Guidance on the Use of E-Mail when Sending Person Identifiable or Confidential Information
This guidance supplements the Email Policy; all NUH staff should be familiar with the provisions of the Email Policy
and should not take this guidance in isolation.
Email
Microsoft Exchange (usually accessed through Outlook) is the most widely used email system at Trusts across
the NHS. At NUH this is the normal email system, with addresses ending in @nuh.nhs.uk.
NHSmail (commonly referred to as nhs.net email) is a separate email system accessed via the website
www.nhs.net, with addresses ending in @nhs.net. All NHS employees can have an NHSmail account. To get an
NHSmail account, contact the ICT Services Help Desk.
External mail systems, mainly web-based email services, are generally available to anyone with an internet
connection and are widely used for personal email, for example Googlemail, Hotmail and Yahoo mail.
Encryption
Encryption is the process of transforming information so that it cannot be read by anyone who does not hold the
key, whether it is in transit or sitting on the receiving system; the intended recipient then decrypts it. Encrypting
emails and/or file attachments makes them safe to transmit across any of the email options mentioned above,
subject to a minimum standard of encryption being applied: CfH (NHS Connecting for Health) recommend that the
minimum acceptable encryption level where data is to be transferred across the internet or by removable media is
AES 256 bit. Where the key is derived from a password, as with a password-protected file, the protection is only as
strong as that password, which must reach the recipient by a separate route such as a telephone call, never in the
same email as the attachment.
If you send emails from one NHSmail account to another NHSmail account (i.e. where both the sender and receiver
addresses are of the type [email protected]), encryption happens automatically and transmission of data is
secure. This is the recommended means for sending confidential, sensitive or patient identifiable data securely
within the NHS.
Encrypted attachments are not permitted on the NHSmail service for security/ governance reasons. NHSmail is a
secure service approved for the exchange of patient data between NHSmail recipients. Because of the NHSmail
service’s high security levels, attachments between NHSmail recipients or secure Government domains do not need
to be encrypted.
Transmission of emails and file attachments between different email systems and across different networks has
varying levels of security (See the table below). Further information about encryption can be found on the ICT
Services web site or from the ICT Help Desk.
Online Security Precautions
One of the key advantages of NHSmail is the ability to access your email wherever you are; however, if you access
your NHSmail from a public computer it is essential that you take certain precautions in order to safeguard your
login details and the sensitive data in your NHSmail mailbox.
Logging into NHSmail when using a Public Computer
Take the following precautions when you log in using a computer in a public place:
- Make sure no one watches you type your username and password when you log in.
- Never select an option that allows you to save your password for later use. Always type your password, even if
  you plan to use the same computer for several days.
- Only ever provide your username and password to the NHSmail website.
- Ensure that you log out of NHSmail before closing the browser window.
- Where the browser offers a private browsing window, use it, so that cached pages and form entries are discarded
  when the window is closed.
Auto Forwards
NHSmail does not permit auto forwarding of email because of the risk of sensitive data being unwittingly forwarded
to an insecure network.
Auto forwards should not be set on NUH Exchange/Outlook mail for the same reason. If an auto forward is set from
an NUH Exchange/Outlook email account to an NHSmail account, the forwarded mail is not encrypted once it leaves
the NUH local area network, so any sensitive content sent via this route would breach NHS security rules.
Individual users and departments should undertake a risk assessment of any sensitive data that they send off site.
(Examples of insecure auto forwarding include emails containing sensitive data forwarded from @nuh.nhs.uk to
@nhs.net, @nottingham.ac.uk etc.)
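The forwards this section prohibits can also be looked for. The PowerShell below is an added example written for this page, not a script from NUH, NHSmail or Microsoft. It assumes it is run in the Exchange Management Shell (or a remote Exchange PowerShell session) by an account permitted to read every mailbox and its inbox rules, that the Trust's own domain is nuh.nhs.uk, and, as the text above states, that any destination outside that domain, nhs.net included, is an insecure one for an auto forward. The function names are mine; Get-Mailbox, Get-Recipient and Get-InboxRule and the properties read from them are the real Exchange cmdlets.

```powershell
# Added example, not part of the NUH guidance: list every mailbox-level forward and
# every user inbox rule that would send incoming mail to an address outside the
# Trust's own domain. Assumes the Exchange Management Shell (or a remote Exchange
# PowerShell session) and read access to all mailboxes; the domain is a placeholder.

$InternalDomain = 'nuh.nhs.uk'

function Get-SmtpTarget {
    # Exchange presents forwarding targets in several shapes:
    #   "Jane Doe" [SMTP:jane@example.com]   inbox rule target with an SMTP address
    #   "Jane Doe" [EX:/o=.../cn=...]         inbox rule target that is an internal directory object
    #   smtp:jane@example.com                 ForwardingSmtpAddress on the mailbox object
    #   jane@example.com                      a bare address
    # Returns the SMTP address, or $null when the target has no SMTP form.
    param([string] $Target)
    if ($Target -match '\[SMTP:([^\]]+)\]') { return $Matches[1] }
    if ($Target -match '^smtp:(.+)$')        { return $Matches[1] }
    if ($Target -match '^[^\s@"\[\]]+@[^\s@"\[\]]+$') { return $Target }
    return $null
}

function Test-ExternalTarget {
    # $true when the target is an SMTP address outside $InternalDomain.
    # A target with no SMTP form (an EX: directory reference) is treated as internal.
    param([string] $Target)
    $addr = Get-SmtpTarget $Target
    if (-not $addr) { return $false }
    return ($addr -notmatch ('@' + [regex]::Escape($InternalDomain) + '$'))
}

function Find-ExternalForwarding {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $owner = [string] $mbx.PrimarySmtpAddress

        # 1. Forwarding set on the mailbox object to an arbitrary SMTP address
        $smtpFwd = [string] $mbx.ForwardingSmtpAddress
        if (Test-ExternalTarget $smtpFwd) {
            [pscustomobject]@{ Mailbox = $owner; Source = 'Mailbox (ForwardingSmtpAddress)'; Rule = ''; Target = (Get-SmtpTarget $smtpFwd) }
        }

        # 2. Forwarding set on the mailbox object to a directory recipient (often a mail contact
        #    created for an outside address): resolve it to see where the mail really goes.
        #    Get-Recipient -Identity accepts the DN or canonical name the property renders as.
        if ($mbx.ForwardingAddress) {
            $rcpt = Get-Recipient -Identity "$($mbx.ForwardingAddress)" -ErrorAction SilentlyContinue
            $rcptAddr = [string] $rcpt.PrimarySmtpAddress
            if (Test-ExternalTarget $rcptAddr) {
                [pscustomobject]@{ Mailbox = $owner; Source = 'Mailbox (ForwardingAddress)'; Rule = ''; Target = $rcptAddr }
            }
        }

        # 3. Rules the user created in Outlook (Rules and Alerts) that forward or redirect
        foreach ($rule in @(Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in $targets) {
                $s = [string] $t
                if (Test-ExternalTarget $s) {
                    [pscustomobject]@{ Mailbox = $owner; Source = 'Inbox rule'; Rule = $rule.Name; Target = (Get-SmtpTarget $s) }
                }
            }
        }
    }
}

Find-ExternalForwarding | Sort-Object Mailbox, Source | Format-Table -AutoSize
```

Run it periodically and treat every row as a finding to follow up with the mailbox owner. It covers the two places a forward normally lives in Exchange, the mailbox object and the user's own inbox rules; transport rules (Get-TransportRule) are not examined, so an empty result is not proof that nothing is being forwarded. Get-InboxRule is called once per mailbox, which is slow on a large estate.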
Frequently Asked Questions
Q. What is safe and secure email?
Securely sending and receiving email means that the contents and attachments of the email are secure
whilst in transit to the recipient.
Q. If I use Trust email (@nuh.nhs.uk) can I send confidential email to other Trust email users on the same
email system?
If you’re using Trust email and sending internally, the email transmission is secure and you do not need to
set any passwords. However, it is important not to alter the security settings in Outlook.
Q. What is encryption?
Encryption scrambles the email (or attachment) before sending so that only someone holding the secret password or
key can unscramble it.
Q. When should email be encrypted?
Any email that is confidential must be encrypted.
Q. I don't use corporate email (@nuh.nhs.uk); I use NHSmail. Who can I send confidential email to?
Users of NHSmail can only send confidential email to other users of NHSmail (or to secure Government
domains).
Q. Can I send confidential emails from my Trust email account to staff who use NHSmail (@nhs.net)?
No. By design NHSmail cannot send or receive encrypted email or encrypted attachments from non
NHSmail accounts
Q. Can I receive confidential emails from external contacts if I am using corporate email (@nuh.nhs.uk)?
Yes. Unlike NHSmail Trust email can receive encrypted emails.
Q. Can other organisations receive and send encrypted email?
That very much depends on their internal email set-up. In most cases the answer is yes, but it is advisable to
confirm this with the recipient before sending.
Summary Option if you use NHS.net

Possible Method of Sending Email | Content of Email | Recipient Domain | Notes
From an @nhs.net account | Person Identifiable Information | [email protected] (the listed secure recipient domains; addresses redacted in this copy) | Sending from nhs.net accounts to this list of recipient accounts is the safest way of sending Person Identifiable Information
From an @nhs.net account | Person Identifiable Data | Any email domain not listed above | DO NOT USE THIS METHOD
From an @nhs.net account | Non Person Identifiable Information / non sensitive or confidential data | Any | Care should still be taken with anything that might be considered sensitive to the organisation, in which case you may wish to use the secure method

Summary Option if you use @nuh.nhs.uk

Possible Method of Sending Email | Content of Email | Recipient Domain | Notes
From an @nuh.nhs.uk account | Person Identifiable Information | [email protected] (internal Trust address) | The default settings on Outlook email ensure that data is secure. Users should not change the default settings.
From an @nuh.nhs.uk account | Person Identifiable Information | [email protected] (the listed external recipient domains; addresses redacted in this copy) | Information must be encrypted using either 7-Zip or, where available, Microsoft Office Word 2007.
From an @nuh.nhs.uk account | Person Identifiable Data | Any email domain not listed above | DO NOT USE THIS METHOD
From an @nuh.nhs.uk account | Non Person Identifiable Information / non sensitive or confidential data | Any | Care should still be taken with anything that might be considered sensitive to the organisation, in which case you may wish to use the secure method.
Note also that there are some exceptions where it may be acceptable to send sensitive data in a way other than
specified above, for example where there is a greater risk of harm to an individual if the information is not
communicated (e.g. child protection). Alternatively, it may be possible to send the data with the information that
would identify the individual reduced to a minimum, so that the authorised recipient would know who the patient
was but an unauthorised reader would not. In these cases it is better to offer some protection, e.g. password-
protected files, than none at all.
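The summary table above names 7-Zip, or Word 2007 where available, for encrypting person identifiable information sent to the listed external domains, and the Encryption section sets AES 256 bit as the minimum. 7-Zip applies AES-256 to .7z archives, whereas Word 2007's own document password uses 128-bit AES by default, so 7-Zip is the one of the two that meets the stated minimum. The PowerShell below is an added example written for this page, not code from NUH, NHSmail or the 7-Zip project; it assumes 7-Zip is installed (7z.exe on the PATH or under $env:ProgramFiles\7-Zip). The function names are mine and the file paths are placeholders; the 7z.exe commands and switches are the real ones.

```powershell
# Added example, not part of the NUH guidance: protect a file with 7-Zip (AES-256 in
# the .7z container) before it travels as an email attachment, then verify that the
# archive opens with the password. Assumes 7-Zip is installed; paths are placeholders.

function Get-SevenZipPath {
    $cmd = Get-Command 7z.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Path }
    $default = Join-Path $env:ProgramFiles '7-Zip\7z.exe'
    if (Test-Path $default) { return $default }
    throw 'Cannot find 7z.exe; install 7-Zip before sending encrypted attachments.'
}

function New-ArchivePassword {
    # Random password from an unambiguous alphabet (no 0/O, 1/l/I), drawn from the
    # OS CSPRNG with rejection sampling so every character is equally likely.
    param([int] $Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'
    $limit    = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size below 256
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Text.StringBuilder
    while ($chars.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$chars.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $chars.ToString()
}

function Protect-Attachment {
    param(
        [Parameter(Mandatory)] [string] $Path,         # file to send
        [Parameter(Mandatory)] [string] $ArchivePath,  # .7z archive to create
        [Parameter(Mandatory)] [string] $Password
    )
    $sevenZip = Get-SevenZipPath
    # 'a' updates an existing archive, so remove any old one rather than append to it
    if (Test-Path $ArchivePath) { Remove-Item $ArchivePath }
    # -t7z    : 7z container, which 7-Zip encrypts with AES-256. A .zip container would
    #           default to the weak ZipCrypto scheme unless -mem=AES256 were also given.
    # -mhe=on : encrypt the archive headers too, so file names are not readable
    #           without the password.
    # --      : end of switches; protects against a path that begins with '-'
    & $sevenZip a -t7z -mhe=on "-p$Password" -- $ArchivePath $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip failed to create $ArchivePath (exit code $LASTEXITCODE)" }
    # Test the archive with the same password: catches a truncated archive or a mistyped password
    & $sevenZip t "-p$Password" -- $ArchivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Verification of $ArchivePath failed (exit code $LASTEXITCODE)" }
    Get-Item $ArchivePath
}

# Usage with placeholder paths:
$password = New-ArchivePassword
$archive  = Protect-Attachment -Path 'C:\Temp\referral.docx' -ArchivePath 'C:\Temp\referral.7z' -Password $password
"Attach $($archive.FullName) to the email; give the recipient this password by telephone: $password"
```

The password is handed to 7z.exe on its command line, which suits a script but is visible to other processes on the same machine while 7z.exe runs; for one-off interactive use give -p with no value and 7-Zip will prompt for it instead. The verification step (7z t) is the only point at which a mistyped password or an archive cut short on write is caught before the email goes out. The password reaches the recipient by telephone or another separate channel, never in the same email as the archive.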
Version | Changes | Author | Date
1.0 | New Document | D. Cadwell | April 2008
2.0 | New summary option table, inclusion of encryption guidance and online security precautions. | F. Famodile | June 2012