HSCN internet access issues guidance

The HSCN Internet Access Form replaces the Data Security Centre (DSC) Firewall Change Request Form.

The form can be used if:

• your consumer network service provider (CNSP) has advised the port you are trying to access is not an allowed any/any port and you still require access
• your CNSP has advised you are trying to access something that has been placed on the deny list, but you still require access - these requests will only be approved in exceptional and business critical circumstances 
• you had access to a site on the Transition Network (previously N3) however you do not have the same access on HSCN

Once completed, send the form to the NHS Digital National Service Desk (NSD) via your local IT support route. When they get the form the NHS Digital Data Security Centre (DSC) will assess the request. They will either:

• instruct Capita to make the necessary changes and confirm this to you
• respond to advise that the request cannot be authorised

You can contact the NHS Digital National Service Desk by:

Telephone: 0300 303 5035

Email: ssd.nationalservicedesk@nhs.net 

National Service Desk portal (TN or HSCN connection required) 

A number of HSCN Consumer Network Service Providers (CNSPs) have chosen to connect to NHS Secure Boundary using Prisma Access for Clean Pipe.  If your HSCN CNSP has chosen this connection method it will no longer be possible to use Internet Control Message Protocol (ICMP) to test internet connectivity. All HSCN CNSPs were advised to carry out impact assessments and consult their customers when choosing how to connect to NHS Secure Boundary.

Users impacted by this can instead test internet connectivity by:

• Attempting to connect to public websites generally available (for example, Google, BBC News).
• Using Transmission Control Protocol (TCP) ping, an alternative to ICMP which is supported by the platform. is a TCP orientated ping alternative. A variety of TCP ping tools are available online and guidance on using TCP ping has been published by Microsoft.

You should follow the standard process for contacting your CNSP, via your local service desk or network manager. Your CNSP will be able to provide further advice and guidance on testing access and connectivity

Deny list and dynamic list block

A deny list incident occurs when you try to access a domain identified as malicious by the NHS Digital Security Centre. This includes spoofed NHS type domain websites, where a site appears to use the .nhs domain to impersonate an NHS site.

There are different types of dynamic list items. The common types are:

• file - specific sites which have been temporarily blocked for analysis
• category – a website placed into a disallowed category 
• emerging threat – a website which has been classified as potentially hostile or malicious 

When you try to access a page that's blocked for one of the above reasons you may see a HSCN specific coaching page. It will inform you the page has been blocked by the HSCN Advanced Network Monitoring (ANM) service. The screen you see will be different when accessing a HTTP or a HTTPS address.

When trying to access a page with a HTTP block you will see a HSCN specific message advising that the page is blocked.

When trying to access a page with a HTTPS block you will see a generic error message, which will differ depending on the internet browser used. Work is underway to introduce an HTTPS coaching page.

Blocked port

Ports are mostly used for devices and services which do not connect via a browser. Examples of port access issues include inability to access chip and pin services, telephony and CCTV. Although blocked ports are mostly unrelated to browser access, there are some URLs that are port specific and in these circumstances the connection would not work. In this scenario you wouldn’t see an error message or blocked coaching page.

File blocked

File blocked incidents relate to files you are attempting to download from the internet, such as updates to software - for example, a change to a Warfarin dosage file. If a file is blocked, it won’t download. In this scenario you won’t see an error message or blocked coaching page.

Non-ANM issues

There are circumstances outside of ANM’s remit which may cause connection problems to a destination website. If an incident is reported to the ANM service provider and it’s found that ANM is not the cause this will be reported back to you.

Issues outside of ANM that may cause connection problems include:

• the end destination is using a Transport Layer Security (TLS) version, a type of internet security certificate, which does not meet NHS standards
• a perceived man-in-the-middle (MITM) attack 
• inability (after migrating) to access a site on HSCN you could previously access on the Transition Network - this could be due to an issue with an access control list (ACL) at the end destination

If you can't reach the end destination for any of these reasons, your request may hang and not connect, or you may be presented with an error page.

Once it has been confirmed that the issue is not ANM related, your local IT service desk will need to investigate the matter further and contact the end destination for support as required.

Incident process for blocks

If you believe access has been prevented incorrectly you should log a service call with your local ICT service. They will check for local issues. If no local issues exist, you can then log a call with your HSCN consumer network service provider (CNSP) via the normal HSCN support process.

Once logged, your CNSP will investigate whether or not the issues are within their domain. If the incident can be resolved by your CNSP, or if they find that the issue is within your local domain, they will take the necessary action and feed back to you. If they find that the issue is within the ANM domain your call will be forwarded onto the ANM service provider for investigation.

The process below shows the stages of finding and reporting an ANM issue. The incident may be resolved and closed at any stage of this process.