NHS-Digital have issued a guidance regarding the connection of the Health and Social Care Network to the Public cloud providers.

 

The document is still in draft stage and, prior to publishing the document to the wider market, seek comments from HSCN CN-SP’s or other interested parties.

 

Please review and send any comments to HSCN@innopsis.org where they will be anonymised and published on this page.

 

Comments

 

 

Comment 1

We would like to see better clarity on Security Requirement with clear delineation between Customer, CNSP, CSP and NHS Digital responsibilities. Current guidelines are merely links to a number government guidance pages which are open to interpretation. Clarity on requirements and responsibilities increases competition.

 

Response

The roles and responsibilities are defined within the following section of the document (Roles and Responsibilities)

 

NCSC (National Cyber Security Centre) Cloud Security Principles Data Security and Protection Toolkit (DSPT) HSCN ITSP Connection agreement HSCN Consumers   Connection agreement HSCN Obligations Framework Health and Social care Cloud Security – Good practice guide HSCN Cloud Service Provider (CSP) Policy Validate HSCN Compliance and Authority approval received
Consumer x x x x

CSP

(Cloud Service Provider)

x x x x x x
CNSP x x x x x
ITSP x x x x x

The appropriate guidance relates to the type of system, the organisations risk appetite and the classification of data and endpoints accessing those systems.  Therefore we can’t provide mandated statements on what every organisation should do in every situation, as it is up to the individual organisations to assess their needs etc.

Each of the use cases have defined where the points of control are and which organisation/role is responsible.

 

Comment 2

It should be the choice of the CNSP to decide what Cloud Access to which Cloud Service Providers they will deliver. It would be onerous and unnecessary if these public cloud connectivity options were mandated by the HSCN obligations on all CN-SP’s.

Response

These capabilities are not mandatory.  The CNSP can choose if they offer that connectivity to fulfil the use cases.  This is the guidance for how CNSP should implement those services if they wish/require.

 

Comment 3

For access to Office 365 via Azure Expressway, it must be the responsibility of the CN to negotiate this with Microsoft. Office 365 Access via Expressway is only available from Microsoft when regulatory requirements demand it.

Response

That was intentionally left out of that document, It does state that Cloud specific documentation may become available in the future.   For example guidance on implementing Microsoft Application Peering and Office 365.  We will ensure that when that section/document is created it has that detail/requirement included.