New guidance from NHS Digital for the hosting of NHS and Social Care data

(Matt Stibbs) #1

NHS Digital have issued new guidance about the hosting of NHS and Social Care data, including guidance as to how off-shoring can be used.

This means a couple of things:

  • No longer the case that data can only be stored within English data centres
  • The OFFICIAL categorisation means no special security requirements are put on NHS and Social Care data over and above the usual security requirements - no ‘special snowflake’ treatment

Of course, making use of off-shoring will need all of the same risk assessments and governance frameworks in place - this does not just mean “it’s safe to store data off shore” - it means “it’s ok to store it off-shore if you can guarrantee the security just as you would on-shore”.

(dunmail) #2

Welcome to see this guidance!

Ironically, the change to offshoring means that cloud provider regions that were previously off-limits can now be used, so suppliers could have adopted cloud about 5 years ago …

(Marcus Baw) #4

Excellent news and thanks for posting @matthew.stibbs

Just need to get rid of N3/HSCN now and progress can start happening with the same lack of barriers that non-NHS tech enjoys :slight_smile:

(dunmail) #5

You’ll be pleased to hear that there are secure mechanisms for linking N3/HSCN to cloud resources - this massively lowers the barrier as with a little bit of thought we can develop solutions on internet-facing environments that can be easily deployed to N3/HSCN connected environments.

(Marcus Baw) #6

Excellent news @dunmail. I’d heard of services like RedCentric being used to link N3 to cloud services but haven’t personally used them yet.

Do you have experience of linking N3 to deployed cloud services Dunmail? If so, would you be up for writing a blog-post style HOWTO on here? I’d love to start turning openhealthhub into a resource for helping people solve these kinds of problems.

(tony) #7

+1 for a blog post of that type, it would be very useful.

(dunmail) #8

I’m wary that a blog post might not make it to the top of my TODO list for quite a while, so here’s a summary of how Black Pear are using AWS, including links to all the relevant resources:

The design is relatively simple:

  1. Create a VPC on AWS ( - this will be the Gateway VPC
  2. AWS DirectConnect ( is used to securely route traffic from N3/HSCN to the Gateway VPC on AWS. (The Gateway VPC is then effectively a little bubble of N3 running on AWS).
  3. Host proxy servers for both inbound and outbound traffic in the Gateway VPC. Choose your favourite software! (We run Ubuntu + haproxy/nginx/squid/postfix).
  4. Create a second VPC on AWS - this is the Private VPC and must not be routable from the internet.
  5. The Private VPC is used to host application servers.
  6. Finally, VPC peering ( is configured to route traffic between the Gateway and Private VPCs.

Job done :slight_smile:

AWS have published a helpful set of guidance describing Cloud architectures for UK-OFFICIAL workloads: This includes a candidate architecture that can quickly be adapted to NHS requirements. You can try these out on any AWS account …

We use Redcentric to provide N3 connectivity for our production services on AWS (
This is straightforward, but there are some pre-requisites for connecting to N3:

  1. Design documentation (the Logical Connection Architecture) is used to show that the connection will be safe, secure and comply with NHS requirements.
  2. The Information Governance Toolkit ( is used to show that your organisation has a robust information governance framework in place.

Once the agreement and documentation were in place, the connection took less than a morning.

My top tips:

  1. Start the IGToolkit and Logical Connection Architecture early. You can then make design decisions that make it easy to meet the requirements.
  2. Use the Infrastructure as Code practice, for example AWS CloudFormation ( Use this to build and deploy a development environment that matches the production environment exactly - including network configuration, firewall rules and virtual machine images.
  3. Remember that not all AWS services run in all regions (e.g. Kinesis Firehose) and some must be internet connected (e.g. ApiGateway). Check that you’ll be able to use the service when you deploy to production.
  4. Make friends with the NHS Digital DNS team - you may want their help to configure some non-standard records (e.g. a CNAME record on N3 DNS servers that points to a CNAME record on internet DNS servers that points to the CNAME record of a private load balancer on AWS DNS servers, that finally resolves to A records describing IP addresses in the Gateway VPC)

(tony) #9

This is super helpful Dunmail, thanks for taking the time to type this up.

(Marcus Baw) #10

Absolutely! thanks for doing that Dunmail, I’m sure many others will find it helpful. If I could give the post more than one :heart: Like, I would!

(Jakob Mathiszig Lee) #11

That’s incredibly helpful dunmail! awesome post

(Matt Stibbs) #12

Dunmail kindly allowed me to put it into a blog and share publicly - please feel free to share on to anyone who might find it useful :slight_smile:

(Marcus Baw) #13

A fantastic contribution and collaboration @matthew.stibbs and @dunmail

Probably worth cross-posting on the CCIO/CIO Network, there are many on there who would be really interested. @matthew.stibbs do you want to post it? (or I can do it if you prefer)

(Matt Stibbs) #14

@pacharanero Don’t think I have access to CCIO / CIO network so happy for you to post!

(Marcus Baw) #15

OK will do

(roland king) #16

so many thanks for this! appreciating a lot!