NHSmail is said to be the “national secure collaboration service for health and social care in England and Scotland”. However, as NHS Digital notes in a new blog, the service is about more than just email - the system manages the identities of all users within the Microsoft Active Directory in the NHS and allows local admins to manage accounts within the NHSmail portal.
However, because NHS organisations manage identities locally, including the management of onboarding and off-boarding employees, complexity is inherent and back offices across the NHS have been put under significant strain.
As a result, NHS Digital is thinking about how it can improve the security, identity verification and user experience of one of the NHS’s key tools, without ‘reinventing the wheel’.
Dan Jeffery, head of innovation, delivery and business operations at NHS Digital, has outlined the progress made over the past year and the organisation’s plans for the future.
Jeffery explains that there are more than 13,000 health and social care organisations in England and Scotland using NHSmail and 64,000 movements of user accounts every month. He states that the “burden is real and the security implications relating to identity are acute”.
In fact, a recent Freedom of Information request revealed that the NHSmail system blocked a total of 11.35 million email attacks between its 2016-2019 financial years.
Plans in the pipeline
Jeffery outlined three improvements that will be made to NHSmail, which focus on workflows and integration with local processes. These are:
A new Joiners, Movers, Leavers (JML) product will integrate with the Electronic Staff Record, NHSmail, and local directory services. It will automate the movement of user accounts between NHSmail organisations, the synchronisation of attributes and the commissioning and decommissioning of local identities in the active directories. NHS Digital estimates that this process will save around 40,000 hours a year, leading to millions of pounds’ worth of efficiency savings.
A password synchronisation micro-service will allow users to synchronise their password from the NHS Directory to their local Active Directory services and vice versa. NHS Digital claims that this will also improve user experience by delivering a same sign-on experience regardless of whether users authenticate for services against the NHS Directory or local Active Directory services. It is thought that because the number of passwords users need to manage will be reduced, this will also improve cyber security.
Behavioural and transactional analysis will also be used to identify patterns in user behaviour and associated digital transactions to help pinpoint anomalous events. For instance, if a user attempts to authenticate to a service from an unusual location or at an odd time, the service can block authorisation in case the account has been compromised.
These new services build on a number of other improvements to NHSmail that NHS Digital has been working on, including:
Single sign-on for third party applications, which allows digital services to use the NHS Directory as a trusted identity provider. This allows users to access services with their existing NHSmail account.
Multi-factor authentication (MFA) for when users sign in. NHS Digital believes that by adding the extra layer of identity security, the likelihood of intruders getting access is reduced. This capability is already live across thousands of users.
The use of “intelligent enterprise password management and reset”. A new micro-service was launched to dynamically identify and block the use of common and compromised passwords using ‘global intelligence’. NHS Digital said that it currently stops around 100,000 weak passwords from being registered against NHSmail.
Jeffery concludes by saying:
“These enhancements are complemented by continued filtering and monitoring of spam and malicious activity at the NHSmail gateway. On average, we stop about 500 million malicious events every three months.
“There is still a lot more we can do to improve user experience and data security on the NHS’s communications systems. As part of our work to support the NHS Cyber Programme and deliver NHSX’s Tech Vision and Long-Term Plan, we will continue to work to improve cyber preparedness and capability while relieving pressure on local teams.”
NHS Digital’s NHSmail plans follow the announcement from the Department of Health and Social Care that £40 million of funding has been made available to reduce login times for NHS staff.