Skip to main content

Internet First industry standards and guidance

Version: 2.01

Release date: 28 January 2020

A signpost to industry based standards and guidance that will help health and social care organisations to make their digital services accessible over the internet. It helps describe how to make them secure, scalable and where possible consistent. 

These updated standards and guidance have been separated from the policy. They include further clarification of existing content and additional links to relevant industry standards and guidance following consultation. 


Internet First

Internet First means that all new health and social care digital services should be made internet facing from day one. Existing digital services must be updated to be securely accessible over the internet at the earliest opportunity. This requires:

  • IT service providers (internal and third party) to offer suitably secure user access to externally accessible systems and services over the internet
  • IT service providers to offer suitable secure application interfaces to externally accessible system and services over the internet
  • health and social care organisations to have sufficiently scaled and functional internet connectivity to support the needs of the organisation in consuming and where applicable providing internet hosted services

The Internet First policy does not apply to those digital services that are accessed by users solely on a local area network or are due to be decommissioned by March 2021.

The design and development of health and social care digital services must comply with current legal, regulatory and policy obligations.

Standards relevant to the application of the Internet First Policy include:

Information Commissioner’s Office

The General Data Protections Regulation (GDPR) guide helps organisations to comply with legal obligations on data protection.

Data protection impact assessment is a process to help you identify and minimise the data protection risks of a project.

GDS Technology Code of Practice

The Technology Code of Practice is a set of criteria to help government design, build and buy better technology. It is used as a cross-government agreed standard in the spend control process. The Technology Code of Practice is part of the Transformation Strategy 2017-2020.

NHS Digital cyber security guidance

The Data Security Centre publish a range of standards and guidance to manage cyber security risk. This enables the safe and secure use of data and technology to deliver improved patient care.  

  • the Data Security and Protection Toolkit is an online self-assessment tool that all organisations must use if they have access to NHS patient data and systems to provide assurance that they are practising good data security and that personal information is handled correctly
  • to view the latest cyber security threat intelligence bulletins, visit the CareCERT Information Sharing Portal - you can access this portal only through N3/Transition Network/Health and Social Care Network - for general CareCERT queries email:
  • to help your organisation improve its response and resilience to cyber security incidents, see the Cyber Security Support Modela centrally funded service tailored to your organisation’s needs and priorities

National Cyber Security Centre

The National Cyber Security Centre publish a range of standards and guidance to support cyber security:

Organisation standards and guidance

Every organisation will have its own standards and guidance which should be followed and adopted. The links below contain useful information and guidance material that can be used to inform local policy:

Consumer access to the internet

Health and social care organisations need to ensure that their internet provision meets the needs of their organisation and enables safe, secure use of data and technology. 

Connectivity should be suitably scaled and designed to support the operational needs of the business when consuming internet hosted services from all its locations where health and social care is delivered. The connectivity needs to adequately support the business continuity and clinical safety of the organisation.

NHS Digital will publish further guidance to help organisations provision appropriately specified connectivity services. 


Internet connectivity

1. Connectivity must be sized to support the amount of internet traffic required for each site within the organisation with enough upload and download bandwidth. There must be enough bandwidth to support current and future internet traffic of each site within the organisation. For organisations with requirements to regularly upload data they are likely to require a symmetric internet service.

2. Connectivity must be provisioned with resilience based on the organisation’s criticality of internet traffic and availability requirements. Service providers should ensure the availability figures of their internet provision are aligned to the availability of the application(s) which will typically require redundant connections.


3. Internet connectivity must have perimeter security protection with context-based access control and stateful firewall capabilities. If your Internet connectivity is provided as an HSCN service it will already have these features.

4. Where internet connectivity is not provided as an HSCN service, consideration should be given to additional security protection such as the NHS secure boundary service. This includes, but is not limited to, detection and reporting of anomalous network traffic.  Guidance is provided by National Cyber Security Centre.

5. An organisation must perform a data protection impact assessment (DPIA) before providing digital services over its internet connection.


6. An organisation that is providing or accessing clinical services over its internet provision should comply with DCB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.

Clinical safety

Clinical safety approval as per DCB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems should be undertaken.

IT service providers

IT service providers need to ensure that digital services they provide for use in health and social care are, by default, securely accessible and have the performance and integrity to operate over the internet.

This also applies to a health and social care organisation providing digital services to other organisations.



1. An information security management system must be maintained to ensure security of assets and sensitive information and conforms to the:

All organisations that have access to NHS patient data and systems MUST publish a Data Security and Protection Toolkit (DSPT) self-assessment to provide assurance that they are practicing good data security and that personal information is handled correctly.

2.  A security policy must be maintained which sets out the security measures to be implemented and maintained in accordance with either DSPT or BS ISO/IEC 27001, BS ISO/IEC 27002 and the Information Security Management System.

The security policy must be reviewed and updated by the service provider in a timely fashion and will be reviewed annually.

3. Tests must be conducted in accordance with the provisions of the service provider’s security policy relating to security testing.  The tests must be independently audited by either an accredited third party or representatives of the customer.  Further advice is provided by the National Cyber Security Centre about using a Check Service provider.

4. Either party (service provider or customer) must notify the other immediately upon becoming aware of any breach of security. This includes an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.

5. All traffic traversing the internet should be encrypted using Transport Layer Security (TLS) version 1.2 or better for secure communication.


6. Organisations should ensure they have taken into consideration reliance on internet connectivity to access systems as part of their clinical risk assessments as part of DCB 0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

IT service suppliers must support interoperability across the health and social care system by ensuring that the national standards to develop and support exchange of information and data are adopted and implemented. NHS Digital provides further information on the use of Fast Healthcare Interoperability Resources (FHIR) based Application Programming Interfaces (APIs).


Organisations should govern their Internet First programmes of work through their usual governance processes.

Further information

  1. internal

    Internet First

    Health and care services now have an Internet First policy that states new digital services should operate over the internet. Existing services should also be updated to do the same at the earliest opportunity and ideally by March 2021.

  2. internal

    Internet First Policy

    In line with the government strategic direction, this is the Internet First policy defined by NHS Digital.

Last edited: 21 February 2020 11:24 am