The N3 (New National Network, which replaces the NHSnet) is the wide area networks that join the NHS and partner organisations across England (and the UK to a lesser extent). Access to N3/NHSnet is very carefully regulated, especially with respect to external agencies.
|
Obtaining an N3 connection |
|
In principle any organisation that has a need for an N3 connection and has a sponsoring NHS Trust can follow the IG Statement of Compliance process and seek an N3 connection.
A proper review of the requirements of the IG SoC and attendant IG Toolkit quickly reveals that the process, though well established, is substantial and demanding. In our experience, organisations should anticipate 6 months and some hundreds of thousands of pounds investment to achieve their own N3 connection.
Carelink can, in most cases, provide a quicker and more cost effective option using our N3 hosting services and/or our N3 aggregation service.
We can also provide consulting services around obtaining IGSoC, based on our many years of experience if required. | |
Previously this was managed by the NHS Information Authority, which allowed connections to the network to be made subject to a Code of Connection that defined the scope, security and policies for use of any external connections to the NHSnet. Subsequent to the NHS IA being subsumed by Connecting for Health there has been a move towards self certification in the form of the Information Governance Statement of Compliance (IGSoC) .
IGSoC is the agreement between NHS Connecting for Health and Approved Service Recipients (such as us) that sets out the information governance (IG) policy and terms and conditions for use of NHS Connecting for Health services.
It contains a number of obligations to enable use of NHS Connecting for Health services, which aim to preserve the integrity of these services.
IGSoC includes:
- The requirement that no Patient Identifiable Data or other sensitive data be stored or processed offshore, where the location is deemed non-compliant with the NHS CFH Offshore Policy*
- The right to audit by NHS Connecting for Health or nominated third parties
- Change Control Notification procedures and approvals processes
- The requirement for organisations to achieve, or be working towards, ISO27001
- The requirements for reporting security events and incidents.
The IGSoC is supported by the annual submission of the Information Governance Toolkit
Obtaining IGSoC is a fairly technical and complicated process, requiring both clear set up of robust security around any connection, agreement of usage policies, purchase of (surprisingly costly) N3 bandwidth, demonstrable compliance with security standards based on ISO27001 (BS7799) and potential submission to external audit.
All organisations that have an N3 connection have completed the IGSoC process. While many organisations have an N3 connection to, for instance, remote manage specific applicaitons installed in NHS organisations; there are very few options for hosting applications onto the NHS without going through the IGSoC process.
3rd Party N3 Hosting
BT, Cable and Wireless and ioko (through it's Carelink business) are the only organisations currnelty able to offer independant application and website hosting with IGSoC approved access to the N3 network.
The old NHS IA website has been decommissioned, however you can read their old hosting PDF here: secure_application_hosting.pdf