
HSCN network perimeter security guidance for CCGs and general practices

Guidance and useful documentation on clinical commissioning group (CCG) and general practice responsibilities for network perimeter security on the HSCN.

NHS England is accountable for the delivery of general practice IT services, delegating responsibility for delivering key elements of general practice IT services to CCGs. These arrangements promote equity and ensure a consistent core offer in all parts of the country. They give general practice the flexibility to meet local needs within a nationally agreed framework, adhering to national information governance and security standards, and are underpinned by a centrally managed assurance process.

The NHS information governance legal framework

NHS GP IT Operating Model

The CCG shall ensure that all consumer connections to external networks, including the Health and Social Care Network (HSCN) or the internet conform to:

CCG responsibilities

CCGs are recognised as being responsible for planning and commissioning health care services in their local area, including general practices. This includes the provision and distribution of network and information security policies, which are relevant to the organisations within their jurisdiction.

The CCG's risk assessments shall include all aspects of the networks that are used to support business processes. The risk assessment shall identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

There are several guides, best practices and specifications published by the NHS defining appropriate security countermeasures for network perimeter boundaries. These documents provide guidance on how an organisation should implement an organisation-wide boundary protection scheme. This will help organisations to have procedures and processes in place that will enable them to successfully and securely:

  • configure systems, devices and software across networks
  • lock down systems, devices and software across networks
  • manage gateways to other networks
  • monitor networks and react to incidents

Further detail can be found in the Boundary Protection – Good Practice Guide published by NHS Digital.

The General Practice IT Infrastructure Specification document, published by NHS England, states:

"Protecting the network usually comprises stopping unauthorised access either by people on the outside trying to get in or by stopping people connecting unauthorised devices to the network on the premises."

and

"Network security should enable safe usage rather than block staff from doing their job."

HSCN Connection Agreement 

Every organisation (or CCG signing on behalf of the general practice) that wishes to use HSCN must complete a Connection Agreement. See the Connecting to HSCN page. 

The term 'use HSCN' means 'send or receive data across HSCN'. Signing this agreement will mean that the organisation is ready to be connected to the HSCN once an HSCN supplier has been selected.

The HSCN does not help secure data in any way as it passes across the network. Responsibility for providing sufficient security lies with the sending and receiving organisations and the providers and users of sites or applications that are accessed through the HSCN.

This includes providing assurances that any service or application available on the HSCN or any organisations or users on the network are authentic and appropriately secured.

Network perimeter security

The National Cyber Security Centre (NCSC) provides guidance for securing data networks, including boundary protection.

Managing the network perimeter

Manage access to ports, protocols and applications by filtering and inspecting all traffic at the network perimeter. This is to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malicious content.

The following principles apply:

  1. Create a buffer zone between the HSCN, the internet and the local networks used by the business.
  2. The countermeasures applied should deny traffic by default and a whitelist should be applied that only allows authorised protocols, ports and applications to exchange data across the local network/HSCN boundary. This will reduce the exposure of systems to network-based attacks.
  3. Ensure there is an effective process for managing changes to avoid workarounds.

Note

A router configured to route without additional security countermeasures applied will blindly pass traffic between networks, completely unaware of malicious or compromising traffic.

Recommended network perimeter security options 

To comply with the HSCN Connection Agreement and the national information governance and security standards one of the following network perimeter security options must be adopted.

Customer premises equipment (CPE) router with context-based access control (CBAC)

As a minimum, the HSCN CPE router shall be deployed with a whitelist CBAC policy applied. In general terms this means that the router configuration should begin with a 'deny all traffic' principle and apply controls to allow only specific network traffic types to and from authorised network locations.

CBAC is an extension of standard access controls whereby the traffic’s application-layer protocol data is inspected to determine the state of a given Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) session.

Note - if the consumer organisation already has a managed connection on the Transition Network (TN) then the redacted TN CPE router configuration should provide the context-based access controls currently applied.

CPE router with built in stateful firewall capabilities

Whilst an access control list (ACL) and a firewall have some similar aspects, they are significantly different. An access control list is a configuration with a type of network logic that can permit or deny certain network packets through a network interface. A firewall will inspect the network traffic passing through and make decisions about what to let through and what to block. The most important difference is that an ACL is stateless, so it will accept or deny each individual packet without knowledge of what came before or afterwards. A firewall is stateful, which means it not only understands each packet but can also understand the entire session.
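The following is an added illustration, not part of the NHS guidance, of the stateless/stateful difference described above combined with the deny-by-default whitelist principle from "Managing the network perimeter". All addresses, ports and names are constructed for the example, and the model is simplified to track sessions by address and port only.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    outbound: bool   # True = local network towards HSCN

# Constructed whitelist: the only (address, port) pairs local hosts may reach.
ALLOWED_OUTBOUND = {("203.0.113.10", 443)}

def stateless_acl(pkt: Packet) -> bool:
    """Judge each packet in isolation, as an ACL does."""
    if pkt.outbound:
        return (pkt.dst, pkt.dport) in ALLOWED_OUTBOUND
    # Return traffic can only be recognised by its header fields:
    # a whitelisted source with the ACK flag set is accepted.
    return (pkt.src, pkt.sport) in ALLOWED_OUTBOUND and "A" in pkt.flags

class StatefulFirewall:
    """Deny by default; inbound packets must belong to a session opened from inside."""
    def __init__(self):
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.outbound:
            if (pkt.dst, pkt.dport) not in ALLOWED_OUTBOUND:
                return False                      # not whitelisted: denied
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: permitted only as the reverse direction of a known session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.allow(p)) for p in packets]

# Constructed sample traffic.
SAMPLE = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "S", True),    # workstation opens session
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SA", False),  # genuine reply
    Packet("203.0.113.10", 443, "10.0.0.9", 40000, "A", False),   # unsolicited, no session
    Packet("10.0.0.5", 50001, "198.51.100.7", 23, "S", True),     # destination not whitelisted
]

if __name__ == "__main__":
    for pkt, (acl, fw) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ACL={acl} stateful={fw}")
```

The third packet is the one that separates the two controls: the stateless rule accepts it on header fields alone, while the stateful firewall drops it because no internal host opened that session.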

CPE router with separate firewall

A consumer organisation may wish to acquire a CPE router from their HSCN supplier but provide a separate stateful firewall device that can be acquired as either a managed service or managed locally. 

Bespoke – for example, aggregated connections with centralised perimeter security

This option covers opportunities not discussed in the three above and is not intended to be prescriptive. For example, a HSCN supplier may choose to aggregate consumer connections by providing private connectivity to centrally hosted perimeter controls before breaking out onto HSCN (and the internet).

Further guidance

The National Cyber Security Centre (NCSC) provides guidance regarding the security characteristics for firewalls, which can be used as an aid to product selection.

Last edited: 23 November 2018 4:33 pm