NHS-HE Connectivity Project: An Update
London Health Libraries NHS HE Conference, 17th November 2011
Malcolm Teague, JANET(UK), Malcolm.Teague@ja.net
NHS-HE Forum History
- Started in 2001 by Prof Roland Rosner of UCL, frustrated by the lack of interface between the sectors.
- An informal but influential group from the NHS and University sectors.
- The Forum meets twice a year, with funded facilitation since 2005.
- A parallel event in Scotland started in 2006.
What is the issue?
Typical scenarios:
- Undergraduate students on placement in the NHS (about 13,000 in medicine/dentistry at any one time, many more in nursing and related professions)
- NHS clinicians who also teach, undertake research, or are students themselves
- Collaborative research groups and research networks (c. 1000m annual funding)
- Universities providing specific services
Difficulties arise from the different networks, systems and rules of the two sectors.
NHS-HE Connectivity Project
Objective: to achieve good inter-operability between NHS and Higher Education (HE) networks, enabling secure anytime, anywhere access by medical, nursing and allied profession students, clinical teachers and researchers.
www.nhs-he.org.uk
To move away from the "2 PC syndrome" (a user needing one PC on the NHS network and another on the university network).
Two approaches:
1. National infrastructure: the N3-JANET Gateways
2. Identifying local initiatives through the NHS-HE Connectivity Best Practice Working Group
Before the N3-JANET Gateways (diagram)
N3 is the NHS network in England and Scotland; JANET serves Education & Research. Networks shown: N3 England, N3 Scotland, NHS Wales (PSBA), Health & Social Services in NI (HSCnet), JANET (England, Scotland, Wales, N Ireland) and the Internet.

After the N3-JANET Gateways (diagram)
The same networks, now joined by an active gateway (250 Mbps, Kingston Exchange) and a standby gateway (250 Mbps, Manchester). One-way working only (sessions initiated in N3), in service since 24th June 2010.
The New N3 Gateway(s)
The new N3-JANET Gateway Service:
- Implemented on 24th June 2010
- 2 gateways at 250 Mbps, active/standby
- Jointly funded with DH / Connecting for Health
- Carries all N3-JANET traffic (sessions initiated in N3, routed away from the Internet gateway)
- Contract for 5 years
- Full service management by N3
Gateway Phase II Project
- NHS working with JANET(UK); the project was given joint agreement to proceed in February 2011.
- Aim: to implement sessions initiated in JANET, or bidirectional working, if a suitable technical and information governance model can be found.
- Four potential services to investigate to proof of concept and to develop proposals.
- Initial workshops held April-June 2011.
Sessions initiated in JANET
i.e. to implement a solution for JANET users (or machine-to-machine traffic) from JANET to N3.
- A Rapid Risk Assessment was conducted; the final report concluded that there are no evidenced risks which cannot be appropriately managed.
- A matrix of potential use cases has been drawn up (next slide).
- Technical proposal: SSL VPN/https, with tunnelling agreed only from a specific JANET IP address range to a specific NHS IP address range.
- Information governance: a statement of compliance with the Information Governance Toolkit (or equivalent) for the subset of JANET-connected organisations involved. This is the current key step, and it is not a given that the information governance can be resolved.
User types? (matrix of potential use cases; PID = Patient Identifiable Data; MoSCoW = priority of the use case)
Employed as | Function | Credentials | PID possible? | MoSCoW | VPN required? | Risk
NHS staff (permanent) | Clinical | NHS Smart Card | yes | MUST have | WOULD like | medium
NHS staff (permanent) | Clinical | NHS Local | yes | MUST have | WOULD like | medium
NHS staff (contract) | Clinical | NHS Smart Card | yes | MUST have | WOULD like | medium
NHS staff (contract) | Clinical | NHS Local | yes | MUST have | WOULD like | medium
Academic (medical) | Clinical | NHS Smart Card | yes | MUST have | WOULD like | medium+
Academic (medical) | Clinical | NHS Local | yes | MUST have | WOULD like | medium+
Student (medical) | Clinical | NHS Smart Card | yes | MUST have | WOULD like | medium
Student (medical) | Clinical | NHS Local | yes | MUST have | WOULD like | medium
machine (heart beat) | eduroam configured end point | - | no | MUST have | COULD have | low
machine (autonomous) | VC call? | - | yes | MUST have | SHOULD have | medium
machine (autonomous) | VC set up, register user | - | no | MUST have | COULD have | low
Academic ICT support | IT support? | - | yes | SHOULD have | MUST have | low
Academic ICT support | IT support? | - | no | SHOULD have | MUST have | low
NHS staff (permanent) | non-clinical | NHS Local | no | SHOULD have | WOULD like | low
NHS staff (contract) | non-clinical | NHS Local | no | SHOULD have | WOULD like | low
Academic (medical) | non-clinical | NHS Local | no | SHOULD have | WOULD like | low
Student (medical) | non-clinical | NHS Local | no | SHOULD have | WOULD like | low
Current concept (draft diagram, from the DH technical proposal)
So...
Bi-directional (access N3 from JANET): focus on the Information Governance requirements, the top priority.
In parallel, the following can be developed to proposal stage only:
- Cross-sector videoconferencing
- Secure data transfer
- Use of eduroam in the NHS
- Move towards federated access
Integration of video services
Proposal and proof of concept for integration of the NHS (N3) and Academic (JANET) video services, looking particularly at the new N3 vc service in England.
- Want to be able to book and run videoconferences across the two booking systems.
- Both have guest site facilities for IP and ISDN; the N3 vc service is about to allow guest IP access from the Internet.
- Guest IP access from the N3 vc service may be the solution; waiting to see its impact (Guy's & St Thomas' is one of the pilots).
Secure Data Transfer
A solution is required to enable staff operating in either JANET or the NHS to securely exchange sensitive data or large datasets.
- Initial scoping workshop held in May 2011.
- Use cases identified from requests for help.
- DH has a Secure File Transfer System on N3, but it may not work for the JANET community.
- NHSmail is not thought to be the way forward, because its capacity is needed for the NHS.
- Requirements are being summarised in order to evaluate the other options identified, e.g. FileSender.
- Again, the aim is to get to proposal and proof of concept.
Widening eduroam Support
Business case and proof of concept for support of eduroam (the JANET Roaming Service) in NHS networks.
- Gives visitors network access to basic services when at other sites.
- An international facility, well used in education & research.
- Good reports where tried, e.g. in the Oxfordshire and Truro areas (on the back of the partner University's eduroam).
Existing eduroam sites in London (inside the M25):
BBSRC-MRC Centre London; Kingston University - Main Campus; University of East London - Duncan House; Birkbeck College; London Metropolitan University - Regent St; University of East London - Stratford Campus; Brunel University - Uxbridge Campus; London Metropolitan University - Calcutta House; University of Greenwich - Greenwich Campus; Goldsmiths, Uni. of London - Rutherford Building; LSE; University of Greenwich - Avery Hill Campus; Imperial - Hammersmith Hospital; London School of Hygiene & Tropical Medicine; University of London - Inst. of Advanced Legal Studies; Imperial - Charing Cross Hospital; Imperial - St Mary's Hospital; Queen Mary, University of London - Mile End; University of London - Senate House; Queen Mary, University of London - Whitechapel; University of London - UoL Union; Imperial - Clayponds Village; St George's, University of London; University of Westminster - Cavendish; Imperial - Harefield Heart Science Centre; School of Oriental and African Studies; University of Westminster - Harrow; Imperial - Pembridge Garden Halls; UCL; University of Westminster - Little Titchfield St; Imperial - Evelyn Garden Halls; University of East Anglia - UEA London; University of Westminster - Marylebone; Imperial - South Kensington Campus; University of East London - Trinity Buoy Wharf; University of Westminster - Regent St; Institute of Education - University of London; University of East London - Docklands Campus; University of Westminster - Wells St; King's College London.
See http://www.ja.net/services/authentication-and-authorisation/janet-roamingl.htm for more.
Benefits for users
- Feature: no need to go through the process of getting a guest account set up at every organisation visited. Benefit: convenience and avoidance of lost time.
- Feature: same username and password regardless of location. Benefit: enhanced convenience.
- Feature: guaranteed availability of a broad set of protocols from the guest network. Benefit: access to Internet, email, VPN etc. services provided by the home organisation, leading to improved efficiency.
- Feature: network access at all participating organisations worldwide, helping to meet the need for ubiquitous network access. Benefit: facilitates mobility, collaboration, secondments, meetings and study.
- Feature: free of charge at point of use, with no subscription or usage charge. Benefit: no subscription or airtime charges to pay.
- Feature: high security. Credentials travel only inside the EAP tunnel to the home organisation's RADIUS server, so the visited site never sees them and the authentication interface cannot be hijacked, provided the client is configured to validate the home server's certificate. Benefit: assured security of credentials when using eduroam guest (or home) networks.
Benefits for host organisation & network manager
Possible within NHS use (diagram)

Education or research user visiting an NHS site (diagram)

NHS user visiting an education & research site (diagram): a person from Site A (hospital, on the N3 network) gaining eduroam access at Site B (HE institution, on the JANET network), with a secure resource gateway between the two networks and the RADIUS proxies (NRPS, HARPS) in between.
1. Wi-Fi access request from the user at Site B.
2. Site B's ORPS inspects the realm in the user's credentials, recognises that they are not a Site B user, and forwards the request via the RADIUS hierarchy (NRPS, HARPS) towards Site A.
3. Site A's ORPS authenticates the user.
4. An Access-Accept is returned to the visited site.
5. Access granted at Site B.
Working hypothesis
On an NHS visited site supporting eduroam, the NHS site might provide 4 levels of access:
1. To their own NHS users
2. To visiting NHS users, who might then be allowed access within N3
3. To visiting Local Authority users, possibly GCSX access
4. To visiting education & research or unbadged users, Internet access similar to existing eduroam
Issues to be resolved on eduroam include:
- Relies on bidirectional working being allowed
- Allowable under eduroam branding?
- A RADIUS hierarchy would be needed on N3
- How to kick-start
Proof of concept testing, lab to lab, is about to start. The outcome is to be built into a proposal for deployment (the limit of the current plan). Support for the proposal from potential users would be very valuable.
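The flow on the previous diagram and the four-level working hypothesis both turn on one decision made at the visited NHS site's ORPS for every Access-Request: read the realm from User-Name, authenticate locally or proxy up the right hierarchy, and, when an Access-Accept comes back, place the user on the visited site's own access level rather than whatever the home server suggests. The following Python is an added, constructed model of that decision; it is not project code and not a FreeRADIUS configuration. The realm names (hospital-a.nhs.uk, the .nhs.uk and .gov.uk suffixes), the proxy names (nhs-nrps, la-proxy, janet-nrps) and the VLAN ids are assumptions.

```python
"""Constructed model (not project code) of the decision an eduroam-enabled NHS
visited site's ORPS makes per Access-Request: parse the realm, route the
request, and map the realm to one of the four access levels in the working
hypothesis. Realm names, proxy names and VLAN ids are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALM = "hospital-a.nhs.uk"   # assumed: the visited NHS site's own realm (level 1)
NHS_SUFFIX = ".nhs.uk"              # assumed: other NHS organisations (level 2)
LA_SUFFIX = ".gov.uk"               # assumed: Local Authority users (level 3)

# Access level -> (level number from the hypothesis, assumed local VLAN id)
ACCESS_LEVELS = {
    "local_nhs": (1, 10),      # own NHS users
    "visiting_nhs": (2, 20),   # visiting NHS users, may be allowed access within N3
    "local_auth": (3, 30),     # visiting Local Authority users, GCSX access possibly
    "internet": (4, 40),       # education & research or unbadged: Internet only
}

# A routable realm looks like a DNS name with at least one dot: eduroam proxies
# route on the realm, so a missing or single-label realm cannot be forwarded.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
REALM_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")

TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")


@dataclass
class Decision:
    action: str                  # "reject", "local" or "proxy"
    realm: Optional[str]
    next_hop: Optional[str]      # RADIUS server the request is forwarded to
    access_level: Optional[str]  # tier applied if an Access-Accept comes back
    reason: str


def parse_realm(user_name: str) -> Optional[Tuple[str, str]]:
    """Split a User-Name NAI (RFC 7542) on its last '@'. The user part may be
    empty (anonymous outer identity); the realm is lower-cased for routing."""
    if "@" not in user_name:
        return None
    user, _, realm = user_name.rpartition("@")
    realm = realm.lower()
    if not REALM_RE.match(realm):
        return None
    return user, realm


def route(user_name: str) -> Decision:
    """Routing decision for one Access-Request seen at the visited NHS site."""
    parsed = parse_realm(user_name)
    if parsed is None:
        return Decision("reject", None, None, None, "missing or malformed realm")
    _, realm = parsed
    if realm == LOCAL_REALM:
        return Decision("local", realm, None, "local_nhs",
                        "own realm: authenticate against the local directory")
    if realm.endswith(NHS_SUFFIX):
        return Decision("proxy", realm, "nhs-nrps", "visiting_nhs",
                        "other NHS realm: proxy via an NHS RADIUS hierarchy on N3 (assumed)")
    if realm.endswith(LA_SUFFIX):
        return Decision("proxy", realm, "la-proxy", "local_auth",
                        "Local Authority realm: proxy via an assumed LA hierarchy")
    return Decision("proxy", realm, "janet-nrps", "internet",
                    "anything else: proxy to the JANET NRPS; Internet-only access")


def apply_accept(decision: Decision, home_reply: dict) -> dict:
    """Attributes handed to the visited site's NAS after the home server accepted.
    The visited site sets the VLAN from its own access level and discards any
    Tunnel-* attributes the home server sent, so a remote organisation cannot
    place its users onto this site's internal VLANs."""
    if decision.action == "reject":
        raise ValueError("rejected request has no access level")
    reply = {k: v for k, v in home_reply.items() if k not in TUNNEL_ATTRS}
    _, vlan = ACCESS_LEVELS[decision.access_level]
    reply.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                  "Tunnel-Private-Group-Id": str(vlan)})
    return reply


if __name__ == "__main__":
    for name in ("nurse@hospital-a.nhs.uk", "dr@hospital-b.nhs.uk",
                 "anonymous@Council.gov.uk", "student@medschool.ac.uk", "nurse"):
        d = route(name)
        print(f"{name:28} -> {d.action:6} via {d.next_hop or '-':10} level {d.access_level}")
```

Two details matter for the security of the scheme. A request without a routable realm is rejected outright rather than guessed at, since nothing upstream could answer it. And the VLAN a visitor lands on is chosen by the visited site from the realm, never taken from the home server's reply, which is what keeps level 2 ("may be allowed access within N3") a decision of the NHS site rather than of whichever remote organisation issued the credential.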
Federated Access
A solution is required to create a federated identity framework between JANET and the NHS (N3), allowing Service Providers in either domain to trust identities from the other.
- Initial scoping workshop held in May 2011.
- Proof of concept testing proposal under development.
- Particular focus: use of NHS smartcard credentials to provide identity management for web resources available through the UK Access Management Federation.
Federated Access Management (FAM) and the UK federation
FAM is a mechanism for allowing attribute-based access control to local, national and international resources: what Service Providers need to know is "Student @ OU", not "Henry Hughes".
The UK federation is the UK's educational federation, operated by JISC Collections and funded by JISC and Becta (http://www.ukfederation.org.uk/); 884 members to date.
Many federations are now established worldwide, with education, government and commercial participation.
From Henry Hughes, NHS-HE Forum, May 09.
Federated Authentication & Authorisation
1. As now for JANET & Internet (diagram: Identity Provider (IdP), Site holding the licence, Service Provider (SP))
- User to IdP: "I'm AJones / T,t<*?I1 (username / password), am I?"
- IdP to user: "Yes, you're licensed"
- SP to user: "Are you a licensed user?"
- User to SP: "They say I'm licensed"
- SP: "Licence OK!"
The user's identity and personal data are protected; the publisher knows exactly what it needs.
With thanks to Mark Tysom, JANET(UK)
Federated Authentication & Authorisation
2. NHS or education & research user & Internet (NHS-procured library resources): the same exchange, with OpenAthens acting as the Identity Provider and holding the site licence.
- User to IdP: "I'm AJones / T,t<*?I1, am I?"
- IdP to user: "Yes, you're licensed"
- SP to user: "Are you a licensed user?"
- User to SP: "They say I'm licensed"
- SP: "OK!"
But in an ideal world... (diagram): the User can authenticate at any of a JANET IdP, an NHS IdP or another approved IdP, and the Service Provider trusts all of them.
But complications, e.g. 1 (diagram): as above, but the Service Provider sits inside N3.
But complications, e.g. 2 (diagram): as above, with the N3 boundary placed differently (labels: JANET IdP, User, NHS IdP, Service Provider, N3, Other approved IdP).
The current federation scope is focused on the credentials from NHS smartcards providing an identity provider option for NHS users. And it is only going to be a proposal/proof of concept at this stage.
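The FAM slide's point ("Student @ OU", not "Henry Hughes"), the two IdP/SP exchanges above, and the proposed NHS-smartcard IdP all come down to the same two-party protocol: the IdP authenticates the user and releases only the attributes the SP needs, and the SP accepts an assertion only from an issuer listed in its federation metadata. The Python below is an added illustration of that protocol with both sides' messages; it is not project code and not the UK federation's or OpenAthens' software. Real SAML assertions are XML-signed with the IdP's certificate; an HMAC keyed per issuer stands in for that here, and the entity IDs, keys and licence policy are assumptions.

```python
"""Constructed illustration (not project code) of attribute-based federated
access: the IdP releases a scoped affiliation and a pairwise pseudonymous id,
never the user's name; the SP trusts only issuers in its federation metadata.
Real SAML uses XML signatures with the IdP's certificate; an HMAC keyed per
issuer stands in for that. Entity IDs, keys and the licence policy are assumed."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed federation metadata: issuer entityID -> key the SP uses to verify it.
FEDERATION_METADATA = {
    "https://idp.ou.ac.uk": b"ou-idp-signing-key",      # an education IdP
    "https://idp.nhs.example": b"nhs-idp-signing-key",  # an NHS IdP (smartcard-backed)
}
SP_ENTITY_ID = "https://library.example/sp"

# Assumed licence policy at the SP: affiliations entitled to the resource.
LICENSED_AFFILIATIONS = {"student@ou.ac.uk", "staff@ou.ac.uk", "staff@nhs.example"}

ASSERTION_LIFETIME = 300  # seconds


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def idp_issue(issuer: str, key: bytes, affiliation: str, targeted_id: str,
              now: Optional[float] = None) -> dict:
    """IdP side, run after the user has authenticated locally (password or an
    NHS smartcard). Only the attributes the SP needs are released: no name."""
    now = time.time() if now is None else now
    claims = {
        "iss": issuer,
        "aud": SP_ENTITY_ID,
        "exp": now + ASSERTION_LIFETIME,
        "attrs": {"eduPersonScopedAffiliation": affiliation,
                  "eduPersonTargetedID": targeted_id},
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload, "sig": _sign(payload, key)}


def sp_verify(assertion: dict, now: Optional[float] = None) -> dict:
    """SP side: trusted issuer, valid signature, right audience, not expired.
    Returns the released attributes; raises PermissionError otherwise."""
    now = time.time() if now is None else now
    claims = json.loads(assertion["payload"])
    key = FEDERATION_METADATA.get(claims.get("iss"))
    if key is None:
        raise PermissionError("issuer not in federation metadata")
    if not hmac.compare_digest(_sign(assertion["payload"], key), assertion["sig"]):
        raise PermissionError("signature does not verify")
    if claims.get("aud") != SP_ENTITY_ID:
        raise PermissionError("assertion not addressed to this SP")
    if claims.get("exp", 0) < now:
        raise PermissionError("assertion expired")
    return claims["attrs"]


def sp_authorise(assertion: dict, now: Optional[float] = None) -> bool:
    """Licence decision on the attribute alone: 'student@ou.ac.uk', not a person."""
    attrs = sp_verify(assertion, now)
    return attrs.get("eduPersonScopedAffiliation") in LICENSED_AFFILIATIONS


if __name__ == "__main__":
    a = idp_issue("https://idp.ou.ac.uk", FEDERATION_METADATA["https://idp.ou.ac.uk"],
                  "student@ou.ac.uk", "pairwise-id-1234")
    print("OU student licensed:", sp_authorise(a))
    print("attributes the SP saw:", sp_verify(a))
```

Adding the NHS IdP to the picture is then a metadata change at the SP, not a code change, which is the "ideal world" diagram above; the complications arise when the SP or the NHS IdP sits inside N3 and the assertion exchange cannot reach it, not from the trust model itself.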
NHS-HE Connectivity Best Practice Working Group
How did the Working Group evolve?
In response to a presentation to the national NHS-HE Forum in Manchester on 24th November 2010, it was agreed that work was required to find a way of developing some common and good practice guidance to overcome local access issues to applications that support learning and research.
This followed 10 years of discussion around the topic of inter-operability between NHS & HE networks.
What is trying to be achieved?
Improve inter-operability between Universities and the NHS to support:
- Access to NHS systems from University networks
- Access to University systems from NHS networks
- Access to Internet-based systems and web sites from within the NHS, when these would otherwise be blocked
- Leveraging the bandwidth available to University staff and students when they are on NHS sites
- Putting in place policies and procedures to support connectivity, whilst not increasing the data security risks to either party
- Giving organisations confidence that they are implementing best / common practice
Work Strands
- Strand 1 - N3 JANET Gateway
- Strand 2 - Access directly from NHS desktops
- Strand 3 - Use of terminal services
- Strand 4 - How the NHS and HE can network securely
- Strand 5 - Information Governance and Data Sharing
Strand 2 - Access directly from NHS desktops
- Developed a Web 2.0, Social Media and Standard Desktop Facilities paper, which will highlight the risks and issues and give a list of sites and services that: we would recommend are made widely available (a white list); should be supported at least in limited locations; could be best delivered via a University log-in.
- Producing a case study into the potential use of proxies, whereby the user authenticates to a University gateway for browsing beyond the host trust's usual browsing provision.
- Sample policies and procedures, for adaptation, with regard to issuing usernames and passwords to students.
What next?
Launch of the first resources on 29th November 2011, at the NHS-HE Forum.
Questions & Comments please
Malcolm.Teague@ja.net, 01752 240175
www.nhs-he.org.uk
www.ja.net
Thank you.