This guidance supports HSCN consumers who request access to blocked internet resources.
As an HSCN consumer, you may find access to internet resources prevented for a number of reasons, so it’s very important that you provide a screenshot when logging an incident via the HSCN Internet Access Form.
your HSCN consumer network service provider (CNSP) has advised the port you are trying to access is not an allowed any/any port and you still require access
your CNSP has advised you are trying to access something that has been placed on the deny list, but you still require access - these requests will only be approved in exceptional and business critical circumstances
Once completed, send the form to the NHS Digital National Service Desk (NSD) via your local IT support route. When they receive the form, the NHS Digital Data Security Centre (DSC) will assess the request. They will either:
make the necessary changes and confirm this to you
respond to advise that the request cannot be authorised
You can contact the NHS Digital National Service Desk by:
Internet Control Message Protocol and NHS Secure Boundary
A number of HSCN CNSPs have chosen to connect to NHS Secure Boundary using Prisma Access for Clean Pipe. If your CNSP has chosen this connection method it will no longer be possible to use Internet Control Message Protocol (ICMP) to test internet connectivity. All CNSPs were advised to carry out impact assessments and consult their customers when choosing how to connect to NHS Secure Boundary.
Users impacted by this can instead test internet connectivity by:
attempting to connect to public websites generally available (for example, Google, BBC News)
using Transmission Control Protocol (TCP) ping, a TCP-orientated alternative to ICMP ping which is supported by the platform. A variety of TCP ping tools are available online, and guidance on using TCP ping has been published by Microsoft
You should follow the standard process for contacting your CNSP, via your local service desk or network manager. Your CNSP will be able to provide further advice and guidance on testing access and connectivity
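The TCP ping test described above can be sketched as follows. This is an added example, not NHS Digital, CNSP or Microsoft tooling; the function names tcp_ping and ping_series and the script file name are illustrative, and the host and port are supplied by the person running the test.

```python
import socket
import sys
import time


def tcp_ping(host, port, timeout=3.0):
    """Attempt one TCP handshake; return (status, elapsed_ms)."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status = "open"        # handshake completed
    except socket.gaierror:
        status = "dns_failure"     # name did not resolve; no packet reached the port
    except ConnectionRefusedError:
        status = "refused"         # something on the path answered with a reset
    except (socket.timeout, TimeoutError):
        status = "timeout"         # no answer at all within the timeout
    except OSError:
        status = "error"           # e.g. network unreachable
    return status, (time.perf_counter() - start) * 1000.0


def ping_series(host, port, count=4, timeout=3.0):
    """Repeat the probe and summarise, like ping's closing statistics."""
    results = [tcp_ping(host, port, timeout) for _ in range(count)]
    ok = [ms for status, ms in results if status == "open"]
    return {
        "sent": count,
        "open": len(ok),
        "statuses": sorted({status for status, _ in results}),
        "min_ms": min(ok) if ok else None,
        "avg_ms": sum(ok) / len(ok) if ok else None,
        "max_ms": max(ok) if ok else None,
    }


if __name__ == "__main__":
    # Usage: python tcp_ping.py <host> <port>   (file name is an assumption)
    target, target_port = sys.argv[1], int(sys.argv[2])
    summary = ping_series(target, target_port)
    print(f"{target}:{target_port} -> {summary}")
    if summary["open"] == 0:
        # Record the statuses and the time of the test in the incident report.
        print("No handshake completed; statuses seen:", summary["statuses"])
```

Recording whether the result was a DNS failure, a refusal or a timeout, together with the destination port, gives your local service desk and CNSP more to work with than a report that the connection did not work.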
Common reasons for blocked internet access
Deny list and dynamic list block
A deny list incident occurs when you try to access a domain identified as malicious by the NHS Digital Security Centre. This includes spoofed NHS type domain websites, where a site appears to use the .nhs domain to impersonate an NHS site.
There are different types of dynamic list items. The common types are:
file - specific sites which have been temporarily blocked for analysis
category – a website placed into a disallowed category
emerging threat – a website which has been classified as potentially hostile or malicious
When you try to access a page that's blocked for one of the above reasons, you may see an HSCN-specific coaching page. It will inform you that the page has been blocked by the HSCN internet security service. The screen you see will be different when accessing an HTTP or an HTTPS address.
When trying to access a page with an HTTP block, you will see an HSCN-specific message advising that the page is blocked.
When trying to access a page with an HTTPS block, you will see a generic error message, which will differ depending on the internet browser used. Work is underway to introduce an HTTPS coaching page.
Ports are mostly used for devices and services which do not connect via a browser. Examples of port access issues include inability to access chip and pin services, telephony and CCTV. Although blocked ports are mostly unrelated to browser access, there are some URLs that are port specific and in these circumstances the connection would not work. In this scenario you wouldn’t see an error message or blocked coaching page.
File blocked incidents relate to files you are attempting to download from the internet, such as updates to software - for example, a change to a Warfarin dosage file. If a file is blocked, it won’t download. In this scenario you won’t see an error message or blocked coaching page.
Non-HSCN internet security service issues
There are circumstances outside of the HSCN internet security service's remit which may cause connection problems to a destination website. If an incident is reported to the service provider and it’s found that the HSCN internet security service is not the cause, this will be reported back to you.
Issues outside of the service that may cause connection problems include:
the end destination is using a Transport Layer Security (TLS) version, a type of internet security certificate, which does not meet NHS standards
a perceived man-in-the-middle (MITM) attack
If you can't reach the end destination for any of these reasons, your request may hang and not connect, or you may be presented with an error page.
Once it has been confirmed that the issue is not caused by the HSCN internet security service, your local IT service desk will need to investigate the matter further and contact the end destination for support as required.
Incident process for blocks
If you believe access has been prevented incorrectly, you should log a service call with your local ICT service. They will check for local issues. If no local issues exist, you can then log a call with your HSCN CNSP via the normal HSCN support process.
Once logged, your CNSP will investigate whether or not the issues are within their domain. If the incident can be resolved by your CNSP, or if they find that the issue is within your local domain, they will take the necessary action and feed back to you. If they find that the issue is within the HSCN internet security service's domain, your call will be forwarded on to the service provider for investigation.