Security

NHS Notify is part of NHS England and is built for the security needs of its organisations and services.

This means NHS Notify:

• uses the Data Security and Protection Toolkit (DSPT) self-assessment return and holds the status ‘Standards Met’
• is a General Data Protection Regulation (GDPR) compliant service
• aligns to the information security management system standard (ISO 27001:2022)
• uses the Cyber Assessment Framework (CAF), developed by the National Cyber Security Centre (NCSC)
• adheres to the 10 National Data Guardian’s data security standards

NHS Notify also has approaches for:

• network security
• security groups and policies
• secure development practices
• data protection
• patch management
• security monitoring and logging
• security configuration
• regulatory compliance

Network security

NHS Notify maintains network security by:

• configuring and managing virtual networks securely
• using firewalls, network security groups and other tools to control and monitor inbound and outbound traffic
• implementing virtual private clouds (VPCs) for private network environments
• performing intrusion detection and prevention monitoring to identify and respond to potential threats via the Cyber Security Operations Centre (CSOC)

Security groups and policies

NHS Notify:

• defines and enforces security groups and policies
• restricts communications between different components in the cloud environment
• regularly reviews and updates security group configurations

Secure development practices

NHS Notify develops its service securely by:

• following secure coding practices for applications
• conducting regular security assessments, code reviews, and testing
• implementing continuous integration and continuous deployment (CI/CD) security controls within the pipeline

Data protection

NHS Notify protects data by:

• encrypting sensitive data, both in transit and at rest
• using encryption mechanisms provided by cloud service providers
• managing and controlling encryption keys
• performing regular data backups and storing it securely

Patch management

NHS Notify:

• regularly updates and patches software, systems and makes use of server-less technology
• uses a systematic process for testing and applying patches
• monitors vendor security advisories for timely updates

Security monitoring and logging

NHS Notify monitors and logs its security by:

• implementing continuous monitoring for suspicious activities
• observing and monitoring resources and applications
• maintaining logs for auditing, analysis and forensic purposes

Security configuration

NHS Notify:

• applies system hardening
• ensures that systems and devices are securely configured
• disables unnecessary services and features
• regularly audits and updates configurations to align with security best practices

Regulatory compliance

NHS Notify stays compliant with relevant data protection and cybersecurity regulations by:

• staying informed
• conducting regular audits
• carrying out penetration testing to check for adherence to compliance requirements