[Archived] Standard Implementation - Digital Interaction

This page has been superseded and archived.

ID: STD043
Name: Identity Verification and Authentication Standard for Digital Health and Care Services
External ID: DCB3051
Version: 0.1
Link to standard: DCB3051 Guidance (NHS Digital)
Standard Type: Data Standard (NHS)
Status: Alpha
Effective Date: TBC

Description

This standard provides a consistent approach to identity across digital health and care services. It describes why and how a person should prove their identity to access digital health and care services, for example their GP practice, their local hospital and their social care provider.

The standards and principles defined in this document are intended to enable co-ordination of effort and to avoid duplication of effort.

Elements considered by this standard include:

• identity verification

• identity authentication

• clinical authorisation

• typical example transactions

Applicability

Any NHS or non-NHS provider, organisation, company, or authority that provides identity services for individuals accessing online digital health or care services must adhere to this standard.

Requirements

Requirement ID: STD043-1 (DCB3051)
Requirement Text: IT suppliers' systems MUST adhere to the Identity Verification and Authentication Standard DCB3051 Specification and Implementation Guidance.
Level: MUST

ID: STD076
Name: Secure Email
External ID: DCB1596
Version: 0.1
Link to standard: DCB1596 Guidance (NHS Digital)
Standard Type: Guidance
Status: Alpha
Effective Date: TBC

Description

This information standard defines the minimum non-functional requirements for a secure email service, covering the storage and transmission of email, including where email is used for the sharing of patient identifiable data. The standard includes:

• the information security of the email service

• transfer of sensitive information over insecure email

• access from the Internet or mobile devices

• exchange of information outside the boundaries of the secure standard.

Applicability

This information standard applies to all H&SC organisations:

• public, private and third sector organisations commissioned to deliver publicly funded health, public health and adult social care (Children's Social Care falls under the remit of the Department for Education)

• commissioned email service providers (any commissioned supplier providing email services within health and care)

• commissioners of health and care within England.

Requirements

Requirement ID: STD0076-1
Requirement Text: The Service Provider MUST at all times maintain a secure service, even when the service is unavailable to users.
Level: MUST

Requirement ID: STD0076-2
Requirement Text: Each Service Provider MUST maintain an Information Security Management System (ISMS) that conforms to ISO/IEC 27001:2013, based on ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls, OR the DSPT in the case of H&SC organisations. Conformance with ISO/IEC 27001:2013 should be evidenced by appropriate certification from a United Kingdom Accreditation Service (UKAS) accredited certification organisation.
Level: MUST

Requirement ID: STD0076-3
Requirement Text: The information security controls contained within the scope on which the Service Provider's ISO/IEC 27001:2013 certification OR DSPT return is based MUST be relevant to the email service. Conformance SHOULD be evidenced by the applicable Statement of Applicability (SoA) or the DSPT return.
Level: MUST

Requirement ID: STD0076-4
Requirement Text: The Service Provider MUST maintain an Information Security Policy, as part of its ISMS (conforming to ISO/IEC 27001:2013, ISO/IEC 27002:2013 OR the DSPT for H&SC), which sets out the security aims and objectives as well as the security measures to be implemented and maintained. The security policy MUST be regularly reviewed and updated by the Service Provider and MUST be endorsed by the Service Provider's senior management. A copy should be supplied as evidence.
Level: MUST

Requirement ID: STD0076-5
Requirement Text: Each Service Provider MUST have a suitably scoped independent IT Health Check / penetration test carried out (by a CHECK / Tiger Scheme accredited or CREST member organisation) encompassing the email system and any external network interfaces (including perimeter security / access control devices). Conformance SHOULD be evidenced by an ITHC / penetration test report, conducted within the last 12 months, with all identified findings remediated or mitigated and any residual risks accepted by the Senior Information Risk Owner. All medium or higher risks are expected to be remediated unless there are exceptional reasons not to do so and NHS Digital agrees that the residual risk is sufficiently mitigated.
Level: MUST

Requirement ID: STD0076-6
Requirement Text: The email service MUST provide anti-virus, anti-malware and anti-spam filtering, in addition to commodity content management such as attachment blocking, virus/spam filtering capabilities and data leakage prevention (e.g. encrypting protectively marked email destined for the Internet). The service MUST also provide for the management of spoofed email and of items that cannot be checked, such as S/MIME encrypted or password protected attachments. The service MUST support DMARC, with supporting public DNS entries for SPF, set to quarantine with an agreed timeline to implement a blocking policy. All outgoing email MUST be signed with DKIM. The service SHOULD support MTA-STS as well as TLS-RPT. Opportunistic TLS in accordance with National Cyber Security Centre requirements on ciphers and certificates MUST be in place. The commissioner of the email service MUST ensure adequate policies and/or contractual agreements are in place to safeguard this.
Level: MUST

Requirement ID: STD0076-7
Requirement Text: All OFFICIAL data (particularly patient identifiable and OFFICIAL SENSITIVE data) MUST be maintained in accordance with the Information Commissioner's Office data protection guidance, paying particular note to Principle 7 and the guidance on the use of cloud computing.
Level: MUST

Requirement ID: STD0076-8
Requirement Text: The Service Provider MUST provide tools to ensure that mobile devices are appropriately secured when accessing the email service. This SHOULD include:

• functions to allow/deny/quarantine by device type, organisation or group of users

• the ability to remove a device, enforce password security, and wipe any data associated with the service

• reporting functions/capabilities

• detection and blocking of rooted (i.e. jailbroken) devices.

Level: MUST

Requirement ID: STD0076-9
Requirement Text: The Service Provider SHOULD provide eDiscovery tools to support the administration of the service, especially with respect to the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018 and the Freedom of Information Act 2000.
Level: SHOULD

Requirement ID: STD0076-10
Requirement Text: The email service MUST comply with the provisions of DCB0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.
Level: MUST

Requirement ID: STD0076-11
Requirement Text: Each Service Provider SHOULD comply with the open standards principles.
Level: SHOULD

Requirement ID: STD0076-12
Requirement Text: Each Service Provider MUST enable inbound and outbound TLS version 1.2 or better for secure email transport between other secure email services.
Level: MUST

Requirement ID: STD0076-13
Requirement Text: TLS ciphers MUST conform with current NCSC guidance.
Level: MUST
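The DNS-visible parts of STD0076-6 (SPF, DMARC policy, DKIM selector, MTA-STS and TLS-RPT records) can be checked from outside the service, which is how a commissioner or assurance reviewer would evidence them. The script below is an added example, not part of DCB1596 or of any NHS Digital tooling; the domain trust.example and its TXT records are constructed, and "set to quarantine" is read as a DMARC p=quarantine policy (p=reject being the later blocking policy) alongside an SPF record that ends in an enforcing ~all or -all qualifier.

```python
import re

# Constructed TXT records for a hypothetical domain (not real DNS data).
# A live check would fetch these with a resolver; embedding them keeps the example offline.
DNS_TXT = {
    "trust.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.trust.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@trust.example"],
    "s1._domainkey.trust.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_mta-sts.trust.example": ["v=STSv1; id=20240101T000000Z"],
    "_smtp._tls.trust.example": ["v=TLSRPTv1; rua=mailto:tlsrpt@trust.example"],
}


def _first(txt, name, prefix):
    """Return the first TXT record at `name` that starts with `prefix`, or None."""
    return next((r for r in txt.get(name, []) if r.startswith(prefix)), None)


def check_domain(domain, txt, dkim_selector="s1"):
    """Evaluate one domain's DNS records against the STD0076-6 items (MUST/SHOULD per item)."""
    spf = _first(txt, domain, "v=spf1")
    dmarc = _first(txt, "_dmarc." + domain, "v=DMARC1")
    dkim = _first(txt, f"{dkim_selector}._domainkey.{domain}", "v=DKIM1")
    sts = _first(txt, "_mta-sts." + domain, "v=STSv1")
    rpt = _first(txt, "_smtp._tls." + domain, "v=TLSRPTv1")

    # SPF must exist and end with an enforcing qualifier (~all or -all);
    # "?all" or "+all" would let unauthorised senders pass unchallenged.
    spf_ok = spf is not None and re.search(r"\s[~-]all\s*$", spf) is not None
    # DMARC: p=quarantine meets the requirement; p=reject is the agreed blocking policy.
    m = re.search(r"\bp=(none|quarantine|reject)\b", dmarc or "")
    policy = m.group(1) if m else None
    dmarc_ok = policy in ("quarantine", "reject")
    # DKIM: the selector record must carry a non-empty public key (p=...).
    dkim_ok = dkim is not None and re.search(r"\bp=[A-Za-z0-9+/=]+", dkim) is not None

    return {
        "SPF": {"level": "MUST", "ok": spf_ok, "detail": spf},
        "DMARC": {"level": "MUST", "ok": dmarc_ok, "detail": policy},
        "DKIM": {"level": "MUST", "ok": dkim_ok, "detail": dkim_selector},
        "MTA-STS": {"level": "SHOULD", "ok": sts is not None, "detail": sts},
        "TLS-RPT": {"level": "SHOULD", "ok": rpt is not None, "detail": rpt},
    }


def conforms(results):
    """True when every MUST item passes; SHOULD items are reported but advisory."""
    return all(r["ok"] for r in results.values() if r["level"] == "MUST")


if __name__ == "__main__":
    res = check_domain("trust.example", DNS_TXT)
    print(res, "conforms:", conforms(res))
```

A p=none DMARC record, a missing DKIM selector or an SPF record ending in ?all each fails the MUST set, while a missing MTA-STS or TLS-RPT record is reported without failing it.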

Health & Care Organisations Requirements

Requirement ID: 1
Requirement Text: Either party (Service Provider or customer) MUST notify the other immediately upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
Level: MUST

Requirement ID: 2
Requirement Text: H&SC organisations SHOULD set policies and procedures for the use of secure email on mobile devices and ensure the email service enforces them.
Level: SHOULD

Requirement ID: 3
Requirement Text: H&SC organisations SHOULD comply with the provisions of DCB0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
Level: SHOULD

Requirement ID: 4
Requirement Text: H&SC organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems, such as those used by patients.
Level: MUST

ID: STD089
External ID: Web Content Accessibility Guidelines (WCAG) 2.1
Version: 0.1
Link to standard: Web Content Accessibility Guidelines (WCAG) 2.1
Standard Type: Guidance
Status: Alpha
Effective Date: TBC

Description

Web Content Accessibility Guidelines (WCAG) 2.1 defines how to make Web content more accessible to people with disabilities. Accessibility involves a wide range of disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities. Although these guidelines cover a wide range of issues, they are not able to address the needs of people with all types, degrees, and combinations of disability. These guidelines also make Web content more usable by older individuals with changing abilities due to aging and often improve usability for users in general.

Level AA is the minimum required for public sector websites (see Understanding accessibility requirements for public sector bodies).

Applicability

This standard applies to all healthcare settings in England and to any patients / users of systems with Web based content.

Requirements

Requirement ID: STD0089-1 (WCAG 2.1)
Requirement Text: IT suppliers' systems: Web content SHOULD adhere to the four principles that provide the foundation for Web accessibility (perceivable, operable, understandable and robust), as specified in the W3C guidelines Web Content Accessibility Guidelines (WCAG) 2.1.
Level: SHOULD