Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

Consumer guidance

Guidance if you are responsible for commissioning or procuring digital services, provided by others, that your organisation uses. This guidance will give you a high level overview of the steps you should take to bring your organisation into line with Internet First policy.

You will need to work with your suppliers and providers to:

  • remediate services your organisation uses, so that they can be made available over the public internet
  • ensure any new services are designed to be available over the public internet

The responsibility for services meeting mandatory standards rests with you, the consumer, as well as the supplier you use, so it is important you understand these standards when commissioning new services or remediation of existing services.

You need to:

  1. Audit the current situation – create an asset register of existing digital services, and how they are currently hosted and made available (or review your existing register)
  2. Include any digital services which are not yet in use but are being procured or planned.
  3. Work with your suppliers and create an implementation plan to remediate existing digital services so that they are available over the public internet, and ensure that any planned digital services will be designed to meet the Internet First policy.

1. Audit your existing digital services

It is important to fully understand and document your estate. This will give you an up to date picture of the Digital Services consumed and hosted by your organisation, and what will need to change to meet the Internet First policy. You will then be in a strong position to move forward.

Benefits include:

  • building an understanding of the scale of change required for your organisation so that you can plan effectively for delivery and implementation
  • the information will help you to complete future required submissions, for example to the Data Security and Protection Toolkit.

Create an asset register

You will probably already have an asset register you can build on to use for your Internet First implementation plan – for example your Business Continuity and Disaster Recovery (BCDR) register or service management register.

Include services provided by:

NHS Digital

NHS Digital provides many Digital Services nationally. Some of these services may enable others meet the Internet First policy, such as Spine services, and it is important to be aware of these dependencies.

other suppliers or providers

You will need to review contracts, and contact suppliers or organisations who provide services you share to discuss how they plan to meet the Internet First policy, and when.

your organisation to other organisations

Your organisation may host and share Digital Services with other organisations outside your Local Area Network (LAN), particularly neighbouring organisations within the same Sustainability Plan (STP). You will need to discuss the move to Internet First with these organisations to help them with their own plans.

Firewall rules and network analysis tools can help you identify Digital Services that your organisation uses (consumes).

Detail how these services are made available

Understanding how Digital Services are currently made available (for example, how they are hosted, the network they run across and dependencies on other Digital Services) will help you identify what will need to change as services move to being made available over the public internet.

NHS Digital services

Many health and care services rely on integration with the systems and services that we provide. 

The NHS Digital services that enable and support health and care include:

  • SPINE – by building the Spine Internet Gateway (along with the national API Management portal) 
  • The Electronic Referral Service 
  • The Care Identity Service (NHS Smartcard) by building NHS Identity 
  • The NHS Data Landing Portal 
  • NHSMail2 
  • The Electronic Prescription Service 
  • The Summary Care Record Service 
  • The Secondary Users Service2  

We are working to make all NHS Digital services available over the public internet by March 2021.

Find out which NHS Digital services are already available over the public internet.

Other suppliers or providers, or Digital Services you provide

The Digital Services you currently use may not be suitable for use over the internet.

In the past, the use of national applications (for example Spine based Digital Services) has been reliant on the central private network (N3/HSCN).  In addition, organisations may have some locally provisioned Digital Services that have an interface to the national applications or a reliance on the central private network.  It is critical that you understand and document these relationships.

You need to determine and document:

Your organisation’s network and infrastructure architecture and the network connectivity services consumed by your organisation

You should review the technical architecture of your Digital Services, particularly any data centre connections, hosting provisions and network connectivity (for example inter-site connections and back-up connections). 

As part of moving to an Internet First model, which will involve a move away from the national private network, you need to consider:

  • network sizing
  • contractual arrangements with your network provider
  • cyber and data security (application hardening)
  • how your infrastructure is built
  • the latency of Digital Services
  • service levels and availability of Digital Services 
Your organisation's use of IP addressing

It is likely that Digital Services that are reliant on private networking are accessed using private IP addresses which will not allow access over the internet. Get more information on IP, DNS and hosting guidance.

Your organisation’s security architecture

You may need to improve security architecture when your services move from private networking to the public internet. Get more information on cyber and data security and information governance.

Bandwidth requirements

You should assess current and future bandwidth requirements of the Digital Services your organisation uses. This will affect your required network capacity as you move towards all services being available through the public internet rather than a private network. Get more information on network sizing and capacity.

2. Add services being planned or commissioned

Review roadmaps and plans across the organisation and add any future Digital Services to your asset register.

Review your asset register

You should review the register with all stakeholders within your organisation, and any external organisations you share services with.

You need to ensure it is as accurate as possible, and identify dependencies across services.

3. Create an implementation plan

Once you have a definitive register of the Digital Services you will need to remediate or procure in line with the Internet First policy, you can begin to plan with suppliers and those you share services with.

Clinical safety

Clinical safety is a critical consideration in the development and implementation of Digital Services. View guidance on clinical safety standards.

User requirements

Planning should take current and future user requirements, and organisational strategy, into account. This could include:

  • future business models and any future plans for citizen and patient access to services
  • hosting
  • future accessibility requirements
  • types of devices used
  • remote working capability

Technical considerations

You will need to look at technical considerations, including network sizing and cyber security standards.

View technical guidance for developing Digital Services to meet Internet First policy

Business change

A comprehensive implementation plan will build on your asset register to plan effectively for the necessary changes:

  • allowing the right things to be done at the right time
  • understanding the sequence of events
  • allowing prioritisation of activity
  • allowing business events to take place (governance, business cases, budgeting, approvals and so on) in good time

As you gain an understanding from suppliers of when and how changes will be implemented, and work with those you may provide services to, it is important to include changes to business operations in your plans.

These changes may include:

  • how a user accesses the service
  • authentication processes
  • where you can access the services from – a service available over the public internet may allow users to access it remotely and this might involve purchasing remote working hardware.

Users may need new instructions on how a service is accessed and used, and this should be included in an implementation plan.

Implementation plans should be reviewed by all stakeholders.

Once this is complete, you can begin to put the planned actions into practice. This is likely to be in a deployment project type setting and in line with organisational governance.

Last edited: 13 June 2022 8:03 am