NHS

Email was migrated from @nhs.net to @nhs.scot during 2021, at a cost of £2.5M as per FOI.

The question then needs to be asked, why don’t ALL other NHS domain names have DMARC records defined to effectively prohibit their use and thereby minimise their potential for fraud/misuse?

Key table:

| Key | DMARC (Anti-spoofing) | MTA-STS (Email privacy) |
|---|---|---|
| N/A | N/A doesn't apply to DMARC. For any domain defined, DMARC should also be defined irrespective of whether or not it is being used for email. | If no MX (Mail eXchange) records are defined then there is no requirement to define MTA-STS. |
| Red | Red signifies no DMARC record can be found either directly applying to or inherited by the domain. | Red signifies no MTA-STS record can be found. |
| Amber | Amber signifies a DMARC record exists but is suboptimal either because it has been inherited or because it has policy set to 'none' defined or both. | Amber signifies MTA-STS record has been defined but is not set to 'enforce' the policy. |
| Green | Green signifies a DMARC record has been defined which directly applies to the domain with a strong policy (i.e. does not contain a policy of 'none'). | Green signifies MTA-STS record is defined and set to 'enforce' the policy. |
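
The grading rules in the key can be written as a small classifier. This is an added example, not code from the original page; it runs over constructed records for example domains rather than live DNS, and the function names, the caller-supplied `org_domain` and the treatment of a missing `p` tag are assumptions. For MTA-STS the mode lives in the HTTPS-hosted policy file, so that file's body is passed in alongside the TXT records.

```python
# Added example: RAG grading per the page's key, over constructed records only.

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def find_dmarc(name, txt):
    """Return the parsed DMARC record published at _dmarc.<name>, or None."""
    for rec in txt.get("_dmarc." + name, []):
        if rec.strip().lower().startswith("v=dmarc1"):
            return parse_tags(rec)
    return None

def dmarc_rag(domain, org_domain, txt):
    """org_domain is supplied by the caller (assumption: no public-suffix lookup)."""
    direct = find_dmarc(domain, txt)
    inherited = find_dmarc(org_domain, txt) if org_domain != domain else None
    if direct is None and inherited is None:
        return "red"      # nothing published, directly or by inheritance
    # Assumption: a record with no p tag is graded the same as p=none.
    if direct is None or direct.get("p", "none").lower() == "none":
        return "amber"    # inherited, or policy of 'none'
    return "green"        # direct record whose policy is not 'none'

def mta_sts_rag(domain, has_mx, txt, policy_file):
    """policy_file: body of the HTTPS-hosted mta-sts.txt, or None if absent."""
    if not has_mx:
        return "n/a"      # no MX records, so MTA-STS is not required
    published = any(r.strip().lower().startswith("v=stsv1")
                    for r in txt.get("_mta-sts." + domain, []))
    if not published or policy_file is None:
        return "red"
    mode = ""
    for line in policy_file.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mode":
            mode = value.strip().lower()
    return "green" if mode == "enforce" else "amber"

# Constructed sample data (example domains, not taken from the tables).
TXT = {
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
    "_dmarc.example.net": ["v=DMARC1; p=none"],
    "_mta-sts.example.org": ["v=STSv1; id=20240101000000Z"],
}
POLICY = "version: STSv1\nmode: testing\nmx: mail.example.org\nmax_age: 86400\n"
```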

 

| Description | Domain | DMARC | MTA-STS |
|---|---|---|---|
| Old email domain for NHS Scotland | nhs.net | Green | Amber |
| New email domain for NHS Scotland | nhs.scot | Amber | Red |

 

It’s good that the email domain has been standardised across the Scottish NHS. This strong identity isn’t just for branding; it also enhances security, because people learn which domains to trust. The domain names for the 14 NHS Boards, however, are all over the place: one is xx.net, one xx.co.uk, some xx.scot.nhs.uk, some xx.com, some xx.scot and even a couple xx.org.

Not only have the individual boards failed to achieve any consistency of naming standards, but they have also failed to implement adequate DMARC protection for those domain names.

NHS Scotland has 14 regional NHS Boards

| NHS Board | Website | DMARC | MTA-STS |
|---|---|---|---|
| Ayrshire & Arran | https://nhsaaa.net | Red | N/A |
| Borders | https://www.nhsborders.scot.nhs.uk | Amber | N/A |
| Dumfries & Galloway | https://www.nhsdg.co.uk | Red | Red |
| Fife | https://www.nhsfife.org | Red | N/A |
| Forth Valley | https://nhsforthvalley.com | Red | N/A |
| Grampian | https://www.nhsgrampian.org | Red | Red |
| Greater Glasgow & Clyde | https://www.nhsggc.scot | Red | Red |
| Highland | https://www.nhshighland.scot.nhs.uk | Amber | Red |
| Lanarkshire | https://www.nhslanarkshire.scot.nhs.uk | Amber | Red |
| Lothian | https://www.nhslothian.scot | Red | Red |
| Orkney | https://www.ohb.scot.nhs.uk | Amber | Red |
| Shetland | https://www.nhsshetland.scot | Red | Red |
| Tayside | https://www.nhstayside.scot.nhs.uk | Amber | Red |
| Western Isles | https://www.wihb.scot.nhs.uk | Amber | Red |

NHS Scotland also has some Special NHS Boards

| NHS Board | Website | DMARC | MTA-STS |
|---|---|---|---|
| Public Health Scotland | https://publichealthscotland.scot | Green | Red |
| Healthcare Improvement Scotland | https://www.healthcareimprovementscotland.scot | Amber | Red |
| NHS Education for Scotland | https://www.nes.scot.nhs.uk | Amber | Red |
| NHS National Waiting Times Centre | https://www.nhsgoldenjubilee.co.uk | Red | N/A |
| NHS National Waiting Times Centre | https://www.nhscfsd.co.uk | Red | N/A |
| NHS 24 | https://www.nhs24.scot | Amber | Red |
| Scottish Ambulance Service | https://www.scottishambulance.com | Red | Red |
| The State Hospitals Board for Scotland | https://www.tsh.scot.nhs.uk | Amber | Red |
| NHS National Services Scotland | https://www.nss.nhs.scot | Amber | N/A |

Other domains significant to NHS Scotland

| Description | Domain | DMARC | MTA-STS |
|---|---|---|---|
| High profile NHS website | nhsinform.scot | Green | Red |
| Golden Jubilee National Hospital | gjnh.scot.nhs.uk | Amber | Red |
| NHS Research Scotland | nhsresearchscotland.org.uk | Red | Red |
| Health Scotland - now superseded by Public Health Scotland website | healthscotland.scot | Red | Red |
| Scottish National Blood Transfusion Service (SNBTS) | scotblood.co.uk | Red | Red |

 

| Description | Domain | DMARC | MTA-STS |
|---|---|---|---|
| Used on official headed paper printed letters from NHS Lanarkshire | nhslanarkshire.org.uk | Red | N/A |
| Re-directs to the primary website address | nhslanarkshire.scot | Red | N/A |
| Used for email addresses such as info@lanarkshire.scot.nhs.uk in printed leaflets | lanarkshire.scot.nhs.uk | Amber | Red |
| Appears to be the primary website address | nhslanarkshire.scot.nhs.uk | Amber | Red |

 

Other Government domains for comparison

| Description | Domain | DMARC | MTA-STS |
|---|---|---|---|
| Domain used for MPs' email addresses | parliament.uk | Amber | Red |
| Domain used for MSPs' email addresses | parliament.scot | Green | Green |
| Domain used for Government email addresses such as the Cabinet Secretary for Health and Social Care | gov.scot | Amber | Red |
| National Cyber Security Centre - yes, they do follow their own advice! | ncsc.gov.uk | Green | Green |

Hospice Care

| Description | Domain | DMARC | MTA-STS |
|---|---|---|---|
| Palliative Care Scotland | palliativecarescotland.org.uk | Red | Red |
| Accord Hospice, Paisley | accord.org.uk | Green | Red |
| Ardgowan Hospice, Greenock | ardhosp.co.uk | Red | Red |
| Ardgowan Hospice, Greenock | ardgowanhospice.org | Red | Red |
| Ardgowan Hospice, Greenock | ardgowanhospice.org.uk | Red | Red |
| Ayrshire Hospice, Ayr | ayrshirehospice.org | Red | Red |
| Bethesda Hospice, Stornoway | bethesdahospice.co.uk | Red | Red |
| Bethesda Hospice, Stornoway | hotmail.com | Amber | Green |
| Bethesda Hospice, Stornoway | nhs.net | Green | Amber |
| Highland Hospice, Inverness | highlandhospice.org.uk | Green | Red |
| Highland Hospice, Inverness | highlandhospice.org | Red | Red |
| Marie Curie Hospice, Edinburgh & Glasgow | mariecurie.org.uk | Amber | Red |
| St Andrew's Hospice, Airdrie | st-andrews-hospice.com | Amber | Red |
| St Columba's Hospice, Edinburgh | stcolumbashospice.org.uk | Amber | Red |
| St Margaret of Scotland Hospice, Clydebank | smh.org.uk | Amber | Red |
| St Vincent's Hospice, Johnstone | svh.co.uk | Red | Red |
| Strathcarron Hospice, Denny | strathcarronhospice.net | Red | Red |

 

Little wonder the NHS has been subjected to numerous data breaches given the obvious failings in IT governance.