ISB 1596 Secure Email Specification / 25/11/2013 / Draft v0.4

ISB 1596 Secure Email Specification

Amendment History:

Version / Date / Amendment History
0.2 / 09/09/2013
0.3 / 11/11/2013 / Incorporates comments from ISB quality checks.
0.4 / 25/11/2013 / Incorporates comments from ISB quality checks.

Approvals:

Name / Title / Responsibility / Date / Version
Dr Simon Eccles / SRO – NHSmail 2 / 25/11/2013 / 0.4

Glossary of Terms:

Term / Acronym / Definition
Business Impact Level / B-IL / A B-IL is a level from 1 to 6 that indicates the security risk of an IT system. It is defined by CESG guidance.
CESG / CESG protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia. It is the UK Government's National Technical Authority for Information Assurance (IA).
CESG Listed Adviser Scheme / CLAS
Department of Health / DH
Health & Social Care Information Centre / HSCIC
Information Commissioner’s Office / ICO / The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Information Security Management System / ISMS / An information security management system (ISMS) is a set of policies concerned with information security management or IT related risks. The idioms arose primarily out of BS 7799.
The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

Contents

1 Overview
1.1 Summary
1.2 Controlled Documents
1.3 Guidance
1.4 Related Standards
2 Introduction
2.1 Purpose
2.2 Scope
2.3 Customer Need
3 Health and Care Organisations
3.1 Overview
3.2 Requirements
3.3 Conformance
4 IT Systems Suppliers
4.1 Overview
4.2 Requirements
4.3 Conformance
5 Technical Guidance
5.1 Information Security
5.2 Clinical Safety
5.3 Interoperability
6 User Guidance
6.1 Emailing Patients
6.2 Secure Communications
6.3 Professional Record-keeping
6.4 Data Protection & Freedom of Information
6.5 GP Practice Staff
7 Appendix 1 – Example Risk Log
7.1 Overview
7.2 Hazard Log

© Open Government Licence 2013 / Page 1 of 18


1 Overview

1.1 Summary

Standard
Standard Number / ISB 1596
Title / Secure Email
Type / Fundamental
Description / This standard defines the minimum non-functional requirements for a secure email service, covering the storage and transmission of email. This is the basic level for the storage and transmission of patient identifiable data by an email system.
It excludes security standards for document archives.
Applies to /
  • Health, public health and social care organisations.
  • Email service providers.

Release
Release Number / Amd 34/2012
Title / Initial Standard
Description
Implementation Completion Date / 30th June 2016

1.2 Controlled Documents

Ref no / Title / Version
A / ISB 1596 Secure Email Baseline Control Set

1.3 Guidance

Ref no / Title / Version
1 / Information: To Share Or Not To Share? The Information Governance Review
2 / CIO Council Offshoring Position / 1.0
3 / CESG IS1 Technical Risk Assessment / 3.51
4 / The Good Practice Guidelines for GP electronic patient records / 4
5 / General Medical Council Good Medical Practice / 2013

1.4 Related Standards

Reference / Title
ISB 0086 / Information Governance Toolkit
ISB 0160 / Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems
ISB 0129 / Clinical Risk Management: its Application in the Manufacture of Health IT Systems
BS ISO/IEC 27001: 2013 / Information technology -- Security techniques -- Information security management systems -- Requirements
BS ISO/IEC 27002: 2013 / Information technology. Security techniques. Code of practice for information security controls
IS1 / HMG Impact Assessment Standards including CESG IS1 Technical Risk Assessment

2 Introduction

2.1 Purpose

This standard establishes the minimum requirements for email systems in health, public health and social care. The intention is not to impose significant requirements on organisations but instead to establish the minimum acceptable level. Where possible, the requirements refer to existing health and care, Government and international standards (e.g. BS ISO/IEC 27001 – see related standards).

2.2 Scope

The standard defines how email systems used for sensitive data (e.g. patient identifiable data) should manage:

  • The information security of the email service.
  • Transfer of sensitive information over non-secure channels.
  • Accessing information from the Internet or mobile devices.
  • Exchange of information outside the controlled boundary of the secure email system:
      • to other email systems compliant with this standard;
      • to other email systems not compliant with this standard.

2.3 Customer Need

Health and care email is now a rich source of patient/service user information. There is a clear need to ensure that it is held securely and used appropriately. The power of information: putting all of us in control of the health and care information we need, paragraph 3.51, specifies (our bold text):

All e-mail communication about our care must be appropriately secure and protected. Work will continue to improve access to and use of NHSmail within the NHS, and social enterprises and other qualified providers of care services, as part of their commissioning contracts with the NHS, will be given access to a limited number of NHSmail accounts. Similar incentives for social care will be made available that make the process and cost of connecting social care providers, local authorities and other care providers via secure electronic communication easier, cheaper and less bureaucratic.

The standard will ensure that health, public health and adult social care organisations have a recognisable baseline which they can conform to.

3 Health and Care Organisations

3.1 Overview

ISB 0086 Information Governance Toolkit (IGT), as an already approved information standard, provides the strategic assurance tool for use by health and care organisations and other business partners / suppliers. It has a series of requirements that all health and care organisations must meet, with the information security requirements being particularly applicable. This standard describes how health and care organisations can comply with the IG Toolkit with respect to email services.

Of particular note are:

Num / Description
10-300 / The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs
10-305 / Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
10-308 / All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
10-313 / Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
10-314 / Policy and procedures ensure that mobile computing and teleworking are secure
10-323 / All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures

3.2 Requirements

# / Description
Information Security
1 / Health and care organisations MUST perform a security risk assessment when procuring or delivering an email service internally.
2 / Health and care organisations MUST operate their email service to a level appropriate to the security risk assessment, and at minimum BS ISO/IEC 27001.
3 / Health and care organisations MUST ensure their email service meets the baseline control set specified in Section 5.1 for Personal Data if the service contains patient identifiable or sensitive data.
4 / Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
Safety
5 / Health and care organisations SHOULD comply with the provisions of ISB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
Interoperability
6 / Health and care organisations SHOULD provide updates to the NHSmail white pages directory service of their directory information.
7 / Health and care organisations MUST ensure there are appropriate policies in place for the use of email, including correspondence with insecure email systems, including those used by patients.

3.3 Conformance

Conformance to the security requirements shall be measured by having:

  • An auditable information security management system in relation to the email service that conforms to BS ISO/IEC 27001.
  • Evidence that their email service has either:
      • Non-Personal Data – a BS ISO/IEC 27001 conformance certificate with the appropriate scope of applicability and baseline control set for the service, or pan-government or government departmental (e.g. Department of Health) accreditation to business impact level (B-IL) 2 or above.
      • Personal Data – pan-government or government departmental (e.g. Department of Health) accreditation to business impact level (B-IL) 3.

Conformance to the clinical safety requirements shall be met as per ISB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.

Health and care organisations shall self-certify to the interoperability requirements.

4 IT Systems Suppliers

4.1 Overview

IT systems suppliers need to ensure that their email service meets the needs of health and care, especially when it is used for the transmission of patient identifiable data. Email systems are not normally sector specific (i.e. just for healthcare) so IT suppliers will normally demonstrate this through adherence to cross-public sector, UK or international standards.

4.2 Requirements

# / Requirement
Information Security
1 / Each Supplier MUST at all times maintain a secure service.
2 / Each Supplier MUST maintain an Information Security Management System (ISMS) that conforms to the BS ISO/IEC 27001: 2013 Information Security Management Systems baseline control set and BS ISO/IEC 27002: 2013 Information technology. Security techniques. Code of practice for information security controls.
Conformance may be evidenced by appropriate certification.
3 / Each Supplier MUST maintain a security policy which sets out the security measures to be implemented and maintained in accordance with BS ISO/IEC 27001, BS ISO/IEC 27002 and the Information Security Management System.
The security policy MUST be reviewed and updated in a timely fashion and will be reviewed on an annual basis.
4 / Each Supplier MUST ensure their email service meets the baseline control set specified in Section 5.1 for Personal Data if the service contains patient identifiable or sensitive data.
5 / Each Supplier MUST conduct tests of the security policy in accordance with the provisions of the Supplier's Security Policy relating to security testing. The tests must be independently audited by either an accredited third party or representatives of the customer.
6 / Either party (Supplier and customer) MUST notify the other immediately upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
7 / Each supplier MUST provide protection against malicious content for their services such as virus checking when onboarding data.
8 / The email service MUST provide anti-virus and anti-spam filtering, in addition to commodity content management such as attachment blocking, virus/spam filtering capabilities and data leakage prevention (e.g. encrypting protectively marked email destined for the Internet). The service SHOULD also provide for the management of spoofed/forged email and of items that cannot be checked, such as S/MIME encrypted or password protected attachments.
9 / All patient identifiable and sensitive data MUST at all times remain in the UK.
10 / The Supplier MUST ensure that mobile devices are appropriately secured when accessing the email service. This could include:
  • Functions to allow/deny/quarantine by device type, organisation or groups of users.
  • Remove device, expire password, and wipe any data associated with the service.
  • Reporting functions/ capabilities.
  • Detect and block rooted (i.e. jailbroken) devices.

11 / Each Supplier SHOULD provide eDiscovery tools to support the administration of the service, especially with respect to the Data Protection Act 1998 and Freedom of Information Act 2000.
Safety
12 / Suppliers SHOULD comply with the provisions of ISB 0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.
Interoperability
13 / Each Supplier SHOULD comply with the open standards policy:
14 / Each supplier SHOULD interface with the NHSmail white pages directory service and provide regular updates of NHS directory information.

4.3 Conformance

Conformance to the security requirements shall be measured by:

  • An independently audited information security management system in relation to the email service. This shall be evidenced by a BS ISO/IEC 27001 conformance certificate for the service with the appropriate scope of applicability. BS ISO/IEC 27001 conformance certificates shall be issued by a body accredited by an appropriate National Authority; in the UK this is the United Kingdom Accreditation Service (UKAS).
  • Evidence that their email service has either:
      • Non-Personal Data – a BS ISO/IEC 27001 conformance certificate with the appropriate scope of applicability and baseline control set for the service, or pan-government or government departmental (e.g. DH or HSCIC) accreditation to business impact level (B-IL) 2 or above.
      • Personal Data – pan-government or government departmental (e.g. DH or HSCIC) accreditation to business impact level (B-IL) 3.

Conformance to the clinical safety requirements shall be met as per ISB 0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

IT systems suppliers shall self-certify to the interoperability requirements.

5 Technical Guidance

5.1 Information Security

BS ISO/IEC 27001 sets out the requirements for an Information Security Management System (ISMS). This is a structured means of managing information security risk within an organisation.

The CESG IS1/IS2 baseline control set provides the minimum baseline controls that organisations and their IT systems must comply with. It is divided into different areas of security controls, with three levels for each: DETER, DETECT AND RESIST, and DEFEND. Further guidance is available from the CESG website or from an appropriately accredited (CLAS) security professional.

The spreadsheet (A) ISB 1596 Secure Email Baseline Control Set provides the baseline control set for email services using Personal Data and non-Personal Data.

5.2 Clinical Safety

Any IT system used for clinical purposes should follow the clinical safety information standards. An example risk log is provided in section 7.

5.3 Interoperability

Systems should conform to open standards for interoperability, normally promulgated by the W3C. Government open standards are published on data.gov.uk.

Systems should populate national directory services. Details of how to populate the NHSmail directory are available from .

6 User Guidance

6.1 Emailing Patients

The Caldicott 2 review (1) noted the belief that email could not be used to communicate with patients because it is not secure. The review report stated:

“The Review Panel concludes that personal confidential data can be shared with individuals via email when the individual has explicitly consented and they have been informed of any potential risk.”

Health and care organisations should develop guidelines for health and care professionals to support and encourage the use of email with patients. The Good Practice Guidelines for GP electronic patient records (5) describe the use of email for patient consultations.

6.2 Secure Communications

NHS information security guidelines require that patient identifiable or sensitive data is handled appropriately. For routine communication this should be within a secure email service, or sent in a secure manner, for example encrypted attachments that comply with the NHS encryption requirements.

Note that security should not be used as a reason for providing poor care. The onus is to provide appropriate systems and so share information, not inhibit it.

6.3 Professional Record-keeping

In Good Medical Practice (2013) (5), the General Medical Council (GMC) states that:

“19. Documents you make (including clinical records) to formally record your work must be clear, accurate and legible. You should make records at the same time as the events you are recording or as soon as possible afterwards.

20. You must keep records that contain personal information about patients, colleagues or others securely, and in line with any data protection requirements”

Although ephemeral in nature, emails can form part of the clinical record. Good practice is to ensure that emails are copied into the patient’s medical record. See the Medical Protection Society Good Records advice for further information.

6.4 Data Protection & Freedom of Information

Information stored in an email service is subject to data protection and freedom of information requests. All health and care professionals must be aware of this obligation and support such requests.

6.5 GP Practice Staff

The Good Practice Guidelines for GP electronic patient records (5) describe the use of email in practice, noting that:

“Unless practices have the technical expertise to set up and maintain a local mail server, and ensure that it is secure within the practice network boundaries, the recommended approach is to use NHSmail for this purpose. NHSmail is available in Scotland and England.”

7 Appendix 1 – Example Risk Log

7.1 Overview

The example risk log has been derived from secure email clinical risk assurance undertaken by the HSCIC. A fishbone diagram providing an overview is given below.


7.2 Hazard Log

Area / Hazard Name / Description / Effect / Rating
Attachment / File attachment issues / File attachments exceed mail system specified limits; file attachments exceed mail system specified attachment quantity limits; incorrect file formats used when attached to email. / Delay to email transmission; potential system error resulting from oversize file attachments; failure to transmit / receive email successfully, including potential loss of data; potential system error resulting from large quantities of file attachments. / Low
Attachment / Email notifications fail to arrive / Failure to receive email notification of error message. / The sender does not receive notification of email failure; potential delay in treatment by way of failure to receive / send email. / Low