NHS
Email was migrated from @nhs.net to @nhs.scot during 2021 at a cost of £2.5M, as per FOI.
The question then needs to be asked: why don’t ALL other NHS domain names have DMARC records defined to effectively prohibit their use and thereby minimise their potential for fraud/misuse?
Key table:
Key | DMARC (Anti-spoofing) | MTA-STS (Email privacy) |
---|---|---|
N/A | N/A doesn't apply to DMARC. For any domain defined, DMARC should also be defined irrespective of whether or not it is being used for email. | If no MX (Mail eXchange) records are defined then there is no requirement to define MTA-STS. |
Red | Red signifies no DMARC record can be found either directly applying to or inherited by the domain. | Red signifies no MTA-STS record can be found. |
Amber | Amber signifies a DMARC record exists but is suboptimal, either because it has been inherited or because it has a policy of 'none' defined, or both. | Amber signifies MTA-STS record has been defined but is not set to 'enforce' the policy. |
Green | Green signifies a DMARC record has been defined which directly applies to the domain with a strong policy (i.e. does not contain a policy of 'none'). | Green signifies MTA-STS record is defined and set to 'enforce' the policy. |
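
The key's colour rules written out as a classifier; this is an added example, not the checker used to produce this page. It assumes the TXT records and the MTA-STS policy file have already been fetched, that the caller supplies the organisational domain, and that "inherited" means the record was found there rather than on the domain itself; all sample values are constructed.

```python
# Added example: rate a domain the way the key above describes.
# Inputs are record strings already fetched; nothing here queries DNS.

SAMPLE_TXT = {  # constructed records under reserved example domains
    "_dmarc.example.org": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.org"],
    "_dmarc.strict.example.org": ["v=DMARC1; p=quarantine"],
    "_dmarc.example.net": ["v=DMARC1; p=none"],
}

def parse_tags(record):
    """Split 'v=DMARC1; p=reject' style text into a dict keyed by tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_rating(domain, org_domain, txt):
    """txt maps DNS names to lists of TXT strings. org_domain is supplied by
    the caller (assumption: real tools derive it from the Public Suffix List)."""
    for name, inherited in ((domain, False), (org_domain, True)):
        if inherited and name == domain:
            continue
        records = [r for r in txt.get("_dmarc." + name, [])
                   if parse_tags(r).get("v") == "DMARC1"]
        if len(records) != 1:      # none, or ambiguous duplicates: keep looking
            continue
        tags = parse_tags(records[0])
        policy = tags.get("p", "none").lower()   # assumption: missing p= rated as none
        if inherited:              # subdomains take sp= when present, else p=
            policy = tags.get("sp", policy).lower()
        return "amber" if inherited or policy == "none" else "green"
    return "red"

def mta_sts_rating(has_mx, txt_records, policy_text):
    """txt_records: TXT strings at _mta-sts.<domain>; policy_text: body of
    https://mta-sts.<domain>/.well-known/mta-sts.txt, or None if unavailable."""
    if not has_mx:
        return "n/a"
    if not any(parse_tags(r).get("v") == "STSv1" for r in txt_records):
        return "red"
    mode = None                    # RFC 8461 puts the mode in the policy file
    for line in (policy_text or "").splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mode":
            mode = value.strip().lower()
    return "green" if mode == "enforce" else "amber"
```
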
Description | Domain | Email Security | DMARC | MTA-STS |
---|---|---|---|---|
Old email domain for NHS Scotland | nhs.net | |||
New email domain for NHS Scotland | nhs.scot |
It’s good that the email domain has been standardised across the Scottish NHS. This strong identity isn’t just for branding; it also enhances security, because people learn which domains to trust. The domain names for the 14 NHS Boards, however, are all over the place: one is xx.net, one xx.co.uk, some xx.scot.nhs.uk, some xx.com, some xx.scot and even a couple xx.org.
Not only have the individual boards failed to achieve any consistency of naming standards, but they have also failed to implement adequate DMARC protection for those domain names.
NHS Scotland has 14 regional NHS Boards
NHS Board | Website | Email Security | DMARC | MTA-STS |
---|---|---|---|---|
Ayrshire & Arran | https://nhsaaa.net | N/A | ||
Borders | https://www.nhsborders.scot.nhs.uk | N/A | ||
Dumfries & Galloway | https://www.nhsdg.co.uk | |||
Fife | https://www.nhsfife.org | N/A | ||
Forth Valley | https://nhsforthvalley.com | N/A | ||
Grampian | https://www.nhsgrampian.org | |||
Greater Glasgow & Clyde | https://www.nhsggc.scot | |||
Highland | https://www.nhshighland.scot.nhs.uk | |||
Lanarkshire | https://www.nhslanarkshire.scot.nhs.uk | |||
Lothian | https://www.nhslothian.scot | |||
Orkney | https://www.ohb.scot.nhs.uk | |||
Shetland | https://www.nhsshetland.scot | |||
Tayside | https://www.nhstayside.scot.nhs.uk | |||
Western Isles | https://www.wihb.scot.nhs.uk |
NHS Scotland also has some Special NHS Boards
NHS Board | Website | Email Security | DMARC | MTA-STS |
---|---|---|---|---|
Public Health Scotland | https://publichealthscotland.scot | |||
Healthcare Improvement Scotland | https://www.healthcareimprovementscotland.scot | |||
NHS Education for Scotland | https://www.nes.scot.nhs.uk | |||
NHS National Waiting Times Centre | https://www.nhsgoldenjubilee.co.uk https://www.nhscfsd.co.uk | N/A N/A | ||
NHS 24 | https://www.nhs24.scot | |||
Scottish Ambulance Service | https://www.scottishambulance.com | |||
The State Hospitals Board for Scotland | https://www.tsh.scot.nhs.uk | |||
NHS National Services Scotland | https://www.nss.nhs.scot | N/A |
Other domains significant to NHS Scotland
Other Government domains for comparison
Hospice Care
Little wonder the NHS has been subjected to numerous data breaches given the obvious failings in IT governance.