RiskTree purple logo

NHS Test & Trace

Supporting the Test & Trace Programme

2T Security Objective:

To manage cyber security to enable the Test and Trace programme to build and scale its services at a pace never seen within the Public Sector, in support of the national emergency, caused by COVID-19. The scope of work encompassed consideration of all aspects of the COVID-19 programme including: logistics with test kits and samples, collection of results, contact tracing, whole population data analytics, international travel, support payments, policy to process design, test and vaccination status. New systems were required, and existing ones needed to be scaled to deal with a 1000-fold data volume increase.

2T Security Outcome:

  • No reported security issues for any Test and Trace systems.
  • Secured the delivery of 85 systems alongside a build up from 0 to 55,000 staff within 6 months.
  • Avoided the stealth-creation of a National Identity Register whilst digitally collecting data about most of the population of the UK.
  • 2T Security stepped in to resolve security concerns which enabled the rest of the organisation to focus on its urgent objectives.

“The work 2T Security did for me was remarkable. We delivered 85 systems to 55,000 staff. It was an incredible thing, and they were right at the core of it.”

A secure digitally focused organisation

NHS Test & Trace was a ground-breaking project for its speed and complexity. It necessitated collaborative working within the NHS and across external suppliers in a manner never witnessed before and at a time that the UK was locked down. The Test and Trace programme touched systems across most of the NHS estate, and many other Government departments. These systems informed the Prime Minister’s daily Covid briefings, informed the various “lockdowns”, and subsequent easing of restrictions.

The Test and Trace programme rapidly evolved to meet the unprecedented demands caused by the Covid-19 pandemic. Systems that would normally take months to develop and deploy were being stood-up within a week, with normal controls that delay deployment being bypassed. 2T Security had to keep up with all running projects to ensure that important security controls were deployed, without negatively impacting the timescales.

2T Security is a long-term trusted advisor to various government departments, and viewed as a safe pair of hands. 2T Security were entrusted with the security for the Test and Trace programme because of our robust reputation and delivery.

Services provided by 2T Security include:

  • Security architecture – rapidly scaling an exceptionally experienced team of security architects to work at one with the Test and Trace projects to enable consistent security across the whole programme.
  • Risk assessment – Using expert security risk practitioners, identify and quantify the security risks of the Test and Trace systems, using the RiskTree tool and security architecture services for Test & Trace. 
  • Counter Fraud – using existing experience of work on value-bearing transactional systems, identify fraud opportunities introduced through policy, process or technical implementation and support the mitigation of the fraud opportunities identified.
  • Application Security – supporting the development of the phone contact tracking app including anonymisation requirements and positive case management.
  • Cloud Security Engineering – designing and overseeing implementation of the security for the new cloud-hosted platform for organization collaboration tooling, and hosting of all the critical business services.
  • Security testing – managing security testing for all existing, changed and new systems, including limited technical testing and management of pen testing suppliers. Interpretation of technical vulnerabilities and supporting the projects to remedy critical issues.
  • Security Culture – establishing a new capability for the organisation to promote user security awareness training, including supplier staff engagement/training, Citizen risky behaviours, Intranet Site and Policy Publication, Phishing programs, Exec/Board Education and Skills assessment.
  • Security operations and incident handling – supporting the build of a new Security Operations Centre through the development of processes required to enable the business to manage security incidents, provide education to business on how to carry our incident handling processes. Development of business requirements to enable engagement with incident response service providers. Test end to end incident handling processes.
More Case Studies