Welcome to the NHSmail LA webinar • The webinar will begin at 11am. • Please synchronise your web and phone presence by

inputting your Attendee ID into the phone. • Participant lines will be muted during the presentation. • The webinar will be recorded. • You can use the chat messaging feature on the right

of the screen to ask questions. Please only use this for questions, not general comments.

1

NHSmail Local Administrator webinar Wednesday 28 June 2017 at 11am

Tom Blackmore – Accenture Kieran Brough and Mike Fisher – NHS Digital

Agenda • Service status • Other service updates

– Removal of inactive accounts and the data retention policy – Auto-forward from NHSmail accounts to nhs.uk accounts – DMARC update – Mailbox size and deleted items

• NHSmail Portal • Skype for Business • Skype for Business federation update • NHSmail Relay Service and Mail Hygiene

3

Service status

Update on NHSmail service 4

Service status • Service across the NHSmail platform has remained stable and there have been no

high-severity incidents reported during June 2017 to date. • The quality of the national NHSmail helpdesk remains a key area of focus, although

results remain consistently high and within expectations in line with the quality marking calibration exercise with NHS Digital.

• The team are working through a programme of continuous service improvement and will be focussing on areas where we can increase the usage of existing NHSmail self-service functions by end-users. We are also reviewing new functionality options that could also be of benefit from a service perspective.

• Dates for the NHSmail Business Continuity and Disaster Recovery test that was postponed in May are being reviewed but anticipate the rescheduled dates to be during September 2017. We will communicate the exact dates when they are finalised.

5

Other service updates

6

Removal of inactive accounts • The NHSmail data retention policy will be firmly

adhered to from September 2017 and daily updates will be made to remove inactive accounts.

• In the interim, we will be conducting a clean up exercise of inactive accounts and expect this to happen in the next few weeks. We will notify LAs in advance and further information will follow.

7

Auto-forwards to nhs.uk accounts • NHS.uk accounts are not considered secure therefore

auto-forwards cannot be set up from NHSmail accounts to NHS.uk accounts.

• Individual emails can be manually forwarded if required, as long as there is no sensitive data contained within the email.

• We are updating the NHSmail sharing sensitive information guide to reflect this.

8

DMARC update • DMARC is used to instruct external email services and NHSmail how to

handle mail identified as coming from spoofed NHSmail addresses. • Currently DMARC instructs organisations that if email is identified as being

spoofed from NHSmail it should be treated as junk, • It is expected that by the end of this year, the policy will change to:

– Instruct third party organisations to block any failing messages from nhs.net – Block incoming messages from the internet that are identified as being spoofed – For incoming messages from N3 / HSCN, place them in users’ junk email folders

• There are items of Portal functionality due for delivery towards the end of 2017 that will support organisations which need to send email from external services as if from NHSmail (i.e. spoofed). Another update is expected in September 2017.

9

Mailbox size and deleted items • For mailboxes with a standard size of 4GB, there is also

recoverable items quota (called the dumpster) of 4GB. The deleted items in the dumpster are retained for 180 days in line with the NHSmail Data Retention Policy.

• For accounts that are sending a large number of emails (such as the use of applications), there may be an issue whereby mail cannot be sent as the dumpster is over the 4GB quota.

• The NHSmail team is working to resolve this, but if this issue arises for any of your users, you will need to purchase a larger mailbox via Accenture from the additional services catalogue.

10

NHSmail Portal

Portal defect fixes, new features and upcoming developments 11

Portal update Subject to testing, Accenture have informed us that the next portal release date is now scheduled for 30 June 2017 • Includes the 43 bugs and PBIs Continued development in June has seen the below complete but not yet released: • Prevent CSV duplication email / not receiving emails (Bug) • Bulk management of contacts • Add all Admin roles to Org Admin Report • Update Skype Banner on Home Page • Resource mailboxes (create, list etc.) • LA report show all LAs, not just those from my org (Bug) • Add ODS to duplicate report

12

Portal update All Admin Roles in my report

13

Portal update Bulk action on contacts

14

Portal update Items to be worked on shortly • Bulk import to static DL • Navigate directory hierarchy • eDiscovery of 180 days email • Outlook Anywhere restriction by org • Organisation mobile device policies • Application account

15

Questions?

16

Skype for Business

17

Skype for Business IM&P • Instant Messaging and Presence (IM&P) has been fully

deployed since February 2017. • Usage of the service has steadily increased but we are

keen to continue up-take. • To make use of the free Skype for Business offering users

require an install of software locally - be that on their desktop / laptop / mobile or tablet.

• For those who have not progressed the service we have prepared a number of documents to help with the configuration

18

Skype for Business IM&P • Over the coming weeks there will be a series of initiatives

to promote awareness and usage of the platform. • We are planning communications to users about the Skype

for Business service. • In preparation for this LAs should be aware that they may

be taking additional requests from users asking for the deployment of software.

• We will also be publishing further communications support materials shortly.

19

Skype for Business IM&P • A number of organisations are already using the facilities • We are eager to know how it is being used and are looking

to build a repository of use cases • We will be contacting some of those organisation who we

know are making extensive use of the system to look to see if there are some lessons to be learnt for all.

• Your support in this would be greatly appreciated and if you wish contribute, please contact feedback@nhs.net

20

Skype for Business – Audio & Video • Usage of the audio and video services continues to

increase. • The additional top up service is available on the

catalogue • Those organisations looking to these services should

contact nhsmail.development@accenture.com

21

Skype for Business federation

22

Skype for Business federation • The NHSmail Skype for Business offering will enable

interoperability with other third party Skype for Business deployments who meet the minimum security requirements (IG Toolkit / PSN Code of Connection / secure email standard or equivalent.)

• Organisations using consumer Skype or using non-Skype products are out of scope for this project.

• Organisations who do not meet the above security requirements are also out of scope for this project.

23

Federation Approach & Availability

• Skype for Business Federation Service will conduct a small-scaled “first of type” approach for other Skype for Business federated instances with- – NHS England – Leeds City Council

• This approach will focus on identifying potential use cases, benefits and learning to inform the approach to on-boarding/off-boarding/revalidation, technical capabilities and limitations, communications and how local organisations intend to use the tools.

• The “first of type” activities will start and run throughout July 2017 and we

anticipate availability of federation for organisations later in the summer.

24

Questions?

25

NHSmail and Relay Service Mail Hygiene

26

Areas we’ll cover • NHSmail and WannaCry • High level mail hygiene service overview • NHSmail and the Relay Service

– Improvements we’ve recently implemented and in the process of – Spoofed email – Macro enabled viruses – Whitelisting – Compromised accounts – Reporting spam

27

NHSmail and WannaCry • NHSmail was not compromised • NHSmail did not propagate the malware into the NHS;

no files associated with WannaCry passed through the NHSmail defences.

• Active checking of the mailboxes failed to discover any incidences of the malware or its variants

• All core servers are patched in line with Microsoft’s guidance

• Service protecting firewalls configured in line with guidance from security colleagues

28

Service Components

29

> 1 Billion message per month from the internet

Blocks > 800 million spam or virus infected messages

Delivers 200 million messages

NHSmail and locally deployed scanning services

Deep analysis on 250,000 suspicious files

Internet hosted cloud filter

On premise Scan

Advanced persistent threat scan

Implemented Improvements • In the last few months the following enhancements have been

made: – Bulk submission and reporting tool between Accenture and Mail Hygiene

component provider to provide very rapid analysis of false positives – Real time checking against malicious email senders – Blocking spoofed iCloud accounts – Real time alerting of zero day exploits from other Mail Hygiene

component provider customer base.

30

Forthcoming developments • The mail hygiene components are the most actively tuned/

updated components of the service. Shortly we will be: – Deploying additional version updates (just completing testing and

scheduled for deployment). – Adding additional advanced persistent threat detection capabilities – For NHSmail users continuing to improve the phishing/malware removal

process.

• We will also be adding statistics to the reporting so the performance of the service can be seen (by September 2017).

31

Spoofing or Forged Email • Pretending to send an email from a specific system • Actively exploited functionality (for good reasons and bad reasons) • Used typically in phishing scams • Per month the service processes

– 1 million spoofed emails from the Internet – 3 million spoofed emails from N3

• For NHSmail – We send email digitally signed with domain keys identified email – We advertise to other email systems which IP addresses NHSmail sends from

(Sender Policy Framework) and advise them to put spoofed email in junk mail folders (Domain Message Authentication Reporting and Conformance)

– We insert a warning into spoofed messages received

32

Spoofing of Forged Email – Next Steps • For NHSmail

– Deliver all spoofed email to junk mail folders [date to be agreed] – Enable a process to request application access over the Internet – Then set the policy to reject all spoofed email from the Internet – Update our policy to advise all Internet hosted mail servers to reject spoofed

messages – Consider what to do with spoofed email on SWAN/HSCN

• For locally run email services – You are able to set your own policy based on your preferred approach to spoofing

33

Macro Enabled Viruses • Summer 2016 we were forced to block docm files as it became a

malicious attack vector where attachments could execute harmful payloads in protected mode. At its height the service went from processing a few hundred files a day to over half a million malicious docm files that the service blocked.

• Other types of macro enabled office files continue to be used as an attack vector but currently can only execute in protected mode.

• In May 2017, we implemented a change that now blocks email from a wider range of known malicious mail servers

• The new advanced persistent threat capability is able to better detect ‘dial back’ or ‘dropper’ functionality in macros

• We have requested a new feature from our Mail Hygiene component provider to block macro files that attempt to connect to the Internet

34

Whitelisting • Whitelisting is not supported:

– email addresses can easily be forged – IP addresses to a lesser degree – A compromise to a whitelisted system would leave the service totally vulnerable

• Where there is a false positive (item marked as spam) this should be reported to the helpdesk for analysis by Mail Hygiene component provider to ascertain why. The helpdesk should then offer either advice on message formatting (typically non RFC compliant messages get marked as spam) or provide updated signatures to the service.

35

Compromised NHSmail Accounts • Compromised accounts can be a source of phishing

emails. • To help minimise the risk of compromised accounts we will

add multi factor authentication to the portal – Mandatory for all with administrator access – Optional for all other users with local ability to enforce at a per

user level – Will utilise google authenticator

• We are also bringing in controls to allow organisations to locally decide which networks and protocols users can access e.g. only allow Outlook on SWAN.

36

Reporting Spam/Phishing • Via spamreports@nhs.net • Almost all reports sent in are wrongly reported -

solicited email • Accenture review and directly upload to the mail

hygiene provider for analysis • Format message is required in limits effective analysis/

submission • Investigating a report phishing button for Outlook and

OWA to simplify reporting.

37

Questions?

38

www.digital.nhs.uk @nhsdigital enquiries@nhsdigital.nhs.uk 0300 303 5678