NHS

Background

Email migrated from @nhs.net to @nhs.scot in 2021 for £2.5M as per FOI.

The question then needs to be asked: why don’t ALL other NHS domain names have DMARC records defined to effectively prohibit their use and thereby minimise their potential for fraud/misuse?

Is there any concept of IT Governance within the NHS? Because there doesn’t appear to be. Remember, most data breaches start with an email; therefore, DMARC should be seen as the first line of defence.

Old email domain for NHS Scotland

New email domain for NHS Scotland

Corporate Governance

There are two domains I’m aware of relating to cybersecurity and governance for NHS Scotland.

This domain is described as Cyber Security and Technical Assurance.

One of their key responsibilities is described as:

• ‘Providing expertise on information governance, assurance and cyber security.’

This domain appears to be the overarching corporate governance framework for managing all risks related to the confidentiality, integrity, and availability of all types of written, spoken, and computer information.

It’s good that the email domain has been standardised across the Scottish NHS. This strong identity isn’t just for branding; it also enhances security by helping people identify which domains to trust. The domain names for the 14 NHS Boards are inconsistent. One being xx.net, one xx.co.uk, some xx.scot.nhs.uk, some xx.com, some xx.scot and even a couple xx.org

Not only have the individual boards failed to maintain consistent naming standards, but they have also failed to implement adequate DMARC protection for those domain names.

NHS Scotland has 14 regional NHS Boards

Ayrshire & Arran

Borders

Dumfries & Galloway

Fife

Forth Valley

Grampian

Greater Glasgow & Clyde

Highland

Lanarkshire

Lothian

Orkney

Shetland

Tayside

Western Isles

NHS Scotland also has some Special NHS Boards

Public Health Scotland

Healthcare Improvement Scotland

NHS Education for Scotland

NHS National Waiting Times Centre

NHS 24

Scottish Ambulance Service

The State Hospitals Board for Scotland

NHS National Services Scotland

Other domains significant to NHS Scotland

High profile NHS website

Golden Jubilee National Hospital

NHS Research Scotland

Health Scotland – now superseded by Public Health Scotland website

Scottish National Blood Transfusion Service (SNBTS)

Some NHS Lanarkshire examples

Used on official headed paper printed letters from NHS Lanarkshire

Re-directs to the primary website address

Used for email addresses such as info@lanarkshire.scot.nhs.uk in printed leaflets

Appears to be the primary website address

Other Government domains for comparison

Domain used for MP’s email addresses

Domain used for MSP’s email addresses

Domain used for Government email addresses such as the Cabinet Secretary for Health and Social Care

National Cyber Security Centre – yes, they do follow their own advice!

Hospice Care

Palliative Care Scotland

Accord Hospice

Ardgowan Hospice

Ayrshire Hospice

Bethesda Hospice

Highland Hospice

Kilbryde Hospice

Marie Curie Hospice

St Andrew’s Hospice

St Columba’s Hospice

St Margaret of Scotland Hospice

St Vincent’s Hospice

Strathcarron Hospice

Little wonder the NHS has been subjected to numerous data breaches given the obvious failings in IT governance.