HSCN consumer handbook: contents

Service levels and incident severity classification


Summary

This page defines each service failure severity level. It also describes the complaints and escalations policy network providers should have in place, and who has responsibility for data security over the network.

Service levels 

CN-SPs shall comply with the minimum service levels set out in the HSCN CN-SP Service Management Requirement Addendum.

These service levels apply during the service hours contracted between the HSCN consumer and the CN-SP.

Incident severity classification

The following incident severity definitions shall be used as incident severity setting guidance.

Severity 1 service failure 

A service failure which, in the reasonable opinion of the affected HSCN consumer or NHS Digital, causes:

  • loss of interconnect between a CN-SP and the internet that results in a loss of connectivity for one or more HSCN consumers
  • loss of interconnect between a CN-SP and a Peering Exchange Network provider that results in a loss of connectivity for one or more HSCN consumers
  • any HSCN consumer service to be isolated from a CN-SP network
  • any network security incident as defined by CAS(T) or within a CN-SP’s service boundary

Resolution time service level agreement (SLA): <5 hours

Severity 2 service failure 

An incident which, in the reasonable opinion of the consumer, has the potential to:

  • cause a loss of all resilience for the HSCN consumer
  • cause a loss of all resilience between CN-SP and the internet
  • cause a loss of all resilience between a CN-SP and the Peering Exchange Network provider
  • cause network performance degradation affecting all available connections to multiple HSCN consumers
  • prevent a significant number of end-users from working and where no workaround exists
  • critically impact the ability of the HSCN consumer to carry out its statutory obligations
  • cause major financial loss to the HSCN consumer

Resolution time SLA: <8 hours

Severity 3 service failure

An incident which, in the reasonable opinion of the consumer, has the potential to:

  • have a major adverse impact on the activities of the consumer which can be reduced to a moderate adverse impact due to the availability of a workaround acceptable to the consumer
  • have a moderate adverse impact on the activities of the consumer
  • constitute a non-serious/non-critical security risk

For example:

Reporting capability is not available or is inaccurate.

Resolution time SLA: <24 hours

Severity 4 service failure

An incident which, in the reasonable opinion of the consumer, has the potential to have a minor adverse effect on the services provided to the consumer.

For example:

Information available to the consumers is incorrect but will only cause a minor adverse impact.

Resolution time SLA: <2 weeks

Severity 5 service failure

An incident which, in the reasonable opinion of the consumer, has the potential to have a very minor adverse effect on the services provided to the consumer.

For example:

Information available on consumers is cosmetically incorrect.

Resolution time SLA: <5 weeks

Higher severity service incidents (HSSIs), sometimes referred to by suppliers as 'major incidents', are incidents that cause a serious interruption of business activities. For each severity level, the resolution time SLA may differ if the HSCN consumer has selected an alternate HSSI fix level in its Customer Service Specification Template under Crown Commercial Services framework RM3825.

Escalations and complaints

CN-SPs shall operate escalation and complaints processes, and these shall comply with the following principles:

  1. The party raising the escalation or complaint shall be kept informed of progress at an appropriate interval, as agreed with the party raising the escalation.
  2. All escalations and complaints shall be managed to an appropriate conclusion with agreed remedial actions to prevent reoccurrence.
  3. Escalations and complaints shall not be closed without the agreement of the party that raised them.
  4. Details of all escalations and complaints shall be retained on the audit trail for a period of two years.
  5. Activity should be undertaken by the party against whom the complaint was made in order to minimise the re-occurrence of the issues underlying reported escalations and complaints.

Data security

HSCN is a hybrid wide area network that provides both private and internet connectivity. The network benefits from security features implemented throughout HSCN to help detect and prevent malicious activity. It uses state-of-the-art technology that offers enhanced protection to all HSCN consumers. The Cyber Security Operations Centre (CSOC) will contact organisations upon detection of any suspicious-looking traffic that indicates a local compromise.

The network does not feature encryption by default. Data controllers remain responsible for implementing appropriate security, including encryption, to protect the data they are responsible for. CN-SPs must also support the use of encrypted traffic or could provide this functionality themselves as part of an overlay to the HSCN access circuits.

Your organisation must have signed the appropriate HSCN Connection Agreement with NHS Digital before migrating to HSCN. Therefore, you are bound to its terms and conditions relating to ownership of data and data security over HSCN.

The Information Governance Toolkit (IGT) has been replaced by the Data Security and Protection Toolkit (DSPT). It is not necessary to complete a DSPT assessment to gain access to HSCN. However, all organisations that have or require access to NHS patient data and systems must use this toolkit at least annually, to provide assurance that they are practising good data security and that personal information is handled correctly.

Data Controllers are responsible for providing security to prevent loss, tampering or inappropriate usage of their information. This includes the systems or services used to process and transmit their information.

This means that if patient data or personal data is transmitted across HSCN (or indeed any other network), then encryption must be used. It also means that if you provide systems or services over HSCN, it’s your responsibility to secure them and to make decisions about who can access those systems or services.

The National Cyber Security Centre have provided guidance on encryption and how to protect your data in transit.

Please note, in the context of this information, that CN-SPs must operate their networks in line with the requirements set out in the Communications-Electronics Security Group (CESG) Assured Services (Telecoms) CAS(T) scheme.

Last edited: 2 August 2019 2:29 pm