STD039 - Health and Social Care Organisation Reference Data

STD076 - Secure email

STD089 - Web Content Accessibility Guidelines (WCAG) 2.1

STD039

Health and Social Care Organisation Reference Data

DAPB0090

1.0

DAPB0090 - Health and Social Care Organisation Reference Data

Data Standard (NHS)

Alpha

STD0039-1

Data Composition

This standard describes and governs reference data about the Organisations that comprise health and social care services, and the Sites they provide services from. This reference data is comprised of a number of core components, listed below:

Dates, Name,. Identifier, Geographic Location, Contacts, Roles, Relationship(s), Succession and Additional Attributes.

Full details of the data and structures is included here Health and Social Care Organisation Reference Data (SCCI0090): Requirements Specification

MUST

STD076

Secure email

DCB1596

1.0

DCB1596 Guidance (NHS Digital)

Guidance

Alpha

TBC

STD0076-1

The Service Provider MUST at all times maintain a secure service, even when the service is unavailable to users.

MUST

STD0076-2

Each Service Provider MUST maintain an Information Security Management System (ISMS) that conforms to ISO/IEC 27001:2013, based on ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls OR the DSPT in the case of H&SC organisations. ISO/IEC 27001:2013 Conformance should be evidenced by appropriate certification by a United Kingdom Accreditation Service (UKAS1) accredited certification organisation.

MUST

STD0076-3

The information security controls contained within the scope, on which the Service Provider’s ISO/IEC 27001:2013 certification OR DSPT return is based, MUST be relevant to the email service. Conformance SHOULD be evidenced by the applicable Statement of Applicability (SoA) or the DSPT return.

MUST

STD0076-4

The Service Provider MUST maintain an Information Security Policy, as part of its ISMS (conforming to ISO/IEC 27001:2013, ISO/IEC 27002:2013 OR DSPT for H&SC) which sets out the security aims and objectives, as well as security measures to be implemented and maintained. The security policy MUST be regularly reviewed and updated by the Service Provider and MUST be endorsed by the Service Provider’s senior management. A copy should be supplied as evidence.

MUST

STD0076-5

Each Service Provider MUST have a suitably scoped independent IT Health Check / penetration test carried out (by a CHECK / Tiger scheme accredited or CREST member organisation) encompassing the email system and any external network interfaces (including perimeter security / access control devices). Conformance SHOULD be evidenced by an ITHC / penetration test report, conducted within the last 12 months, with all identified findings remediated/mitigated, and any residual risks accepted by the Senior Information Risk Owner. All medium or higher risks are expected to be remediated unless there are exceptional reasons not to do so and NHS Digital agree that the residual risk is sufficiently mitigated.

MUST

STD0076-6

The email service MUST provide anti-virus, anti-malware and anti-spam filtering, in addition to commodity content management such as attachment blocking, virus/spam filtering capabilities and data leakage prevention e.g. encrypt protectively marked email destined for the Internet. The service MUST also provide for the management of spoofed email and items that cannot be checked such as S/MIME encrypted, or password protected attachments. The service MUST support DMARC with supporting public DNS entries for SPF set to quarantine with an agreed timeline to implement a blocking policy. All outgoing email MUST be signed with DKIM. The service SHOULD support MTA-STS as well as TLS-RPT. Opportunistic TLS in accordance with National Cyber Security Centre requirements on ciphers and certificates MUST be in place. The commissioner of the email service MUST ensure adequate policies and/or contractual agreements are in place to safeguard this.

MUST

STD0076-7

All OFFICIAL data (particularly patient identifiable and OFFICIAL SENSITIVE) MUST be maintained in accordance with the Information Commissioner’s Office data protection guidance paying particular note to Principle 7 and the guidance on the use of cloud computing.

MUST

STD0076-8

The Service Provider MUST provide tools to ensure that mobile devices are appropriately secured when accessing the email service. This SHOULD include: Functions to allow/deny/quarantine by device type, organisation or groups of users. Remove device, meets password security, and wipe any data associated with the service. Reporting functions/capabilities. Detect and block rooted (i.e. jail broken) devices.

MUST

STD0076-9

The Service Provider SHOULD provide eDiscovery tools to support the administration of the service, especially with respect to the General Data Protection Regulation (EU) 2016/679 (GDPR), Data Protection Act 2018 and Freedom of Information Act 2000.

SHOULD

STD0076-10

The email service MUST comply with the provisions of DCB0129 Clinical Risk Management: it’s Application in the Manufacture of Health IT Systems.

MUST

STD0076-11

Each Service Provider SHOULD comply with the open standards principles.

SHOULD

STD0076-12

Each service provider MUST enable inbound and outbound TLS version 1.2 or better for secure email transport between other secure email services.

MUST

STD0076-13

TLS Ciphers MUST conform with current NCSC guidance.

MUST

STD0089-1

WCAG 2.1

IT suppliers systems:

Web content SHOULD adhere to the four principles that provide the foundation for Web accessibility: perceivable, operable, understandable, and robust as specified in the W3C guidelines Web Content Accessibility Guidelines (WCAG) 2.1

SHOULD

⬅️ National Data Sets

Standards Map

Clinical Scheduling ➡️