NHS Secure Boundary
Our NHS Secure Boundary service is a perimeter security project supporting NHS organisations. Find out how we can help you secure your organisation.
NHS Secure Boundary service will remain available until July 2026
Since August 2019, NHS England, in partnership with its technology suppliers, have been supporting NHS organisations with their onboarding to Secure Boundary and operational delivery, aiming to offer an improved security posture for internet-facing traffic and publicly facing websites. This has provided the system with a significant level of protection and a central provision of on-going risk reduction and prevention of cyber events.
As we go past the 5-year milestone of the delivery of this service, we’d like to communicate the future for this national offering. We can confirm that the current service will remain available in its current state until July 2026. As we move into this extension period, we would like to ensure that there will be no interruption to the service that is currently being delivered. We expect change to be minimal until 2026 but we will keep you informed.
Working towards the future service offering
NHS England is currently working towards the future service offering for Secure Boundary post 2026. If you would like more information or to get involved with this, please contact your Cyber Regional Lead for details or email [email protected].
About our Secure Boundary service
Our Secure Boundary service provides a perimeter security solution offering protection against security threats.
This solution is part of a larger programme of work being delivered by NHS England’s Cyber Operations to ensure the confidentiality, integrity, and availability of patient data, as well as protecting clinical and business systems from emerging threats.
The solution uses next generation firewall (NGFW) and web application firewall (WAF) protection to protect internet traffic from digital and cloud-based threats.
There will be an initial cost to NHS organisations to fund the onboarding. The ongoing run service element is centrally funded and is therefore free for NHS organisations.
Service delivery and onboarding
We currently have 192 organisations onboarded to Secure Boundary, including 22 CNSPs. The high-level process for onboarding is:
- Expression of interest.
- Data validation.
- Onboarding costs agreed.
- Technical assessment.
- Implementation (migration support).
- Ongoing support.
The overall process to onboard is expected to take 6 to 8 weeks for a Prisma onboarding and 1 to 2 weeks for an Imperva onboarding. These timescales may vary depending on the size and complexity of the organisation onboarded.
Accenture will provide tier 2 support into the NHS Customer Service Function with tier 3 support from Palo Alto and Imperva.
Managed services will be delivered utilising an IT Service Management (ITMS) Framework with ISO 20000 accredited ITIL practices.
How it works
NHS Secure Boundary contains 2 main technology parts, protecting 2 types of internet traffic:
Bi-directional traffic (internal traffic)
This is traffic from within the NHS perimeter. Internet activity is protected by PaloAlto and Prisma Access technology.
Inbound traffic (external traffic)
This is traffic from outside of the NHS perimeter. Data is protected by the Imperva Incapsula web application firewall.
Components
Below are details of the different secure boundary components. You can expand them to find out more:
Features and capabilities
Here are some of the features and capabilities offered by the Secure Boundary service. Expand them to find out more:
IP allow list
During your organisation’s migration to NHS Secure Boundary, the public IP addresses will change.
If your organisation uses HSCN to access the internet, your CNSP will be in contact to communicate the new IP addresses. If your organisation is onboarding to NHS Secure Boundary directly to protect a local internet breakout, the new IP addresses will be communicated to you through your onboarding project manager.
Following this, your organisation will need to notify any services your organisation accesses to ensure they add the new IP address range to the allow list.
If you don't take action your organisation could lose access to any services that manage access through an allow list.
Register for the service
To register for the secure boundary service, or if you have any questions, please email [email protected]
Access our knowledge base
If you've already registered for NHS Secure Boundary, you can access our knowledge base, which contains guidance on the service.
How this service aligns with the Cyber Assessment Framework
Open the expanders below to find out how this service aligns to the principles and outcomes of the Cyber Assessment Framework (CAF).
Last edited: 4 February 2025 8:50 am