Guidance on the Use of E-Mail when Sending Person Identifiable or Confidential Information

This guidance supplements the Email Policy; all NUH staff should be familiar with the provisions of the Email Policy and should not take this guidance in isolation.

Email

Microsoft Exchange (which is usually accessed through Outlook) is the most widely used email system at Trusts across the NHS. At NUH this is the normal email system, with an address type of [email protected].

NHSmail (or nhs.net email, as it’s commonly referred to) is a separate email system which is accessed via the website www.nhs.net; email addresses are of the type [email protected]. All NHS employees can have an NHSmail account. To get an NHSmail account, contact the ICT Services Help Desk.

External mail systems, which are mainly web-based email services, are generally available to anyone with an internet connection and are widely used for personal email communication, for example Googlemail, Hotmail, Yahoo mail etc.

Encryption

Encryption is the process of transforming information to make it unreadable whilst it’s in transit. It is then decrypted by the recipient. Encrypting emails and/or file attachments makes them secure for transmission across any of the email options mentioned above (subject to a certain minimum standard of encryption being applied – CfH recommend that the minimum acceptable encryption level where data is to be transferred across the internet or by removable media should be AES 256 bit).

If you send emails from one NHSmail account to another NHSmail account (i.e. where both the sender and receiver addresses are of the type [email protected]), encryption happens automatically and transmission of data is secure. This is the recommended means for sending confidential, sensitive or patient identifiable data securely within the NHS. Encrypted attachments are not permitted on the NHSmail service for security/governance reasons.
NHSmail is a secure service approved for the exchange of patient data between NHSmail recipients. Because of the NHSmail service’s high security levels, attachments between NHSmail recipients or secure Government domains do not need to be encrypted.

Transmission of emails and file attachments between different email systems and across different networks has varying levels of security (see the table below). Further information about encryption can be found on the ICT Services web site or from the ICT Help Desk.

Online Security Precautions

One of the key advantages of NHSmail is the ability to access your email wherever you are; however, if you access your NHSmail from a public computer it is essential that you take certain precautions in order to safeguard your login details and the sensitive data in your NHSmail mailbox.

Logging into NHSmail when using a Public Computer

Take the following precautions when you log in using a computer in a public place:

- Make sure no one watches you type your username and password when you log in.
- Never select an option that allows you to save your password for later use. Always type your password, even if you plan to use the same computer for several days.
- Only ever provide your username and password to the NHSmail website.
- Ensure that you log out of NHSmail before closing the browser window.

Auto Forwards

NHSmail does not permit auto forwarding of email because of the risk of sensitive data being unwittingly forwarded to an insecure network. Auto forwards should not be set on NUH Exchange/Outlook mail for the same reasons.

If an auto forward is set from an NUH Exchange/Outlook email account to an NHSmail account, it is not encrypted when it leaves the NUH local area network. Therefore, any sensitive data content sent via this route would breach NHS security rules. Individual users and departments should undertake a risk assessment of any sensitive data that they are sending off site.
(Examples of unsecure auto forwarding include emails containing sensitive data sent from @nuh.nhs.uk to @nhs.net, @nottingham.ac.uk etc.)

Frequently Asked Questions

Q. What is safe and secure email?
Securely sending and receiving email means that the contents and attachments of the email are secure whilst in transit to the recipient.

Q. If I use Trust email (@nuh.nhs.uk) can I send confidential email to other Trust email users on the same email system?
If you’re using Trust email and sending internally, the email transmission is secure and you do not need to set any passwords. However, it is important not to alter the security settings in Outlook.

Q. What is encryption?
Encryption is scrambling the email before sending and applying a secret password to unscramble it.

Q. When should email be encrypted?
Any email that is confidential must be encrypted.

Q. I don’t use corporate email (@nuh.nhs.uk). I use NHSmail.
Users of NHSmail can only send confidential email to other users of NHSmail (or to secure Government domains).

Q. Can I send confidential emails from my Trust email account to staff who use NHSmail (@nhs.net)?
No. By design NHSmail cannot send or receive encrypted email or encrypted attachments from non-NHSmail accounts.

Q. Can I receive confidential emails from external contacts if I am using corporate email (@nuh.nhs.uk)?
Yes. Unlike NHSmail, Trust email can receive encrypted emails.

Q. Can other organisations receive and send encrypted email?
That very much depends on their internal email set-up. In most cases the answer is yes, but it is advisable that this is confirmed with the recipient.
Summary Option if you use NHS.net

Possible Method of Sending Email: From an @nhs.net account
Content of Email: Person Identifiable Information
Recipient Domain: [email protected] [email protected] [email protected] [email protected] [email protected]
Notes: Sending from nhs.net accounts to this list of recipient accounts is the safest way of sending Personal Identifiable Information

Person Identifiable Data
Non Person Identifiable Information/non sensitive or confidential data

Summary Option if you use @nuh.nhs.uk

Possible Method of Sending Email
[email protected] [email protected] [email protected] [email protected] [email protected]
Any email domain not listed above
Any
Content of Email
Recipient Domain
DO NOT USE THIS METHOD
Care should still be taken with anything that might be considered sensitive to the organisation, in which case you may wish to use the secure method
Notes
Person Identifiable Information
[email protected]
The default settings on Outlook email ensure that data is secure. Users should not change the default settings.
Person Identifiable Information
[email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Any email domain not listed above
DO NOT USE THIS METHOD
From an @nuh.nhs.uk account
Person Identifiable Data
Non Person Identifiable Information/non sensitive or confidential data
Any
Information must be encrypted using either 7-zip or where available Microsoft Office Word 2007.
Care should still be taken with anything that might be considered sensitive to the organisation, in which case you may wish to use the secure method.

Note also, there are some exceptions where it may be acceptable to send sensitive data in a way other than specified above, for example, if there is a greater risk of harm to an individual if we do not communicate information (e.g. child protection).
Or it may be possible to send data by reducing the information that would identify the individual to a minimum, so that the authorised recipient would know who the patient was, but an unauthorised user would not. In these cases it is better to offer some protection, e.g. password protected files, than none at all.

Version history

Version 1.0
Changes: New Document
Author: D. Cadwell
Date: April 2008

Version 2.0
Changes: New summary option table, inclusion of encryption guidance and online security precautions.
Author: F. Famodile
Date: June 2012