Part of HSCN consumer handbook

Service levels and incident severity classification

This page defines each service failure severity level. It also describes the complaints and escalations policy network providers should have in place, and who has responsibility for data security over the network.

Summary

Service levels

CN-SPs shall comply with the minimum service levels set out in HSCN CN-SP Service Management Requirement Addendum which is available on the HSCN supplier information webpage.

These service levels apply during the Service Hours which are contracted between the HSCN consumer and the CN-SP.

Incident severity classification

The following access-level incident severity definitions shall be used as Incident Severity setting guidance.

Severity 1

Severity Core Level 1 resolution time SLA: <5 hours

Severity 1 – Access Level (guiding principles)

An incident which, in the reasonable opinion of the customer:

constitutes a loss of the service which prevents any traffic from routing correctly
has a critical impact on the activities of the customer
causes significant financial loss and/or disruption to the customer
constitutes a critical security risk for the customer
identified as having a clinical safety impact resulting in an impact to patient care

Non-exhaustive examples

Consumer connectivity to the HSCN is lost
HSCN traffic cannot be routed to the internet
Service Failure Thresholds are at risk of not being achieved

Severity Access Level 1 Resolution time SLA: Standard, Enhanced or Reduced

Severity 2

Severity 2 – Access Level Guiding Principles

An Incident which, in the reasonable opinion of the customer:

has an (non-critical) adverse impact on the activities of the customer and no workaround acceptable to the customer is available

Non-exhaustive examples:

Resilience reduced
Performance degraded
Risk of significant financial or clinical impact
Service Level Thresholds are at risk of not being achieved

Severity 2 Resolution time SLA: Standard, Enhanced or Reduced

Resolution time SLA: Enhanced
Severity	Action description	Timeframe
Severity 1	Incident Fix Time	2 hours maximum
Severity 1	Incident Response Time	20 minutes
Severity 1	Incident Update Time	60 minutes
Severity 2	Incident Fix Time	4 hours maximum
Severity 2	Incident Response Time	20 minutes
Severity 2	Incident Update Time	60 minutes

Resolution time SLA: Standard
Severity	Action description	Timeframe
Severity 1	Incident Fix Time	5 hours maximum
Severity 1	Incident Response Time	20 minutes
Severity 1	Incident Update Time	60 minutes
Severity 2	Incident Fix Time	8 hours maximum
Severity 2	Incident Response Time	20 minutes
Severity 2	Incident Update Time	60 minutes

Resolution time SLA: Reduced
Severity	Action description	Timeframe
Severity 1	Incident Fix Time	24 hours maximum
Severity 1	Incident Response Time	180 minutes
Severity 1	Incident Update Time	180 minutes
Severity 2	Incident Fix Time	48 hours maximum
Severity 2	Incident Response Time	180 minutes
Severity 2	Incident Update Time	180 minutes

Escalations and complaints

CN-SPs shall operate escalation and Complaints processes, and these shall comply with the follow principles:

The party raising the escalation or Complaint shall be kept informed of progress at an appropriate interval as agreed with the party raising the escalation.
All escalations and Complaints shall be managed to an appropriate conclusion with agreed remedial actions to prevent reoccurrence.
Escalations and Complaints shall not be closed without the agreement of the party that raised them.
Details of all escalations and Complaints shall be retained on the audit trail for a period of two years.
Activity should be undertaken by the party against whom the Complaint was made in order to minimise the re-occurrence of the issues underlying reported escalations and Complaints.

Any complaint that is not resolved within the estimated timescale for resolution may be escalated by the Customer to the HSCN Authority/Service Co-Ordinator for further support.

Escalations to NHS Digital

In certain instances, where there is significant impact or risk of impact, NHS Digital may be able to help by working with suppliers and consumers to progress and resolve incidents. NHS Digital may also follow-up any event with a post-mortem/lesson learned approach.

If a consumer is experiencing a fault or problem with their service, their CN-SP should always be the first point of contact for escalation. The CN-SP is responsible for end-to-end management of an incident.

We recommend for all organisations to document basic incident information such as:

incident references
description of issue and the impact of the incident on the organisation
when the incident occurred
when contact was made to the CN-SP (dates and times)
have SLAs been breached? If so, how and when?

You may need to refer to this documentation later if you escalate the case to NHS Digital.

NHS Digital may not be able to support if organisations:

have not escalated to their CN-SP as a first point of contact and exhausted the CN-SP escalation routes
are unable to provide basic incident details as listed above
have not allowed their CN-SP a reasonable amount of time to resolve their incident

The role of NHS Digital is to provide governance over the HSCN Operating Model and the suppliers providing HSCN. More on the remit of NHS Digital, CN-SPs and the consumer can be found in the chapter 'Roles and responsibilities'.

If you wish to escalate your concerns to NHS Digital’s HSCN service co-ordinator, please use the email template below. Please note this escalation route operates Monday to Friday, 9am to 5pm (excluding bank holidays).

[email protected] (click to open template)

Data security

HSCN is a hybrid wide area network that provides both private and Internet connectivity. The network benefits from a suite of security features implemented throughout HSCN to help detect, and prevent malicious activity, using state of the art technology offering enhanced protection to all HSCN consumers. The network does not however feature encryption by default. Data controllers remain responsible for implementing appropriate security, including encryption, to protect the data they are responsible for. CN-SPs are also obligated to support the use of encrypted traffic, or could provide this functionality themselves as part of an overlay to the HSCN access circuits.

As a pre-requisite to HSCN migration, your organisation will have signed the appropriate Connection Agreement with NHS Digital and, having done so, is bound to the terms and conditions therein many of which relate to ownership of data and data security over HSCN.

The Information Governance Toolkit (IGT) has now been replaced by the Data Security and Protection Toolkit (DPST). It is not necessary to complete a DSPT assessment to gain access to HSCN. However, all organisations that have or require access to NHS patient data and systems must use this toolkit at least annually, to provide assurance that they are practising good data security and that personal information is handled correctly.

Data controllers are responsible for the provision of security to prevent loss, tampering, authenticity or inappropriate usage of their information and the systems or services used to process and transmit their information.

This means that if patient data or personal data is transmitted across HSCN (or indeed any other network), then encryption must be used. It also means that if you provide systems or services over HSCN, it’s your responsibility to secure them and to make decisions about who, and how can access those systems or services.

The National Cyber Security Centre's Cloud security guidance provides useful information on encryption and how to protect your data in transit.

Please note, in the context of this information, that CN-SPs are obliged to operate their networks in line with ISO27001 requirements.

Last edited: 25 April 2022 12:57 pm

Internet explorer is no longer supported