Security

NHS Notify is part of NHS England and is built for the security needs of its organisations and services.

This means NHS Notify:

  • uses the Data Security and Protection Toolkit (DSPT) self-assessment return and holds the status ‘Standards Met’
  • is a General Data Protection Regulation (GDPR) compliant service
  • aligns to the information security management system standard (ISO 27001:2022)
  • uses the Cyber Assessment Framework (CAF), developed by the National Cyber Security Centre (NCSC)
  • adheres to the National Data Guardian’s 10 data security standards

NHS Notify also has approaches for the following areas:

Network security

NHS Notify maintains network security by:

  • configuring and managing virtual networks securely
  • using firewalls, network security groups and other tools to control and monitor inbound and outbound traffic
  • implementing virtual private clouds (VPCs) for private network environments
  • performing intrusion detection and prevention monitoring through the Cyber Security Operations Centre (CSOC) to identify and respond to potential threats

Security groups and policies

NHS Notify:

  • defines and enforces security groups and policies
  • restricts communications between different components in the cloud environment
  • regularly reviews and updates security group configurations

Secure development practices

NHS Notify develops its service securely by:

  • following secure coding practices for applications
  • conducting regular security assessments, code reviews, and testing
  • implementing continuous integration and continuous deployment (CI/CD) security controls within the pipeline

Data protection

NHS Notify protects data by:

  • encrypting sensitive data, both in transit and at rest
  • using encryption mechanisms provided by cloud service providers
  • managing and controlling encryption keys
  • performing regular data backups and storing them securely

Patch management

NHS Notify:

  • regularly updates and patches software and systems, and makes use of serverless technology
  • uses a systematic process for testing and applying patches
  • monitors vendor security advisories for timely updates

Security monitoring and logging

NHS Notify monitors and logs security events by:

  • implementing continuous monitoring for suspicious activities
  • observing and monitoring resources and applications
  • maintaining logs for auditing, analysis and forensic purposes

Security configuration

NHS Notify:

  • applies system hardening
  • ensures that systems and devices are securely configured
  • disables unnecessary services and features
  • regularly audits and updates configurations to align with security best practices

Regulatory compliance

NHS Notify stays compliant with relevant data protection and cybersecurity regulations by:

  • staying informed
  • conducting regular audits
  • carrying out penetration testing to check for adherence to compliance requirements