End-to-end security architecture for the NHSX Covid Pass app

Between 2019 and 2022, NHSX was the UK government unit responsible for driving digital transformation across the NHS and social care. It created a national vision for ‘What Good Looks Like’ in a digital healthcare system and established a Unified Tech Fund to allocate capital funding of £2.1 billion. It supported more than 60 NHS Trusts to improve their digital maturity and transformed the flow of data across the health and social care system via the creation of NHS Datastore.

In 2020, NHSX faced an unprecedented challenge when the COVID pandemic changed the world as we know it. As the initial crisis averted, the priority was to enable UK citizens to emerge from lockdown and return to work and travel safely. Key to achieving this was the rapid, agile rollout of the NHSX Covid Pass app. Mason Advisory was engaged to manage and deliver vital end-to-end security architecture and assurance for this multi-award-winning app, which restored UK citizens’ ability to move freely.

Challenge

The Covid Pass app had to be one hundred percent accessible, reliable, and usable for millions of people. It had to work seamlessly on a global basis to support international travel. And it had to be secured against all conceivable cyber threats to protect the citizen data which the app accesses.

What’s more, development, rollout, and full integration with the wider NHS app had to happen as quickly as possible. NHSX deployed the finest technical and strategic expertise from across government, civil service, and suppliers to work on this critical task. Mason Advisory was selected to oversee and assure the crucial security architecture arm of the programme.

Solution

Over an eighteen-month period, Mason Advisory worked hand in hand with the NHSX team. We took full responsibility for security architecture capability, from design and governance to practical delivery. It was a critical role in the app’s development, rollout, and maintenance. From day one, we embedded a DevSecOps approach, ensuring a consistent, agile and pro-active approach to the work.

Initially, our team reviewed the system security design, risks, controls, and measures, incorporating identified actions and enhancements into a security management plan (SMP) to provide overarching guidance and principles for the programme. We then continuously ran the entire security architecture arm of the work. We supported and mentored delivery teams to ensure effective implementation and embed a DevSecOps mindset across the programme.

Since the Covid Pass app, by necessity, needed to access third party data with the user’s permission, NHSX needed to understand and mitigate any potential threats. We designed and led ongoing threat modelling activities, advising on risk analysis and mitigation in line with important frameworks including the NIST (National Institute for Standards and Technology) cybersecurity framework. We provided cybersecurity incident support and investigations, both internally and across the supply chain. This included defining incident management response processes, co-ordinating and leading the work, and successfully defending against high profile cybersecurity threats in a live environment.

We also carried out a thorough DevSecOps review in line with the DORA (DevOps Research and Assessment) framework, introducing improved and compliant procedures to support the path to live activity. We supported staff and suppliers to implement improvements, significantly reducing rework and improving stability as each iteration of the app was released.

All of this work took place against a backdrop of complex, constantly changing external conditions. Rapid weekly releases had to be delivered in the context of this macro landscape. We supported delivery teams to anticipate directives and decisions which might impact on the app’s parameters, devising agile solutions to comply with governmental directives as they happened.

Outcome

Mason Advisory is proud to have played a pivotal role in developing, delivering, and assuring an agile technology rollout with a crucial social and economic impact. Collectively, the work of everyone involved enabled the UK to emerge from lockdown and begin to safely work, live, and travel again.

By the end of 2021, 141 million Covid passes had been generated using the app. What’s more, the app’s release triggered a 700% increase in uptake of the wider NHS app, bringing the total number of NHS app users to 28 million by the end of 2022. So, the Covid Pass app played a game changing role in the digitisation of NHS records and services, supporting the government’s long-term plan for digital healthcare across the UK.

The speed and success of the rollout has seen the Covid Pass app win multiple awards, including the Civil Service Award for Excellence in Delivery and the UK IT Industry Award for Emerging Technology of the Year.

“We consider our involvement in the groundbreaking rollout of the Covid Pass app to be a privilege. This programme demonstrates the capacity of technology not just to transform how we work, but to safeguard our whole way of life. Over an eighteen-month period, Mason Advisory worked hand in hand with top talent from the UK government and technology supply chain to achieve a fully secured, accessible, usable app. It has supported our emergence from lockdown, but it has also made a significant contribution to the digitisation of our healthcare system. It is a collective achievement that we are immensely proud to have been part of.”

Martin Lunt, Managing Director, Public Sector, Mason Advisory