provides evidence to support the wider IG Toolkit submission. Where an international or national standard is referenced (e.g. ISO 27001) the information standard will identify the assurance regime for it. Support shall be offered by the NHSmail 2 project and Technology Office information security team through well-established channels.

4.4 Maintenance Strategy
The standard will be maintained by the NHSmail operations team, who will by approval reside within the Health and Social Care Information Centre. The standard will be reviewed in accordance with the normal information standards review cycle and updated if the underlying policy and legislative drivers for securing information, the ISO standards or best practice in securing systems change.
4.5 Risks and Issues
# | Risk | Mitigation
41 | Business Impact Levels: The Government uses (Business) Impact Levels for its security, but these are not well understood by the NHS. NHS requirements seem to fall between IL2 and IL3 but with no clear standard. This needs to be resolved. | This standard will define the security controls for health and care, eliminating this risk.
12 | Offshoring Policy: Offshoring policy used to mandate that data could only be secured within England. The policy was recently changed but not communicated widely. | Refer to and clarify offshoring policy in the standard.
6 | IL3 Requirement: As a result of the requirement for an IL3 platform (high IG security levels), there is a risk that the number of companies able to tender for the contract is restricted, leading to the requirements not being met in a cost-effective manner. | IL assessment being done by the NHSmail project.
45 | Changes to ISB: Changes to the ISB process as a result of informatics transition result in delays to the information standard or rework. | Monitor together with ISB. The standard is not on the project critical path.
(Numbering is taken from the NHSmail 2 project risk log.)
5 Products

5.1 Provided
Product | Title
Requirements |
Value for money proposition |
Privacy impact assessment | NHSmail 2 Privacy Impact Assessment v1.1
Communication strategy | NHSmail Communications and Stakeholder Engagement Strategy v1.0
Evidence of consultation |
Implementation strategy |
Maintenance strategy |
Glossary of Terms |
Issues log / Risk register |

5.2 Not Provided
Product | Justification for Absence
Safety case | The safety case has been deferred until the Draft stage so that it can apply to the draft standard, not the requirements.