The Secure Email Standard


The NHS have updated their ‘secure email standard’ which other organisations are expected to follow.

First published in 2016, the minimum standards for email security are designed to protect NHS staff and systems against supply-chain attacks caused by weaknesses in the cyber security of third parties.

The standard anticipates that one of the biggest risks to the NHS originates with the rest of us: outside organisations, who need to be trusted not to put the health service in danger via email compromise.

There are two ways to meet the NHS secure email standard:

1. Implement an existing compliant service such as NHSmail, Microsoft 365 or Google Workspace [and follow configuration guidelines for that service.]

2. Demonstrate your own [email] service is compliant with the secure email standard by following the NHS secure email accreditation process.

For those using the biggest platforms (NHSmail, Microsoft 365 or Google Workspace), the to-do list of requirements is simpler and includes steps such as ensuring there is a process for notifying the NHS if you have been breached, policies and procedures for using mobile devices, risk assessment, documented policies and universal use of the service within the organisation.

There are also a set of specific configuration settings which the NHS has documented for Microsoft 365 and Google Workspace, which you can learn more about here.

For organisations operating their own mail servers or other email systems, the requirements are more extensive, and require the organisation to manually achieve DCB1596 certification with documented evidence that their setup meets the NHS Secure Email Standard. This applies to organisations hosting their own Exchange, hybrid configurations, and other lesser-known business email platforms.


For cyber security assistance and support, please contact our team today.