Skip to main content

BETA – Enabling infrastructure

All NHS digital, data and technology services must be designed to meet NHS operational and user needs in line with the principles of the Technology Code of Practice.

Infrastructure decisions should consider public cloud in adherence to the Government's Cloud First Policy. Such decisions should be underpinned through an understanding of the total cost of ownership of operating services for their full lifecycle including exit, together with maximising the benefits that cloud options can offer.

The provisioning mechanism of cloud based services should consider the best modernisation approach. While Platform as a Service (PAAS) and Infrastructure as a Service (IAAS) require less effort to adopt (rehosting), maximum return comes from rearchitecting/ rebuilding as cloud native (serverless) applications. A well architected review with the relevant cloud provider will allow Organisations to deliver the best value and modernisation from their investment. Additional Information on Cloud is available from NHS Digital which includes Cyber Security information.

User access to systems and services should be delivered via the internet in support of a cloud first approach. For health and social care staff this should typically be via HSCN connectivity which provides both Internet access as well as access to critical health and social care systems not yet available over the internet.

NHS systems should be challenged to continually innovate and evolve whilst aligning to wider strategies. Services should be designed with security at their core, based on open standards supporting safe interoperability with the wider health and care ecosystem. They should offer operational performance, scalability and recovery commensurate with business impact and operational service needs.

In meeting these objectives, national services must be designed in accordance with all principles defined the Technology Code of Practice. NHS Digital follows these key principles:

  • Make use of open standards
  • Make things secure
  • Make privacy integral

In upholding these principles, NHS Digital supports the NHS and the supplier community through:

  • The development of open APIs and a service wrap to enable access to national services
  • The publication of standards to support interoperability in integrating local services
  • The provision of support services to facilitate onboarding third-party services for integration with national services

This section covers:

  1. Enabling National services 
  2. Connecting to national services
  3. Standards and interfaces
  4. Support services
  5. Meeting key Technology Code of Practice principles
  6. Service specific considerations


Spine allows information to be shared securely through national services such as the Electronic Prescription Service, Summary Care Record and the e-Referral Service.

NHS Digital develops and maintains Spine through the Digital Delivery Centre. Recent developments include enabling the sharing of child protection information via the Child Protection Information System, and developing ways to allow easier access to demographic data through the Spine Mini Service.

Third-party suppliers use the Message Implementation Manual (MIM) available on the Technology Reference Data Update Distribution (TRUD). The following MIM references apply:

Demographics (PDS domain)

  • 2.3 – P1R1
  • 3.1.11 – P1R2, superset of 3.1.10 and 3.1.11
  • 4.2.00 – P1R2
  • 6.3.01 – P1R2
  • 7.2.00 – P1R2

Clinicals (PSIS and GP Summary domains)

  • 4.2.00 – PSIS Event (List) Query and GP Summary
  • 6.3.01 – PSIS Document query only

Prescriptions (Medication Management domain)

  • 3.1.07 – EPS Release 1
  • 4.2.00 – EPS Release 2


  • 2.3 – Choose and Book (eBooking) Release 1 via intermediary messaging
  • 3.1.09 – Choose and Book (eBooking) Release 2 via intermediary messaging
  • 4.2.00 – GP2GP v2

Care Identity Service (CIS)

Ensures that services are able to permit or deny individuals’ access to clinical data based on an authentication against a strongly assured identity, and that this access is robustly audited for every access. The service is predominantly used by care professionals.

This is provided via a national network of Registration Authorities who perform face-to-face identity checks and issues unique, personalised smartcards as well as ongoing administration and replacements.

Services use the smartcard to gather identity information on the user, their organisation(s) and their role(s) within the same organisation(s). This is then used by the service to determine whether the user has the required access rights to data and thus whether they will be granted or denied access to it.

The core CIS sub-services to support this, and the connection information for each are:

Spine Security Broker

  • ‘2087 External Interface Specification: Part 6 Spine Security Broker’     
  • ‘2087 External Interface Specification: Part 7 Spine Security Broker APIs’    

Spine Directory Service

  • ‘2087 External Interface Specification: Part 5 SDS’

NHS Identity

NHS Identity currently provides authentication services to allow controlled access to less sensitive clinical data and is being expanded to eventually replace CIS as the authoritative source of identities for use by care professionals within the NHS and into social care.

Ultimately, NHS Identity will support:

  • Different levels of identity assurance. This allows the creation of users with lower levels of access than CIS currently provides and hence allows commensurate levels of identity checking – a user not requiring access to sensitive clinical data might be allowed to self-register, whilst users needing clinical data would still require face-to-face checking.
  • Use of authentication devices other than smartcards, potentially including specific mobile devices, hardware cryptographic devices and biometrics.
  • Access from, and via, the internet, not just the N3/HSCN networks as for CIS

Use of NHS Identity requires the use of the following standard interfaces:

OpenID Connect



In addition to the above open standards, you can view NHS Identity specific information and more general background.

The following guidelines are used to define the authentication and identity assurance processes used within NHS Identity:

Her Majesty’s Government Good Practice Guide 44 (HMG GPG44)

Her Majesty’s Government Good Practice Guide 45 (HMG GPG45)

US National Institute of Standards and Technology (NIST) Digital Identity Guidelines (NIST 800-63)

NHS Login

Onboarding processes for NHS Login are in the process of being developed and tested.

  1. An engagement lead is the first point of contact
  2. An onboarding team are developing an ‘onboarding process’ with the wider Service Management team.
  3. The first 5 early adopters of NHS Login are testing an onboarding process as part of the overall service development

The NHS Login programme has published the following standards:

Identity verification and authentication standard (Process Standards)

External Interface Specification (Tech Standards)

Secure email

Health and social care email services must be designed in accordance with the principles of DCB 1596 secure email standard. The secure email standard:

  • helps users exchange sensitive/patient data without undue burden at the first attempt without having to understand anything about the receiving email service
  • ensures systems are not susceptible to forged email (spoofing) so an email message and the signature of the sender can be accepted/treated in the same way as a signed piece of paper to eliminate the need to use paper-based or facsimile submissions where a signature is required

It is based on the following open email standards:

  1. Transport Layer Security (TLS) v1.2 or v1.3 is required to encrypt and secure email in transit.
  2. Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and Domain Keys Identified Email (DKIM) are required to prevent email being forged (spoofed). 
  3. ISO/IEC 27001:2013 is required, covering the scope of the email service only, to ensure that the email once received is properly looked after. This reduces burden by not requiring the entire organisation and all of its systems/services to be accredited to ISO/IEC 27001: 2013.

NHSmail is the most commonly used secure email and collaboration service in health and social care with over a million regular users of the service across England and Scotland. The service offers secure email, instant messaging and video conferencing. Other accredited systems that includes Office 365 are published here.

Read more about the Secure Email Standard here.


NHS WiFi is intended to enable people who are receiving care to be better connected by providing free wireless access across the NHS, and progressively supporting health and care professionals to have access to services, tools and technologies to deliver better care.

In order to ensure that a standardised, high quality WiFi service is available across GP Practices and NHS Trusts in England, NHS Digital has published a suite of technical and security policies and guidelines. These have been developed based on industry best practice and in conjunction with local NHS organisations, patients, and suppliers.

These policies and guidelines, which include accessibility, usability, information governance and information security define the minimum standards to be achieved by suppliers in order to provide a uniform and consistent service for NHS WiFi across the primary and secondary care estate.

NHS WiFi Technical and Security Policies and Guidelines.

Read more about NHS WiFi here.

The Health and Social Care Network

It is vitally important that health and care providers have access to highly reliable, best value and appropriately sized data network connectivity, capable of supporting the increasing demand for digital services.

The Health and Social Care Network (HSCN) provides the default standards for highly performant, security enhanced and best value data network connectivity in health and care.  The nineteen suppliers who are accredited to HSCN standards all provide:

  • the ideal underlying connectivity to support the increased adoption of internet and cloud-based services
  • continued access to the critical applications, systems and services that are not yet developed to be accessible over the internet (the Spine for example)
  • vendor agnostic connectivity that provides flexibility for innovators to build value add solutions (such voice and video) on top of the network and enable health and care organisations to adopt flexible and remote work patterns

Health and Social Care Network services are designed in accordance with industry wide area networking standards as well as The HSCN Operational Design Overview and the Solution Design

Read more about HSCN here.

Internet first

In order to improve interoperability between online health and care systems and support more ubiquitous access to patient records, health data and diagnostic tools, health and care IT systems, services and applications should be made available over the internet.

This means NHS IT system suppliers and health and care providers should ensure:

  • all new NHS IT systems, services and applications are fully accessible over the internet from day one
  • all existing IT systems, services and applications are developed to be made fully accessible over the internet at the earliest opportunity

The internet first standards are in line with previously published government and health and social care policy.

Standard capabilities for Local Health and Care Record

NHS England has defined the concepts and constructs of a Local Health and Care Record (LHCR) regional organisation to implement longitudinal care record and secondary use services. In partnership with NHS Digital those constructs, and concepts have been elaborated to describe 22 standard capabilities across 5 broad domains which are being used to measure the maturity of a LHCR exemplar implementation against a funding agreement.

Read more about LHCRE here.

e-Referral Service

The e-RS (e-Referral Service) combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online.

The product has been designed and built with extensive user research and feedback, based around GDS design standards, also working to NHS Digital design principles, policies and standards.

Read more about e-RS here.

API specifications can be found here.

Assurance approach

The assurance processes for assuring connectivity to national Spine services has evolved over many years based on feedback from the implementation community and a desire to reduce burden in a manner that is complementary to the levels of risk than any implementation presents.

The assurance process is governed by a multi-disciplinary group and managed by the NHS Digital Solution Assurance service.

The Solution Assurance service enables and champions interoperability and compliance with national standards. Technical and clinical safety assurance is conducted according to equitable, transparent and repeatable processes based on identification and mitigation of risk in support of national standards DCB 0129 and DCB 0160. NHS Digital Solution Assurance test practices align to the principles detailed in ISO29119.

Programmes of work such as the National Record Locator Services, National Event Management Service and the GP IT Futures Programme are all exploring means to simplify and improve the onboarding process for implementers.

The processes are evolving and are extensively documented. Contact the Solution Assurance service directly should more details be required.

Nationally defined messaging APIs

ReST and Messaging APIs conforming to the HL7 FHIR standards, covering national systems and profiles for use in local integration.

Read here for more information on Nationally defined messaging APIs.

DCB, ISB and SCCI standards and collections

NHS Digital maintain a set of Data Collection Board (DCB), Information Standards Board (ISB) and Standardisation Committee for Care Information (SCCI) approved standards.

Read here for the full list of DCB, ISB and SCCI standards and collections


GP2GP allows patients' electronic health records to be transferred directly, securely, and quickly between their old and new practices, when they change GPs. This improves patient care by making full and detailed medical records available to practices, for a new patient's first and later consultations.

Read more about GP2GP here

GP Connect

GP Connect is a service that will allow GP practices and authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently. This will make sure patient medical information is available to clinicians when and where they need it, improving patient care.

Read more about GP Connect here

Spine Mini Services

An easy way for systems to get information from Spine.

  • Patient Demographics Service
  • Summary Care Record

Read more about Spine Mini Services here 

Spine Opentest environment

For suppliers developing healthcare applications.

  • Personal Demographics Service (PDS)
  • Personal Spine Information Service (PSIS)
  • Electronic Prescription Service (EPS)
  • Access Control Service (ACS) and message forwarding
  • Child Protection - Information Sharing (CP-IS)
  • Insight Segmentation and Registration Toolkit (ITK) services
  • Care Identity Service authentication / NHS Identity
  • Messaging tools

Read more about Opentest here

NHS Business Partners programme

The ‘de-facto’ team for on-boarding new suppliers onto Spine.

Read more about the NHS Business Partners programme here

Interoperability Toolkit

The Interoperability Toolkit (ITK) is a set of common specifications, frameworks and implementation guides that support interoperability.

Read more about the Interoperability Toolkit here

Data Security and Protection Toolkit

The Data Security and Protection Toolkit is an online self-assessment tool that all organisations must use if they have access to NHS patient data and systems.

Read more about the DSPT here 

Health Developer Network

Information and tools to help developers create software for health and social care.

Read more about the Health Developer Network.

Target Operating Model

The Target Operating Model (TOM) is a service assessment tool to assess technical conformance of a third-party service when connecting with national services managed by NHS Digital.

Technical Conformance assessment involves local testing against an NHS Digital supplied interface stub, followed by end-to-end testing in a live like environment. Once these tests are completed to a satisfactory level, NHS Digital confirm that technical conformance is complete and a connection agreement can be entered into.

This TOM is provided to end user organisations to assist them in assessing and agreeing the service provided by the third-party supplier.

Sections covered in the TOM include:

  • information governance and security
  • clinical safety
  • system/service architecture

Make use of open standards

We promote the use of secure ReST and Messaging APIs using FHIR data models for national services and for use in local integrations. Our published APIs conform to the HL7 FHIR standards and aligned to GDS data standards. Information on APIs is provided publicly on the Health Developer Network API Hub pages.

Make things secure

We support health and care organisations to manage cyber security risk. This enables the safe and secure use of data and technology to deliver improved patient care. Information on how we secure data is provided publicly on the NHS Digital Data Security Centre pages.

Make privacy integral

NHS Digital services are fully GDPR compliant. Information on how we hold and share data is provided publicly on the NHS Digital GDPR pages.

Internet facing services

NHS Digital is currently designing a solution to provide the ability to access Spine Core services via the internet and support business continuity by providing service via N3/Transition Network/HSCN.

Preliminary discovery work is underway and will be completed by the end of February 2019. It is estimated that the work will be completed within 6 months.

Consistent Staff Identity

The Consistent Staff Identity will allow (initially) clinical staff to be in a position to prove all required aspects of their identity at any required time. The individual will have all aspects of their identity available to share from their mobile device with any employer/organisation when required. The aspects of identity will include:

  • proof of ownership of the identity
  • professional registration status
  • validation/re-validation status
  • other aspects as required

NHS Identity are feeding into this in two ways.

  1. As a provider of assured identities (including in the future via self-service processes)
  2. As a provider of an authentication service on approved mobile devices to agreed standards (FIDO)
Last edited: 12 October 2020 9:45 am