Internet First Policy

Version: 2.01

Release date: 28 January 2020

This updated policy has been separated from the guidance and standards and includes further clarification of existing content following consultation. 


The strategic direction across UK Government has been Cloud First since 2013. This requires public sector organisations to consider and fully evaluate cloud solutions first before considering other options.

The Government Digital Services Technology Leaders Network reviewed the positioning of centralised private networks in January 2017 and confirmed that, for the vast majority of public services, the internet is OK. They went on to say that:

  • new services should be made available on the internet, secured appropriately using the best available standards-based approaches
  • when we are updating or changing services, we should take the opportunity to move them to the internet

In October 2018 the Secretary of State for Health stated in his Vision for digital, data and technology in health and social care, that online services, basic IT and clinical tools are far behind where they need to be and that "We need to take a radical new approach to technology across the system and stop the narrative that it’s too difficult to do it right in health and social care".

In line with the government strategic direction, NHS Digital implemented an Internet First policy in March 2018. It sets the principle that all new externally accessible digital services provided by NHS Digital should be internet facing by default and that existing digital services should be updated at the earliest opportunity. To help achieve this, NHS Digital has published guidance for health and social care organisations.

Making digital services available over the public internet supports the requirements for health and social care professionals to work flexibly from a variety of locations, using a range of access methods.  This will reduce complexity and cost for many organisations, particularly for small health and social care providers, and reduce reliance on the centrally provisioned private networks required to support many applications and systems today.

The policy is fully aligned to the Secretary of State’s architecture principles and to the NHS Long Term Plan’s objectives to increase productivity of NHS Staff and deliver digitally enabled care. 

Policy context

Intended audience

This document should be used by:

NHS Digital – for anyone involved in the governance, commissioning, design, development or delivery of health and social care digital services.

Health and social care organisations – for anyone involved in the governance, commissioning, design, development or delivery of health and social care digital services.

Third-party providers – for anyone involved in the governance, commissioning, design, development or delivery of third-party health and social care digital services.

Internet First definition

Internet First means that all new health and social care digital services should be made internet facing from day one and that existing services should be upgraded to meet these standards as soon as possible.

The policy is applicable to all health and social care digital services that present or expose services to end users or integrating systems outside of an internal network.


The public internet provides all consumers with open access to web-based services (for example, clinicians and citizens) regardless of their network provider or location. The benefits of publishing digital services on the internet include:

  • easier access to digital health and social care services
  • improved interoperability between digital services
  • increased innovation by improving accessibility to other digital service providers
  • reduced complexity and duplication in network connectivity for health and care organisations

User registration or a password is usually required for the consumer to gain access to web-based services.


For health and social care organisations and third-party digital service providers this policy should be applied in their usual governance process, for example, in determining how to adhere to the architecture principle of Internet First and remove the reliance on private networks.

NHS Digital’s services will be governed as part of the enterprise architecture suite of policies and principles for use in commercial and architectural governance processes.

Policy statements

The following policy statements set out the expectations for health and social care digital services.

Scope of Internet First

The ‘Internet First’ approach should be considered if:

  • you have digital services that need to be accessible outside of your internal network
  • you have digital services that are dependent on a national private network

If you have digital services that fall into these categories, then you should work with your supplier to update them to become internet accessible. The Secretary of State has set an aspirational timeline for the health and social care sector of March 2021.


Digital services that help professionals working within the NHS perform their roles should be accessible and usable over the internet.

The principles associated with making all health and social care digital services available over the internet are described below.

  1. Design and develop new digital services to be securely accessible over the internet by default.
  2. Retire digital services that can be migrated or performed by an existing shared service, presented over the internet.
  3. Design and develop internet facing digital services to be shared and re-used avoiding bespoke features that constrain re-use.
  4. Design and develop existing digital services to be accessible over the internet at the earliest opportunity.  Near-term opportunities to achieve this within planned development lifecycles should be exploited to achieve early delivery over the internet.
  5. Design and develop digital services with security in mind to protect your data at the application and user end, removing the reliance on networks which should be considered as ‘untrusted’.
  6. Reliance on proprietary protocols for accessing or utilising digital services should be removed wherever possible.
  7. Transforming digital services to be presented over the internet must not introduce additional risk to live services.
  8. A data protection impact assessment must be carried out prior to exposing digital services to the internet.
  9. Investments in new and existing digital services must support universal access for consumers and users.
  10. Users must be kept informed to ensure business continuity is maintained during migration to the internet.  In particular, application sub-component dependencies should be managed carefully where systems are integrated.
  11. Ensure users are sufficiently prepared to access the digital services they need over the internet (for example have sufficient bandwidth, resilience and quality of service).

Last edited: 1 October 2020 5:04 pm