NHS Secure Email Standard Gap Analysis
Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic
All NHS organisations in the UK have a responsibility to ensure that their email services meet the minimum security requirements mandated by the NHS Secure Email standard.
The NHS Secure Email standard (also referred to as DCB1596) is an information security standard developed by NHS Digital. The standard outlines the minimum security requirements that NHS organisations should have in place in order to operate secure email services, which is especially applicable for organisations which share Patient Identifiable Data (PID).
The NHS Secure Email standard includes requirements around information security, transferring sensitive data over insecure email, Internet or mobile access, and external information exchange.
All NHS organisations need to ensure their email systems comply with these security specifications to protect sensitive information. Compliance involves adhering to the technical requirements and implementation guidance provided in the NHS Secure Email standard in order to ensure secure communications in line with the Health and Social Care Act 2012.
What does the NHS Secure Email standard require?
The NHS Secure Email standard (DCB1596) contains a number of requirements which are designed to protect email communications that may contain sensitive information or Patient Identifiable Data (PID). At a high level, these requirements include the following:
Secure Email Systems
Organisations are required to use email services that meet specific security criteria to handle patient data. These systems must ensure end-to-end encryption and meet guidelines set by the standard. This reduces the chances of sensitive emails being intercepted by an attacker.
Protection of Sensitive Data
Email systems need to protect sensitive information when transferring data. This includes the encryption of emails in-transit and at-rest. Organisations should also ensure that emails are sent only to trusted domains and that the data is adequately safeguarded against unauthorised access or loss.
Authentication and Access Control
Strong authentication methods, such as Multi-Factor Authentication (MFA), should be implemented to ensure that only authorised individuals can access secure email systems. This helps to prevent unauthorised access to sensitive data.
Secure Domains
Organisations must use secure email domains that are verified and certified to meet DCB1596 standards. NHSmail, for example, is an accredited email system for health and social care organisations in the UK. Domains need to be protected from external threats and aligned with the NHS Secure Boundary.
Risk Management and Compliance
Organisations must perform risk assessments and manage potential threats to their email systems. They are also responsible for continuously monitoring compliance with the NHS Secure Email standard (DCB1596), ensuring all necessary protocols are followed and any identified risks are mitigated.
Data Integrity and Audit
NHS Secure Email standard (DCB1596) mandates the integrity of data during email transmission. It requires organisations to implement logging and auditing mechanisms that track the flow of information and detect any suspicious activities.
How can SecureTeam help?
Our experienced consultancy team have worked alongside NHS organisations for over 15 years. During this time, we have gathered in-depth knowledge of NHS Digital standards, conducted penetration testing and technical assurance, and have extensive experience of information security risk management – both in the UK’s National Health Service (NHS) and the wider health and social care sector.
If you’re an NHS organisation that needs to demonstrate that your own email service is compliant with the NHS Secure Email Standard, our NHS Secure Email Gap Analysis is perfectly positioned to help you identify areas in your email service that will need to be secured before embarking on the NHS secure email accreditation process,
Through a comprehensive audit of your organisation’s email systems, we benchmark your organisation’s email service against the requirements of the NHS Secure Email standard (DCB1596). We identify gaps in security protocols, recommend improvements, and create a tailored action plan for your organisation to achieve full compliance.
Policy & Documentation Review
Our experienced consultancy team will start the NHS Secure Email Gap Analysis with a review of all policies and documentation that your organisation uses to control risks and processes associated with secure email communication. If we identify any shortfalls in your current documentation, we’ll include additions and recommendations in your existing policy set to ensure the requirements of DCB1596 are covered. Typical policies that organisation’s could provide during this review include your organisation risk register, policies that cover email hygiene and documentation that covers how personal and clinical data is handled.
Gap Analysis & Risk Management Workshop
A remote Gap Analysis & Risk Management Workshop will be conducted by our consultancy team and will involve key individuals and Subject Matter Experts (SMEs) within your organisation. Throughout this workshop, our consultancy team will detail the requirements of the NHS Secure Email standard (DCB1596) and will discuss how these requirements may currently be met by your organisation.
During the Gap Analysis & Risk Management Workshop, the following topics will be covered:
- An overview of your email infrastructure
- Current risks that relate to email use within the organisation
- Data protection
- Authentication
- Email filtering
- Email encryption
- Anti-spoofing measures
- Email transport security
- Staff training
- Email access using mobile devices
Where appropriate, an evidence-based approach will be taken throughout the workshop(s) to gather technical assurance that the technical requirements of the NHS Secure Email standard are being applied. This approach may include the capturing of screenshots from web-based email services or reviewing settings on workstations or servers that are in use within the organisation.
Technical Review
Once the workshop has been completed, our consultancy team will conduct a technical review of your existing email infrastructure. For the majority of organisations, we can conduct this assessment remotely against your email server. In some cases however, we may need to set up a quick call with your infrastructure team, so that we can gather evidence through screensharing.
During the technical review, the follow controls will be assessed:
- Email Transport Encryption: Review implementation of Transport Layer Security (TLS) v1.2 or later for secure email transmission.
- Anti-spoofing Mechanisms: Ensure Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) are correctly implemented.
- Mobile Access Security: Evaluate email usage policies for mobile devices and ensure policies are aligned with the NHS Secure Email standard (DCB1596).
Preparing for your NHS Secure Email Gap Analysis
- Existing company documentation (in Microsoft Word format) that you feel is relevent to email security. For example, Acceptable Use Policy (AUP), Electronic Communication Policy, Cryptographic Policy, Data Handling Policy & Processes and documentation that relates to the handling and transmission of Patient Identifiable Data (PID).
- Availability of key individuals who are responsible for information governance, data protection and the configuration of your organisation’s email infrastructure to attend the Gap Analysis & Risk Management Workshop.
- The IP Address and Fully Qualified Domain Name (FQDN) of your Internet-facing email service.
Debrief Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
Reporting
At the end of the NHS Secure Email Gap Analysis, we’ll provide you with a comprehensive report which identifies the current compliance level of your organisation’s email service when benchmarked against the NHS Secure Email standard (DCB1596).
An executive summary will be included so that the organisation’s level of compliance with the NHS Secure Email standard can be clearly and concisely communicated to the organisation’s Senior Leadership Team (SLT) and other stakeholders and interested parties.
Where the organisation has failed to meet the one or more requirements of DCB1596, specific improvements will be outlined that the organisation can follow in order to be compliant.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
Our consultancy team can also support your organisation with assistance in implementing missing technical controls and drafting policies & documentation for email security.
When it’s time for your organisation’s DCB1596 Secure Email self-certification, we can support your organisation throughout the submission process – ensuring you have all the information and assurance required by NHS Digital.
Why Choose SecureTeam?
- UK-based Consultancy Team
- Customer Focused
- Security Vetted Consultants
- Ethical Scoping & Pricing
- 25+ Years Industry Experience
- ISO 9001 & 27001 Certified
- CREST Accredited
- Comprehensive Reporting
Ready to take your cyber security to the next level ?
Trusted Cyber Security Experts
As an organisation, SecureTeam has provided penetration testing and cyber security consultancy to public & private sector organisations both in the United Kingdom and worldwide. We pride ourselves in taking a professional, pragmatic and customer-centric approach, delivering expert cyber security consultancy – on time and within budget – regardless of the size of your organisation.
Our customer base ranges from small tech start-ups through to large multi-national organisations across nearly every sector – in nearly every continent. Some of the organisation’s who have trusted SecureTeam as their cyber security partner include:
Customer Testimonials
"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"
IoT Solutions Group Limited
“First class service as ever. We learn something new each year! Thank you to all your team.”
Royal Haskoning DHV
“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”
Capital Asset Management
“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”
Derbyshire County Council
“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”
AMX Solutions
“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”
Innovez LtdGet in touch today
If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.
Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.
We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.
Get in touch with us today and a member of our team will be in touch to provide you with a quotation.
Subscribe to our monthly newsletter
If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter.
We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all our cyber security news and articles that we’ve released that month.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)