Separation
Public Wi-Fi traffic must remain logically separated from all other classes of traffic, end-to-end, from wireless access point to Internet egress. (This includes ingress into the Secure Boundary service.)
The same physical equipment may be used.
Priority
Health and social care business traffic must be prioritised over Public Wi-Fi traffic, with Public Wi-Fi traffic being queued or dropped where business traffic demands all available bandwidth.
Flow Capture
Public Wi-Fi traffic is exempt from the centralised collection of IPFIX data.
Content Scanning and Blocking
Public Wi-Fi traffic may, by arrangement, be sent to the NHS Digital Secure Boundary solution or it may break out to the internet at the Consumer Network Service Provider (CNSP) perimeter.
If the CNSP does not utilise Secure Boundary then it must ensure that the content is scanned and that, at a minimum, access is denied to sites on the Internet Watch Foundation blocklist.
If Public Wi-Fi traffic is directed via NHS Secure Boundary, then the CNSP isn't required to provide any content scanning, as that will be provided by the NHS Secure Boundary service. The requesting organisation would need to adjust its Public Wi-Fi Acceptable usage agreement to state that the traffic is being scanned.
NHS Secure Boundary will provide basic filtering and DDoS protection, but NHS Digital shall not capture, intercept, decrypt or analyse Public Wi-Fi traffic.
Policy and guidance
The existing policies and guidance for Public Networks for NHS Wi-Fi remain in force:
How to set up NHS Wi-Fi
NHS Wi-Fi technical and security policies and guidelines
Traffic separation forms part of the network boundary protection that health and social care organisations should be implementing. Details can be found in the following NCSC guidance on network security and preventing lateral movement:
National Cyber Security Centre - 10 steps to cyber security
National Cyber Security Centre - Preventing lateral movement