Skip to main content

Internet First policy and guidance

This is the Internet First policy, standards and guidelines defined by NHS Digital. The document will help health and social care organisations make their digital services accessible over the internet. It will help describe how to make them secure, scalable and where possible consistent.



The strategic direction across UK Government has been Cloud First since 2013. This requires public sector organisations to consider and fully evaluate cloud solutions first before considering other options.

The Government Digital Services Technology Leaders Network reviewed the positioning of centralised private networks in January 2017 and confirmed that, for the vast majority of public services, the internet is OK. They say that new services should be made available on the internet, secured appropriately using the best available standards-based approaches. When we are updating or changing services, we should take the opportunity to move them to the internet. The Government Transformation Strategy February 2017 extended the digital agenda from the citizen to maximising the benefit of collaboration and flexibility across departments and government bodies.

In October 2018 the Secretary of State stated that online services, basic IT and clinical tools are far behind where it needs to be and that "We need to take a radical new approach to technology across the system and stop the narrative that it’s too difficult to do it right in health and social care" in his Vision for digital, data and technology in health and social care.

In line with the government strategic direction NHS Digital implemented an Internet First policy in March 2018. It sets the principle that all new externally accessible digital services provided by NHS Digital should be internet facing by default and for existing digital services to remediate at the earliest opportunity. The Secretary of State vision is for everyone to have access to digital health and social care services. To achieve this, the Internet First policy has been extended to become the Internet First policy and guidance.

Making digital services available over the public internet supports the requirements for health and social care professionals to work flexibly from a variety of locations, using a range of access methods. This will reduce complexity and cost for many organisations, particularly for small health and social care providers.

The policy is fully aligned to the Secretary of State aspirations and to the NHS Long Term Plan's objectives to increase productivity of NHS Staff and deliver digitally enabled care. This Internet First policy and guidance supports the strategy and governance to remove the reliance of health and social care digital services on a central private network.

Internet First definition

Internet First means that externally accessible health and social care digital services must be securely accessible over the public internet by default. This requires:

  • health and social care organisations to have sufficiently scaled and functional Internet connectivity to support the needs of the organisation in consuming and where applicable providing internet hosted services
  • IT service providers to offer suitable secure user access to externally accessible systems and services over the internet
  • IT service providers to offer suitable secure application interfaces to externally accessible system and services over the internet
  • digital services to be accessible over the internet at the earliest opportunity

HSCN has been designed to support the transition from private to public networking from the outset.

The public internet is that part of the internet that is open access to all consumers (for example, clinicians and citizens) regardless of the provider or location. However, user registration or password is usually required for the consumer to gain access.

Internet First applies to digital services

Digital services are the systems, applications and services used by healthcare professionals who require them to be externally accessible. It means going beyond being an on-premise service, accessible only on a local area network.

The network policy in health and care is that all digital services should use the internet to communicate unless they have specific (exceptional) needs that the internet cannot meet. However, many digital services will be affected. Priority should be given to those digital services that have significant numbers of users or which other digital service providers use to deliver complementary services. For example; digital services accessed for patient care, used by health and social care staff, authenticating users of a service, or structured/unstructured messaging.

Digital services that will be retired or replaced prior to March 2021 are out of scope of the policy and guidance.

Intended audience

This document should be used by:

NHS Digital – for anyone involved in the governance, commissioning, design, development or delivery of health and social care IT systems and applications.

Health and social care organisations – for anyone involved in the governance, commissioning, design, development or delivery of health and social care IT systems and applications.

Third-party providers – for anyone involved in the governance, commissioning, design, development or delivery of third-party health and social care IT systems, services and applications.

Making health and social care digital services available over the internet

The principles associated with making all health and social care digital services available over the internet are described below. In addition, signposting to details of existing standards associated with this aim are provided in later sections.

The Internet First principles

  1. Design and develop digital services to be securely accessible over the internet by default.
  2. Where a digital service can be migrated or performed by a shared service presented over the internet, the application should be retired, and the functionality provided by the shared service.
  3. Internet facing digital services should be designed to be shared and re-used.  They should avoid bespoke features that constrain re-use.
  4. Existing digital services should be developed to be accessible over the internet at the earliest opportunity.  Near-term opportunities to achieve this within planned development lifecycles should be exploited to achieve early delivery over the internet.
  5. Transforming digital services to be presented over the internet must not introduce additional risk to live services.
  6. Data sensitivity analysis must be carried out prior to exposing digital services to the internet.
  7. Investments in new and existing digital services must support universal access for consumers.
  8. Users must be kept informed to ensure business continuity is maintained during migration to the internet.  In particular, application sub-component dependencies should be managed carefully where systems are integrated.
  9. Ensure users are sufficiently prepared to access the digital services they need over the internet (for example have sufficient bandwidth, resilience and quality of service).


The benefits of publishing digital services on the internet include:

  • easier access to digital health and social care services
  • improved interoperability between digital services
  • increased innovation by improving accessibility to other digital service providers
  • reduced complexity and duplication in network connectivity for health and care organisations

Consumer access to the internet

Health and social care organisations need to ensure that their internet provision meets the needs of their organisation and enables safe, secure use of data and technology. Connectivity should be suitably scaled and designed to support the operational needs of the business when consuming internet hosted services from all its locations where health and social care is delivered. The connectivity needs to adequately support the business continuity and clinical safety of the organisation.


Internet connectivity

1. Connectivity must be sized to support the amount of internet traffic required for each site within the organisation with enough upload and download bandwidth. There must be enough bandwidth to support the internet traffic of each site within the organisation. For organisations with requirements to regularly upload data they are likely to require a symmetric internet service.

2. Connectivity must be provisioned with resilience based on the organisation’s criticality of internet traffic and availability requirements. Service providers should ensure the availability figures of their internet provision are aligned to the availability of the application(s) which will typically require redundant connections.


3. Internet connectivity must have perimeter security protection with context-based access control and stateful firewall capabilities.

4. Where internet connectivity is not provided by a HSCN consumer network service provider consideration should be given to additional security protection. This includes, but is not limited to, detection and reporting of anomalous network traffic. Guidance is provided by National Cyber Security Centre.


5. An organisation that is providing or accessing clinical services over its internet provision should comply with DSB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.


Organisations should ensure they can provide evidence that they have sufficient internet capacity and resilience at each site with sufficient perimeter security protection for inbound and outbound traffic.

Clinical safety

Clinical safety approval as per DSB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems should be undertaken. 

IT service providers

IT service providers need to ensure that digital services they provide for use in health and social care are, by default, securely accessible and have sufficient network capacity and performance to operate over the internet.

This also applies to a health and social care organisation providing digital services to other organisations.


Information security

1. Each service provider must maintain an information security management system that conforms to either the:

2.  Each service provider must maintain a security policy which sets out the security measures to be implemented and maintained in accordance with either DSPT or BS ISO/IEC 27001, BS ISO/IEC 27002 and the Information Security Management System.

The security policy must be reviewed and updated by the service provider in a timely fashion and will be reviewed annually.

3. Each service provider must conduct tests of their security policy in accordance with the provisions of the service provider’s security policy relating to security testing. The tests must be independently audited by either an accredited third party or representatives of the customer. Further advice is provided by the National Cyber Security Centre about using a Check Service provider.

4. Either party (service provider and customer) must notify the other immediately upon becoming aware of any breach of security. This includes an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.

5. All traffic traversing the internet should be encrypted using Transport Layer Security (TLS) version 1.2 or better for secure communication.


6. Organisations should ensure they have taken into consideration reliance on internet connectivity to access systems as part of their clinical risk assessments as part of ISB 0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

Standards and guidance

The existing standards relevant to the application of the Internet First policy include:

GDS Technology Code of Practice

The Technology Code of Practice is a set of criteria to help government design, build and buy better technology. It is used as a cross-government agreed standard in the spend control process. The Technology Code of Practice is part of the Transformation Strategy 2017-2020.

NHS Digital Cyber Security Guidance

The Data Security Centre publish a range of standards and guidance:

National Cyber Security Centre

The National Cyber Security Centre publish a range of standards and guidance to support cyber security:

Cyber security guidance for public sector organisations employees

Organisation Standards and Guidance

Every organisation will have its own standards and guidance which should be followed and adopted. The links below contain useful information and guidance material that can be used to inform local policy:

International Organisation for Standardisation: ISO/IEC 27000 family - Information security management systems


Organisations should govern their Internet First programmes of work through their usual governance processes.

Future ambitions

It is intended that all NHS organisations, along with their suppliers, adopt and adhere to these Internet First standards when procuring, managing and delivering digital services. The aim is to promote best practice and embed good working standards within IT contracts across the NHS.

In order to support the safe and timely passage of all health and social care digital services to the internet, NHS Digital will publish the Internet First Target Operating Model with associated standards and the roadmap of NHS Digital strategic enablers to aid system remediation. By strategic enablers we are referring to our core digital services that support the implementation of the Internet First principles.

Download this page as a PDF

Last edited: 1 October 2019 11:34 am