STD043 - Identity Verification and Authentication Standard for Digital Health and Care Services

STD001 - Accessible Information

STD089 - Web Content Accessibility Guidelines (WCAG) 2.1

STD095 - vCard

STD076 - Secure Email

ID

STD043

Name

Identity Verification and Authentication Standard for Digital Health and Care Services

External ID

DCB3051

Version

0.1

Link to standard

https://digital.nhs.uk/data-and-information/information-standards/information-standards-and-data-collections-including-extractions/publications-and-notifications/standards-and-collections/dcb3051-identity-verification-and-authentication-standard-for-digital-health-and-care-services

Standard Type

Mapped Standard

Status

Alpha

Effective Date

 

Description

This standard provides a consistent approach to identity across digital health and care services. It describes why and how a person should prove their identity to access digital health and care services, for example their GP practice, their local hospital, and their social care provider.

The standards and principles defined in this document are intended to enable co-ordination of effort and to avoid duplication of effort.

Elements considered by this standard include:

  • identity verification

  • identity authentication

  • clinical authorisation

  • typical example transactions

Applicability

Any NHS or non-NHS provider, organisation, company, or authority that provides identity services for individuals accessing online digital health or care services must adhere to this standard.

Requirements 

Requirement ID

Requirement Text

Level

STD043-1

DCB3051

A Supplier system MUST adhere to the Identity Verification and Authentication standard

MUST

 

ID

STD001

Name

Accessible Information

External ID

DCB1605

Version

0.1

Link to standard

Accessible Information

Standard Type

Mapped Standard

Status

Alpha

Effective Date

 

Description

This information standard aims to make sure that people who have a disability, impairment or sensory loss get appropriate information and communication support from NHS and adult social care services.

Applicability

The standard applies to service providers across the NHS and adult social care system, and effective implementation will require such organisations to make changes to policy, procedure, human behaviour and, where applicable, electronic systems. Commissioners of NHS and publicly funded adult social care must also have regard to this standard, in so much as they must ensure that contracts, frameworks and performance management arrangements with provider bodies enable and promote the standard's requirements.

It is also applicable to:

  • NHS and adult social care bodies, including (but not limited to) NHS Trusts, NHS Foundation Trusts and local authorities.

  • Providers of publicly funded health and adult social care including (but not limited to) independent contractors and providers from the private and voluntary sectors.

  • Suppliers of IT systems, software and hardware to health and adult social care organisations and providers.

Requirements 

These requirements are taken from the Standards specification, and are extracts specifically chosen, which pertain to systems and electronic recording of information and data items. This is not a complete picture for guidance purposes, and suppliers are advised to avail themselves of the full specification and guidance.

The full specification can be viewed here: DCB1605: Accessible Information - Specification

Requirement ID

Requirement Text

Level

STD001-1

Trust contracts for patient / service user record and administration systems MUST include the requirement that the system adheres to the Accessible Information Standard.

MUST

STD001-2

Suppliers' systems SHOULD enable revision / amendment of records made about individuals’ information and communication support needs and, where possible, include prompts for review at appropriate points.

SHOULD

STD001-3

Where Suppliers' online systems enable patients or service users to access their own records, there SHOULD be evidence that individuals have viewed and / or contributed to their records with regard to information and communication needs.

SHOULD

STD001-4

Suppliers' Electronic patient, or service user administration and record systems, SHOULD automatically identify a recorded need for information or correspondence in an alternative format and / or communication support, and flag, prompt or otherwise make this highly visible to staff whenever the record is accessed.

SHOULD

STD001-5

Suppliers' electronic patient or service user administration and record systems SHOULD automatically identify relevant recorded needs and either automatically generate correspondence or information in an alternative format, or enable staff to manually generate correspondence in an alternative format upon receipt of an alert.

SHOULD

STD001-5

Suppliers' systems used for the recording of individuals’ information and communication needs SHOULD be designed and built with consideration for the clinical safety risks identified in the Clinical Safety Case published alongside this Specification.

SHOULD

STD001-6

Suppliers' systems MUST enable recording of all of the data items or categories associated with the subsets defined by the Accessible Information Standard, in their specified format. Local systems MAY hold more information than is required by the Accessible Information Standard.

MUST

STD001-7

Suppliers' systems SHOULD alert users – in line with other review reminders – when none of the data items / categories in any one of the subsets associated with the Standard has been selected.

SHOULD

STD001-8

Suppliers' systems SHOULD support edit checking / quality assurance of data recorded about individuals’ information and communication needs. This MAY include generating an alert or preventing users from populating mutually incompatible data fields (in line with best practice).

SHOULD

STD001-9

The Suppliers' systems MUST allow for changes to the data items associated with the Standard over time, including following release of new or amended SNOMED CT, Read v2 or CTV3 codes (where used by relevant systems), and enabling any locally defined additional information to be captured.

MUST

STD001-10

The Suppliers' systems MUST include functionality to notify staff involved – or to be involved in the near future – in the administration or care of patients or service users of their communication and information needs (and where appropriate the needs of patients’ or service users’ parents or carers).

MUST

STD001-11

The Supplier's system MUST automatically identify a recorded need for information or correspondence in an alternative format and / or communication support, and flag, prompt or otherwise make this highly visible to staff whenever the record is accessed.

MUST

STD001-12

Where Suppliers' systems automatically generate correspondence, the system MUST automatically identify a recorded need for information or correspondence in an alternative format and in response:

  • Automatically generate correspondence or information in an alternative format (preferred); OR

  • Enable staff to manually generate correspondence in an alternative format (upon receipt of an alert); AND

  • Not produce the standard printed output for sending to the individual

MUST

STD001-13

Where Suppliers' systems automatically generate correspondence, the system SHOULD automatically identify a recorded need for information or correspondence in an alternative format and in response does not produce the standard printed output for sending to the individual, and alerts staff accordingly.

SHOULD

STD001-14

The Supplier's system MUST enable records made about individuals’ information and communication support needs to be revised / amended.

MUST

STD001-15

The Supplier's system SHOULD prompt for a review of data recorded about individuals’ information and communication needs alongside and concurrent with review of data held in other demographic fields.

SHOULD

STD001-16

The Suppliers' systems SHOULD enable recording of all of the data items or categories associated with the subsets defined by the Accessible Information Standard in their specified format.

SHOULD

STD001-17

Suppliers' systems SHOULD alert users – in line with other review reminders – when none of the data items or categories in any one of the subsets associated with the Standard has been selected.

SHOULD

STD001-18

Suppliers' systems SHOULD support edit checking / quality assurance of data recorded about individuals’ information and communication needs.

SHOULD

STD001-19

The Suppliers' systems SHOULD generate an alert or prevent or discourage users from populating mutually incompatible data fields when recording individuals’ information and communication needs (in line with best practice).

SHOULD

STD001-20

The Suppliers' system SHOULD allow for records made about individuals’ information and communication support needs to be revised or amended.

SHOULD

STD001-21

The Suppliers' system SHOULD prompt for a review of data held about individuals’ information and communication needs alongside and concurrent with review of data held in other demographic fields.

SHOULD

ID

STD089

External ID

Web Content Accessibility Guidelines (WCAG) 2.1

Version

0.1

Link to standard

https://www.w3.org/TR/WCAG21/

Standard Type

Guidance

Status

Alpha

Effective Date

TBC

Description

Web Content Accessibility Guidelines (WCAG) 2.1 defines how to make Web content more accessible to people with disabilities. Accessibility involves a wide range of disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities. Although these guidelines cover a wide range of issues, they are not able to address the needs of people with all types, degrees, and combinations of disability. These guidelines also make Web content more usable by older individuals with changing abilities due to aging and often improve usability for users in general.

 

Applicability

This standard applies to all healthcare settings in England and to any patients / users of systems with Web based content.

Requirements 

Requirement ID

Requirement Text

Level

STD0089-1

WCAG 2.1

Web content MUST adhere to the four principles that provide the foundation for Web accessibility: perceivable, operable, understandable, and robust

MUST

ID

STD095

External ID

vCard

Version

0.1

Link to standard

RFC 6350 - vCard Format Specification (ietf.org)

Standard Type

Data Standard (External)

Status

Alpha

Effective Date

TBC

Description

vCard (Virtual Contact File) is a data format for representing and exchanging a variety of information about individuals and other entities (e.g., formatted and structured name and delivery addresses, email address, multiple telephone numbers, photograph, logo, audio clips, etc.).

Applicability

This standard applies to all healthcare settings in England where contact information is to be passed between systems.

Requirements 

Requirement ID

Requirement Text

Level

STD0095-1

vCard

Supplier systems MUST adhere to the vCard standard when passing contact information between systems.

MUST

ID

STD076

External ID

DCB1596 Secure email

Version

0.1

Link to standard

DCB1596 Guidance (NHS Digital)

Standard Type

Guidance

Status

Alpha

Effective Date

TBC

Description

This information standard defines the minimum non-functional requirements for a secure email service, covering the storage and transmission of email, including where email is used for the sharing of patient identifiable data. The standard includes:

  • the information security of the email service

  • transfer of sensitive information over insecure email

  • access from the Internet or mobile devices

  • exchange of information outside the boundaries of the secure standard.

 

Applicability

This information standard applies to all H&SC organisations:

  • public, private and third sector organisations commissioned in delivering publicly funded health, public health and adult social care (Children's Social Care falls under the remit of the Department for Education)

  • commissioned Email service providers (any commissioned supplier providing email services within health and care)

  • commissioners of health and care within England.

Requirements 

Requirement ID

Requirement Text

Level

STD0076-1

The service Supplier MUST at all times maintain a secure service, even when the service is unavailable to users.

MUST

STD0076-2

Each Supplier MUST maintain an Information Security Management System (ISMS) that conforms to ISO/IEC 27001:2013, based on ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls, OR the DSPT in the case of H&SC organisations. ISO/IEC 27001:2013 conformance should be evidenced by appropriate certification by a United Kingdom Accreditation Service (UKAS) accredited certification organisation.

MUST

STD0076-3

The information security controls contained within the scope, on which the Service Provider’s ISO/IEC 27001:2013 certification OR DSPT return is based, MUST be relevant to the email service. Conformance SHOULD be evidenced by the applicable Statement of Applicability (SoA) or the DSPT return.

MUST

STD0076-4

The service Supplier MUST maintain an Information Security Policy, as part of its ISMS (conforming to ISO/IEC 27001:2013, ISO/IEC 27002:2013 OR DSPT for H&SC) which sets out the security aims and objectives, as well as security measures to be implemented and maintained. The security policy MUST be regularly reviewed and updated by the Service Provider and MUST be endorsed by the Service Provider’s senior management. A copy should be supplied as evidence.

MUST

STD0076-5

Each service Supplier MUST have a suitably scoped independent IT Health Check / penetration test carried out (by a CHECK / Tiger scheme accredited or CREST member organisation) encompassing the email system and any external network interfaces (including perimeter security / access control devices). Conformance SHOULD be evidenced by an ITHC / penetration test report, conducted within the last 12 months, with all identified findings remediated/mitigated, and any residual risks accepted by the Senior Information Risk Owner. All medium or higher risks are expected to be remediated unless there are exceptional reasons not to do so and NHS Digital agree that the residual risk is sufficiently mitigated.

MUST

STD0076-6

The service Supplier MUST ensure the email service provides anti-virus, anti-malware and anti-spam filtering, in addition to commodity content management such as attachment blocking, virus/spam filtering capabilities and data leakage prevention e.g., encrypt protectively marked email destined for the Internet. The service MUST also provide for the management of spoofed email and items that cannot be checked such as S/MIME encrypted, or password protected attachments. The service MUST support DMARC with supporting public DNS entries for SPF set to quarantine with an agreed timeline to implement a blocking policy. All outgoing email MUST be signed with DKIM. The service SHOULD support MTA-STS as well as TLS-RPT. Opportunistic TLS in accordance with National Cyber Security Centre requirements on ciphers and certificates MUST be in place. The commissioner of the email service MUST ensure adequate policies and/or contractual agreements are in place to safeguard this.

MUST

STD0076-7

All OFFICIAL data (particularly patient identifiable and OFFICIAL SENSITIVE) MUST be maintained in accordance with the Information Commissioner’s Office data protection guidance paying particular note to Principle 7 and the guidance on the use of cloud computing.

MUST

STD0076-8

The service Supplier MUST provide tools to ensure that mobile devices are appropriately secured when accessing the email service. This SHOULD include functions to:

  • allow/deny/quarantine by device type, organisation or groups of users

  • remove a device, enforce password security, and wipe any data associated with the service

  • provide reporting functions/capabilities

  • detect and block rooted (i.e., jailbroken) devices.

MUST

STD0076-9

The service Supplier SHOULD provide eDiscovery tools to support the administration of the service, especially with respect to the General Data Protection Regulation (EU) 2016/679 (GDPR), Data Protection Act 2018 and Freedom of Information Act 2000.

SHOULD

STD0076-10

The email service MUST comply with the provisions of DCB0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

MUST

STD0076-11

Each service Supplier SHOULD comply with the open standards principles.

SHOULD

STD0076-12

Each service Supplier MUST enable inbound and outbound TLS version 1.2 or better for secure email transport to and from other secure email services.

MUST

STD0076-13

Service suppliers MUST ensure that TLS Ciphers conform with current NCSC guidance.

MUST
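As an added example (not part of DCB1596 or of this register), a read-only check of the public DNS records that STD0076-6 expects a secure email service to publish: an SPF record, a DMARC policy at quarantine or stronger, a published DKIM selector key, and MTA-STS and TLS-RPT records. The domain, the selector name and the TXT records are constructed sample data; no DNS lookups are made, and the DKIM signing of outbound mail and the TLS 1.2+ transport of STD0076-12/13 are not visible in DNS and are not checked.

```python
import re

DOMAIN = "example-trust.nhs.test"  # hypothetical sending domain (constructed)
DKIM_SELECTOR = "mail2024"         # assumed DKIM selector name (constructed)

# Constructed TXT answers keyed by owner name, as a resolver would return them.
SAMPLE_TXT = {
    DOMAIN: ["v=spf1 include:_spf.provider.test -all"],
    f"_dmarc.{DOMAIN}": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@" + DOMAIN],
    f"{DKIM_SELECTOR}._domainkey.{DOMAIN}": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    f"_mta-sts.{DOMAIN}": ["v=STSv1; id=20240101T000000"],
    f"_smtp._tls.{DOMAIN}": ["v=TLSRPTv1; rua=mailto:tlsrpt@" + DOMAIN],
}


def tags(record):
    """Parse a 'k=v; k=v' style record (DMARC, DKIM, MTA-STS, TLS-RPT) into a dict."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def first(txt, name, prefix):
    """Return the first TXT record at `name` that starts with `prefix`, or None."""
    return next((r for r in txt.get(name, []) if r.startswith(prefix)), None)


def assess_records(domain, txt, selector=DKIM_SELECTOR):
    """Return {check: (passed, detail)} for each DNS-visible item of STD0076-6."""
    spf = first(txt, domain, "v=spf1")
    dmarc = first(txt, f"_dmarc.{domain}", "v=DMARC1")
    dkim = first(txt, f"{selector}._domainkey.{domain}", "v=DKIM1")
    sts = first(txt, f"_mta-sts.{domain}", "v=STSv1")
    tlsrpt = first(txt, f"_smtp._tls.{domain}", "v=TLSRPTv1")
    policy = tags(dmarc).get("p", "none") if dmarc else "missing"
    return {
        # SPF must exist and end in a fail/softfail qualifier, never '+all'.
        "spf": (bool(spf and re.search(r"\s[-~]all$", spf)), spf or "no v=spf1 record"),
        # The standard asks for quarantine now, with a timeline to a blocking (reject) policy.
        "dmarc": (policy in ("quarantine", "reject"), f"p={policy}"),
        # A DKIM record with an empty p= tag means the key has been revoked.
        "dkim_key": (bool(dkim and tags(dkim).get("p")), f"selector {selector}"),
        "mta_sts": (sts is not None, sts or "no _mta-sts record"),
        "tls_rpt": (tlsrpt is not None, tlsrpt or "no _smtp._tls record"),
    }


def compliant(results):
    """True only when every DNS-visible check has passed."""
    return all(ok for ok, _ in results.values())
```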
