HSCN internet access issues guidance

This guidance supports HSCN consumers who request access to blocked internet resources.

As an HSCN consumer, you may find access to internet resources prevented for a number of reasons, so it’s very important that you provide a screenshot when logging an incident via the HSCN Internet Access Form.

NHS National Ruleset request

The NHS National Ruleset Forms replace the Data Security Centre (DSC) HSCN ANM Firewall Change Request Form.

Following the migration to NHS Secure Boundary, changes to the National Ruleset should be made by an Authenticated User on the Secure Boundary Platform.

The form can be used if:

  • your CNSP has advised the port you are trying to access is not an allowed any/any port and has advised you submit a completed form to them
  • you are a Secure Boundary Authenticated User at a Direct Connect Organisation

Once completed, the form should be sent to the NHS Digital Exeter Helpdesk (EHD) via your local IT support route. When they get the form, the NHS Digital DSC will assess the request and either instruct Accenture to make the necessary changes and confirm this to you, or respond to advise that the request cannot be authorised.

Download the NHS National Ruleset Request Forms

For further details and guidance on using this form please see HSCN internet access issues guidance.

You can contact the NHS Digital Exeter Helpdesk by:

Telephone: 0300 303 4034

E-mail: [email protected]

Internet Control Message Protocol and NHS Secure Boundary

A number of HSCN CNSPs have chosen to connect to NHS Secure Boundary using Prisma Access for Clean Pipe. If your CNSP has chosen this connection method it will no longer be possible to use Internet Control Message Protocol (ICMP) to test internet connectivity. All CNSPs were advised to carry out impact assessments and consult their customers when choosing how to connect to NHS Secure Boundary.

Users impacted by this can instead test internet connectivity by:

  • attempting to connect to public websites generally available (for example, Google, BBC News)
  • using Transmission Control Protocol (TCP) ping, an alternative to ICMP which is supported by the platform. is a TCP orientated ping alternative. A variety of TCP ping tools are available online and guidance on using TCP ping has been published by Microsoft

You should follow the standard process for contacting your CNSP, via your local service desk or network manager. Your CNSP will be able to provide further advice and guidance on testing access and connectivity.
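
The TCP ping check described above, as an added example (not part of the original guidance or any NHS tooling): it times a TCP handshake to a host and port and separates a completed connection from a refusal, a silent timeout or a DNS failure. The function names and the placeholder default target example.org are assumptions made for this illustration.

```python
import socket
import statistics
import sys
import time


def tcp_ping(host, port=443, timeout=3.0):
    """Attempt one TCP handshake and return (status, elapsed_ms)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status = "open"          # handshake completed
    except socket.timeout:
        status = "timeout"           # no reply at all within the timeout
    except ConnectionRefusedError:
        status = "refused"           # host answered, nothing listening on the port
    except socket.gaierror:
        status = "dns-failure"       # name did not resolve
    except OSError:
        status = "unreachable"       # any other network error
    return status, round((time.monotonic() - start) * 1000, 1)


def probe(host, port=443, count=4, timeout=3.0):
    """Run several handshakes and summarise them, like ping's final report."""
    results = [tcp_ping(host, port, timeout) for _ in range(count)]
    ok = [ms for status, ms in results if status == "open"]
    return {
        "target": f"{host}:{port}",
        "sent": count,
        "connected": len(ok),
        "statuses": sorted({status for status, _ in results}),
        "median_ms": statistics.median(ok) if ok else None,
    }


if __name__ == "__main__":
    # example.org is a placeholder target; pass the real host and port as arguments.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(host, port))
```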

Common reasons for blocked internet access

Deny list and dynamic list block

A deny list incident occurs when you try to access a domain identified as malicious by the NHS Digital Security Centre. This includes spoofed NHS type domain websites, where a site appears to use the .nhs domain to impersonate an NHS site.

There are different types of dynamic list items. The common types are:

  • file - specific sites which have been temporarily blocked for analysis
  • category – a website placed into a disallowed category 
  • emerging threat – a website which has been classified as potentially hostile or malicious 

When you try to access a page that's blocked for one of the above reasons you may see a HSCN specific coaching page. It will inform you the page has been blocked by the HSCN internet security service. The screen you see will be different when accessing a HTTP or a HTTPS address.

When trying to access a page with a HTTP block you will see a HSCN specific message advising that the page is blocked.

Figure 1 – HTTP Coaching Page

When trying to access a page with a HTTPS block you will see a generic error message, which will differ depending on the internet browser used. Work is underway to introduce an HTTPS coaching page.

Figure 2 - HTTPS browser warning in Internet Explorer

Blocked port

Ports are mostly used for devices and services which do not connect via a browser. Examples of port access issues include inability to access chip and pin services, telephony and CCTV. Although blocked ports are mostly unrelated to browser access, there are some URLs that are port specific and in these circumstances the connection would not work. In this scenario you wouldn’t see an error message or blocked coaching page.

File blocked

File blocked incidents relate to files you are attempting to download from the internet, such as updates to software - for example, a change to a Warfarin dosage file. If a file is blocked, it won’t download. In this scenario you won’t see an error message or blocked coaching page.

Non-HSCN internet security service issues

There are circumstances outside of the HSCN internet security service's remit which may cause connection problems to a destination website. If an incident is reported to the service provider and it’s found that the HSCN internet security service is not the cause, this will be reported back to you.

Issues outside of the service that may cause connection problems include:

  • the end destination is using a Transport Layer Security (TLS) version, a type of internet security certificate, which does not meet NHS standards
  • a perceived man-in-the-middle (MITM) attack

If you can't reach the end destination for any of these reasons, your request may hang and not connect, or you may be presented with an error page.

Once it has been confirmed that the issue is not caused by the HSCN internet security service, your local IT service desk will need to investigate the matter further and contact the end destination for support as required.

Incident process for blocks

If you believe access has been prevented incorrectly you should log a service call with your local ICT service. They will check for local issues. If no local issues exist, you can then log a call with your HSCN CNSP via the normal HSCN support process.

Once logged, your CNSP will investigate whether or not the issues are within their domain. If the incident can be resolved by your CNSP, or if they find that the issue is within your local domain, they will take the necessary action and feed back to you. If they find that the issue is within the HSCN internet security service's domain your call will be forwarded onto the service provider for investigation.

Last edited: 22 September 2023 5:33 pm