HSCN is a hybrid wide area network that provides both private and internet connectivity. The network benefits from security features implemented throughout HSCN to help detect, and prevent, malicious activity. It uses state of the art technology that offers enhanced protection to all HSCN consumers. The Cyber Security Operations Centre (CSOC) will contact organisations upon detection of any suspicious looking traffic that indicates a local compromise.
The network does not feature encryption by default. Data controllers remain responsible for implementing appropriate security, including encryption, to protect the data they are responsible for. CN-SPs must also support the use of encrypted traffic or could provide this functionality themselves as part of an overlay to the HSCN access circuits.
Your organisation must have signed the appropriate HSCN Connection Agreement with NHS Digital before migrating to HSCN. Therefore, you are bound to its terms and conditions relating to ownership of data and data security over HSCN.
The Information Governance Toolkit (IGT) has been replaced by the Data Security and Protection Toolkit (DPST). It is not necessary to complete a DPST assessment to gain access to HSCN. However, all organisations that have or require access to NHS patient data and systems must use this toolkit at least annually, to provide assurance that they are practising good data security and that personal information is handled correctly.
Data Controllers are responsible for providing security to prevent loss, tampering or inappropriate usage of their information. This includes the systems or services used to process and transmit their information.
This means that if patient data or personal data is transmitted across HSCN (or indeed any other network), then encryption must be used. It also means that if you provide systems or services over HSCN, it’s your responsibility to secure them and to make decisions about who can access those systems or services.
The National Cyber Security Centre have provided guidance on encryption and how to protect your data in transit.
Please note, in the context of this information, that CN-SPs must operate their networks in line with the requirements set out in the Communications-Electronics Security Group (CESG) Assured Services (Telecoms) CAS(T) scheme.