N3 Cloud Services
Unified Communications is the integration of real-time communication services like WebEx and MeetMe.
N3 Mobile Health Worker offers key benefits to clinicians on the move by increasing their efficiency, which results in improved patient care.
N3's On Demand Compute is a hosted data centre service that enables you to create, deploy, monitor and manage your data centre infrastructure through a self-service portal.
Connect to N3 through IPstream & Business DSL – intended for GPs, small clinics & temporary sites. Connect up your main and branch sites with our VPN solutions.
N3's remote worker services for NHS users – connect to N3 wherever you are.
Private Circuit and Ethernet connectiions for larger NHS sites that run applications like Choose & Book, electronic prescriptions and PACs.
The new Healthcare Security Token enables AQPs and non-NHS organisations to access patient information and national NHS applications like Choose & Book and other services from anywhere.
The N3 PSN products enable customers to connect to N3 PSN. These products are based on non-resilient DSL and non-resilient Ethernet services.
Quick summary of N3 features, benefits and technology.
IP Address ranges used by the NHS; legacy, policy and user requests.
Physical security, securing patient data and responsibilities, plus security checklist.
nhs.uk domain, internal vs external DNS and record change requests.
Order an N3 service, fund my N3 connection, migrate my N3 connection, manage a change to a CoIN, Contact N3 and raise a complaint.
The N3 user guides will help get the best from your N3 products and services.
Frequently Asked Questions will give you answers to voice services, security, internet gateway, GP NGA and general queries.
Access N3 product and service brochures about voice services, video and web conferencing, Mobile Health Worker, On Demand Compute and VPN.
Register for the latest N3 events including the N3 User Forum.
Read the latest N3 case studies that demonstrate the cash releasing, innovation, productivity improving potential of N3 products and services that can improve clinician's efficiency and patient experience.
The N3 Event Replay site is regularly updated with videos and presentation material from our User Forum events.
New to N3?
Find out how N3 has helped enable 21st Century healthcare for the NHS and is an enabler for innovative IT solutions such as using video conferencing for a telestroke service.
Find out how N3 are delivering high quality services with service delivery processes conforming to best practices.
We are in constant dialogue with our customers about the service they receive from us. Find out how N3 analyse and act on customer feedback.
N3 are very proud of the many awards that we have won over the last few years. Find out what awards we have won that demonstrate the excellence of our network, our services and our commitment to the NHS.
N3 is enabling sustainable benefits for the NHS, by stimulating a change in the way people work, providing accessibility to national applications to enable local services and reduce wastage and using new technologies to enable collaborative working
N3 Network Security
N3 is a very large network, with 1.3 million NHS end users and over 40,000 connections in England and Scotland connected to regional Points of Presence (PoPs). A high speed any to any Multi-Protocol Label Switching (MPLS) core is used to connect the N3 PoPs. There are currently twelve major data centres connected directly to the MPLS network to provide national and local services and applications. Two additional data centres provide authentication and access profiling.
The network has a very wide variety of end user NHS organisations from GP practices to large hospitals with dedicated IT staff. It has gateways to other networks, most notably the Internet. A number of approved NHS suppliers are connected to N3.
All involved have security responsibilities:
- network owners - the Health and Social Care Information Centre and NHS National Services Scotland who set security policy, rules and requirements.
- service provider - N3SP by ‘building-in' network security through design and operation
end users - anyone who connects to and uses N3 by acting responsibly, following the Health and Social Care Information Centre and NHS National Services Scotland policy and rules and maintaining good security practices
The N3 network is a private data network designed to ensure:
- Confidentiality with physical and logical restrictions to network access
- Integrity with authorised user access
Only NHS organisations and approved third parties can connect to N3. Third party access is normally restricted in terms of types of network traffic and N3 destinations
- Availability with resilience and fallback built into the core network design and access (catalogue) services
The level of resilience at an end user site depends on the Catalogue Service in use
Data sent across N3 is not encrypted (unless using the VPN N3-12-4 Catalogue service which encrypts traffic across the Internet and the N3 network to a specific site). As with any data network there is a risk that data can be intercepted. There are number of security factors that minimise the chances of this happening, including:
- physical and organisational security of the core network, data circuits and end users equipment
- N3SP service level agreements/contractual agreements to ensure secure network operation
- established policies, rules and in some cases laws to control user behaviour
N3 PoPs and Community of Interest Network (COIN) gateways are housed in physically secure BT premises. N3SP has applied additional security for the N3SP equipment cabinetswith a remote locking and unlocking solution. This ensures only authorised personnel can access the cabinets following request and authorisation from the N3 Operational Support helpdesk. Alarms are generated if unauthorised entry is attempted or there is an unusual condition or problem detected. This will allow the N3 Operational Support helpdesk to carry out an investigation
Data transmitted across N3 is not encrypted (unless using the VPN N3-12-4 Catalogue service which encrypts traffic across the Internet and the N3 network to a specific site). Thus N3 is not considered secure enough to transmit patient identifiable or similarly sensitive data across. It does not meet the Caldicott Guidelines requirements alone. It is the joint responsibility of the sender(s) and receiver(s) of such data - not the Health and Social Care Information Centre, NHS National Services Scotland or N3SP to implement a solution that conforms.
The normal practical solution is to encrypt application data where it traverses N3 between users and application providers. The encryption method must meet the Health and Social Care Information Centre and NHS National Services Scotland requirements.
Network border security - firewalls
The core of the N3 network is protected from individual end users and vice versa by firewalls, devices that only allow certain types of IP data to pass. Firewall rules control what types of IP data packets can pass. Firewalls are also used to protect N3 at its gateways to other networks. All of these firewalls are mandatory.
Firewalls are often used to protect a small network where it connects to a larger network; such as where a GP surgery connects to the N3 Wide Area Network. The firewall passes data in both directions to make the connection useable, but it will only do this if the session (streams of data traffic back and forth to complete a task, such as browsing a web site) is started by a user/device on the small network. In this way firewalls protect the user's local network from users on the larger network they're connected to.
For GP and similar lower-speed user N3 catalogue (access) services the firewall is within the router that terminates the N3 connection at the user's premises. Users with these types of service can request changes to the standard firewall rule set configured by N3SP on the router to meet local needs.
Larger NHS sites and organisations use N3 catalogue (access) services where the firewall is not built into the terminating router. They must deploy their own compliant firewall between N3 and their local network, in line with the Health and Social Care Information Centre and NHS National Services Scotland security rules. They are responsible for managing and configuring their own firewall rules.
The Internet Gateway firewall rule set controls N3 user access to the Internet. The rule set has evolved to meet NHS business needs and is controlled by the Health and Social Care Information Centre. End users must contact the Health and Social Care Information Centre with any change requests to the Internet Gateway rules.
the Health and Social Care Information Centre and NHS National Services Scotland also set the firewall rules for other N3 gateways. These include:
- NHS Wales and NHS Northern Ireland networks
- pharmacies and procurement networks
- Social Services
- government departments
Anti-virus/Anti-worm/Denial Of Service Attack Measures
N3SP is responsible for the security of the N3 network infrastructure such as routers, firewalls and DNS servers.
N3SP monitors the network for unusual activity that may indicate virus or denial of service activity. N3SP will investigate such activities and will alert the Health and Social Care Information Centre and NHS National Services Scotland. N3SP will request that NHS the Health and Social Care Information Centre and NHS National Services Scotland contact the affected or offending end user to apply appropriate fixes.
The network owners and N3SP will make every reasonable attempt to prevent any malicious data traffic from entering the N3 network. However it is not possible to monitor and verify all data traversing N3 due to the sheer volume of traffic. Network performance would also be significantly degraded if this took place. A significant proportion of the data passed over N3 is encrypted to protect patient data confidentiality. This prevents virus and worm detection. N3 users are therefore responsible for ensuring that their own systems and data are well protected. Below is a checklist to help with this.
User Security Checklist
Important network and data security responsibilities for end users (organisations and individuals):
- Ensure physical security of
- site computer systems
- N3 terminating router etc on site
- Ensure up-to-date PC protection
- anti-virus and anti-worm
- Spyware and Malware
- Ensure the N3 connection is
- only used in conformance with the N3 access agreement
- used in conformance with the Health and Social Care Information Centre Information Governance guidelines
- only used in line with local organisation operating procedures
- Ensure strict but practical access control
- Monitor use of the N3 network through organisational compliance programmes
- Ensure staff vetting and information security training and awareness procedures are in place
- Where there is no firewall protection provided or it has been removed from the N3 router at customer's request, the end user is responsible for the management and security of their own firewall which has been approved by the Health and Social Care Information Centre Information Governance.
- Ensure that all borders are disabled or safe e.g. wireless LAN, Bluetooth, modem links, alternative ISP connections. Good practice guidelines can be viewed on the the Health and Social Care Information Centre intranet site, accessible via the N3 network.
- Ensure that all router/hub/switch ports and other access points are closed/locked down to prevent unauthorised access.
- Protect any data against malicious or accidental loss. N3SP and the N3 network owners are not responsible for data loss, unless it is due to shortcomings in the design or implementation of the network.
- Ensure a local security policy is implemented, including the use and security of removable media, Internet access/use.
- Securing Patient Identifiable Data within local and remote applications to Caldicott Guideline standards
- Carry out appropriate and robust compliance security checks for current or potential sub-contractors