We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
NHS Secure Boundary
Our NHS Secure Boundary service is a perimeter security project supporting NHS organisations. Find out how we can help you secure your organisation.
About our secure boundary service
Our secure boundary service provides a perimeter security solution offering protection against security threats. It’s free for NHS trusts and Commissioning Support Units (CSUs).
This solution is part of a larger programme of work being delivered by NHS Digital’s Data Security Centre (DSC) to ensure the confidentiality, integrity, and availability of patient data, as well as protecting clinical and business systems from emerging threats.
The solution uses next generation firewall (NGFW) and web application firewall (WAF) protection to protect internet traffic from digital and cloud-based threats.
Benefits
Find out about the benefits of NHS Secure Boundary.
An increased visibility of network traffic, so NHS organisations can better manage their own risk.
It enables us to identify malicious content within encrypted traffic on behalf of the wider NHS.
It provides enriched threat intelligence, enabling us to respond quickly across the NHS during incidents.
Advanced threat protection provides a detailed view of what's happening locally.
It provides capabilities to improve Data Security Protection Toolkit (DSPT) and Cyber Essentials plus (CE+) assessment scores.
The solution is compliant with CE+, DSPT, National Cyber Security Centre (NCSC) and IT Healthcare (ITHC) regimes and will remain compliant throughout the development of the service.
It's procured at scale to one national standard, enabling improved planning and better value for money for the NHS.
The solution is free (centrally funded) for NHS organisations.
How the service is being developed
Find out how the service is being developed by expanding each phase:
Set up
This phase ran until December 2019 and consisted of configuring and testing the platform, and the design and build of operational services, processes and procedures.
Onboarding
The onboarding phase will consist of project teams working with NHS organisations and consumer network service providers to deploy the service.
This phase is expected to last for two years.
Run
Accenture will provide tier 2 support into the NHS Customer Service Function with tier 3 support from Palo Alto and Imperva. Managed services will be delivered utilising an IT Service Management (ITMS) Framework with ISO 20000 accredited ITIL v3 processes.
This phase is expected to last for at least five years.
How it works
NHS Secure Boundary contains two main technology parts, protecting two types of internet traffic:
Bi-directional traffic (internal traffic)
This is traffic from within the NHS perimeter. Internet activity is protected by PaloAlto and Prisma Access technology.
Inbound traffic (external traffic)
This is traffic from outside of the NHS perimeter. Data is protected by the Imperva Incapsula web application firewall.
Components
Below are details of the different secure boundary components. You can expand them to find out more:
Palo Alto Prisma Access
This is a software as a service (SaaS) based, modern next-generation firewall (NGFW) capability in the cloud, which can be used by NHS organisations to increase their digital security.
It includes:
- stateful High Availability (HA) pairs of VM-Series NGFW
- the ability to be hosted across availability zones
- dedicated firewalls for each tenant
- a bandwidth pool apportioned to tenants based on identified bandwidths
Cortex Data Logging Service
This collates all logs from the firewalls and management platforms within the solution.
It includes:
- retention of traffic, configuration and systems logs for six months
- forwarding of filtered logs to the Data Security Centre Cyber Security Operations Centre (CSOC), enabling us to monitor cyber events across the NHS estate, and provide rapid protection as incidents and risks emerge
WildFire
WildFire is a sandboxing platform designed to identify zero-day threats.
It includes:
- file sandboxing for analysis of unknown threats
- creation of signatures to block malware and block the other behaviours
- dissemination of threat signatures to all Wildfire users, so detection by one can protect all
- static and dynamic analysis over multiple operating systems and application versions
Panorama Management Console
Management of the Prisma platform will be done via the central management console, Panorama.
It includes:
- a common Graphical User Interface (GUI) integrated with NHS Mail Single Sign On (SSO)
- a tenant-in-tenant approach to provide global and local control
- Amazon Web Services (AWS) hosted Panorama with additional NGFWs and role-based access control
MineMeld
MindMeld is a platform taking in threat data from sources outside of the secure boundary, allowing that threat data to be used by the firewalls in the solution.
It includes:
- aggregation and correlation of threat intelligence feeds
- enforcement of new prevention controls, including IP deny lists
Imperva Cloud Web Application Firewall (WAF)
This is a SaaS based WAF solution to protect applications from malicious online attacks.
It includes:
- protection against the most critical web application security risks, such as Structured Query Language (SQL) injection, cross-site scripting, illegal resource access, remote file inclusion
- multiple capability offerings to meet current and future requirements whilst being cost effective
Capabilities
Here are some of the capabilities offered by the secure boundary service. Expand them to find out more:
Uniform Resource Locator (URL) filtering
Monitors and controls access to websites and website categories.
Application ID (APP ID)
Visibility of active applications.
Decryption
Selective decryption of traffic for the advanced detection of threats.
WAF
Protects publicly hosted web services from a wide range of online threats.
IP allow list
During your organisation’s migration to NHS Secure Boundary, the public IP addresses will change.
If your organisation uses HSCN to access the internet, your CNSP will be in contact to communicate the new IP addresses. If your organisation is on-boarding to NHS Secure Boundary directly to protect a local internet breakout, the new IP addresses will be communicated to you through your on-boarding project manager.
Following this, your organisation will need to notify any services your organisation accesses to ensure they add the new IP address range to the allow list.
If you don't take action your organisation could lose access to any services that manage access through an allow list.
NHS related services that may implement allow list access
As we progress through on-boarding, NHS related services using IP allow lists to control access will become known and will be advertised on this support page.
Several services outlined below are thought to use allow list access.
If you are aware of any services that use allow list access but do not appear on this list, please email the NHS Secure Boundary team at nhssecureboundary@nhs.net so records can be updated.
Service | Type | Contact | Phone number |
---|---|---|---|
Easy (Giltbyte) | Finance | enquiries@giltbyte.com | N/A |
ISOxford | Library | support@isoxford.com | N/A |
NHS Resolution | Risk and legal | helpdesk@resolution.nhs.uk | 020 7811 2820 |
Open Athens | Library | https://www.openathens.net and support.phpcontact@openathens.net |
0300 121 0043 |
PharmPress (Digital BNF) | National | pharmpress-support@rpharms.com | N/A |
Phin | SFTP | dataquality@phin.org.uk | N/A |
Warwick University | Medical study | STRESS-L@warwick.ac.uk and adaptsepsistrial@warwick.ac.uk |
N/A |
York University | Remote access to HYMS University | itsupport@york.ac.uk | 01904 323838 |
Ignaz | Smartphone app for healthcare professionals | IGNAZ.YH@hee.nhs.uk | N/A |
National Joint Registry | Joint replacement registry | enquiries@njrcentre.org.uk | 0845 345 9991 |
NYH Trauma Network | Major trauma network for North Yorkshire and Humberside | support@seegeen.uk | 01482 622394 |
Taycare | Orthotics | Technical@taycare.com | 0113 231 1800 |
Infopoint ESR | Human resources and payroll database system | esr.pmo@nhs.net | IBM Servicedesk: 0845 600 8249 |
NHS Blood and Transplant | Blood and transplantation service to the NHS | customer.services@nhsbt.nhs.uk | 0300 123 23 23 |
National Institute for Health and Care Excellence (NICE) – Clinical Knowledge Summaries | Providing primary care practitioners with a summary of the current evidence base and practical guidance on best practice | https://cks.nice.org.uk/ | 0300 323 0140 |
Webinars
We're holding a series of briefings in May 2020 to explain the solution, answer questions and explain how NHS organisations can sign up to the service. We recommend representation from technical, service and project management staff within NHS Trusts and CSUs.
The dates are:
- Monday 15 June - 3pm to 4pm
- Monday 22 June - 3pm to 4pm
- Monday 29 June - 3pm to 4pm
- Monday 13 July - 3pm to 4pm
- Monday 27 July - 3pm to 4pm
Email nhssecureboundary@nhs.net to book a place.
Register for the service
To register for the secure boundary service, or if you have any questions, please email nhssecureboundary@nhs.net.
Access our knowledge base
If you've already registered for NHS Secure Boundary, you can access our knowledge base, which contains guidance on the service.