Co location and Provider Data Centre Hosting & Infrastructure Requirements v1.0.0

Introduction

This document covers the infrastructure requirements a supplier must meet when providing services, either where the supplier has co-located their service and infrastructure within a data centre provider's facilities or where the supplier is using their own facilities. The requirements cover a number of aspects including, but not limited to:

  • Provision of power and cooling

  • Networking and IT Infrastructure

  • Management of the Data Centre

  • Physical presence of the data centre and the IT build processes

  • Racks

  • Mechanical and electrical plant

  • Data Floor

  • Operating Systems / Virtualisation

  • Software (Solution Management)

  • Business practices

  • Security

For the avoidance of doubt these requirements do not cover cloud provision.





Required Evidence

Unless stated otherwise, the evidence expected for each requirement is to provide formal confirmation of compliance to the requirement.

External Standards

In addition to the below requirements the following standards (or equivalent) MUST be adhered to and where appropriate, accreditation achieved with a valid certificate and a Statement of Applicability (SoA) and documented scope provided.

Requirement ID

Standard

Name

Description

Level

Evidence

ES1.0

NHS and social care data: off-shoring and the use of public cloud services guidance

NHS and social care data: off-shoring and the use of public cloud services guidance

The geographical location (or specific range of locations) of the clinical data at rest and service management activities at any given time are to be known and communicated to NHS Digital.

Operating the Solution or elements of the Solution outside of England will be with the permission of NHS Digital, the data controllers and their representative organisations.

Note:  There are no absolute barriers to the off-shoring of data or services, although the requirements of UK Government IA policy must be able to be met in the overseas location.  See Data Protection Act and Offshoring for statements on the offshoring of information.

MUST

Provide formal confirmation of compliance to requirement



ES2.0

Sanctions, embargoes and restrictions

Sanctions, embargoes and restrictions

The supplier will require approval from NHS Digital of any part of the Solution that is hosted or communicates with services outside of England.

The communication between systems will not be made to those countries or states prohibited by Government Policy.

MUST

Provide formal confirmation of compliance to requirement

ES3.0

Cyber Essentials Plus

Certified cyber security

Protect your organisation against cyber attack
Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security

MUST

Valid Cyber Essentials Plus Certificate

ES4.0

ISO 27001 - IT Security Management Systems

ISO/IEC 27001:2013

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.

MUST

Valid ISO Certificate required from UKAS registered accreditation organisation.

ES5.0

ISO 9001 - Quality management systems 

ISO 9001:2015

ISO 9001:2015 specifies requirements for a quality management system when an organisation:

a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and

b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organisation, regardless of its type or size, or the products and services it provides.

MUST

Valid ISO Certificate required from UKAS registered accreditation organisation.

ES6.0

ISO 20000 Information technology -- Service management

ISO 20000-X:2018

This document specifies requirements for an organisation to establish, implement, maintain and continually improve a service management system (SMS). The requirements specified in this document include the planning, design, transition, delivery and improvement of services to meet the service requirements and deliver value. This document can be used by:

a) a customer seeking services and requiring assurance regarding the quality of those services;

b) a customer requiring a consistent approach to the service lifecycle by all its service providers, including those in a supply chain;

c) an organisation to demonstrate its capability for the planning, design, transition, delivery and improvement of services;

d) an organisation to monitor, measure and review its SMS and the services;

e) an organisation to improve the planning, design, transition, delivery and improvement of services through effective implementation and operation of an SMS;

f) an organisation or other party performing conformity assessments against the requirements specified in this document;

g) a provider of training or advice in service management.

The term "service" as used in this document refers to the service or services in the scope of the SMS. The term "organisation" as used in this document refers to the organisation in the scope of the SMS that manages and delivers services to customers. The organisation in the scope of the SMS can be part of a larger organisation, for example, a department of a large corporation. An organisation or part of an organisation that manages and delivers a service or services to internal or external customers can also be known as a service provider. Any use of the terms "service" or "organisation" with a different intent is distinguished clearly in this document.

MUST

Valid ISO Certificate required from UKAS registered accreditation organisation.

ES7.0

ISO 14001 Environmental management systems

ISO 14001:2015

ISO 14001:2015 specifies the requirements for an environmental management system that an organisation can use to enhance its environmental performance. ISO 14001:2015 is intended for use by an organisation seeking to manage its environmental responsibilities in a systematic manner that contributes to the environmental pillar of sustainability.

ISO 14001:2015 helps an organisation achieve the intended outcomes of its environmental management system, which provide value for the environment, the organisation itself and interested parties. Consistent with the organisation's environmental policy, the intended outcomes of an environmental management system include:

· enhancement of environmental performance;

· fulfilment of compliance obligations;

· achievement of environmental objectives.

ISO 14001:2015 is applicable to any organisation, regardless of size, type and nature, and applies to the environmental aspects of its activities, products and services that the organisation determines it can either control or influence considering a life cycle perspective. ISO 14001:2015 does not state specific environmental performance criteria.

ISO 14001:2015 can be used in whole or in part to systematically improve environmental management. Claims of conformity to ISO 14001:2015, however, are not acceptable unless all its requirements are incorporated into an organisation's environmental management system and fulfilled without exclusion.

MUST

Valid ISO Certificate required from UKAS registered accreditation organisation.

ES8.0

ISO 50001 Energy management systems

ISO 50001:2018

This document specifies requirements for establishing, implementing, maintaining and improving an energy management system (EnMS). The intended outcome is to enable an organisation to follow a systematic approach in achieving continual improvement of energy performance and the EnMS.

This document:

a) is applicable to any organisation regardless of its type, size, complexity, geographical location, organisational culture or the products and services it provides;

b) is applicable to activities affecting energy performance that are managed and controlled by the organisation;

c) is applicable irrespective of the quantity, use, or types of energy consumed;

d) requires demonstration of continual energy performance improvement, but does not define levels of energy performance improvement to be achieved;

e) can be used independently, or be aligned or integrated with other management systems.

Annex A provides guidance for the use of this document. Annex B provides a comparison of this edition with the previous edition.

Should

Valid ISO Certificate required from UKAS registered accreditation organisation.

ES9.0

BS6701 Telecommunications equipment and telecommunications cabling. Specification for installation, operation and maintenance

BS 6701:2010

If you work in the telecommunications industry, and are responsible for installing, operating or the administration and maintenance of copper or optical fibre cabling or equipment, then this newly-revised standard will be of interest.

Conformance to specific aspects of BS 6701 is a requirement of the Wiring Regulations (BS 7671) and is applicable in virtually all premises.  In addition, it addresses cabling external to buildings and should be followed by anyone installing cabling.

Correctly specified and installed cable management systems ensure that telecommunication cabling performs at its best – so it is important that cable management be considered from the start of a project.

In addition to specifying the requirements beyond the scope of the BS EN 50174 series of standards for telecommunications cabling, BS 6701 provides requirements for installing telecommunications equipment. The application of BS 6701 will ensure that equipment is properly set up, which means the customer will be reassured their risk-managed cabling installations work to optimum performance, thus assuring more profitable business practice.

As one of the few national standards that are directly linked to the EN 50174 series, BS 6701 could also be used in other countries. It supports all cabling media.

Should

Valid ISO Certificate required from UKAS registered accreditation organisation.

ES10.0

EU Code of Conduct

EUCoC

This Code of Conduct has been created in response to the increasing energy consumption in data centres and the need to reduce the related environmental, economic and energy supply security impacts. The aim is to inform and stimulate data centre operators and owners to reduce energy consumption in a cost-effective manner without hampering the mission critical function of data centres. The Code of Conduct aims to achieve this by improving understanding of energy demand within the data centre, raising awareness, and recommending energy efficient best practices and targets.

TBD: May be put on the roadmap.

Should

Provide formal confirmation of compliance to requirement



ES11.0

General Data Protection Regulation

Data Protection Act 2018

GDPR / DPA 2018

The Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.

The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018.

MUST

Provide formal confirmation of compliance to requirement

ES12.0

BS EN 50600-1:2012. Information technology. Data centre facilities and infrastructures. General concepts

(Minimum availability class 3)

BS EN 50600-1:2012 

The unrestricted access to internet-based information demanded by the information society has led to an
exponential growth of both internet traffic and the volume of stored/retrieved data. Data centres are
housing and supporting the information technology and network telecommunications equipment for data
processing, data storage and data transport. They are required both by network operators (delivering
those services to customer premises) and by enterprises within those customer premises.

Data centres need to provide modular, scalable and flexible facilities and infrastructures to easily
accommodate the rapidly changing requirements of the market. In addition, energy consumption of data
centres has become critical both from an environmental point of view (reduction of carbon footprint) and
with respect to economical considerations (cost of energy) for the data centre operator.

The implementation of data centres varies in terms of:
a) purpose (enterprise, co-location, co-hosting or network operator facilities);
b) security level;
c) physical size;
d) accommodation (mobile, temporary and permanent constructions).

The needs of data centres also vary in terms of availability of service, the provision of security and the
objectives for energy efficiency. These needs and objectives influence the design of data centres in terms
of building construction, power distribution, environmental control and physical security. Effective
management and operational information is required to monitor achievement of the defined needs and
objectives.

This series of European Standards specifies requirements and recommendations to support the various
parties involved in the design, planning, procurement, integration, installation, operation and maintenance
of facilities and infrastructures within data centres. These parties include:
1) owners, facility managers, ICT managers, project managers, main contractors;
2) consultants, architects, building designers and builders, system and installation designers;
3) suppliers of equipment;
4) installers, maintainers.



Should

Formal accreditation against BS EN 50600 will not be available until mid 2019 therefore suppliers MUST be able to provide evidence to demonstrate alignment with the scope and aims of BS EN 50600.



Note.  Formal accreditation (when available) will become a mandatory requirement as detailed in the standards road map



ES13.0

BS EN 50600-2-1:2014. Building construction

(Minimum availability class 3)

BS EN 50600-2-1:2014

Should

ES14.0

BS EN 50600-2-2:2014. Power distribution

(Minimum availability class 3)

BS EN 50600-2-2:2014

Should

ES15.0

BS EN 50600-2-3:2014. Environmental control

(Minimum availability class 3)

BS EN 50600-2-3:2014

Should

ES16.0

BS EN 50600-2-4:2015. Telecommunications cabling infrastructure

(Minimum availability class 3)

BS EN 50600-2-4:2015

Should

ES17.0

BS EN 50600-2-5:2016. Security systems

(Minimum availability class 3)

BS EN 50600-2-5:2016

Should

ES18.0

BS EN 50600-3-1:2016. Management and operational information

(Minimum availability class 3)

BS EN 50600-3-1:2016

Should

ES19.0

BS EN 50600-4-1:2016. Overview of and general requirements for key performance indicators

(Minimum availability class 3)

BS EN 50600-4-1:2016

Should

ES20.0

BS EN 50600-4-2:2016. Power Usage Effectiveness

(Minimum availability class 3)

BS EN 50600-4-2:2016

Should

ES21.0

BS EN 50600-4-3:2016. Renewable Energy Factor

(Minimum availability class 3)

BS EN 50600-4-3:2016

Should

Physical Aspects

This section is concerned with the physical aspects of a Data Centre including where the Data Centre is located, some of its physical attributes and factors near that data centre which could affect its operation and security.

Requirement ID

Requirement Text

Level

HPA4.0

The supplier will provide the data centre address and the current data centre owner’s / operator’s details, to NHS Digital.

Must

HPA5.0

The supplier will provide the build date of the data centre, its current age and any planned or expected Data Centre services uplift or refit covering but not limited to:

  • Power

  • Space

  • Cooling

  • Security

  • Construction

Must

HPA16.1

The supplier will ensure that the Data Centre perimeter is protected by an IDS (Intrusion Detection System) compliant to BS EN 50131-1:2006

Should

HPA25.0

The supplier’s Data Centre will have arrangements such that a vehicle is unable to enter the site before all checking of the vehicle and driver has been completed. The gate will prevent the tailgating of vehicles.

Must

HPA32.0

The supplier’s Solution will provide, at a minimum, two geographically separate physical locations to hold the data and the capability to run the services. The distance between the two locations will be such that they cannot both be affected by concurrent loss due to overlapping items on the Location Risk Assessment.

Must

HPA34.0

The supplier will provide permanent access to the Data Centre and equipment, supported by an access request process of 24hrs notice for normal maintenance requests and 1hr for emergency access, with unlimited frequency, for the purpose of maintaining the systems and services

Note: If the hosting provider is a 3rd party / sub-contractor to the supplier and escorted access is the policy enforced then permanent access to the Data Centre will still be provided.

Must



Power

This section covers the power to the Data Centre, Data Hall and cabinets.

Requirement ID

Requirement Text

Level

HPW11.0

Refuelling of the tanks for the generators will be possible with the generators in use.

Must



IT Infrastructure

This section is concerned with the physical infrastructure that makes up the service, how it is built and the policies around its setup.

Requirement ID

Requirement Text

Level

HI2.0

The supplier to ensure that log files, even where the device is passive, are written with the time synchronised to the NHS Network and recorded in UTC; they can be displayed in the supplier’s application in local time.

Must

HI3.0

The supplier will ensure the infrastructure’s time is synchronised with a NHS & National Apps, Cloud / CNSP NTP service, delivered as a minimum, by a stratum 3 service

Must

HI5.0

The supplier to ensure that message time stamping is performed using UTC, for all infrastructure, but can be displayed in the supplier’s supported applications in local time.

Note: The scope of this requirement is the infrastructure; see IG Requirements for further related time stamping and representation. This requirement is to ensure that there is a consistent time stamping policy across all infrastructures and messaging so that correlation can occur locally, between suppliers and also with national applications. The requirement is to ensure that the raw date in use is of the format defined. Local support applications (applications used to manage the service) can represent the date in their local time if required and in line with the IG Requirements.

Must

HI9.0

The supplier to ensure that all hardware, devices, servers and components have support agreements in place to replace faulty items if they fail. Replacing components will not impact live service and will meet SLA and planned down time agreements.

Must

HI13.0

The supplier will ensure that Live environments are segregated from the development activity by using processors, virtual servers, domains and partitions that are not in use by live and by storing development utilities away from the live environment.

Must
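
HI2.0 and HI5.0 require raw timestamps in UTC, with local time used only for display. The following added example (not part of the original requirements; the logger names, events and the ISO 8601 raw format are constructed assumptions) writes Python log records in UTC and shows two events around a clock change that sort in the wrong order by displayed local time but correctly by the stored UTC value:

```python
import io
import logging
from datetime import datetime, timedelta, timezone

RAW_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed raw format: ISO 8601, UTC only


class UTCFormatter(logging.Formatter):
    """Stamp records in UTC regardless of the host's TZ setting."""

    def formatTime(self, record, datefmt=None):
        when = datetime.fromtimestamp(record.created, tz=timezone.utc)
        return when.strftime(RAW_FORMAT)


def make_logger(name, stream):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(UTCFormatter("%(asctime)s %(name)s %(message)s"))
    logger.addHandler(handler)
    return logger


def log_at(logger, when_utc, message):
    """Replay an event at a fixed instant so the sample is deterministic."""
    record = logger.makeRecord(logger.name, logging.INFO, "sample", 0, message, (), None)
    record.created = when_utc.timestamp()
    logger.handle(record)


def parse_raw(line):
    stamp, _, rest = line.partition(" ")
    return datetime.strptime(stamp, RAW_FORMAT).replace(tzinfo=timezone.utc), rest


def correlate(*logs):
    """Merge raw logs from several sources into one timeline ordered by UTC."""
    events = [parse_raw(line) for log in logs for line in log.splitlines() if line]
    return [rest for _, rest in sorted(events, key=lambda event: event[0])]


def display_local(line, utc_offset_hours):
    """Presentation only: the stored line stays in UTC."""
    when, rest = parse_raw(line)
    local = when.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return f"{local:%Y-%m-%d %H:%M:%S} {rest}"


def demo():
    # Constructed events either side of a clock change: the firewall logs while
    # local time is UTC+1, the app server logs after local time moves to UTC+0.
    fw_out, app_out = io.StringIO(), io.StringIO()
    log_at(make_logger("edge-fw", fw_out),
           datetime(2019, 10, 27, 0, 40, tzinfo=timezone.utc), "link down")
    log_at(make_logger("app-01", app_out),
           datetime(2019, 10, 27, 1, 10, tzinfo=timezone.utc), "failover complete")
    raw_fw, raw_app = fw_out.getvalue().strip(), app_out.getvalue().strip()
    shown = sorted([display_local(raw_fw, 1), display_local(raw_app, 0)])
    return {"raw": [raw_fw, raw_app], "by_wall_clock": shown,
            "by_utc": correlate(fw_out.getvalue(), app_out.getvalue())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Sorting by the displayed wall-clock time places the failover before the link failure that caused it; the UTC ordering does not.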



Servers

This section is concerned with servers that provide clinical applications, including operating systems and use of virtualisation.

Requirement ID

Requirement Text

Level

HS9.0

The supplier will ensure that all operating systems and applications have undergone a hardening process to ensure only the necessary services are in place, within their domain of responsibility in the equipment and services they provide.

Note: Hardening is the process of securing a system and reducing its vulnerability through patching and the removal of unnecessary software and services.

Good Practice guidance can be found on the NHS Digital Web Site

The supplier to ensure that due diligence to hardening is performed for their domains of responsibility. 

If the supplier is responsible for the hardware / OS then this hardening will be performed on the hardware and OS. 

If the supplier only provides application software then the necessary hardening will have been performed on that application software. 

If the mobile device hardware (Phone, Medical Device, mobile appliance) is provided by the supplier as part of their Solution then hardening on the components they have provided will have been performed.

Where a BYO device is used the supplier will ensure their application is hardened to protect the data and application.



Must

HS20.0

The supplier will ensure that servers are configured to disable or restrict:

  • non-essential or redundant services (e.g. X Windows, Open Windows, fingerd and web browsers)

  • communication services that are inherently susceptible to abuse (e.g. tftp, RPC, rlogin, rsh or rexec)

  • communication protocols that are prone to abuse, where not required (e.g. HTTP, HTTPS, SSH, FTP, SMTP, Telnet and UUCP)

  • execute permissions on sensitive commands or scripts (e.g. rlogin, rcp, rsh, remsh, tstp and trtp)

  • powerful utilities (e.g. Windows ‘Registry Editor’) or ‘control panels’

  • run commands or command processors (e.g. Perl or Tcl).

Must

HS24.0

The supplier to ensure that physical servers hosting virtual instances are protected from resource overload (e.g. excessive use of the CPU, memory, hard disk and network).

Must
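
One way to check a host against the first three HS20.0 bullets, as an added example that is not part of the original requirements: it reads listener output in the layout printed by `ss -H -tuln` and flags the services the requirement names. The sample output, the port-to-service mapping and the `required` allow-list are constructed assumptions.

```python
import ipaddress

# HS20.0: fingerd (bullet 1) and services "inherently susceptible to abuse" (bullet 2).
ALWAYS_FLAG = {
    ("tcp", 79): "fingerd", ("udp", 69): "tftp",
    ("tcp", 111): "RPC portmapper", ("udp", 111): "RPC portmapper",
    ("tcp", 512): "rexec", ("tcp", 513): "rlogin", ("tcp", 514): "rsh",
}
# HS20.0 bullet 3: protocols to disable or restrict "where not required".
IF_NOT_REQUIRED = {
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 22): "SSH", ("tcp", 21): "FTP",
    ("tcp", 25): "SMTP", ("tcp", 23): "Telnet", ("tcp", 540): "UUCP",
}

# Constructed sample in the column layout of `ss -H -tuln`.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511                *:443             *:*
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      64              [::]:513          [::]:*
udp   UNCONN 0      0            0.0.0.0:69        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (protocol, bind address, port) for each listening socket."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        host, _, port = fields[4].rpartition(":")
        host = host.split("%")[0].strip("[]")  # drop interface scope and IPv6 brackets
        yield fields[0], host, int(port)


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" or anything unparseable is treated as exposed
        return False


def audit(ss_output, required=frozenset()):
    """Return sorted (service, proto/port, status, reason) findings against HS20.0."""
    findings = set()
    for proto, host, port in parse_listeners(ss_output):
        key = (proto, port)
        if key in ALWAYS_FLAG:
            name, reason = ALWAYS_FLAG[key], "susceptible to abuse"
        elif key in IF_NOT_REQUIRED and key not in required:
            name, reason = IF_NOT_REQUIRED[key], "not on required list"
        else:
            continue
        # "Disable or restrict": a loopback-only listener is restricted, not disabled.
        status = "restricted to loopback" if is_loopback(host) else "exposed"
        findings.add((name, f"{proto}/{port}", status, reason))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed allow-list for this host: SSH for administration, HTTPS for the service.
    for finding in audit(SAMPLE_SS, required={("tcp", 22), ("tcp", 443)}):
        print(*finding, sep=" | ")
```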



Network

This section covers the use of networks in the provision of the supplier’s service. The NHS Wide Area Network is now known as HSCN; referred to as the “NHS Network” below. 

The Health and Social Care Network (HSCN) is the successor to N3. In 2018 N3 was already closed to new implementations when NHS Digital published its 'Internet First' strategy. The strategy mandates that health systems should be designed to use the Internet rather than HSCN.



Requirement ID

Requirement Text

Level

HNT1.0

The supplier’s data centre to be connected to the Internet and the NHS Network, for clinical services holding PID that are accessed from either an Internet or NHS Network attached end point.

Must

HNT1.1

If the supplier’s Data Centre is connected to the NHS Network, termination will be from an approved termination point.

Must

HNT1.2

The supplier’s data centre to be connected to the Internet and the NHS Network, for services that communicate with national systems. (PDS, TMS, etc)

Must

HNT1.3

The supplier will respond to the Authority’s requests for information, made from time to time, about security, network settings and ports used in how their services operate across the NHS Network, to support the NHS Network QoS Policy over HSCN.

Must

HNT2.0

Communications in and out of the Data Centre will adhere to the HSCN connection Agreement and NHS Network QoS policy for the classification of data across the network, to enable network traffic prioritisation and ‘class of service’ to reduce network latency.  The supplier will evidence their adherence to the QoS policy, to NHS Digital, for changes to the system in how it communicates across the NHS Network, prior to release. 

Note:

See HSCN Quality of Service overview

See HSCN Technical Guidance

Must

HNT2.1

The supplier’s NHS Network connections to be compliant with the HSCN Connection Agreement and compliant with the DNS and IP addressing policies for the network, where HSCN is used.

See NHS Digital HSCN page

Must

HNT3.1

The supplier to provide evidence that the system complies with the requirements and best practice operating principles and guidance when operating over the NHS Network. Specifically, the system and supplier are to:

  • Comply with the NHS Network QoS (Quality of Service) Policy

  • Perform adequately within the network latency constraints

  • Perform adequately within the typical bandwidth (downstream and upstream) provided to consumers

  • Collaborate with NHS Digital and relevant network providers to resolve escalated performance issues which could include installing diagnostic probes into the DC environment.

Must

HNT4.0

The supplier will have completed an NHS Network QoS Policy review, where the supplier’s application makes use of or is accessed across the NHS Network, and will have demonstrated that the application and services adhere to the NHS Network policy. NHS Network QoS rules may need to be amended as a part of this review. Updates to refreshed QoS policies to be applied as required.

See HSCN Quality of Service overview

Must

HNT6.0