HSCN connectivity options

HSCN will create the effect of a single network across health and social care providers and their partners.

This page describes a number of potential options for connecting to HSCN from sites of various sizes and types, and provides guidance on selecting the appropriate connectivity service. Each diagram shows a high-level example of how sites of different types may connect to the HSCN, though the service chosen will be determined by the customer’s business requirements. Further guidance on business requirements, principles and considerations, connectivity technologies, security and firewalls, and more is given in the sections below.

This scenario shows how connectivity may be provided for a small site such as a GP surgery or clinic where there is no requirement for a backup connection.

HSCN connectivity will typically be provided over a wired broadband service such as asymmetric digital subscriber line (ADSL) or ADSL2+, directly to the HSCN consumer network service provider (CN-SP).

This scenario shows how connectivity may be provided for a small site such as a GP surgery or clinic with an internet broadband connection and no requirement for resilience.

The internet broadband connection would typically be provided over ADSL or ADSL2+ with connectivity to HSCN via a managed virtual private network (VPN) overlay service.

This scenario shows how connectivity may be provided for a small site such as a GP surgery or clinic where there is a requirement for a resilient service.

The primary service shown in this example is a wired broadband (ADSL or ADSL2+ for example) connection directly to the HSCN CN-SP. The backup connection is an internet broadband service (again, ADSL or ADSL2+ for example), with connectivity to HSCN via a managed VPN overlay service.

This scenario shows how connectivity may be provided for a small site such as a GP surgery or clinic where there is a requirement for a resilient service.

The primary connection is wired broadband (ADSL or ADSL2+ for example) directly to the HSCN CN-SP.

The backup connection uses a private Access Point Name (APN) as standard, delivering enhanced security. It is important to note that the reliability and availability of the 3G/4G connection will vary with location.

This scenario shows how connectivity may be provided for a small/medium sized site such as a GP surgery or clinic where a resilient, higher capacity broadband service may be required.

Both the primary and backup connections use wired broadband, but business requirements may determine that ADSL or ADSL2+ is not sufficient and a higher capacity solution such as fibre to the cabinet (FTTC) or cable (Data Over Cable Service Interface Specification or DOCSIS) may be required.

This scenario shows how connectivity may be provided for a small/medium sized site such as a GP surgery or clinic that needs a resilient service with a higher-bandwidth synchronous primary connection.

The primary connection is Ethernet, shown here as ‘sub-100Mbit/s’, and would typically be delivered over a 100Mbit/s bearer circuit configured with the required committed data rate.

The backup connection uses wired broadband that would typically be provided over ADSL or ADSL2+ depending upon requirements and availability.

This scenario shows how connectivity may be provided to a medium sized site such as a large GP surgery, clinic or a small hospital that needs a resilient service with a higher-bandwidth connection.

The primary connection is Ethernet, with the example showing ‘100Mbit/s’. This would typically be delivered over a 1Gbit/s bearer circuit configured with the required committed data rate.

The backup connection uses ‘superfast’ or ‘ultrafast’ wired broadband provided over FTTC, fibre to the premises (FTTP), or cable (DOCSIS) depending upon backup requirements and availability.

This scenario shows how connectivity may be provided to a medium sized site such as a large GP surgery, clinic or a small hospital that needs a resilient, higher-bandwidth connection.

Both the primary and backup connections are Ethernet, with this example showing ‘100Mbit/s’. The connections would typically be delivered over 1Gbit/s bearer circuits configured with the required committed data rate.

This scenario shows how connectivity may be provided to a large site such as a hospital trust or large clinic or community site that requires a resilient, higher-bandwidth connection with the customer premises equipment managed by the network provider.

Both the primary and backup connections are Ethernet, with this example showing ‘1Gbit/s’ for each. The connections would typically be delivered over 1Gbit/s bearer circuits configured with the required committed data rate.

This scenario shows how connectivity may be provided to a medium sized site occupied by staff from two or more organisations.

The primary connection is Ethernet, with the example showing ‘100Mbit/s’. This would typically be delivered over a 1Gbit/s bearer circuit configured with the required committed data rate.

The backup connection uses ‘superfast’ or ‘ultrafast’ wired broadband provided over FTTC, FTTP, or cable (DOCSIS) depending upon backup requirements and availability.

This scenario shows how connectivity may be provided to a data centre hosting one or more national applications.

The service utilises high capacity dual resilient secure circuits for both the primary and backup connection. These would typically be high-speed Ethernet, with the example showing ‘1Gbit/s+ indicating that the services are delivered over 10Gbit/s bearer circuits configured with the required committed data rate. In this scenario, both the primary and backup connections are provided by the same CN-SP.

For the network scenarios illustrated designing network principles has been summarised in an 8-step process that makes up the structured network design methodology used generally within the industry.

Each of these 8 steps represent a specific network design task that must be completed as part of a project. The specific steps involved in any network design project include:

1. Identifying customer requirements
2. Identifying and analysing the current network
3. Designing for network topologies and customer end site services
4. Planning the network / customer implementation
5. Proof of concept (building pilots or prototypes)
6. Documenting the network design
7. Implementing and verifying the network design with robust test plans
8. Monitoring and revising the network design

Business requirements considerations can be usefully divided into:

• planning processes for the NHS site connection
• addressing bandwidth management in support of business activities
• capacity planning

Business requirements 1: planning

Points to consider in the planning process include:

• existing voice and data traffic on the network 
• devices connected to the network, such as routers, switches, PBXs, domain controllers 
• connectivity to the public switched telephone network (PSTN), if needed 
• network redundancy and resilience 
• network security requirements - the NHS Digital Firewall Technologies GPG provides guidance on accreditation and common criteria when planning a firewall deployment
• growth of data volumes over time: 6 months - 1 year as business changes 
• the number of concurrent users 
• user response times  
• long-running versus intermittent applications 
• internet access requirements

Business requirements 2: bandwidth management

To aid and address bandwidth management in support of business activities you should consider:

• current and potential users of network resources
• primary activities, such as email, file transfers and the applications to support them
• the types of devices to be used, such as PCs, laptops, wireless devices and printers
• use of roaming profiles and how this is being handled
• expectations for network performance
• other applications currently being used, such as voice, and video
• applications planned for future use
• the amount and frequency of data which users plan to download or upload
• security issues like data encryption

Business requirements 3: capacity planning

The steps below outline a simple methodology for capacity planning. This should be a regular activity.

1. Understand the network's activities, such as the work it's expected to support. This includes local, national and core business applications such as email, voice communications, PACS and remote access.
2. Discuss short, medium, and long-term service and usage requirements of network users.
3. Gather network performance data from endpoints, routers, switches and other devices.
4. Review network performance audit reports if available.
5. Analyse bandwidth usage and whether the existing network infrastructure is sufficient for the demand.
6. Determine the number and type of devices the network will need to support currently and, in the future, 6 months/12 months.
7. Use capacity planning and network design tools to analyse network configurations.
8. Based on the results of network analysis, determine the aggregate amount of bandwidth required, and correlate this into the type of circuit(s) that will support the traffic.
9. Analyse the need for network redundancy and how this will translate into additional capacity.
10. Test and validate the new wide area network (WAN) configuration using traffic generators as mentioned earlier along with network design software.
11. Assess any previously identified capacity issues and ensure these are addressed in the capacity management processes.

Common Criteria

Common Criteria (ISO-15408) is a framework for the evaluation of IT products and systems that is recognised internationally by its member countries. Alongside the standard exists a sub-treaty - Common Criteria Recognition Arrangement (CCRA), but it should be noted that only evaluations up to Evaluation Assurance Level 4 (EAL4) have been mutually recognised under this agreement. 

Subsequently, the CCRA advised that mutual recognition by its members should be limited to EAL2, as there was little point having new products and systems evaluated to EAL4. (NB: Previously evaluated products will remain certified to their accredited assurance level for the stated version of the product). Common Criteria has undergone a period of transition, moving away from the model of assurance against evaluation assurance levels, to the adoption of Protection Profiles (PPs). 

Gradually more and more newly evaluated products and systems will be given an assurance level of "PP Compliant" instead of a particular EAL number. PPs are developed through collaboration between government agencies of CCRA participants, product vendors and labs. These PPs may then be used for procurement purposes within other CCRA member nations. 

By building technical communities (TCs), in time, the level of standardisation will be increased through the development of collaborative Protection Profiles (cPPs). More and more new products are being evaluated against relevant cPPs. For example, for firewalls: 'collaborative Protection Profile for Stateful Traffic Filter Firewalls'. Therefore it is recognised that the cPP evaluation process has been sufficiently developed to the point where the previous guidance, that EAL2 compliance is sufficient, should be revised.

National Cyber Security Centre commercial product assurance

In the UK NCSC have developed their Commercial Product Assurance (CPA) scheme, which certifies commercial security products for use by government, the wider public sector and industry. It consolidates previous NCSC schemes to provide simplified certificate-based assurance of security products for use in lower threat environments. It is based on 3 grades that will map to a 3-tier government classification model (OFFICIAL, SECRET and TOP SECRET). CPA foundation grade maps directly to the OFFICIAL Tier and is expected to be used for the vast majority of security products carrying information that is created or processed by government and the wider public sector. There is currently no direct mapping between CPA and Common Criteria, however it is possible that in time NCSC may be able to harmonise CPA and Common Criteria to meet the foundation grade.

The summary table below reflects the current security advice regarding the recommended assurance levels of new network security products deployed within the HSCN/Transition Network (TN).

Notes

1. For Common Criteria only listed certified products should be used - https://www.commoncriteriaportal.org/index.cfm.
2. For NCSC CPA only listed certified products should be used.
3. Relevant cPPs listed at https://www.commoncriteriaportal.org/pps/collaborativePP.cfm?cpp=1&CFID=46510801&CFTOKEN=3400155cadb68958-F58241EF-155D-01DB-13F499DB4D0CBD8F, NIAP-approved PPs listed at https://www.niap-ccevs.org/Profile/PP.cfm.
4. NCSC CPA certification is currently time limited, therefore date of expiry will need to be monitored.

The table below gives a list of technologies that are used to provide the connectivity services shown in the scenarios presented in this document.

Note that the technologies and speeds offered for primary and secondary connections will vary depending upon supplier service offerings, capabilities, and geographical coverage. The speeds shown in the table are the "theoretical maximum" for each service. The actual speed delivered will be lower, particularly for copper DSL broadband services, where the delivered bandwidth is dependent upon a number of factors including the distance from the site to the exchange and the quality of the copper cables.

Presented here is a brief list of emerging technologies that are part of the next generation communication systems of truly converged networks where wired and wireless communications will use the same infrastructure.

5G - converged networks

5G describes the next phase of mobile telecommunications standards beyond the current 4G/ Long Term Evolution (LTE). 5G should allow for an application end-to-end latency of 1 milliseconds or less, according to an Ericsson white paper of April 2016. Devices and applications will automatically select the network which best suits their needs. Industry and research expect a commercial roll-out of 5G in 2020.

Vectoring

Vectoring is a transmission method for the very high speed digital subscriber line (VDSL) - technology to limit interferences on copper wires (cross talk cancellation). It is fast to install as it builds on the existing street cabinet infrastructure. Vectoring offers further transmission and range improvements (100/40 Mbps down-/upstream rate within 200 metres, and 50 Mbps downstream within 600 metres efficiency range).

G.fast and VDSL2 Annex Q

Achieving higher bandwidths on copper-based infrastructure, amongst other methods currently being pursued, is to transmit signals at a higher frequencies range.

G.fast and VDSL2 Annex Q are technologies which reach, in a combination with vectoring, transmission of signals with 35 Megahertz (VDSL2 Annex Q) or 100 Megahertz and more. However, bandwidths of several hundred Mbps via copper cable are maintained only via relatively short distances (aggregate rates of 300 Mbps within 250 metres efficiency range). Therefore, this technology is primarily intended to be used for fibre to the premises/building (FTTP/FTTB) infrastructures.

3G - Third generation of mobile systems. Provides high-speed data transmission and supports multi-media applications such as video, audio and internet access, alongside conventional voice services.

4G - Fourth generation of mobile systems. It is designed to provide faster data download and upload speeds on mobile networks.

Access network - An electronic communications network which connects end-users to a service provider; running from the end-user's premises to a local access node and supporting the provision of access-based services. It is sometimes referred to as the 'local loop' or the 'last mile'.

ADSL - Asymmetric digital subscriber line. A digital technology that allows the use of a standard telephone line to provide high-speed data communications. Allows higher speeds in one direction ('downstream' towards the customer) than the other.

APN - Access Point Name as standard, delivering enhanced security.

Broadband - A data service or connection generally defined as being 'always on' and providing a bandwidth greater than narrowband connections.

CN-SP - Consumer network service provider

DOCSIS - Data Over Cable Service Interface Specification. It is a standard for the high speed transmission of data over cable networks.

DSL - Digital subscriber line. A family of technologies generally referred to as DSL, or xDSL, capable of transforming ordinary phone lines (also known as 'twisted copper pairs') into high-speed digital lines, capable of supporting advanced services such as fast internet access and video on demand. ADSL and VDSL (very high speed digital subscriber line) are variants of xDSL).

FTTC - Fibre to the cabinet. Access network consisting of optical fibre extending from the access node to the street cabinet. The street cabinet is usually located only a few hundred metres from the subscribers' premises. The remaining segment of the access network from the cabinet to the customer is usually a copper pair.

FTTH/FTTP - Fibre to the home/premises. A form of fibre optic communication delivery in which the optical signal reaches the end user's home or place of work.

IP - Internet Protocol. This is the packet data protocol used for routing and carrying data across the internet and similar networks.

IPv4 - The fourth and most widely used version of the Internet Protocol. It defines IP addresses in a 32-bit format, which looks like 111.111.111.111

IPv6 - The successor to IPv4. It uses 128-bit addresses, increasing the number of possible addresses.

ISP - Internet service provider. A company that provides access to the internet.

MNO - Mobile network operator, a provider who owns a cellular mobile network.

Modem sync speed - The modem sync speed represents the highest possible speed at which data can be transferred across the line.

Not-spot - An area which is not covered by fixed or mobile networks.

Peering Exchange - For example, LINX London Internet Exchange. A not-for-profit membership organisation that provides peering services to Internet Service Providers.

RIPE NCC - Europe and the Middle East, Réseaux IP Européens Network Coordination Centre - The regional internet registry with responsibility for Europe, the Middle East and parts of Central Asia. It oversees the allocation and registration of IP addresses in these areas.

RIR - Regional internet registry. Provide blocks of IP addresses to telecommunications companies and internet service providers within an allocated region.

Smartphone - A mobile phone that offers more advanced computing ability and connectivity than a contemporary basic 'feature' phone.

Superfast broadband - The next generation of faster broadband services, which delivers headline download speeds of greater than 30 Mbit/s.

Usage cap - Monthly limit on the amount of data that users can download, imposed by fixed and mobile operators for some of their packages.

VDSL - Very high speed DSL. A high speed variant of DSL technology, which provides a high headline speed through reducing the length of the access line copper by connecting to fibre at the cabinet.

VoIP - Voice over Internet Protocol. A technology that allows users to send calls using internet protocol, using either the public internet or private IP networks.

Wi-Fi - A short range wireless access technology that allows devices to connect to a network through using any of the 802.11 standards. These technologies allow an over-the-air connection between a wireless client and a base station or between two wireless clients.

xDSL - The generic term for the digital subscriber line (DSL) family of technologies used to provide broadband services over a copper telephone line.