HSCN network perimeter security guidance for CCGs and general practices

Guidance and useful documentation on clinical commissioning group (CCG) and general practice responsibilities for network perimeter security on the HSCN.

NHS England is accountable for the delivery of general practice IT services, delegating responsibility for delivering key elements of general practice IT services to CCGs. These arrangements promote equity and ensure a consistent core offer in all parts of the country. They give general practice the flexibility to meet local needs within a nationally agreed framework, adhering to national information governance and security standards, and are underpinned by a centrally managed assurance process.

The NHS information governance legal framework

NHS GP IT Operating Model

The CCG shall ensure that all consumer connections to external networks, including the Health and Social Care Network (HSCN) or the internet, conform to:

Clinical commissioning group responsibilities

Clinical commissioning groups (CCGs) are recognised as being responsible for planning and commissioning health care services in their local area, including general practices. This includes the provision and distribution of network and information security policies, which are relevant to the organisations within their jurisdiction.

The CCG's risk assessments shall include all aspects of the networks that are used to support business processes. The risk assessment shall identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

There are several guides, best practices and specifications published by the NHS defining appropriate security countermeasures for network perimeter boundaries. These documents provide guidance on how an organisation should implement an organisation-wide boundary protection scheme. This will help organisations to have procedures and processes in place that will enable them to successfully and securely:

  • configure systems, devices and software across networks
  • lock down systems, devices and software across networks
  • manage gateways to other networks
  • monitor networks and react to incidents

The General Practice IT Infrastructure Specification document, published by NHS England, states:

"Protecting the network usually comprises stopping unauthorised access either by people on the outside trying to get in or by stopping people connecting unauthorised devices to the network on the premises."


"Network security should enable safe usage rather than block staff from doing their job."

HSCN Connection Agreement 

Every organisation (or CCG signing on behalf of the general practice) that wishes to use HSCN must complete a Connection Agreement. See the Connecting to HSCN page. 

The term 'use HSCN' means 'send or receive data across HSCN'. Signing this agreement will mean that the organisation is ready to be connected to the HSCN once an HSCN supplier has been selected.

The HSCN does not help secure data in any way as it passes across the network. Responsibility for providing sufficient security lies with the sending and receiving organisations and the providers and users of sites or applications that are accessed through the HSCN.

This includes providing assurances that any service or application available on the HSCN or any organisations or users on the network are authentic and appropriately secured.

Network perimeter security

The National Cyber Security Centre (NCSC) provides guidance for securing data networks, including boundary protection.

Managing the network perimeter

Manage access to ports, protocols and applications by filtering and inspecting all traffic at the network perimeter. This is to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malicious content.

The following principles apply:

  1. Create a buffer zone between the HSCN, the internet and the local networks used by the business.
  2. The countermeasures applied should deny traffic by default and an allow list should be applied that only allows authorised protocols, ports and applications to exchange data across the local network/HSCN boundary. This will reduce the exposure of systems to network-based attacks.
  3. Ensure there is an effective process for managing changes to avoid workarounds.


A router configured to route without additional security countermeasures applied will blindly pass traffic between networks, completely unaware of malicious or compromising traffic.
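
The three principles above can be checked against a boundary allow list. The following is an added example, not part of the original guidance or any NHS tooling: it models deny-by-default matching and audits allow-list entries for wildcards, paths that bypass the buffer zone, and entries without a change record. The zone names, ports, rule format and change references are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"
EXTERNAL = {"hscn", "internet"}   # networks outside the organisation's control

@dataclass(frozen=True)
class Rule:
    src: str                      # source zone: "local", "buffer", "hscn", "internet" or ANY
    dst: str                      # destination zone
    proto: str                    # "tcp", "udp" or ANY
    port: Union[int, str]         # destination port or ANY
    change_ref: Optional[str] = None   # change-management record (hypothetical field)

def permitted(allow_list, src, dst, proto, port):
    """Deny by default: a flow passes only if an allow-list entry matches it."""
    for r in allow_list:
        if (r.src in (ANY, src) and r.dst in (ANY, dst)
                and r.proto in (ANY, proto) and r.port in (ANY, port)):
            return True
    return False

def audit(allow_list):
    """Return (rule_index, finding) pairs for entries that weaken the boundary."""
    findings = []
    for i, r in enumerate(allow_list):
        if ANY in (r.src, r.dst, r.proto, r.port):
            findings.append((i, "wildcard entry: name the zone, protocol and port"))
        if {r.src, r.dst} & EXTERNAL and "local" in (r.src, r.dst):
            findings.append((i, "local network reaches an external network "
                                "directly, bypassing the buffer zone"))
        if not r.change_ref:
            findings.append((i, "no change record: possible workaround"))
    return findings

# Constructed sample allow list; every value here is illustrative.
SAMPLE = [
    Rule("local", "buffer", "tcp", 3128, "CHG-EXAMPLE-1"),  # clients to a proxy in the buffer zone
    Rule("buffer", "hscn", "tcp", 443, "CHG-EXAMPLE-2"),    # proxy onward to HSCN services
    Rule("local", "internet", ANY, ANY),                    # ad-hoc "allow everything out" entry
]

if __name__ == "__main__":
    # Unsolicited inbound traffic matches no entry, so it is denied.
    print(permitted(SAMPLE[:2], "hscn", "local", "tcp", 3389))
    for idx, msg in audit(SAMPLE):
        print(f"rule {idx}: {msg}")
```

The third sample entry fails all three checks; removing it leaves an allow list in which local systems reach the HSCN only through the buffer zone.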

Further guidance

The National Cyber Security Centre (NCSC) provides guidance regarding the security characteristics for firewalls, which can be used as an aid to product selection.

Last edited: 26 March 2021 5:16 pm