Credit: QuoteInspector/CC BY-ND 4.0

The NHS Covid Pass system has undergone a £300,000 assessment of its cybersecurity set-up and key risks.

Newly published commercial documents reveal that, on 18 October, the Department of Health and Social Care signed a deal with IT consultancy Mason Advisory. The engagement, awarded via the cloud support lot of the G-Cloud 12 framework, ran until 31 March and covered the provision of the tech firm’s ‘cybersecurity assessment and implementation’ service.

According to the service’s listing on the Digital Marketplace platform, it offers customers support with the “development and review of cyber strategy and roadmaps” as well as “detailed cyber maturity and resilience assessments”.

For a cost of between £600 and £1,400 per person per day, buyers can also receive outsourced expert assistance with “incident and event response management”.

The text of the contract reveals that health-service tech agency NHSX was seeking support with “security architecture and infosec risk management”.

Four types of services are listed in the deal, beginning with a “mobilisation” period in which the supplier was expected to “conduct knowledge transfer and on-board additional resource”.

Related content

• Booster jabs included on NHS Covid Pass
• Venues urged to update verifier app as Covid Pass restrictions loom
• NHS Covid Pass looks to ‘next phase’ and improvement of user experience

Mason Advisory was also contracted to provide monthly updates on: security design; threat, controls and risk management; and collaboration and reporting.

Over the course of its five-month term, the deal was worth £293,579 to the Salford-headquartered firm. 

Three other companies were listed in the contract as subcontractors or partners to the work: Ultima Business Solutions; Grayce Group; and Trysnet Solutions.

Since the launch of the digital vaccine passport system in May 2021, millions of citizens have accessed the Covid Pass – principally via the NHS App, which now has more than 22 million users across England. All but about 250,000 of these have adopted the technology since the start of the pandemic – including 18 million that have downloaded the app since the creation of the Covid Pass.

The app offers users two types of pass: one for use in domestic settings; and another that can be used for international travel. The latter version is now available for anyone aged 12 and upwards.

The domestic passes – which are only available to adults – are no longer a legal requirement for any venues or events, although businesses can still use the system as part of their own conditions of entry, if they so wish.

The passes contain a secure QR code which staff at travel hubs or venues can scan to verify its authenticity. The Covid Pass has been certified as interoperable with the equivalent EU system, meaning the UK-issued passes can now be scanned at locations across all member states, as well as in 37 other countries and regions that have also achieved certification.