HSCN is a hybrid wide area network that provides both private and Internet connectivity. The network benefits from a suite of security features implemented throughout HSCN to help detect and prevent malicious activity, using state-of-the-art technology offering enhanced protection to all HSCN consumers. The network does not, however, feature encryption by default. Data controllers remain responsible for implementing appropriate security, including encryption, to protect the data they are responsible for. CN-SPs are also obligated to support the use of encrypted traffic, or could provide this functionality themselves as part of an overlay to the HSCN access circuits.
As a pre-requisite to HSCN migration, your organisation will have signed the appropriate Connection Agreement with NHS Digital and, having done so, is bound to the terms and conditions therein, many of which relate to ownership of data and data security over HSCN.
The Information Governance Toolkit (IGT) has now been replaced by the Data Security and Protection Toolkit (DSPT). It is not necessary to complete a DSPT assessment to gain access to HSCN. However, all organisations that have or require access to NHS patient data and systems must use this toolkit at least annually, to provide assurance that they are practising good data security and that personal information is handled correctly.
Data controllers are responsible for the provision of security to protect against loss, tampering, loss of authenticity or inappropriate usage of their information and the systems or services used to process and transmit their information.
This means that if patient data or personal data is transmitted across HSCN (or indeed any other network), then encryption must be used. It also means that if you provide systems or services over HSCN, it’s your responsibility to secure them and to make decisions about who can access those systems or services, and how.
The National Cyber Security Centre's Cloud security guidance provides useful information on encryption and how to protect your data in transit.
Please note, in the context of this information, that CN-SPs are obliged to operate their networks in line with ISO27001 requirements.