NHS-HE Connectivity Project: An Update

London Health Libraries NHS HE Conference

17th November 2011

Malcolm Teague, JANET(UK)Malcolm.Teague@ja.net

NHS-HE Forum History

• Started in 2001 by Prof Roland Rosner of UCL, frustrated by lack of interface between sectors

• Informal but influential group from the NHS and University sectors

• Forum meets twice a year, funded facilitation since 2005

• A parallel event in Scotland starting in 2006

What is the issue?Typical scenarios:• Undergraduate students on placement in the

NHS (e.g. About 13,000 medicine/dentistry at any one time, many more for nursing and related professions)

• NHS clinicians who also teach, undertake research, or are students themselves

• Collaborative research groups and research networks (c £1000m annual funding).

• Universities providing specific services

Difficulties with different networks, systems & rules…….

NHS-HE Connectivity Project

Objective:”To achieve good inter-operability between NHS and Higher Education (HE) networks that enable secure anytime, anywhere access by medical, nursing and allied profession students, clinical teachers and researchers”

www.nhs-he.org.uk

To move away from 2 PC syndrome

Two approaches:

1. National infrastructure – N3 JANET Gateways

2. Identifying local initiatives through the NHS-HE Connectivity Best Practice Working Group

N3 Scotland

JANET

Active

Gateway

N3 England

Scotland

England

Wales

N Ireland

NHS Wales

(PSBA)

Health & Social Services in NI (HSCnet)

N3 for NHS network in England and Scotland, JANET for Education & Research

Internet

Before the N3 JANET Gateways

N3 Scotland

JANET

Active

Gateway

N3 England

Scotland

England

Wales

N Ireland

NHS Wales

(PSBA)

Health & Social Services in NI (HSCnet)

N3 for NHS network in England and Scotland, JANET for Education & Research

Internet

250 Mbps,Kingston Exchange

Standby

Gateway

250 Mbps, Manchester

Since 24th June 2010

One way allowed

The New N3 Gateway(s)

• The new N3 JANET Gateway Service: • Implemented on 24th June 2010• 2 Gateways at 250 Mbps active/standby• Joint funded with DH/Connecting for Health• All N3 JANET traffic (sessions initiated in N3,

routed away from internet G/way)• Contract for 5 years• Full service management by N3

Gateway Phase II Project

• NHS working with JANET(UK)• Project was given joint agreement to proceed in

February 2011.• To implement “sessions initiated in JANET”

or “bidirectional working” if a suitable technical and information governance model can be found.

• Four potential services to investigate to proof of concept and to develop proposals.

Initial workshops held April-June 2011

Sessions initiated in JANET

i.e. To implement a solution for JANET users (or machine to machine) from JANET to N3

Rapid Risk Assessment conducted and final report concluded that there are no evidenced risks which cannot be appropriately managed

Matrix of potential use cases

SSL VPN/https technical proposal for specific agreed tunneling from specific JANET IP address range to specific NHS IP address range

Information governance statement of compliance/Information Governance Toolkit or equivalent for subset of JANET connected organisation involved – current key step

Not a “given” that the Information Governance can beresolved

employed as function credentialsPatient Identifiable Data (PID) possible? MoSCoW

VPN required? risk

NHS staff (permanent) Clinical NHS Smart Card yes MUST have WOULD like medium

NHS staff (permanent) Clinical NHS Local yes MUST have WOULD like medium

NHS staff (contract) Clinical NHS Smart Card yes MUST have WOULD like medium

NHS staff (contract) Clinical NHS Local yes MUST have WOULD like medium

Academic (medical) Clinical NHS Smart Card yes MUST have WOULD like medium+

Academic (medical) Clinical NHS Local yes MUST have WOULD like medium+

Student (medical) Clinical NHS Smart Card yes MUST have WOULD like medium

Student (medical) Clinical NHS Local yes MUST have WOULD like medium

machine (heart beat) Eduroam configured end point no MUST have COULD have low

machine (autonomous) VC call ? yes MUST have SHOULD have medium

machine (autonomous) VC set up register user no MUST have COULD have low

Academic ICT support IT support ? yes SHOULD have MUST have low

Academic ICT support IT support ? no SHOULD have MUST have low

NHS staff (permanent) non-clinical NHS Local no SHOULD have WOULD like low

NHS staff (contract) non-clinical NHS Local no SHOULD have WOULD like low

Academic (medical) non-clinical NHS Local no SHOULD have WOULD like low

Student (medical) non-clinical NHS Local no SHOULD have WOULD like low

User types?

Draft: from DH technical proposal

i.e. Current concept:

So....

• Bi-directional (access N3 from JANET) – focus on the Information Governance requirements, top priority

• In parallel can develop the following to “proposal stage” only:• Cross sector videoconferencing• Secure data transfer• Use of eduroam in the NHS• Move towards federated access

Integration of video services

Proposal and proof of concept for:Integration of the NHS (N3) and Academic (JANET) Video services• Looking particularly at the new N3 vc service in England• Want to be able to book and run videoconferences across

the two booking systems• Both have guest site facilities for IP and ISDN, the N3 vc

service is about to allow guest IP access from the internet• The guest IP access from the N3 vc service may be the

solution – waiting to see its impact (Guys & St Thomas’• one of the pilots)

Secure Data Transfer

• Solution required to enable staff operating in either JANET or NHS to securely exchange sensitive data or large datasets

Initial scoping workshop held in May 2011

Use cases identified from requests for help

DH has Secure File Transfer System on N3 but may not work for JANET community.

NHSmail not thought to be the way forward because need capacity for the NHS

Requirements being summarised in order to evaluate other options identified e.g. filesender

Again to get to “proposal” and proof of concept

Widening eduroam Support

Business case and proof of concept for:Support for eduroam (JANET RoamingService) in NHS networks• Enables visitor network access to basic services

when at other sites.• International facility well used in education &

research• Good reports where tried e.g. In Oxfordshire and

Truro areas (on back of partner University eduroam)

Existing eduroam sites in Londoneduroam sites inside the M25

BBSRC- MRC Centre London Kingston University - Main Campus University of East London - Duncan House

Birbeck College London Metropolitan University - Regent St University of East London - Stratford Campus

Brunel University - Uxbridge CampusLondon Metropolitan University - Calcutta House University of Greenwich - Greenwich Campus

Goldsmiths, Uni. of London - Rutherford Building LSE University of Greenwich - Avery Hill Campus

Imperial - Hammersmith HospitalLondon School of Hygiene & Tropical Medicine

University of London - Inst. of Advanced Legal Studies

Imperial - Charing Cross Hospital Queen Mary, University of London - Mile End University of London - Senate House

Imperial - St Mary's HospitalQueen Mary, University of London - Whitechapel University of London - UoL Union

Imperial - Clayponds Village St Georges, University of London University of Westminster - Cavendish

Imperial - Harefield Heart Science Centre School of Oriental and African Studies University of Westminster - Harrow

Imperial - Pembridge Garden Halls UCL University of Westminster - Little Titchfield St

Imperial - Evelyn Garden Halls University of East Anglia - UEA London University of Westminster - Marylebone

Imperial - South Kensington CampusUniversity of East London - Trinity Buoy Wharf University of Westminster - Regent St

Institute of Education - University of London

University of East London - Docklands Campus University of Westminster - Wells St

Kings College London

http://www.ja.net/services/authentication-and-authorisation/janet-roamingl.htm for more

Feature Benefit

No need to go through the process of getting a guest account set up at every organisation visited.

Convenience and avoidance of lost time

Same username and password regardless of location Enhanced convenienceGuaranteed availability of broad set of protocols from guest network

Access to Internet, email, VPN etc. services provided by home organisation, leading to improved efficiency.

Network access at all participating organisations – worldwide, helping to meet need for ubiquitous network access

Facilitates mobility, collaboration, secondments, meetings and study

Free of charge at point of use: no subscription or usage charge

No subscription or airtime charges to pay

High security – credentials are never exposed and authentication interface cannot be hijacked.

Assured security of credentials when utilising eduroam guest (or home) networks

Benefits for users

Feature Benefit

No need to go through the process of getting a guest account set up at every organisation visited.

Convenience and avoidance of lost time

Same username and password regardless of location Enhanced convenience

Guaranteed availability of broad set of protocols from guest network

Access to Internet, email, VPN etc. services provided by home organisation, leading to improved efficiency.

Network access at all participating organisations – worldwide, helping to meet need for ubiquitous network access

Facilitates mobility, collaboration, secondments, meetings and study

Free of charge at point of use: no subscription or usage charge

No subscription or airtime charges to pay

High security – credentials are never exposed and authentication interface cannot be hijacked.

Assured security of credentials when utilising eduroam guest (or home) networks

Benefits for host organisation & network manager

Possible within NHS use

Education or research user visiting an NHS site

NHS user visiting an education & research site

SITE A (HOSPITAL)

ORPS

N3 NETWORK

SECURE RESOURCE

JANET NETWORK

ORPS checks users credentials as recognises they are not a Site B user

GATEWAY

NRPS

SITE B (HE INSTITUTION)

WifiORPS

Person from site A working at site B

Access-accept returned to visited site

Access request from user

Access granted

Site A ORPS authenticates user

NHS User gaining eduroam access at an education

site

HARPS

Working hypothesis

• On an NHS visited site supporting eduroam, the NHS site might provide 4 levels of access:

1. To their own NHS users2. To visiting NHS users who then might be allowed access

within N33. To visiting Local Authority users, GCSX access possibly4. To visiting education & research or “unbadged” users,

internet access similar to existing eduroam

Issues to be resolved on eduroam include:

• Relies on “bidirectional” being allowed• Allowable under eduroam branding?• Radius hierarchy would be needed on N3 • How to kick-startProof of concept testing “lab to lab” about to startOutcome to be built in to proposal for deployment –

limit of current plan.Support for the proposal from potential users

would be very valuable

Federated Access

• Solution required to create a federated identity framework between JANET and NHS (N3) to allow Service Providers in either domain to trust identities

Initial scoping workshop held in May 2011

• Proof of Concept testing proposal under development.

• Particularly focus: use of NHS smartcard credentials to provide identity management for web resources available through the UK

• access management federation

Federated Access Management (FAM) and the UK federation

FAM is:A mechanism for allowing attribute based access control to local,

national and international resources‘Student @ OU’ not ‘Henry Hughes’ – what SPs need

The UK federation is:The UK’s educational federation, operated by JISC CollectionsFunded by JISC and Becta (http://www.ukfederation.org.uk/ ). 884

members to date.

Many federations now established worldwideEducation, government, commercial participation

From Henry Hughes, NHS-HE Forum May ‘09

Site Licence

I’m “AJones/T,t<*?I1”, am I?

Federated Authentication & Authorisation

User’s identity and personal data are protectedPublisher knows exactly what it needs

Are you a licensed user?They say I’m licensedYes, you’re licensed

OK!Identity Provider (IdP) Service Provider (SP)

With thanks to Mark Tysom, JANET(UK)

1. As now for JANET & Internet

Site Licence

I’m “AJones/T,t<*?I1”, am I?

Federated Authentication & Authorisation

Are you a licensed user?They say I’m licensedYes, you’re licensed

OK!Identity Provider (IdP) Service Provider (SP)

2. NHS or education & research user & Internet (NHS procured library resources)

Open Athens

But in an ideal world.........

NHS IdP

Other approved IdP

Service Provider

UserJANET IdP

But complications e.g.1

NHS IdP

JANET IdP

Other approved IdP

Service Provider

User

N3

But complications e.g.2

NHS IdP

JANET IdP

Other approved IdP

Service Provider

User

N3

Current “federation” scope focused on the credentials from NHS smartcards providing an identity provider option for NHS users.

And it is only going to be a proposal/proof of concept at this stage

NHS-HE Connectivity Best Practice Working Group

NHS-HE Connectivity Best Practice Working Group

How did the working Group evolve?

In response to a presentation to the national NHS-HE Forum in Manchester on 24th November 2010, it was agreed that work was required to find a way of developing some common and good practice guidance to overcome local access issues to applications that support learning and research.

10 years of discussion around the topic of inter-operability between NHS & HE networks.

What is trying to be achieved?

NHS-HE Connectivity Best Practice Working Group

• Improve inter-operability between Universities and the NHS to support;• Access to NHS systems from University networks• Access to University systems from NHS networks• Access to internet based systems and web sites from within the

NHS, when these would otherwise be blocked.• To leverage bandwidth available to University staff and students

when they are on NHS sites.

• To put in place policies and procedures to support connectivity, whilst not increasing the risks of data security to either party.

• To give organisations confidence that they are implementing best / common practice.

Work Strands

NHS-HE Connectivity Best Practice Working Group

• Strand 1 - N3 JANET Gateway• Strand 2 - Access directly from NHS desktops• Strand 3 - Use of terminal services• Strand 4 - How the NHS and HE can network securely• Strand 5 - Information Governance and Data Sharing

Strand 2 - Access directly from NHS desktops

NHS-HE Connectivity Best Practice Working Group

• Developed a Web 2.0, Social Media and Standard Desktop Facilities paper which will highlight the risks and issues and give a list of sites and services that ;

• we would recommend are made widely available (white list)• that should be supported at least in limited locations.• could be best delivered via a University log in.

• Producing a case study into the potential use of proxies (where by the user authenticates to a University gateway for browsing beyond the host trust’s usual browsing provision).

• Sample policies and procedures for adaptation with regard to issuing usernames and passwords to students.

What next?

NHS-HE Connectivity Best Practice Working Group

Launch of first resources on 29th November 2011

At the NHS-HE Forum

Questions & Comments please

Malcolm.Teague@ja.net01752 240175www.nhs-he.org.ukwww.ja.net

Thank you.