Smartcard VPN Access to the NHS National Network Service Description

Transcription

1 Smartcard VPN Access to the NHS National Network Service Description Page 1 Issue 1 - December 2014

2 1. Introduction Smartcard VPN Access to the NHS National Network is a simple to use Secure Remote Access Service (RAS) providing a fast and secure way for healthcare professionals to access NHS applications whilst away from their usual work location. The Service uses the NHS issued Smartcard (JCOP41 or later) to provide the two factor authentication required by the NHS in support of RAS services. Provision of a RAS service using the NHS issued Smartcard and a static IP address for authentication and individual user traceability. Each authentication required real time checking for rescinded cards meaning that once a Smartcard is revoked centrally, access to VPN and NHS applications are simultaneously barred. End user service commissioning process/documents for local IT departments to implement the service Configuration support for VPN software and associated supported operating systems (Windows 7 32-bit, and Windows 8 32-bit and 64bit) but not smartcard readers/reader software outside of the supported environments which is a Customer responsibility. Access to the Internet once remotely connected via the Service. Assignment of local LAN WINS/DNS configurations which must be requested at the time of order, facilitate access to local networks BT will supply to Customers, by provision of a link, at order fulfilment time, a Smartcard VPN Access to the National NHS Network Enablement Guide for local network and firewall configuration requirements. The authentication platforms and VPN infrastructure are hosted in secure UK data centres, with connectivity to the NHS National Network and the internet. Important Note: Customer lost/stolen smartcards and PIN resets are resolved by NHS SPINE and local IT helpdesks, not BT. Page 2 Issue 1 - December 2014

3 2. Overview of Smartcard VPN Services The core components of the Smartcard VPN Access service are: Remote Access Service authentication by healthcare professionals using NHS-issued smartcards (no need to distribute a second authentication method). The Service supports defined Windows 7 32-bit (BT identity Agent) and Windows 8 32-bit (BT Identity Agent) with Windows 64-bit (the Microsoft Identity Agent) are the warranted environments in terms of software. The Helpdesk (as a desk a desk single point of contact for all Trouble to Resolve issues) is designed for local IT helpdesks to raise specific VPN access issues, or assistance in resolving WINS/DNS issues. The Helpdesk will assist in all contract changes, queries and service issues. No usage charges. Two year term with annual invoicing. Connectivity to the NHS National Network and onward connectivity to Customer own NHS Network-connected LANs. Page 3 Issue 1 - December 2014

4 3. Product overview Smartcard VPN Access to NHS National Network service This Service provides a Remote Access Service based on the use of an NHS-issued Smartcard and the use of the VPN client software to create a secure data path via the Internet to the National NHS Network. There are no controls placed on the destination addresses reachable by the NHS end users. The Service will be delivered using the following components: Hardware: Customer provided portable computer platform and a tablet/computer platform for the residence of the NHS Smartcard reader. Healthcare professionals own NHS Smartcard (JCOP 41 or later). Network Access: GPRS, 3G, 4G, DSL, Wi-Fi Hotspots, Managed WLAN or Private Wi-Fi from a number of commercial providers of these services but provisioned by the Customer, independently of the Service. Security: The Customer is responsible for ensuring security in line with appropriate NHS security policies including for all for Customer device (i.e. PCs/end devices). Two- factor authentication for this Service will be enabled by the use the NHS provided PIN available on the NHS provided Smartcard, and the X.509 digital certificate, inherent in the Smartcard provided to the NHS end user. Software: VPN client software allows the formulation of the SSL cryptographic tunnel between the end device and the Virtual Private Network concentrators. A link to the VPN Client software for supported operating systems, will be provided (via ) as part of the provisioning process for the VPN service. This software may be upgraded by the end user, in line with Cisco release of the software, but support of new releases of VPN software (not provided at the time of provisioning) is subject to testing and release by BT. User Enablement: To use the Service the Customer must ensure the instructions in the Smartcard VPN Access to the National NHS Network Enablement Guide are implemented. The Guide will be be issued to the customer on despatch of the Smartcard activation information. It is possible that local firewalls will require changes to configuration to allow VPN traffic into the local network see Smartcard VPN Access to the National NHS Network Enablement Guide. The Guide will provide the information to enable Customer IT teams to configure local firewalls to allow traversal of VPN traffic from the NHS National Network and local networks. Helpdesk support for the Service (set up and ongoing) is provided UK time Monday to Friday 0800 to excluding public holidays in England. The Helpdesk will not diagnose, or support smartcard reader-based issues, outside of the supported operating systems and Identity Agent clients. Page 4 Issue 1 - December 2014

5 3.1. Security The Service complies with IG security policy for platform design and build. It is the responsibility of the Customer and healthcare professional to comply with appropriate, prevailing NHS IT security policies or other local information governance security/ good practice operational requirements. To use the Service the Customer and healthcare professional must supply a laptop or PC with a supported operating system (currently Microsoft Windows or Windows 7/8) and specification that has associated VPN client software, and NHS Smartcard/ card reader and appropriate middle ware. It is the responsibility of the customer to download the VPN client software from the relevant locations and configure them correctly. Personal firewall and anti-virus software should be implemented on the remote devices, in accordance with current NHS Security policy and local IT policies - this is not a BT responsibility. Page 5 Issue 1 - December 2014

6 3.2. Ordering the service The Customer will use the G-Cloud portal to request the service, which is via a G-Cloud call-off contract. The Customer will be asked to provide: o Access agreement number o Customer (individual or trust) o Billing address o Account holder name o address o 12-Digit NHS Smartcard Numbers and WINS/DNS settings of smartcards requiring the VPN service Billing Billing will be in advance annually Technical Assistance and Fault Reporting A link to the Smartcard VPN Access to the National NHS Network Enablement Guide will be provided with the Service, which can be used by to local IT teams to aid the end users connectivity. If a fault arises, the healthcare professional should call their local IT Helpdesk. Page 6 Issue 1 - December 2014