A number of recent security bulletins and press articles have highlighted concerns relating to the use of Huawei products in the provision of network and communication services.
In order for a supplier to be permitted to supply HSCN services they must demonstrate capabilities against specific technical and security standards.
The primary security obligation for HSCN is CAS(T) certification. The HSCN Information Assurance Requirements for HSCN suppliers are based on the CAS(T) (CESG Assured Service (Telecommunications)) requirements. These controls are taken from ISO/IEC-27001:2013 (ISO27001) and were initially identified in consultation with the Telecoms Industry, CESG (now the National Cyber Security Centre) and NHS Digital.
Further information on CAS(T) certification can be found via the National Cyber Security Centre website. These controls ensure that HSCN suppliers achieve and maintain appropriate standards for their Information Security Management Systems, Processes and Plans and include risk assessments as well as arrangements for supporting business and service continuity.
To attain HSCN compliance suppliers need to continually demonstrate they are competent across all these areas. These competencies are also evaluated as part of the procurement process when procuring HSCN via the CCS Dynamic Purchasing System which includes standard templates and evaluation models.
In response to recently highlighted concerns about Huawei products, NHS Digital will be insisting that all HSCN Suppliers review and update their Security Management Plans and Systems. This will ensure that HSCN suppliers are familiar with the concerns, assess and address any associated risks and take remedial actions where necessary. This will be required by HSCN suppliers as part of their obligations under the HSCN compliance framework. Suppliers will need to comply and ensure their updated Security Management Plans continue to demonstrate their HSCN services remain sufficiently robust in terms of the standards required by HSCN and CAS(T) compliance.