Security
NHS Notify is part of NHS England and is built to meet the security needs of NHS organisations and the services that use it.
This means NHS Notify:
- submits a Data Security and Protection Toolkit (DSPT) self-assessment return and holds the status ‘Standards Met’
- is a General Data Protection Regulation (GDPR) compliant service
- aligns with the information security management system standard (ISO 27001:2022)
- uses the Cyber Assessment Framework (CAF), developed by the National Cyber Security Centre (NCSC)
- adheres to the National Data Guardian’s 10 data security standards
NHS Notify also has documented approaches to:
- network security
- security groups and policies
- secure development practices
- data protection
- patch management
- security monitoring and logging
- security configuration
- regulatory compliance
Network security
NHS Notify maintains network security by:
- configuring and managing virtual networks securely
- using firewalls, network security groups and other tools to control and monitor inbound and outbound traffic
- deploying into virtual private clouds (VPCs) so that services run in isolated, private network environments
- performing intrusion detection and prevention monitoring, working with the Cyber Security Operations Centre (CSOC), to identify and respond to potential threats
Security groups and policies
NHS Notify:
- defines and enforces security groups and policies
- restricts communication between components in the cloud environment to the connections each component needs
- regularly reviews and updates security group configurations
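One way to make the regular review of security group configurations repeatable is to run a check over the exported rules and flag anything that breaks the component-to-component pattern. The example below is added here to illustrate that review; it is not NHS Notify's code, and the page does not name a cloud provider, so it assumes rules in the layout returned by the AWS EC2 DescribeSecurityGroups API (IpPermissions, IpRanges, UserIdGroupPairs, and so on). The security groups it audits, including their IDs, are constructed sample data.

```python
"""Review security group rules for over-permissive entries.

Added example, not NHS Notify's code. Assumes the rule layout returned by
AWS EC2 DescribeSecurityGroups (an assumption: the page names no provider).
SAMPLE_GROUPS below is constructed sample data.
"""
from dataclasses import dataclass

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Ports a public-facing component is expected to expose to the internet.
DEFAULT_PUBLIC_PORTS = frozenset({443})


@dataclass(frozen=True)
class Finding:
    group_id: str
    direction: str  # "ingress" or "egress"
    reason: str


def _world_ranges(perm: dict) -> list:
    """CIDRs in this rule that mean 'anywhere on the internet'."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return v4 + v6


def _describe_ports(perm: dict) -> str:
    if perm.get("IpProtocol") == "-1":
        return "all protocols and ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def audit_security_group(group: dict, public_ports=DEFAULT_PUBLIC_PORTS) -> list:
    """Return findings for one group.

    Ingress scoped to another security group (UserIdGroupPairs) is the intended
    component-to-component pattern and is not flagged. Flagged are: ingress on
    all protocols, ingress from the internet on anything other than a single
    expected public port, and the default allow-all egress to the internet.
    """
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):  # ingress rules
        world = _world_ranges(perm)
        sources = world + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        if perm.get("IpProtocol") == "-1":
            findings.append(Finding(gid, "ingress",
                f"allows all protocols and ports from {', '.join(sources) or 'unspecified source'}"))
        elif world:
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if not (lo == hi and lo in public_ports):
                findings.append(Finding(gid, "ingress",
                    f"open to {', '.join(world)} on {_describe_ports(perm)}"))
    for perm in group.get("IpPermissionsEgress", []):  # egress rules
        # Unrestricted egress lets a compromised component reach anything, so the
        # default allow-all rule is flagged for replacement with specific destinations.
        if perm.get("IpProtocol") == "-1" and _world_ranges(perm):
            findings.append(Finding(gid, "egress", "unrestricted to the internet on all protocols and ports"))
    return findings


def audit_all(groups: list, public_ports=DEFAULT_PUBLIC_PORTS) -> list:
    return [f for g in groups for f in audit_security_group(g, public_ports)]


# Constructed sample data: a public web tier and a database tier.
SAMPLE_GROUPS = [
    {   # web tier: 443 from anywhere is expected, SSH from anywhere is not
        "GroupId": "sg-web-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {   # database tier: only the app tier's group may connect, but egress is still allow-all
        "GroupId": "sg-db-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_GROUPS):
        print(f"{f.group_id} {f.direction}: {f.reason}")
```

Run against the sample data, the check reports the SSH rule open to the internet on the web tier and the allow-all egress on the database tier, while the 443 rule and the rule scoped to the application tier's group pass. The expected public ports are a parameter so the same check can be applied to components with different exposure requirements.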
Secure development practices
NHS Notify develops its service securely by:
- following secure coding practices for applications
- conducting regular security assessments, code reviews, and testing
- implementing continuous integration and continuous deployment (CI/CD) security controls within the pipeline
Data protection
NHS Notify protects data by:
- encrypting sensitive data, both in transit and at rest
- using encryption mechanisms provided by cloud service providers
- managing and controlling access to encryption keys
- performing regular data backups and storing them securely
Patch management
NHS Notify:
- regularly updates and patches software and systems, and uses serverless technology, which reduces the amount of infrastructure it has to patch itself
- uses a systematic process for testing and applying patches
- monitors vendor security advisories so that patches are applied promptly
Security monitoring and logging
NHS Notify monitors and logs security events by:
- implementing continuous monitoring for suspicious activity
- observing the health and behaviour of its resources and applications
- maintaining logs for auditing, analysis and forensic purposes
Security configuration
NHS Notify:
- applies system hardening
- ensures that systems and devices are securely configured
- disables unnecessary services and features
- regularly audits and updates configurations to align with security best practices
Regulatory compliance
NHS Notify stays compliant with relevant data protection and cybersecurity regulations by:
- staying informed about changes to those regulations
- conducting regular audits
- carrying out penetration testing to check that compliance requirements are being met