The HSCN: Technical Deep Dive

Estimated Read Time: 13 minutes

Introduction

The Health and Social Care Network (HSCN) is a network connectivity solution owned by NHS Digital, that allows connected organisations to reach both centrally hosted NHS services, and other HSCN consumers.

It was designed as a replacement for the legacy N3 Network, which was operated by BT, and is a modern architecture that provides greater scale, security and performance compared to traditional connectivity methods.

This blog aims to provide a technical overview of the HSCN, explaining how it connects organisations and considerations you should keep in mind when consuming or providing HSCN services.

High Level Overview

At its core, the HSCN operates in a very similar fashion to the Internet. HSCN consumers (customers, organisations) connect to a CN-SP (Consumer Network Service Provider), who in turn connect into the wider HSCN.

CN-SPs operate in a very similar fashion to an Internet Service Provider (ISP), with a number of available providers able to deploy connectivity solutions for their customers.

Any organisation that needs to consume or provide NHS services can be connected to the HSCN, and the process for getting connected is straightforward.

Components

There are multiple components that form the HSCN, and it is recommended that consumers have an understanding of what the components do, and how they fit into the overall solution.

Peering exchange

The Peering Exchange is the backbone of the HSCN, and follows a standard architecture found in many Internet Exchanges around the world.

It is responsible for providing high speed, redundant connectivity between the CN-SPs, and serves as a central aggregation/peering point that ensures all providers connect via a standard pattern.

The Peering Exchange comprises a geo-diverse topology deployed in both London and Manchester, with a redundant pair of network switches in each location. The locations are connected via redundant, high speed links.

All CN-SPs are obligated to physically connect to these switches in both locations, ensuring the entire solution is resilient and protected against hardware failure.

The Peering Exchange also provides redundant route servers that simplify and aggregate the logical peerings between all CN-SPs. They are responsible for creating a full mesh between all CN-SPs from a routing perspective, without the overhead of having to manually create all the required peerings.

CN-SPs

CN-SPs are responsible for connecting HSCN consumers to the Peering Exchange, and the wider HSCN network. All CN-SPs go through an extensive audit process before being certified, with a list of mandatory obligations they must follow both from a technical capability and operational perspective.

Whilst the architecture of each CN-SP is unique, the below diagram shows a typical setup of a CN-SP that connects to the Peering Exchange, and their customers.

Having a wide variety of available CN-SPs is one of the driving forces behind the HSCN and the migration away from the legacy N3 network. By allowing for competition, NHS Digital are ensuring the HSCN consumers have the freedom of choice and all CN-SPs are obligated to provide a good service at a reasonable price.

DNS

To allow for DNS resolution over the HSCN, NHS Digital provides a redundant DNS service that allows for the resolution of HSCN-only FQDNs, with an upstream forwarder that allows for resolution of Internet FQDNs.

For organisations who do not require any Internal DNS resolution, they are able to resolve against the HSCN DNS servers directly. For organisations who do require internal resolution, they are able to use the HSCN DNS servers either via a conditional forwarder, or as an upstream resolver.

IP Space

The most complex component of the HSCN is the routing and general IP allocation methodology, and is a common pitfall / source of confusion we see for new consumers connecting to the HSCN.

As the HSCN provides connectivity to a wide variety of organisations, all who have unique IT teams and architectures, a common issue is overlapping internal RFC1918 IP space between different organisations.

This is an issue over any shared communication network, with the most common example being the Internet. In these scenarios, it is common for consumers to be allocated a unique IP range that is publicly routable and therefore cannot conflict with other organisations.

However, to provide this functionality on the HSCN, NHS Digital would have to procure and provide a huge amount of public address space due to the volume of connected HSCN consumers. This would carry an enormous cost, and would severely limit the scalability and flexibility of the HSCN.

To combat this, NHS Digital utilises RFC1918 private IP address space, allocating organisations IP ranges as requested. Whilst these are technically private addresses, they are regarded as “public” HSCN ranges, and are used as a method of providing inter-organisation communication without the high cost.

All HSCN consumers must route out to the HSCN sourced from a HSCN “public address”, and any service made available on the HSCN must be presented as such. 

Routing

At the time of writing, there are 32 thousand unique HSCN IP prefixes advertised via the peering exchange. Whilst this allows for flexibility with organisations able to advertise their HSCN public space as desired, this causes complications from a routing perspective due to the sheer volume of prefixes, and the fact these may overlap with an organisations internal routing.

To resolve this issue, many CN-SPs (such as Cloud Gateway) will aggregate the HSCN routing table down to a set of large, generic prefixes, which are then advertised onto their customers. This cuts down the amount of prefixes being advertised, and also ensures that any conflicting, but more specific, prefixes within the HSCN consumer network always prefer the internal route.

Considerations

Over the several years we have provided HSCN connectivity, Cloud Gateway has supported hundreds of customers along their journey of getting connected and helping them to both provide and consume HSCN services.

Whilst NHS Digital have designed and built a technical solution that is truly impressive, we have identified a few key considerations that we recommend all prospective, current and future HSCN consumers understand to avoid any potential issues with their HSCN solution.

IP Space

The most bespoke/unique aspect of the HSCN is the allocation of unique IP space and potentially conflicting ranges. It’s important to know how you would consume the service and what changes need to be made on your network. For many organisations, connecting to the HSCN is a very simple process and will work as expected, but we have seen edge cases where a unique internal architecture has required a bespoke design.

We would also strongly recommend requesting your own HSCN IP space, that is fully owned by your organisation. Whilst all CN-SPs have HSCN IP space and are able to allocate this to customers, that IP space is ultimately owned by the CN-SP, meaning it cannot be easily transferred. Many providers are more than happy to provide you with these allocations, as it locks you into their service and makes moving to a new provider difficult.

To avoid this, having your own IP space allows you to be truly flexible in moving/changing CN-SPs. NHS Digital have made requesting IP space a very simple process, and we have often seen this take less than 24 hours. As a HSCN customer, you should expect high quality service from any CN-SP, and taking this step ensures you are able to migrate to a new provider whilst keeping the same IP range if required.

Security

There is a common misconception that because the HSCN is a private network, that it is regarded as secure and is not subject to the same security controls as other environments.

Whilst it is certainly more secure than a fully untrusted network, such as the Internet, and NHS Digital have implemented a number of security controls that improve the overall security stance of the HSCN, it should still be treated as an untrusted network.

It is the responsibility of the HSCN consumer to ensure that you are consuming and providing HSCN resources securely, and implementing security controls that protect your environment from any malicious traffic.

In 2017, the NHS were the subject of a major cyberattack that utilised the “Wannacry” ransomware, which infected thousands of vulnerable Windows machines across hundreds of NHS organisations. Whilst the root cause was an unpatched vulnerability in the Windows OS of these machines, the attack utilised the Internet and legacy N3 network to spread between these organisations.

We would highly recommend adopting a zero trust approach to your HSCN connectivity, with at least 1 (or ideally 2) firewall solutions in the path between your users and the HSCN. Limit outbound access to only services you are consuming, blocking all other outbound traffic. If you are offering a solution that requires inbound access, only permit access from trusted endpoints and only on the required ports.

If you are transmitting sensitive data, we recommend creating a VPN tunnel over the HSCN as you would the Internet, ensuring your data is encrypted in transit and cannot be intercepted.

CN-SPs like Cloud Gateway can provide security solutions as part of your HSCN service, providing the required level of protection without requiring the additional overhead of managing the solution yourself.

Whilst it is ultimately the responsibility of your organisation to define the risk appetite and security posture, we advise speaking to your CN-SP and understanding their recommendations on how to securely access the HSCN.

Choose the right CN-SP

There are around 20 accredited CN-SPs who can provide HSCN services. All CN-SPs must follow a set of NHS Digital defined obligations and pass regular audits to ensure they are doing so.

When choosing a supplier, we recommend approaching multiple suppliers to discuss your requirements, and evaluate their proposed solutions. The HSCN has been designed to give the customer choice in this aspect, and provide you control in picking a supplier that best suits your organisation.

When evaluating potential suppliers, think about:

• Support: In the event of an emergency, will the supplier be able to fully support your organisation? What is the day to day support experience like?

• Security: How security conscious is the supplier? Do they prioritise security, or is it an afterthought?

• Cost: How much does the supplier’s solution cost? Is it competitive with others in the market?

• Experience: Is working with the supplier a positive experience? Have they been clear, concise and focused on your requirements?

Conclusion

The HSCN is more complex than its documentation suggests. Success requires understanding the unique IP allocation model, implementing proper security despite it being a "private" network, and choosing a CN-SP based on support quality rather than just cost.

Our key recommendations: request your own IP space from NHS Digital, treat the HSCN as untrusted from a security perspective, and thoroughly test routing before production. These fundamentals will save you significant troubleshooting time later.

If you need help with your specific HSCN requirements or have questions about implementation, get in touch with us here: