NHSmail was not fully compliant with its own secure email standard until six months after NHS Digital’s deadline for moving to a block policy for spoofed emails.
Information sent to Digital Health from an NHS source indicates that until recently, NHSmail did not meet the requirements of NHS Digital’s DCB1596 standard, which is necessary for health and social care organisations to ensure sensitive and confidential information is kept secure.
Specifically, the information shows that the DMARC block policy for NHSmail, a requirement of DCB1596, had not been implemented by July 2019 as directed in NHS Digital’s conformance statement.
DMARC, or domain-based message authentication, reporting and conformance, is an email authentication protocol designed to enable email domain owners to protect themselves against email spoofing.
Section 6 of the NHSmail conformance document, which can be found here, states: “The NHSmail service uses DMARC, SPF and DKIM. It is intended to move from a quarantine to block policy for received spoofed email and publish a block record for recipient systems to act upon on the 9 July 2019.”
Despite this, a DNS lookup performed in early January showed that NHSmail was still using “quarantine” and not “block”.
NHS Digital told Digital Health News that DMARC was correctly configured as of last week.
A spokesperson said the delay from the original implementation date of July 2019 followed requests by organisations that used NHSmail, as configuration at that time “would impact on service delivery and clinical safety.”
“The additional time has enabled them to make the necessary local adjustments,” the spokesperson said.
Section 6 of the conformance document also details information security requirements for the IT provider, in this case Accenture, which provides the NHSmail service to the NHS.
Amongst the requirements is that the email service “MUST support Domain Based Message Authentication and Reporting (DMARC) with supporting public Domain Name System (DNS) entries for Sender Policy Framework (SPF) set to quarantine with an agreed timeline to implement a blocking policy no later than 3 months after accreditation.”
In a somewhat ironic twist, Dan Jeffery, head of innovation, delivery and business operations at NHS Digital’s Data Security Centre, recently wrote a blog post detailing how NHS Digital was taking steps improve the security of NHSmail and improve user experience.
While not significant security issues in themselves, they may raise concerns around the misreporting of adherence to standards.
NHS Digital is responsible for both setting standards for NHSmail and assessing others, but is also responsible for assessing the compliance for systems that it procures and manages on behalf of the NHS.
The NHS source who exposed the discrepancy to Digital Health News said it demonstrated that the assessment process “was not working,” and suggested that external assessment and audit should be introduced to ensure that NHS Digital was not “marking its own homework.”
“These are assertions that can be publicly verified and raises doubts in relation to the internal elements of the service and security that cannot be verified publicly,” they added.
“The service is due to be re-accredited in January 2020, and whilst these issues may be resolved it does not alter the position that the service had not been compliant half of 2019.
“Whether this is deliberate or accidental, it is clear that the ongoing monitoring of accreditation is deficient.”
DKIM and DMARC standards are both recommendations of the National Cyber Security Centre (NCSC), detailed here.
Among the recommendations are that all organisations implement a DMARC policy of “reject” on all domains and “regularly conduct health checks and fix any problems which show up.”
NCSC also offers a Mail Check tool to help UK public sector organisation set up and maintain good anti-spoofing protocols.