Assuring secure communications at scale for UK public sector 

Challenge

The public sector organisation needed proof that a new cloud-based patient communications platform would remain secure, resilient and compliant under realistic peak usage.

Approach

We applied a Total Quality assurance model, combining penetration testing with realistic stress and load testing, then retesting to check fixes.

Results

Issues were identified and fixed pre-launch and we proved that the platform stayed secure under load, giving confidence to proceed with a national rollout.

For citizen-facing health services, digital transformation is not simply about modernisation. It’s about maintaining trust at scale. 

When a government health service writes to a patient, that communication often contains appointment details, test results, referral information or sensitive clinical correspondence. Citizens expect that information to be accurate, private and accessible, every time. 

As part of a nationwide cloud-first transformation programme, a national government body was preparing to launch a new third-party digital communication platform to deliver secure online health correspondence. 

The ambition was to: 

  • reduce reliance on paper
  • improve accessibility and convenience
  • enable faster, more efficient communication
  • build a modern, scalable digital health service

But when services handle highly sensitive medical information, modernisation must never compromise confidentiality. 

Before rollout, the organisation needed certainty that the platform would remain secure and resilient. Not just under ideal conditions, but under real-world population usage. 


The challenge: Learning from international experience 

The platform that was chosen for deployment had already been rolled out in other countries. In one case, weaknesses were exposed when the system experienced sustained high user volumes. 

These issues were not caused by a cyberattack, but by how the system behaved under pressure, showing how performance, resilience and security are closely linked in complex digital environments. 

For a government health service operating under strict data protection laws, this made the next step clear: before a national rollout, the platform had to be tested under realistic, high-volume conditions to confirm that the same risks would not occur. 


The organisation needed to be confident that the system would stay: 

  1. secure under both normal and peak usage
  2. resilient under stress
  3. compliant with data protection obligations
  4. safe to scale progressively to a large-scale roll-out

Traditional penetration testing on its own would not provide sufficient assurance. The platform had to be proven secure not only against attack, but under operational load.  

Our approach: A Total Quality assurance model 

Resillion was brought in to provide coordinated assurance across both cyber security and system performance – using a Total Quality approach that integrated multiple disciplines in a structured sequence. 

Rather than treating security and quality as separate workstreams, we brought them together to provide holistic assurance ahead of go-live. 


Phase 1: Security Assessment

We undertook a comprehensive penetration test of the third-party digital communication platform, assessing: 

  • authentication controls 
  • data access boundaries 
  • configuration security 
  • integration points 
  • potential attack vectors 

This established a clear baseline security posture and identified areas requiring remediation. 

Phase 2: Stress and load testing under realistic conditions

To address the risks that had been identified in other non-UK deployments, we designed a structured stress and load testing programme that mirrored realistic user behaviour and traffic patterns. 

This involved: 

  • detailed front-end scoping to model expected adoption rates 
  • designing traffic volumes aligned to projected population usage 
  • simulating authentication and message access journeys 
  • sustained and peak load testing scenarios 
  • monitoring system behaviour, data handling and session integrity under stress 

The testing was designed to mirror the real-world conditions where issues had previously appeared in other countries. 

During testing, additional performance and configuration problems were found and fixed before rollout, making the platform more robust. 

Most importantly, the testing confirmed that the system remained secure and that heavy user load did not weaken core security controls. 

Phase 3: Remediation verification

Following remediation activity, we conducted structured retesting to check that the issues that we’d identified had been fully resolved and that no new risks had been introduced. 

This provided documented, defensible assurance before the go-live. 

Why this mattered

The platform supports secure digital communication between the health service and citizens, handling highly sensitive personal information. 

If vulnerabilities had emerged after large-scale deployment, consequences could have included: 

  • exposure of sensitive data
  • regulatory scrutiny
  • operational disruption
  • reputational damage
  • loss of public trust in digital healthcare services

By proactively testing under the same conditions that had exposed weaknesses elsewhere, the organisation reduced the likelihood of similar incidents occurring in its own rollout. 

A true Total Quality engagement 

This work demonstrated Total Quality in action. 

A conventional penetration test may not identify issues that only appear when things scale up. A conventional performance test may not interpret system behaviour through a security lens. 

By bringing together both disciplines, we delivered: 

 

  1. a coordinated view of confidentiality, integrity and availability
  2. validation of system behaviour under realistic operational conditions
  3. reduced risk of cross-disciplinary blind spots
  4. clear assurance reporting for senior stakeholders
  5. confidence to proceed with phased national rollout

Total Quality means combining assurance activities to reflect real-world risk. 

Results: Secure, scalable digital health communications 

Through a coordinated assurance programme, the government gained: 

  • confidence in the security and resilience of its digital communication platform 
  • validation of performance under realistic stress conditions 
  • reduced risk prior to national scale-up 
  • stronger regulatory assurance 
  • a robust foundation for continued cloud-based transformation 

For citizen-facing health services, digital transformation is not simply about modernisation – it is about maintaining trust at scale. 

Total Quality ensures that trust is engineered in from the outset – not tested after the fact. 
