HSCN is an important transitional step towards the Internet First policy, which makes digital health and care services available over the internet. In this FAQ article we look at what this will mean for software providers and healthcare organisations in the future.
What is Internet First?
Internet First is a set of standards and guidelines defined by NHS Digital. In March 2018, it set the principle that all new externally accessible digital services should be internet facing by default. Existing services should be remediated at the earliest opportunity.
What is the background to Internet First?
In January 2017 the UK government reviewed the use of centralised private networks in the NHS and announced that, for the majority of public services, the internet was OK to use. Making digital services available over the public internet supports the requirements for health and social care professionals to work flexibly from a variety of locations, using a range of access methods.
What has the government said about using the public internet?
NHS Digital has said they do not want to have any form of private networking going forward. Internet First means organisations must be ready within 5-10 years. Going forward there will be increased emphasis on security, compliance and service assurance to ensure services are delivered in a secure manner in accordance with the Internet First policy.
What role does NHS Digital play?
NHS Digital is the national information and technology partner to the health and social care system. Its aim is to use digital technology to transform the NHS and social care and to improve health and care services for patients. This strategy supports the aspirations set out in the NHS Long Term Plan of increasing the productivity of NHS staff and enabling the delivery of digitally enabled care.
What are the drivers for the transition from N3 to HSCN?
The Health and Social Care Network (HSCN) is a new data network which replaces N3. It has been designed to support the transition from private to public networking for a fixed period of time. HSCN retains elements of the legacy N3 infrastructure that provide service continuity for existing customers.
How long is HSCN going to be here?
HSCN has a very definite lifecycle. HSCN was never meant to be a long-term network; it is purely transitory. If you look at the connection agreement, the standards and the compliance models surrounding it, the technology within the network supports public IP addressing. It is designed so that when you move to the internet, there is very little mitigation to do.
What are the benefits of the Internet First policy?
- Internet First will enable delivery of a joined-up health and social care service which is easier to access.
If you think of patients as consumers, we want to take part in our care, we want to look at Apple Health and access our health records on different devices, and we want to understand where our data is. If you put it on the internet, using a common set of standards, you bring a joined-up service to the forefront which can be consumed by customers.
- Internet First will allow everyone to access a common platform with one set of standards.
HSCN will allow everyone to use one network, a common platform, and there will be one set of standards to maintain.
- Increasing interoperability
This is aimed at getting the myriad healthcare applications talking to each other. The HSCN network is designed to facilitate interoperability, so that one application can talk to the next. Internet First is about new ways to deliver care using the best technology to meet the need.
- Reduced complexity and duplication in network connectivity for health and care organisations
The move away from private networks like N3 to HSCN will mean services will be run over the internet making it easier for the health and care sector to adopt internet and cloud-based services. This is also designed to support innovation by making digital tools available for the NHS, in the same way we do for other sectors.
What are the two main elements of the Internet First policy?
- When you are delivering applications, they should be delivered over the internet by default.
- When you are changing applications, they should be re-developed to be delivered over the internet.
What are the nine principles of the Internet First policy?
There are some core principles that outline how new digital services should operate in accordance with the Internet First policy. Below is the set of Internet First principles that are to be mandatory by March 2021.
- When designing and developing digital services, make them securely accessible over the internet by default.
- If an existing shared service is already available and web-enabled, you should transition from your application onto the shared service and retire the application.
- It is not only a common network but also a common set of standards to work to. You should not be using bespoke components. You should be using common APIs and common standards, and you should be able to re-use and recycle components.
- When upgrading applications, you must make them web-enabled.
- You must not introduce additional risk in moving to the internet and affect live services.
- Data sensitivity analysis is a must. You need to check your data flows to understand whether the data is appropriate for the web and to determine which countermeasures and controls need to be put in place to make it web facing.
- Investments in new and existing digital services must support universal access for consumers. In short, technology investment and development should include ensuring accessibility, for example to accommodate the partially sighted.
- Business continuity is key: when transitioning services, your customers should be fully aware that this is happening.
- Ensure your users have the capability to use new services. Consider whether you have sufficient bandwidth, quality of service and resilience in place to use the service.
What are the security considerations that organisations need to put in place for compliance in advance of Internet First?
There are different categories of organisation, each with their specific security standards to adhere to:
- NHS – covering both clinical and non-clinical aspects and referred to as consumers
- Service providers, i.e. software vendors and resellers
- CN-SPs (consumer network service providers) like Redcentric
What do software service providers need to do as regards security standards?
There is a separate version of the HSCN Connection Agreement for service providers covering different controls and this must be completed first.
Key requirements for software service providers
- Service providers must maintain an Information Security Management System (ISMS) that conforms to either the Data Security and Protection Toolkit (DSPT) or BS ISO/IEC 27001:2013. If you have ISO 27001 or Cyber Essentials Plus, then parts of the DSPT do not need to be completed – this is reusable standards in action.
- The Information Security Management System baseline control set and BS ISO/IEC 27002:2013 (Information technology – Security techniques – Code of practice for information security controls) should be followed. It is also advisable to supplement these with controls drawn from, for example, the CIS 20 and NCSC guidance.
- Service providers must maintain a security policy that sets out the security measures to be implemented and maintained in accordance with either the DSPT or BS ISO/IEC 27001. That policy must include the scope of any and all services being provided for consumption by the NHS. It must be updated by the service provider in a timely fashion and reviewed annually.
- Service providers must conduct tests of their security policy and controls using a UKAS-accredited organisation if the ISO 27001 framework is in play.
- Security testing, i.e. penetration or IT Health Check (ITHC) testing, must also be conducted; tests have to be independently audited by either an accredited third party or a competent representative of the provider. NCSC has a Web Check tool that is available to the public sector for external vulnerability testing: https://www.ncsc.gov.uk/information/web-check
- Either party (service provider and customer) must notify the other immediately upon becoming aware of any breach of security. This includes an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
What else do software service providers need to think about?
When delivering services to the NHS, service providers should stay aligned with:
- The National Cyber Security Centre's (NCSC) cloud security principles
- The Center for Internet Security's critical controls for cyber defence, known as the CIS Controls (CIS 20 refers to the top 20 controls)
- The relevant GDPR and security obligations from the HSCN Connection Agreement
As regards key Internet First principles, providers should look to:
- Build a data layer with registers and APIs: Efficient data management and discovery means that data should be stored once – usually where it is created – and made available where appropriate. Build registers of data and make them accessible over open application programming interfaces (APIs) to ensure service interoperability.
- Use appropriate encryption when routing over the internet: If you are sending traffic over the internet, make sure it is encrypted using Transport Layer Security (TLS) version 1.2 as a minimum. Version 1.3 is current and 1.4 is imminent.
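The TLS 1.2 minimum above is a setting that is easy to state and easy to get wrong in client code. The following is an added example (not code from the original article or from NHS Digital) using Python's standard `ssl` module: it builds a client context pinned to the policy minimum, and an `audit_context` check that reports a context which leaves the version floor to the library, skips certificate verification or skips hostname verification. The policy constant and the function names are this example's own.

```python
import ssl

# Minimum protocol version the Internet First guidance calls for (TLS 1.2).
POLICY_MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies
    both the server certificate chain and the hostname."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check
    ctx.minimum_version = POLICY_MIN_TLS  # pin explicitly, don't inherit defaults
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of policy findings for a context; empty means compliant."""
    findings = []
    # MINIMUM_SUPPORTED is a sentinel that delegates the floor to the TLS
    # library, so it compares below TLS 1.2 here and is reported: the policy
    # minimum must be pinned in the application, not inherited.
    if ctx.minimum_version < POLICY_MIN_TLS:
        findings.append(
            f"minimum_version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example of the settings the audit should reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # floor left to library
    ctx.check_hostname = False   # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "compliant")
```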
What do consumers (i.e. the NHS) need to consider?
Consumers should buy services via public frameworks such as G-Cloud. They must also abide by all the relevant standards and controls in play, over and above their own organisational standards and local policies:
- GDS Technology Code of Practice: The Technology Code of Practice helps government design, build and buy better technology. It is used as a cross-government agreed standard in the spend control process. The Technology Code of Practice is part of the Government Transformation Strategy 2017-2020.
- NHS Digital cyber security
- HSCN Connection Agreement
- Data Security Protection Toolkit
- Data Security Centre: The Data Security Centre publishes cyber security guidance for public sector organisation employees.