| title | description | stage | created | lastUpdated |
|---|---|---|---|---|
| Security Standards | General security standards and guidance for NHS England. | 3. Development Stage | 2021-06-08 10:20:00 -0700 | 2024-03-19 03:22:52 -0700 |

More information in this section of the standards

Base requirements

  • All IT systems and services MUST be reviewed and assessed for both security and privacy issues. Any discovered issues must be formally documented with either a mitigation plan or a sign-off of the risk by the business owner. Risks may be escalated to organisation level if needed.

  • Any IT system or service that is being introduced or going through significant change, and that is accessible across the Internet, MUST have an appropriate penetration test. Any system or service containing sensitive information may be required to go through a more comprehensive security review and testing. Reviews and testing may be done internally by NHS England's Cyber Security team, or the system may be directed to have an external review.

  • Any IT system or service that has administrator accounts or access MUST implement Multi-Factor Authentication (MFA) or at least Two-Factor Authentication (2FA) on all user accounts with elevated rights.

  • IT systems and services SHOULD use individual, user-identifiable accounts to ensure that all access and actions are traceable to an individual. Where exceptions are identified, they MUST be reviewed and pre-approved by the NHS England Cyber Security team.

Other Applicable UK Government and NHS Standards

All of the standards for NHS England are subject to both NHS and UK Government policies, strategies and standards, the key ones of which are listed here.

  • NHS Digital Service Manual - "Use the service manual to build consistent, usable services that put people first. Learn from the research and experience of other NHS teams."
  • Gov.uk Service Manual - "Helping teams to create and run great public services that meet the Service Standard". See also the Government Design Principles and the Gov.uk Design System.
  • Tech Code of Practice - A set of criteria to help government design, build and buy technology. It is a cross-government agreed standard used for the Cabinet Office spend control process and the Local Digital Declaration.
  • DSP Toolkit - "an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly."
  • Cyber Essentials Plus - "a simple but effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks." All NHS organisations are now required to be certified to CE+.
  • Government Functional Standard GovS 007: Security - "part of a suite of functional standards designed to promote consistent and coherent working within government organisations and across organisational boundaries."