Skip to main content

Part of Business Applications Guidance

Business applications: generic guidance

Current Chapter

Current chapter – Business applications: generic guidance


There are many business applications used by health and social care consumers. These include:

  • clinical applications such as electronic patient records, GPIT systems or diagnostics systems
  • voice communications
  • email services such as NHSmail;
  • national applications such as Summary Care Record (SCR) and eReferral service
  • patient access applications

These applications are increasingly moving to internet hosted applications.

NHS Digital is committed to supporting end consumers using these applications and other standard tools and products to collaborate and share information with their partners.

It is important that, regardless of the network used as transit, application services are configured to meet the security, performance and availability requirements of the health and social care business users.

The following guidelines apply to all application services. NHS Digital does not assure supplier services of commodity/off-the-shelf type applications.

All application/service procurements should follow the government Technology Code of Practice.

Information security

The NHS Digital Data Security Centre provides advice and guidance to health and social care organisations. They offer best practice advice along with a knowledge base of security information for the day to day security operational functions to assist health and social care organisations in key infrastructure management decisions.

This links below provide further information on these services.

NHS cyber security and CareCERT

Caldicott Guardian

Note that the guidelines provided are general good practice, and should be applied regardless of the network used, whether HSCN, the internet, cloud service connectivity, regional wide area networks (WANs) or direct connectivity to a supplier's data centre.

The sections covered within the appendices of this document refer to various security principles and guidelines. These principles and guidelines should be taken into consideration when an NHS organisation begins the process to procure HSCN business applications.

In addition, it is important to protect your local service whenever using cloud services. The National Cyber Security Centre best practice provides support in this context:

10 Steps to Cyber Security

When procuring application services, listed below are areas that should be considered as support for requirements on the service provided by a commercial third party supplier, regardless of the network connectivity method.

Cloud security principles

The National Cyber Security Centre publishes guidance on implementing security in cloud applications. These principles are useful for all application deployments even if hosted locally.

These principles should be used to assess all remotely hosted/cloud hosted applications.

Government frameworks include assessments of services against these principles.

NCSC also provide guidance on:


A good example of a standard used for security governance and operational controls.

Data Security and Protection Toolkit Assessment

Any commercial third party provider of applications needs to produce an Data Security and Protection Toolkit This is no longer tied to connection agreements for a specific network, as this applies regardless of the networks used for data transit.

The Data Security and Protection Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian's ten data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Clinical Safety

The Health and Social Care Act 2012 mandates adherence to Clinical Risk Management standards where IT is developed and used to support health and care services.

DCB0129: Clinical Risk Management: its Application in the Manufacture of Health IT Systems, shall be complied with by manufacturers who are developing IT systems that utilise HSCN to support health or care services.

DCB 0160: Clinical risk Management: its Application in the Deployment and Use of Health IT Systems shall be complied with by organisations who are deploying and using IT systems that utilise HSCN to support health or care services.

Read more about resources supporting clinical risk management of IT systems. 


Consideration needs to be given to the service requirements - how the application is delivered and managed. Suppliers will often provide catalogues to detail these elements of their service. Consideration should be given to the following:

Service hours

What service hours support do you need - noting that a business critical application should match your operational hours. That is, if you'll use the application 24/7/365 you will need the service to be supported for these hours.

Service levels

Check for standard service level agreements (SLAs) - availability and incident fix times. Ensure these fit your requirements and that they reflect how critical the service is to running your business.

Ensure there is a plan for IT Service Continuity Management to the level required to support your business needs.

Higher service levels typically result in higher cost.

Having higher SLAs in your application than the SLAs for your network connectivity can result in unnecessary expenditure.

Service operations and management

For a service to meet the required service levels it is necessary to have a service organisation that meets basic best practice processes for areas such as service desk, service operations (backup and maintenance for example), service incident management, business continuity and disaster recovery.

Consider if the service provider works to established standards such as working to the Information Technology Infrastructure Library (ITIL) framework or having ISO20000 certification.

Service boundary

Check the supplier provided scope of the service boundary, where their responsibilities end and what the customer or another contracted provider needs to do, especially in terms of providing network connectivity. Use this provided information to check the network you plan to use to connect to the service is correctly specified.

Delivery support services - deployment and testing

What does the supplier offer in terms of support for project management, deployment and testing of the new application service within your organisation?

Also consider if there is a workable approach to collaboration with the incumbent supplier for migration.

Customer responsibilities

Ensure that all customer responsibilities are documented and understood, especially if there are responsibilities to specify sizing or capacity of the service.

There may also be minimum specifications for customer provided equipment (such as LAN/WAN infrastructure checks; local devices such as desktops). You'll be responsible for ensuring the local equipment meets the required specifications from the supplier, or service agreements may be breached.

Customer configurability

What toolsets are provided to allow you as the customer to configure and manage the service? Are there any self-serve options to make moves/adds/changes to the service?

Service transition and exit

Ensure that the approach to exiting the service and transitioning to a new service is documented and any required transitional assistance costs are understood.

Meeting all of these requirements is not mandatory; it depends on the size of your business and the criticality to your operations of the application service you are procuring. Review these categories in terms of what the supplier offers in order to evaluate what meets your needs and provides value for money.

NHS Digital assures all these requirements for national applications and assesses the network and other infrastructure requirements to support these critical business applications.

Last edited: 26 March 2021 4:47 pm