TRANSCRIPT
NHS-HE Connectivity Project: An Update
London Health Libraries NHS HE Conference
17th November 2011
Malcolm Teague, JANET(UK), [email protected]
NHS-HE Forum History
• Started in 2001 by Prof Roland Rosner of UCL, frustrated by lack of interface between sectors
• Informal but influential group from the NHS and University sectors
• Forum meets twice a year, funded facilitation since 2005
• A parallel event in Scotland starting in 2006
What is the issue?
Typical scenarios:
• Undergraduate students on placement in the NHS (e.g. about 13,000 medicine/dentistry students at any one time, many more for nursing and related professions)
• NHS clinicians who also teach, undertake research, or are students themselves
• Collaborative research groups and research networks (c £1000m annual funding)
• Universities providing specific services
Difficulties with different networks, systems & rules...
NHS-HE Connectivity Project
Objective: "To achieve good inter-operability between NHS and Higher Education (HE) networks that enables secure anytime, anywhere access by medical, nursing and allied profession students, clinical teachers and researchers"
www.nhs-he.org.uk
To move away from the "2 PC syndrome" (one machine per network)
Two approaches:
1. National infrastructure – N3 JANET Gateways
2. Identifying local initiatives through the NHS-HE Connectivity Best Practice Working Group
[Diagram labels: N3 Scotland; N3 England; NHS Wales (PSBA); Health & Social Services in NI (HSCnet); JANET covering Scotland, England, Wales and N Ireland; Active Gateway; Internet. Caption: N3 for NHS network in England and Scotland, JANET for Education & Research]
Before the N3 JANET Gateways
[Diagram labels: N3 Scotland; N3 England; NHS Wales (PSBA); Health & Social Services in NI (HSCnet); JANET covering Scotland, England, Wales and N Ireland; Internet. Active Gateway, 250 Mbps, Kingston Exchange; Standby Gateway, 250 Mbps, Manchester. Since 24th June 2010. One way allowed. Caption: N3 for NHS network in England and Scotland, JANET for Education & Research]
The New N3 Gateway(s)
• The new N3 JANET Gateway Service:
• Implemented on 24th June 2010
• 2 Gateways at 250 Mbps, active/standby
• Jointly funded with DH/Connecting for Health
• All N3 JANET traffic (sessions initiated in N3) routed away from the internet gateway
• Contract for 5 years
• Full service management by N3
Gateway Phase II Project
• NHS working with JANET(UK)
• Project was given joint agreement to proceed in February 2011
• To implement "sessions initiated in JANET" or "bidirectional working" if a suitable technical and information governance model can be found
• Four potential services to investigate to proof of concept and to develop proposals
Initial workshops held April-June 2011
Sessions initiated in JANET
i.e. to implement a solution for JANET users (or machine to machine) from JANET to N3
Rapid Risk Assessment conducted; the final report concluded that there are no evidenced risks which cannot be appropriately managed
Matrix of potential use cases
SSL VPN/https technical proposal for specific agreed tunnelling from a specific JANET IP address range to a specific NHS IP address range
Information Governance statement of compliance / Information Governance Toolkit or equivalent for the subset of JANET-connected organisations involved – current key step
Not a "given" that the Information Governance can be resolved
User types? Draft: from DH technical proposal, i.e. current concept:

| Employed as | Function | Credentials | Patient Identifiable Data (PID) possible? | MoSCoW | VPN required? | Risk |
|---|---|---|---|---|---|---|
| NHS staff (permanent) | Clinical | NHS Smart Card | yes | MUST have | WOULD like | medium |
| NHS staff (permanent) | Clinical | NHS Local | yes | MUST have | WOULD like | medium |
| NHS staff (contract) | Clinical | NHS Smart Card | yes | MUST have | WOULD like | medium |
| NHS staff (contract) | Clinical | NHS Local | yes | MUST have | WOULD like | medium |
| Academic (medical) | Clinical | NHS Smart Card | yes | MUST have | WOULD like | medium+ |
| Academic (medical) | Clinical | NHS Local | yes | MUST have | WOULD like | medium+ |
| Student (medical) | Clinical | NHS Smart Card | yes | MUST have | WOULD like | medium |
| Student (medical) | Clinical | NHS Local | yes | MUST have | WOULD like | medium |
| machine (heart beat) | | Eduroam configured end point | no | MUST have | COULD have | low |
| machine (autonomous) | VC call | ? | yes | MUST have | SHOULD have | medium |
| machine (autonomous) | VC set up | register user | no | MUST have | COULD have | low |
| Academic ICT support | IT support | ? | yes | SHOULD have | MUST have | low |
| Academic ICT support | IT support | ? | no | SHOULD have | MUST have | low |
| NHS staff (permanent) | non-clinical | NHS Local | no | SHOULD have | WOULD like | low |
| NHS staff (contract) | non-clinical | NHS Local | no | SHOULD have | WOULD like | low |
| Academic (medical) | non-clinical | NHS Local | no | SHOULD have | WOULD like | low |
| Student (medical) | non-clinical | NHS Local | no | SHOULD have | WOULD like | low |
So....
• Bi-directional (access N3 from JANET) – focus on the Information Governance requirements, top priority
• In parallel can develop the following to "proposal stage" only:
• Cross sector videoconferencing
• Secure data transfer
• Use of eduroam in the NHS
• Move towards federated access
Integration of video services
Proposal and proof of concept for: integration of the NHS (N3) and Academic (JANET) video services
• Looking particularly at the new N3 VC service in England
• Want to be able to book and run videoconferences across the two booking systems
• Both have guest site facilities for IP and ISDN; the N3 VC service is about to allow guest IP access from the internet
• The guest IP access from the N3 VC service may be the solution – waiting to see its impact (Guy's & St Thomas' is one of the pilots)
Secure Data Transfer
• Solution required to enable staff operating in either JANET or NHS to securely exchange sensitive data or large datasets
Initial scoping workshop held in May 2011
Use cases identified from requests for help
DH has a Secure File Transfer System on N3, but it may not work for the JANET community
NHSmail not thought to be the way forward because its capacity is needed for the NHS
Requirements being summarised in order to evaluate other options identified e.g. filesender
Again to get to “proposal” and proof of concept
Widening eduroam Support
Business case and proof of concept for: support for eduroam (JANET Roaming Service) in NHS networks
• Enables visitor network access to basic services when at other sites
• International facility well used in education & research
• Good reports where tried, e.g. in the Oxfordshire and Truro areas (on the back of partner University eduroam)
Existing eduroam sites in London (eduroam sites inside the M25)
• BBSRC-MRC Centre London
• Birkbeck College
• Brunel University - Uxbridge Campus
• Goldsmiths, Uni. of London - Rutherford Building
• Imperial - Hammersmith Hospital
• Imperial - Charing Cross Hospital
• Imperial - St Mary's Hospital
• Imperial - Clayponds Village
• Imperial - Harefield Heart Science Centre
• Imperial - Pembridge Garden Halls
• Imperial - Evelyn Garden Halls
• Imperial - South Kensington Campus
• Institute of Education - University of London
• Kings College London
• Kingston University - Main Campus
• London Metropolitan University - Regent St
• London Metropolitan University - Calcutta House
• LSE
• London School of Hygiene & Tropical Medicine
• Queen Mary, University of London - Mile End
• Queen Mary, University of London - Whitechapel
• St Georges, University of London
• School of Oriental and African Studies
• UCL
• University of East Anglia - UEA London
• University of East London - Trinity Buoy Wharf
• University of East London - Docklands Campus
• University of East London - Duncan House
• University of East London - Stratford Campus
• University of Greenwich - Greenwich Campus
• University of Greenwich - Avery Hill Campus
• University of London - Inst. of Advanced Legal Studies
• University of London - Senate House
• University of London - UoL Union
• University of Westminster - Cavendish
• University of Westminster - Harrow
• University of Westminster - Little Titchfield St
• University of Westminster - Marylebone
• University of Westminster - Regent St
• University of Westminster - Wells St
See http://www.ja.net/services/authentication-and-authorisation/janet-roamingl.htm for more
Benefits for users

| Feature | Benefit |
|---|---|
| No need to go through the process of getting a guest account set up at every organisation visited | Convenience and avoidance of lost time |
| Same username and password regardless of location | Enhanced convenience |
| Guaranteed availability of a broad set of protocols from the guest network | Access to Internet, email, VPN etc. services provided by the home organisation, leading to improved efficiency |
| Network access at all participating organisations, worldwide | Helps meet the need for ubiquitous network access; facilitates mobility, collaboration, secondments, meetings and study |
| Free of charge at point of use: no subscription or usage charge | No subscription or airtime charges to pay |
| High security – credentials are never exposed and the authentication interface cannot be hijacked | Assured security of credentials when utilising eduroam guest (or home) networks |
Benefits for host organisation & network manager
Possible within NHS use
Education or research user visiting an NHS site
NHS user visiting an education & research site
[Diagram: NHS user gaining eduroam access at an education site. Site A (hospital) with its ORPS on the N3 network, holding the secure resource; Site B (HE institution) with WiFi and its ORPS on the JANET network; NRPS and HARPS proxies with a gateway between the two networks. Flow for a person from Site A working at Site B: access request from user; Site B ORPS checks the user's credentials and recognises they are not a Site B user; Site A ORPS authenticates the user; access-accept returned to the visited site; access granted]
Working hypothesis
• On an NHS visited site supporting eduroam, the NHS site might provide 4 levels of access:
1. To their own NHS users
2. To visiting NHS users, who then might be allowed access within N3
3. To visiting Local Authority users, GCSX access possibly
4. To visiting education & research or "unbadged" users, internet access similar to existing eduroam
Issues to be resolved on eduroam include:
• Relies on "bidirectional" being allowed
• Allowable under eduroam branding?
• RADIUS hierarchy would be needed on N3
• How to kick-start
Proof of concept testing "lab to lab" about to start
Outcome to be built in to the proposal for deployment – limit of current plan
Support for the proposal from potential users would be very valuable
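As an added illustration (not code from the presentation or the project), the following Python models the realm-based forwarding shown in the eduroam diagram and applies the four access levels from the working hypothesis at an NHS visited site. The realm names, the realm directory and the level mapping are constructed assumptions; the point is that only the home ORPS ever sees the user's credentials, and the visited site decides access from the authenticated realm alone.

```python
from dataclasses import dataclass

# Constructed realm directory standing in for the RADIUS hierarchy: NHS realms
# would be reached through a RADIUS hierarchy on N3, education realms through
# the JANET NRPS. All realm names here are invented for this example.
HOME_REALMS = {
    "hospital-a.nhs.uk": "nhs",
    "hospital-c.nhs.uk": "nhs",
    "county.gov.uk": "local_authority",   # GCSX-connected council (assumed)
    "uni-b.ac.uk": "education",
}

# The four access levels from the working hypothesis, as applied at an NHS
# visited site once the home ORPS has authenticated the user.
ACCESS_LEVELS = {
    1: "own NHS users",
    2: "visiting NHS users: access within N3",
    3: "visiting Local Authority users: GCSX access",
    4: "education & research users: internet access as with existing eduroam",
}
LEVEL_BY_KIND = {"nhs": 2, "local_authority": 3, "education": 4}

@dataclass
class AccessRequest:
    outer_identity: str   # e.g. "anonymous@uni-b.ac.uk"; only the realm is routed on
    password_ok: bool     # stands in for the EAP exchange with the home ORPS

def home_orps_authenticate(req):
    """Home-site ORPS: the only server that ever sees the user's credentials."""
    return "accept" if req.password_ok else "reject"

def visited_orps(req, visited_realm):
    """Visited-site ORPS: authenticate local users itself, forward all other
    realms up the hierarchy, then map the result to an access level.
    Returns (decision, level or None)."""
    if "@" not in req.outer_identity:
        return ("reject", None)            # no realm: cannot be routed anywhere
    realm = req.outer_identity.rsplit("@", 1)[1].lower()
    if realm == visited_realm:             # level 1: the site's own users
        decision = home_orps_authenticate(req)
        return (decision, 1 if decision == "accept" else None)
    kind = HOME_REALMS.get(realm)
    if kind is None:
        return ("reject", None)            # unknown realm: hierarchy has no route
    decision = home_orps_authenticate(req) # proxied via NRPS / N3 hierarchy
    return (decision, LEVEL_BY_KIND[kind] if decision == "accept" else None)
```

Note that a realm the hierarchy cannot route is rejected outright rather than mapped to level 4; an "unbadged" visitor would need a separate, non-eduroam path.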
Federated Access
• Solution required to create a federated identity framework between JANET and NHS (N3) to allow Service Providers in either domain to trust identities
Initial scoping workshop held in May 2011
• Proof of Concept testing proposal under development.
• Particular focus: use of NHS smartcard credentials to provide identity management for web resources available through the UK access management federation
Federated Access Management (FAM) and the UK federation
FAM is: a mechanism for allowing attribute-based access control to local, national and international resources
'Student @ OU' not 'Henry Hughes' – what SPs need
The UK federation is: the UK's educational federation, operated by JISC Collections, funded by JISC and Becta (http://www.ukfederation.org.uk/). 884 members to date.
Many federations now established worldwide: education, government, commercial participation
From Henry Hughes, NHS-HE Forum May '09
[Diagram 1: As now for JANET & Internet. Federated Authentication & Authorisation between a User, an Identity Provider (IdP) and a Service Provider (SP) holding the Site Licence. Exchange shown: "I'm 'AJones/T,t<*?I1', am I?"; "Are you a licensed user?"; "They say I'm licensed"; "Yes, you're licensed"; "OK!". User's identity and personal data are protected; the publisher knows exactly what it needs. With thanks to Mark Tysom, JANET(UK)]
[Diagram 2: NHS or education & research user & Internet (NHS procured library resources), via Open Athens. The same Federated Authentication & Authorisation exchange between User, Identity Provider (IdP) and Service Provider (SP) holding the Site Licence]
But in an ideal world.........
[Diagram: User; NHS IdP; JANET IdP; Other approved IdP; Service Provider]
But complications e.g.1
[Diagram: User; NHS IdP; JANET IdP; Other approved IdP; Service Provider; N3]
But complications e.g.2
[Diagram: User; NHS IdP; JANET IdP; Other approved IdP; Service Provider; N3]
Current “federation” scope focused on the credentials from NHS smartcards providing an identity provider option for NHS users.
And it is only going to be a proposal/proof of concept at this stage
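As an added example (not from the presentation or the UK federation's own software), this Python sketch shows the IdP/SP exchange above with the attribute-release point made concrete: the IdP releases 'Student @ OU'-style scoped affiliation, never the name, and the SP checks its site licence against that scope. The HMAC shared secret is a stand-in for the signed assertions a real federation uses, and the user store and licence table are constructed.

```python
import hmac, hashlib, json

IDP_SECRET = b"constructed-shared-secret"  # stand-in for the IdP's signing key

# Constructed IdP user store: the name stays here, only the affiliation leaves.
USERS = {
    "hhughes": {"name": "Henry Hughes", "password": "pw",
                "affiliation": "student@ou.ac.uk"},
}

# Constructed SP licence table: which home scopes each resource is licensed to.
SITE_LICENCES = {"journal-x": {"ou.ac.uk", "hospital-a.nhs.uk"}}

def idp_issue_assertion(username, password):
    """IdP side: authenticate, then sign an assertion carrying only the
    attribute the SP needs. Returns None if authentication fails."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    payload = json.dumps({"affiliation": rec["affiliation"]}, sort_keys=True)
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def sp_check_licence(resource, assertion):
    """SP side: verify the assertion came from the IdP, then decide on the
    affiliation scope alone ('Are you a licensed user?' -> 'Yes')."""
    expected = hmac.new(IDP_SECRET, assertion["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False                      # tampered or not from our IdP
    attrs = json.loads(assertion["payload"])
    scope = attrs["affiliation"].split("@", 1)[1]
    return scope in SITE_LICENCES.get(resource, set())
```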
NHS-HE Connectivity Best Practice Working Group
How did the working Group evolve?
In response to a presentation to the national NHS-HE Forum in Manchester on 24th November 2010, it was agreed that work was required to find a way of developing some common and good practice guidance to overcome local access issues to applications that support learning and research.
10 years of discussion around the topic of inter-operability between NHS & HE networks.
What is the group trying to achieve?
• Improve inter-operability between Universities and the NHS to support:
• Access to NHS systems from University networks
• Access to University systems from NHS networks
• Access to internet-based systems and web sites from within the NHS, when these would otherwise be blocked
• Leveraging the bandwidth available to University staff and students when they are on NHS sites
• To put in place policies and procedures to support connectivity, whilst not increasing the risks to data security for either party
• To give organisations confidence that they are implementing best / common practice
Work Strands
• Strand 1 - N3 JANET Gateway
• Strand 2 - Access directly from NHS desktops
• Strand 3 - Use of terminal services
• Strand 4 - How the NHS and HE can network securely
• Strand 5 - Information Governance and Data Sharing
Strand 2 - Access directly from NHS desktops
• Developed a Web 2.0, Social Media and Standard Desktop Facilities paper which will highlight the risks and issues and give a list of sites and services that:
• we would recommend are made widely available (white list)
• should be supported at least in limited locations
• could be best delivered via a University log-in
• Producing a case study into the potential use of proxies (whereby the user authenticates to a University gateway for browsing beyond the host trust's usual browsing provision)
• Sample policies and procedures for adaptation with regard to issuing usernames and passwords to students
What next?
Launch of first resources on 29th November 2011 at the NHS-HE Forum