[Archived] Community Standards Implementation - Patient Communication

This page has been superseded and archived.

ID

STD039

Name

Health and Social Care Organisation Reference Data

External ID

DAPB0090

Version

1.0

Link to standard

DAPB0090 - Health and Social Care Organisation Reference Data

Standard Type

Data Standard (NHS)

Status

Alpha

Effective Date

 

Description

This information standard provides reference data about the Organisations that comprise the health and social care services, including non-direct-care Organisations, primarily in England but also in other UK-constituent countries. The data is distributed and uploaded to health IT systems. It supports user security, access control, and messaging and is used as reference data for both operations and reporting.

Applicability

All end-users of Organisation Reference Data, including but not limited to: NHS Trusts, primary care and commissioning organisations, independent sector healthcare organisations, healthcare organisations in other UK-constituent countries, suppliers of systems, SUS/NTS and data set owners, social care, arm's-length bodies, government departments and non-departmental public bodies, executive agencies, inspectorates, health and social care educational establishments, professional bodies, etc.

Requirements 

Requirement ID

Requirement Text

Level

STD0039-1

Data Composition

This standard describes and governs reference data about the Organisations that comprise health and social care services, and the Sites they provide services from. The reference data comprises a number of core components, listed below:

Dates, Name, Identifier, Geographic Location, Contacts, Roles, Relationship(s), Succession and Additional Attributes.

Full details of the data and its structures are included in Health and Social Care Organisation Reference Data (SCCI0090): Requirements Specification

MUST

 

 

ID

STD076

Name

Secure email

External ID

DCB1596

Version

1.0

Link to standard

DCB1596 Guidance (NHS Digital)

Standard Type

Guidance

Status

Alpha

Effective Date

TBC

Description

This information standard defines the minimum non-functional requirements for a secure email service, covering the storage and transmission of email, including where email is used for the sharing of patient identifiable data. The standard includes:

  • the information security of the email service

  • transfer of sensitive information over insecure email

  • access from the Internet or mobile devices

  • exchange of information outside the boundaries of the secure standard.

 

Applicability

This information standard applies to all H&SC organisations:

  • public, private and third sector organisations commissioned in delivering publicly funded health, public health and adult social care (Children's Social Care falls under the remit of the Department for Education)

  • commissioned Email service providers (any commissioned supplier providing email services within health and care)

  • commissioners of health and care within England.

Requirements 

Requirement ID

Requirement Text

Level

STD0076-1

The Service Provider MUST at all times maintain a secure service, even when the service is unavailable to users.

MUST

STD0076-2

Each Service Provider MUST maintain an Information Security Management System (ISMS) that conforms to ISO/IEC 27001:2013, based on ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls, OR the DSPT in the case of H&SC organisations. ISO/IEC 27001:2013 conformance should be evidenced by appropriate certification by a United Kingdom Accreditation Service (UKAS) accredited certification organisation.

MUST

STD0076-3

The information security controls contained within the scope, on which the Service Provider’s ISO/IEC 27001:2013 certification OR DSPT return is based, MUST be relevant to the email service. Conformance SHOULD be evidenced by the applicable Statement of Applicability (SoA) or the DSPT return.

MUST

STD0076-4

The Service Provider MUST maintain an Information Security Policy, as part of its ISMS (conforming to ISO/IEC 27001:2013, ISO/IEC 27002:2013 OR DSPT for H&SC) which sets out the security aims and objectives, as well as security measures to be implemented and maintained. The security policy MUST be regularly reviewed and updated by the Service Provider and MUST be endorsed by the Service Provider’s senior management. A copy should be supplied as evidence.

MUST

STD0076-5

Each Service Provider MUST have a suitably scoped independent IT Health Check / penetration test carried out (by a CHECK / Tiger scheme accredited or CREST member organisation) encompassing the email system and any external network interfaces (including perimeter security / access control devices). Conformance SHOULD be evidenced by an ITHC / penetration test report, conducted within the last 12 months, with all identified findings remediated/mitigated, and any residual risks accepted by the Senior Information Risk Owner. All medium or higher risks are expected to be remediated unless there are exceptional reasons not to do so and NHS Digital agree that the residual risk is sufficiently mitigated.

MUST

STD0076-6

The email service MUST provide anti-virus, anti-malware and anti-spam filtering, in addition to commodity content management such as attachment blocking, virus/spam filtering and data leakage prevention (e.g. encrypting protectively marked email destined for the Internet). The service MUST also provide for the management of spoofed email and of items that cannot be inspected, such as S/MIME-encrypted messages or password-protected attachments. The service MUST support DMARC, with the supporting public DNS records for SPF published and the DMARC policy set to quarantine, with an agreed timeline to move to a blocking (reject) policy. All outgoing email MUST be signed with DKIM. The service SHOULD support MTA-STS as well as TLS-RPT. Opportunistic TLS, using ciphers and certificates that meet National Cyber Security Centre requirements, MUST be in place. The commissioner of the email service MUST ensure adequate policies and/or contractual agreements are in place to safeguard this.

MUST
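
The DNS-published controls that STD0076-6 names (SPF, a DMARC policy at quarantine moving to reject, DKIM, MTA-STS and TLS-RPT) can be checked mechanically. The following is an added example, not code from the standard or from NHS Digital: an offline checker that applies those tests to TXT record contents. The domains good.example and weak.example, the records published under them and the DKIM selector "mail" are constructed samples. In use, SAMPLE_DNS would be replaced by live lookups (for example dnspython's dns.resolver.resolve(name, "TXT")), and the MTA-STS policy file itself must be fetched over HTTPS, which this example does not do.

```python
"""Offline checker for the email-authentication posture STD0076-6 asks for.
Added example; all records below are constructed, not those of any real domain."""

# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_DNS = {
    # A hypothetical well-configured domain.
    "good.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@good.example"],
    "mail._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsamplekey"],
    "_mta-sts.good.example": ["v=STSv1; id=20240601T120000"],
    "_smtp._tls.good.example": ["v=TLSRPTv1; rua=mailto:tls-rua@good.example"],
    # A hypothetical domain that only monitors: neutral SPF, DMARC p=none, no DKIM key.
    "weak.example": ["v=spf1 include:_spf.mailhost.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict (DMARC, DKIM, MTA-STS and TLS-RPT all use this form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(dns, name):
    return dns.get(name.lower(), [])


def check_spf(dns, domain):
    spf = [r for r in lookup(dns, domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Two SPF records make receivers return permerror, which is as bad as none.
        return False, f"{len(spf)} SPF records found (exactly one required)"
    terminal = spf[0].split()[-1].lower()
    if terminal in ("-all", "~all"):
        return True, f"terminal mechanism {terminal}"
    return False, f"terminal mechanism {terminal!r} does not fail or softfail unlisted senders"


def check_dmarc(dns, domain):
    recs = [r for r in lookup(dns, f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return False, f"{len(recs)} DMARC records found"
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'} is monitoring only (need quarantine now, reject on the agreed timeline)"
    if "rua" not in tags:
        return False, f"p={policy} but no rua= aggregate reporting address"
    return True, f"p={policy}, aggregate reports to {tags['rua']}"


def check_dkim(dns, domain, selectors):
    for selector in selectors:
        recs = lookup(dns, f"{selector}._domainkey.{domain}")
        if not recs:
            return False, f"no DKIM key published for selector {selector}"
        tags = parse_tags(recs[0])
        # v= is optional in DKIM and defaults to DKIM1; an empty p= means a revoked key.
        if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
            return False, f"selector {selector}: revoked key (empty p=) or unsupported version"
    return True, f"keys published for selectors {', '.join(selectors)}"


def check_mta_sts(dns, domain):
    recs = [r for r in lookup(dns, f"_mta-sts.{domain}") if r.lower().startswith("v=stsv1")]
    if len(recs) != 1 or not parse_tags(recs[0]).get("id"):
        return False, "no STSv1 record with an id= tag"
    return True, "policy advertised (fetch https://mta-sts.<domain>/.well-known/mta-sts.txt to confirm mode: enforce)"


def check_tlsrpt(dns, domain):
    recs = [r for r in lookup(dns, f"_smtp._tls.{domain}") if r.lower().startswith("v=tlsrptv1")]
    if len(recs) != 1 or not parse_tags(recs[0]).get("rua"):
        return False, "no TLSRPTv1 record with a rua= address"
    return True, "TLS failure reports requested"


def check_domain(domain, dns, dkim_selectors):
    """Run every check; the level mirrors STD0076-6 (SPF/DMARC/DKIM MUST, MTA-STS/TLS-RPT SHOULD)."""
    checks = {
        "spf": ("MUST", check_spf(dns, domain)),
        "dmarc": ("MUST", check_dmarc(dns, domain)),
        "dkim": ("MUST", check_dkim(dns, domain, dkim_selectors)),
        "mta_sts": ("SHOULD", check_mta_sts(dns, domain)),
        "tlsrpt": ("SHOULD", check_tlsrpt(dns, domain)),
    }
    return {name: {"level": level, "ok": ok, "detail": detail}
            for name, (level, (ok, detail)) in checks.items()}


def must_failures(results):
    """Names of failed MUST-level checks, i.e. outright non-conformances."""
    return sorted(name for name, r in results.items() if r["level"] == "MUST" and not r["ok"])


if __name__ == "__main__":
    for domain in ("good.example", "weak.example"):
        for name, r in check_domain(domain, SAMPLE_DNS, ["mail"]).items():
            print(f"{domain:13} {name:8} {r['level']:6} {'PASS' if r['ok'] else 'FAIL'}  {r['detail']}")
```

A MUST failure is a non-conformance; a SHOULD failure is a gap to schedule. Two details the checker encodes that are easy to miss in a manual review: p=none is a monitoring-only DMARC policy and does not satisfy the requirement, and a domain must publish exactly one SPF record, because two cause receivers to return a permanent error rather than evaluate either.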

STD0076-7

All OFFICIAL data (particularly patient identifiable and OFFICIAL SENSITIVE) MUST be maintained in accordance with the Information Commissioner's Office data protection guidance, paying particular attention to Principle 7 and the guidance on the use of cloud computing.

MUST

STD0076-8

The Service Provider MUST provide tools to ensure that mobile devices are appropriately secured when accessing the email service. This SHOULD include: functions to allow, deny or quarantine by device type, organisation or group of users; removal of a device from the service, enforcement of password security, and wiping of any data associated with the service; reporting functions/capabilities; and detection and blocking of rooted (i.e. jailbroken) devices.

MUST

STD0076-9

The Service Provider SHOULD provide eDiscovery tools to support the administration of the service, especially with respect to the General Data Protection Regulation (EU) 2016/679 (GDPR), Data Protection Act 2018 and Freedom of Information Act 2000.

SHOULD

STD0076-10

The email service MUST comply with the provisions of DCB0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

MUST

STD0076-11

Each Service Provider SHOULD comply with the open standards principles.

SHOULD

STD0076-12

Each Service Provider MUST enable inbound and outbound TLS version 1.2 or better for secure email transport between secure email services.

MUST

STD0076-13

TLS Ciphers MUST conform with current NCSC guidance.

MUST
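
STD0076-12 and STD0076-13 ask for mandatory TLS 1.2 or better between secure email services, while STD0076-6 asks only for opportunistic TLS toward everyone else. The following added example (not code from the standard or from any NHS email service) builds the outbound SMTP client settings for each case with Python's ssl module and shows the delivery decision that follows. SECURE_PEERS is a constructed list of hypothetical accredited peer domains, and CIPHER_STRING is one reasonable forward-secret, AEAD-only selection; the authoritative list is whatever the current NCSC guidance names.

```python
"""Mandatory versus opportunistic TLS for outbound SMTP, as an added example.
SECURE_PEERS and CIPHER_STRING are assumptions for illustration, not values from the standard."""
import ssl

# Constructed list of hypothetical peer domains that are accredited secure email
# services; transport to these must be TLS 1.2+ (STD0076-12) and never cleartext.
SECURE_PEERS = {"secure-peer.example", "another-trust.example"}

# One reasonable selection for STD0076-13: ECDHE key exchange (forward secrecy) with
# AEAD bulk ciphers only. TLS 1.3 suites are chosen separately by OpenSSL and are all AEAD.
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def is_mandatory(peer_domain):
    return peer_domain.lower() in SECURE_PEERS


def build_context(peer_domain):
    """TLS settings for an outbound SMTP STARTTLS session to peer_domain."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # STD0076-12: 1.2 or better
    ctx.set_ciphers(CIPHER_STRING)                    # STD0076-13: restricted suites
    if not is_mandatory(peer_domain):
        # Opportunistic TLS: encrypt when offered, but an untrusted certificate must
        # not block delivery, so hostname and chain verification are switched off.
        # check_hostname has to be cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings that matter for the two requirements."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # Any negotiable suite that is not AEAD would be a cipher-policy failure.
        "non_aead_ciphers": [
            c["name"] for c in ctx.get_ciphers()
            if not any(tag in c["name"] for tag in ("GCM", "CHACHA20", "CCM"))
        ],
    }


def deliver_decision(peer_domain, starttls_offered, handshake_ok):
    """What the sending MTA should do once it knows what the peer offered."""
    if starttls_offered and handshake_ok:
        return "tls"
    if is_mandatory(peer_domain):
        # Secure-to-secure transport never falls back: queue the message and retry.
        return "defer"
    # Opportunistic: absent or failed STARTTLS degrades to cleartext, which is why
    # opportunistic TLS on its own does not resist an active downgrade.
    return "cleartext"


if __name__ == "__main__":
    for peer in ("secure-peer.example", "gp-surgery.example"):
        print(peer, "mandatory" if is_mandatory(peer) else "opportunistic",
              context_summary(build_context(peer)))
        print("  no STARTTLS ->", deliver_decision(peer, False, False))
```

The asymmetry sits in deliver_decision: for an accredited peer a missing or failed STARTTLS defers the message rather than sending it in clear, while for any other peer it falls back to cleartext. That fallback is exactly what an active attacker exploits by stripping the STARTTLS capability from the server greeting, which is why STD0076-6 also asks for MTA-STS and TLS-RPT rather than relying on opportunistic encryption alone.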

 

Health & Care Organisations Requirements

Requirement ID

Requirement Text

Level

1

Either party (Service Provider and customer) MUST notify the other immediately upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.

MUST

2

H&SC organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.

SHOULD

3

H&SC organisations SHOULD comply with the provisions of DCB0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems

SHOULD

4

H&SC organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems, such as those used by patients.

MUST

 

 

ID

STD089

External ID

Web Content Accessibility Guidelines (WCAG) 2.1

Version

1.0

Link to standard

https://www.w3.org/TR/WCAG21/

Standard Type

Guidance

Status

Alpha

Effective Date

TBC

 

Description

Web Content Accessibility Guidelines (WCAG) 2.1 defines how to make Web content more accessible to people with disabilities. Accessibility involves a wide range of disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities. Although these guidelines cover a wide range of issues, they are not able to address the needs of people with all types, degrees, and combinations of disabilities. These guidelines also make Web content more usable by older individuals with changing abilities due to ageing and often improve usability for users in general.

Level AA is the minimum required for public sector websites (see Understanding accessibility requirements for public sector bodies).

Applicability

This standard applies to all healthcare settings in England and to any patients/users of systems with Web-based content.

Requirements 

Requirement ID

Requirement Text

Level

STD0089-1

WCAG 2.1

IT suppliers' systems:

Web content SHOULD adhere to the four principles that provide the foundation for Web accessibility: perceivable, operable, understandable and robust, as specified in the W3C guidelines Web Content Accessibility Guidelines (WCAG) 2.1.

SHOULD
