Skip navigation

N3 CRM  |  N3 Service Portal  |  Contact N3


N3 Network Security

N3 is a very large network, with 1.3 million NHS end users and over 40,000 connections in England and Scotland connected to regional Points of Presence (PoPs).  A high speed any to any Multi-Protocol Label Switching (MPLS) core is used to connect the N3 PoPs. There are currently twelve major data centres connected directly to the MPLS network to provide national and local services and applications. Two additional data centres provide authentication and access profiling.

The network has a very wide variety of end user NHS organisations from GP practices to large hospitals with dedicated IT staff. It has gateways to other networks, most notably the Internet. A number of approved NHS suppliers are connected to N3.

All involved have security responsibilities:

  • network owners - the Health and Social Care Information Centre and NHS National Services Scotland who set security policy, rules and requirements.
  • service provider - N3SP by ‘building-in' network security through design and operation
  • end users - anyone who connects to and uses N3 by acting responsibly, following the Health and Social Care Information Centre and NHS National Services Scotland policy and rules and maintaining good security practices

General Security

The N3 network is a private data network designed to ensure:

  • Confidentiality with physical and logical restrictions to network access
  • Integrity with authorised user access
    Only NHS organisations and approved third parties can connect to N3. Third party access is normally restricted in terms of types of network traffic and N3 destinations
  • Availability with resilience and fallback built into the core network design and access (catalogue) services
    The level of resilience at an end user site depends on the Catalogue Service in use

Data sent across N3 is not encrypted (unless using the VPN N3-12-4 Catalogue service which encrypts traffic across the Internet and the N3 network to a specific site). As with any data network there is a risk that data can be intercepted. There are number of security factors that minimise the chances of this happening, including:

  • physical and organisational security of the core network, data circuits and end users equipment
  • N3SP service level agreements/contractual agreements to ensure secure network operation
  • established policies, rules and in some cases laws to control user behaviour

Physical Security

N3 PoPs and Community of Interest Network (COIN) gateways are housed in physically secure BT premises. N3SP has applied additional security for the N3SP equipment cabinetswith a remote locking and unlocking solution. This ensures only authorised personnel can access the cabinets following request and authorisation from the N3 Operational Support helpdesk. Alarms are generated if unauthorised entry is attempted or there is an unusual condition or problem detected. This will allow the N3 Operational Support helpdesk to carry out an investigation

Sensitive/Patient Data

Data transmitted across N3 is not encrypted (unless using the VPN N3-12-4 Catalogue service which encrypts traffic across the Internet and the N3 network to a specific site). Thus N3 is not considered secure enough to transmit patient identifiable or similarly sensitive data across. It does not meet the Caldicott Guidelines requirements alone. It is the joint responsibility of the sender(s) and receiver(s) of such data - not the Health and Social Care Information Centre, NHS National Services Scotland or N3SP to implement a solution that conforms.

The normal practical solution is to encrypt application data where it traverses N3 between users and application providers. The encryption method must meet the Health and Social Care Information Centre and NHS National Services Scotland requirements.

Network border security - firewalls

The core of the N3 network is protected from individual end users and vice versa by firewalls, devices that only allow certain types of IP data to pass. Firewall rules control what types of IP data packets can pass. Firewalls are also used to protect N3 at its gateways to other networks. All of these firewalls are mandatory.

Firewalls are often used to protect a small network where it connects to a larger network; such as where a GP surgery connects to the N3 Wide Area Network. The firewall passes data in both directions to make the connection useable, but it will only do this if the session (streams of data traffic back and forth to complete a task, such as browsing a web site) is started by a user/device on the small network. In this way firewalls protect the user's local network from users on the larger network they're connected to.

For GP and similar lower-speed user N3 catalogue (access) services the firewall is within the router that terminates the N3 connection at the user's premises. Users with these types of service can request changes to the standard firewall rule set configured by N3SP on the router to meet local needs.

Larger NHS sites and organisations use N3 catalogue (access) services where the firewall is not built into the terminating router. They must deploy their own compliant firewall between N3 and their local network, in line with the Health and Social Care Information Centre and NHS National Services Scotland security rules. They are responsible for managing and configuring their own firewall rules.

The Internet Gateway firewall rule set controls N3 user access to the Internet. The rule set has evolved to meet NHS business needs and is controlled by the Health and Social Care Information Centre. End users must contact the Health and Social Care Information Centre with any change requests to the Internet Gateway rules.

the Health and Social Care Information Centre and NHS National Services Scotland also set the firewall rules for other N3 gateways. These include:

  • NHS Wales and NHS Northern Ireland networks
  • pharmacies and procurement networks
  • Social Services
  • government departments
  • NHS suppliers

Anti-virus/Anti-worm/Denial Of Service Attack Measures

N3SP is responsible for the security of the N3 network infrastructure such as routers, firewalls and DNS servers.

N3SP monitors the network for unusual activity that may indicate virus or denial of service activity. N3SP will investigate such activities and will alert the Health and Social Care Information Centre and NHS National Services Scotland. N3SP will request that NHS the Health and Social Care Information Centre and NHS National Services Scotland contact the affected or offending end user to apply appropriate fixes. 

General Disclaimer

The network owners and N3SP will make every reasonable attempt to prevent any malicious data traffic from entering the N3 network. However it is not possible to monitor and verify all data traversing N3 due to the sheer volume of traffic. Network performance would also be significantly degraded if this took place. A significant proportion of the data passed over N3 is encrypted to protect patient data confidentiality. This prevents virus and worm detection. N3 users are therefore responsible for ensuring that their own systems and data are well protected. Below is a checklist to help with this.

User Security Checklist

Important network and data security responsibilities for end users (organisations and individuals):

  • Ensure physical security of
    • site computer systems
    • N3 terminating router etc on site
  • Ensure up-to-date PC protection
    •  anti-virus and anti-worm
    • Spyware and Malware
  • Ensure the N3 connection is
    • only used in conformance with the N3 access agreement
    • used in conformance with the Health and Social Care Information Centre Information Governance guidelines
    • only used in line with local organisation operating procedures
  • Ensure strict but practical access control
  • Monitor use of the N3 network through organisational compliance programmes
  • Ensure staff vetting and information security training and awareness procedures are in place
  • Where there is no firewall protection provided or it has been removed from the N3 router at customer's request, the end user is responsible for the management and security of their own firewall which has been approved by the Health and Social Care Information Centre Information Governance.
  • Ensure that all borders are disabled or safe e.g. wireless LAN, Bluetooth, modem links, alternative ISP connections. Good practice guidelines can be viewed on the the Health and Social Care Information Centre intranet site, accessible via the N3 network.
  • Ensure that all router/hub/switch ports and other access points are closed/locked down to prevent unauthorised access.
  • Protect any data against malicious or accidental loss. N3SP and the N3 network owners are not responsible for data loss, unless it is due to shortcomings in the design or implementation of the network.
  • Ensure a local security policy is implemented, including the use and security of removable media, Internet access/use.
  • Securing Patient Identifiable Data within local and remote applications to Caldicott Guideline standards
  • Carry out appropriate and robust compliance security checks for current or potential sub-contractors