Has O365 closed the NHS to data leaks?

When NHSMail went live with O365 in June, efficiency, collaboration and security were the positive messages. But do NHS staff and patients now truly have the comfort of safe communication? We see that organisations increasingly recognise that extra measures are needed to provide maximum protection from potentially damaging data leaks, but what about the NHS?

Against a landscape of sizeable potential secure communications issues, the team at NHS Digital rolled out a standard Microsoft Hybrid implementation of Office 365 (O365 E5) to the NHSMail platform in June 2020. The NHS now uses Office 365 as the basis for its email security, meaning that it relies fully on Office 365 products and features to prevent data leaks and comply with GDPR.

NHS Trusts and CCGs should be asking the question: can O365 fulfil a significant part of the email data protection requirements that have been formulated based on best practices?

According to our standards a secure email client should:

• allow staff to effectively prevent human errors before sending emails
• focus on the encryption of data in transit as well as at rest
• cover all bases when it comes to recipient authentication
• effectively limit and understand the impact of a potential data leak

We see that O365, standing alone, has considerable challenges in adequately fulfilling these requirements. Based on Microsoft's announced roadmap, it also becomes clear that most of these challenges will not disappear.

We’ve done a deep-dive into the seven gaps between NHS security requirements and the O365 offering, which you can download here.


Written by

Kate O'Neill

Originally published on March 4, 2021

Last update on May 19, 2021