Skip to main content

Part of Business Applications Guidance

Industry standards


A list and links to specific industry standards applicable to the service.

  1. TLS version 1.0: RFC 2246
  2. (IETF) IPSec protocols RFC4301/4302/4303
  3. Mobile IPv4 RADIUS RFC5030

IG, security and user considerations

A key consideration for any remote access service is the requirement that patient data is safe and protected. There are many rules that govern controls and protection when accessing systems and application remotely. Some of these rules are provided via national guidance and others are defined and managed by the local health and social care organisation (by their Caldicott Guardian) and as part of end users terms of service usage. The list below is only a small sample of some of the high level security considerations.

Provision of a securely managed remote access service platform adhering to ISO27001 standards:

  1. Locally managed services compliance
  2. Cloud based solution accreditation

Ensuring remote access users are authenticated onto the platforms:

  1. The correct authentication architecture is deployed e.g. Users are only allowed access to services/ applications that they are authorised to use.
  2. Adherence to current NHSData Security and Protection Toolkit, CESG and GDS security principles 
  3. Appropriate tools to monitor and audit usage of services
  4. End user management
  5. Ensuring that software updates and patches are applied 
  6. Password management /User authentication management

Device/machine management:

  1. Ability in managing lost or stolen devices effectively

Central remote access infrastructure security

  1. Firewall management
  2. Patching management
  3. Anti-Virus management

The items above are just a very small sample of key security considerations. Open a detailed view of the security requirements and obligations for NHS IT systems, administrators and users.

Data Security and Protection Toolkit

Last edited: 15 December 2020 4:35 pm