Safety & Security

We are committed to continually improving and efficiently scaling what we do. These external validations give our clients confidence.

For any healthcare organisation evaluating a new digital health solution, security and clinical safety are not secondary considerations - they are the starting point. Data breaches in healthcare carry consequences that extend far beyond financial penalties: compromised patient safety, eroded clinical trust, and harm to vulnerable individuals. OX.DH was designed from the outset with this responsibility at its core.

Our cloud-native architecture, built entirely on Microsoft Azure, means that security is not bolted on as an afterthought - it is inherent to the infrastructure our solutions run on. Microsoft invests billions of dollars annually in the security of its cloud platform, and as a Microsoft partner, OX.DH and our clients benefit directly from that investment. Every solution we deliver is secure by design and secure by default.

Information Security: ISO 27001 Certified

OX.DH holds ISO 27001 certification - the internationally recognised gold standard for information security management. Awarded by the independent British Assessment Bureau, this certification confirms that OX.DH has provably implemented information security best practice across every aspect of the organisation, including:

  • Confidentiality clauses and data handling agreements across all partnerships and supply chain relationships
  • Mandatory and rigorous information governance training for all staff
  • End-to-end encryption of data in transit and at rest
  • Comprehensive data protection policies aligned with UK GDPR
  • Formal disaster recovery and business continuity planning
  • Regular internal and external security audits

ISO Certificate Registration Number: 238966

ICO Registration Number: ZA775523

Cyber Security: Cyber Essentials Plus

OX.DH consistently exceeds the requirements for Cyber Essentials Plus certification and meets the National Data Guardian's 10 Security Standards as part of the Data Security and Protection Toolkit. These assurances have been independently verified by NHS England as part of OX.DH's onboarding onto the NHS Digital DFOCVC Framework.

Our Security Operations Centre (SOC) uses Microsoft Sentinel for continuous perimeter monitoring. Sentinel is configured to detect and automatically respond to unusual activity in real time - for example, if a user account authenticates from the UK and then attempts a login from a different country within minutes, Sentinel will automatically suspend that account and require escalation before access is restored. This kind of intelligent, automated threat response is built into the foundation of every OX.DH deployment.

Beyond perimeter protection, our security posture includes:

  • Data exfiltration monitoring - automatically blocking or alerting on unauthorised data transfers
  • Impossible login detection - policy-based controls that identify and act on anomalous authentication patterns
  • Customisable security configurations - tailored to meet the specific requirements of each client organisation
  • Single sign-on via NHS.net AAD - eliminating separate credential management and reducing the risk of credential-based attacks
  • Role-based access control - ensuring clinicians and administrators only access the data and functions relevant to their role
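
The "impossible login" scenario described above (a UK sign-in followed minutes later by an attempt from another country, with the account suspended pending escalation) can be expressed as a small detection routine. The following is an added illustration, not OX.DH's code or its Sentinel configuration: it runs a per-account, time-ordered comparison over a constructed sample sign-in log. The CSV layout, the placeholder users and documentation-range IPs, and the 30-minute window are all assumptions made for this example.

```python
# Added example (not OX.DH's own code or Sentinel configuration): a minimal
# "impossible travel" detector of the kind the page describes, run over a few
# constructed sign-in records. Field layout, user names, IPs and the default
# 30-minute window are assumptions made for this illustration.
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed sample sign-in log (CSV): timestamp, user, country, source IP, result.
# IPs come from the RFC 5737 documentation ranges; the users are placeholders.
SAMPLE_SIGNIN_LOG = """\
timestamp,user,country,ip,result
2025-07-01T09:00:12Z,alice@example.org,GB,203.0.113.10,Success
2025-07-01T09:05:40Z,bob@example.org,GB,203.0.113.22,Success
2025-07-01T09:14:03Z,alice@example.org,US,198.51.100.7,Failure
2025-07-01T09:20:55Z,bob@example.org,GB,203.0.113.22,Success
2025-07-01T14:30:00Z,bob@example.org,DE,198.51.100.40,Success
2025-07-01T14:31:10Z,carol@example.org,GB,203.0.113.31,Success
"""


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    country: str
    ip: str
    result: str


@dataclass(frozen=True)
class Alert:
    user: str
    first_country: str
    second_country: str
    gap: timedelta
    second_ip: str
    second_result: str


def parse_signins(text: str) -> List[SignIn]:
    """Parse the CSV log into SignIn records with UTC timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        events.append(SignIn(when, row["user"], row["country"], row["ip"], row["result"]))
    return events


def detect_impossible_travel(events: List[SignIn], window_minutes: int = 30) -> List[Alert]:
    """Flag an account whose consecutive sign-in attempts (successful or not)
    come from different countries no more than `window_minutes` apart.
    Events are grouped per user and sorted, so out-of-order input is handled."""
    window = timedelta(minutes=window_minutes)
    by_user: Dict[str, List[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts: List[Alert] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            gap = cur.when - prev.when
            if prev.country != cur.country and gap <= window:
                alerts.append(Alert(user, prev.country, cur.country, gap, cur.ip, cur.result))
    return alerts


def respond(alerts: List[Alert]) -> Set[str]:
    """Automated response matching the page's description: the affected
    account is suspended until a human escalation restores it. Here 'suspend'
    just means returning the set of accounts to disable; a real playbook
    would call the identity provider (an assumption of this example)."""
    return {a.user for a in alerts}


if __name__ == "__main__":
    found = detect_impossible_travel(parse_signins(SAMPLE_SIGNIN_LOG))
    for a in found:
        print(f"{a.user}: {a.first_country} -> {a.second_country} in {a.gap} "
              f"(attempt from {a.second_ip}, result={a.second_result}) - suspend and escalate")
    print("suspended:", sorted(respond(found)))
```

Note that a failed attempt still triggers the alert: the signal is the geographic impossibility of the second attempt, not whether it succeeded. Widening the window (for example to several hours) changes what counts as "impossible" and should be tuned per organisation, which is the kind of customisable configuration the list above refers to.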

Clinical Risk Management: DCB0129 and DCB0160

Clinical safety sits at the forefront of the design and development of every OX.DH solution. We have implemented a robust system of procedures to meet the legal obligations of the Health and Social Care Act 2012 and to ensure full compliance with the NHS clinical risk management standards:

  • DCB0129 - Clinical Risk Management: its Application in the Manufacture of Health IT Systems
  • DCB0160 - Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems

These standards require formal clinical risk assessment throughout the development lifecycle, ensuring that patient safety considerations are identified, documented, and mitigated before any system reaches clinical use. Compliance with both standards has been independently verified by NHS England as part of OX.DH's qualification onto the NHS Tech Innovation Framework (TIF) and the NHS Digital DFOCVC Framework.

Clinical safety is not a compliance exercise at OX.DH - it is an engineering discipline. Features such as patient verification at the point of joining a virtual consultation, full audit trails across all clinical interactions, and configurable clinical workflows are all direct expressions of clinical safety thinking embedded in the product.

NHS Framework Approvals

OX.DH's security and clinical safety credentials have been scrutinised and approved through two major NHS procurement frameworks:

  • NHS Tech Innovation Framework (TIF) - OX.DH's primary care solution OX.gp was approved by NHS England in July 2025 as part of a new generation of electronic patient record systems for GPs, having met TIF's rigorous technical and clinical safety requirements
  • NHS Digital DFOCVC Framework - OX.DH's virtual consultation and waiting room solutions are approved under the Digital First Online Consultation and Video Consultation Framework, confirming their suitability for use across NHS organisations

Our Technology Partners

OX.DH's security posture is reinforced by the quality of our technology partnerships. We are a Microsoft Partner, building all of our solutions on Microsoft Azure - widely recognised as one of the most secure cloud platforms available, with dedicated compliance coverage for healthcare regulations in the UK, EU and Australia. Our close association with the University of Oxford and our support for HL7 FHIR interoperability standards further underpin our commitment to trusted, standards-based healthcare technology.

Protecting Against Digital Exclusion

Security and inclusivity are not opposing goals. OX.DH's solutions are designed to be accessible to all patients, including those with limited digital confidence or access. Where digital engagement is not possible for some patients, our platforms support alternative pathways - ensuring that improved security does not inadvertently create new barriers to care for vulnerable individuals.

Have a Security or Compliance Question?

We welcome detailed security discussions with IT leads, information governance teams, and procurement officers. If you have specific questions about our security architecture, data residency, penetration testing history, or clinical risk documentation, please get in touch with our team. We are happy to provide detailed technical information to support your due diligence process.
