There are two ways to meet the secure email standard. Organisations must select one of these methods to comply.
- Implement an already compliant service such as NHSmail, Office 365 or Google Workspace for all staff at your organisation.
- Demonstrate your own service is compliant with the secure email standard by following the secure email accreditation process.
Implement an already compliant service
NHSmail
Meet the organisation requirements of the standard by following the steps below.
- Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
- Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
- Health and care organisations SHOULD comply with the provisions of DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
- Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems such as those used by patients.
- Migrate all users/staff to the NHSmail email service by following the migration guidance on the NHSmail support site.
Microsoft Office 365 (O365): Secure email configuration guide
Meet the organisation requirements of the standard by following the steps below.
- Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
- Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
- Health and care organisations SHOULD comply with the provisions of DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
- Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems such as those used by patients.
- Register compliance with the NHSmail team.
It is the responsibility of each organisation to verify its own configuration and ensure that its environment has been configured appropriately. To assist, we provide the CIS (Center for Internet Security) Microsoft Office 365 Foundation Benchmark Level 2 criteria, which are the criteria we assess against for compliance with the secure email standard.
Conformance to this standard will therefore be evidenced by completing an ITHC using the scope and the CIS Microsoft 365 Foundation Benchmark Testing Results and Corrective Action Plan template. Each organisation should define any mitigation or remedial action plans and submit them to the NHS Digital secure email standard service for assessment/approval. Further guidance can be found in the CIS Microsoft 365 Foundation Benchmark Testing Results and Corrective Action Plan template.
Microsoft Office 365 (O365) accreditations must include confirmation that the email service has been configured to securely communicate with NHSmail. The Microsoft Office 365: Secure email configuration guide has been co-produced with Microsoft, allowing instances of O365 to be enabled to securely route emails to and from NHSmail.
Google Workspace Secure email configuration guide
Meet the organisation requirements of the standard by following the steps below.
- Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
- Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
- Health and care organisations SHOULD comply with the provisions of DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
- Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems such as those used by patients.
- Register compliance with the NHSmail team: Google Workspace accreditations must include confirmation that the email service has been configured to securely communicate with NHSmail.
The Google Workspace: Secure email configuration guide has been co-produced with Google, allowing instances of Workspace to be enabled to securely route emails to and from NHSmail.
Exchange, hybrid or other email services
In addition to completing the organisation section of the standard, those hosting their own email services must submit assertions and evidence that they meet the ICT Service Provider elements of the standard. These will be reviewed by the NHS Digital Data Security Centre.