Hosting & Infrastructure v1.0.1

ID: S29
Version: 1.0.1
Type: Overarching Standard
Status: Retired
Effective Date 


Description

Supports best practices for infrastructure and hosting of systems. For example, ensuring that systems are cost effective, secure and energy efficient.


It is essential that Solutions delivered under the Catalogue and Frameworks follow standards and guidance that are cost effective, secure, reliable, resilient, safe, manageable and energy efficient.

The previous GPSoC infrastructure requirements pulled together best practice from recognised standards and industry guidance. However, feedback from suppliers and other stakeholders identified that these requirements were complex and challenging to evidence as part of the assurance process.

In addition, it is a Supplier's responsibility to ensure they fully understand industry standards & best practice; they cannot rely on the Authority explicitly defining requirements at a point in time. The previous requirements documents were developed at a point in time, and technology and security vulnerabilities change rapidly.

Whilst UK Government has promoted a Cloud First policy, it is only recently (2018) that hosting within public cloud has become a reality for health-based services.

The Technology Strategy has a fundamental principle of delivery of services via cloud provision and specifically the architecting of Solutions to be cloud native.

NHS Digital recognises that cloud hosting may not be appropriate for some services, e.g. based on the sensitivity and scale of data or the manner in which the service is architected.

Fundamentally there are three core options for hosting services:-


| Hosting Option | Description | Preference Status | Level | Standard |
|---|---|---|---|---|
| Cloud – Public or Private | The Public / Private cloud provider offers self-managed virtualised, elastic/on demand scalable infrastructure as a service where the cloud provider owns the underlying datacentres and physical infrastructure. The supplier rents the use of the virtualised infrastructure. | Strongly Preferred | Suppliers SHOULD host Solutions via one of these options. | NHS Cloud Hosting Standards & Guidance |
| Colocation | The physical infrastructure is owned by the supplier and hosting of the physical infrastructure is provided within the Colo provider's datacentres. The management of the infrastructure can be done by the Colo provider, a 3rd party or the supplier themselves. | Preferred | | Co location & Provider Datacentre Standards |
| Provider own facilities | The datacentres and physical infrastructure are owned by the supplier. The management of the infrastructure can be done by a 3rd party or the supplier themselves. | Not recommended | | |
| Local | The hosting location and physical infrastructure are owned by the GP Practice. The management of the infrastructure can be done by a 3rd party or the Practice themselves. | Not recommended | Suppliers MAY host Solutions locally where there is an existing GPSoC deployment base. Suppliers will be expected to follow industry best practice and to be able to demonstrate how security and service resilience risks are mitigated. After March 2021, suppliers must not host Solutions locally. | N/A |

The Authority does not recommend that suppliers attempt to host services themselves, due to the cost and complexity of providing data centre capabilities that meet the necessary requirements.

Previously the GPSoC framework provided a set of requirements for local hosting of services. Given the security and service risks of this form of infrastructure, the Catalogue and Frameworks will not formally assure local hosting of services. Buyers purchasing services which are locally hosted will be required to satisfy themselves that the security and service risks are mitigated and managed appropriately.

The standards to support infrastructure and hosting are split into two sections, depending on the mechanism being deployed:-

  • Cloud – Based on published NHS wide risk assessments and guidance.

  • CoLocation / provider facilities – specific requirements & assurance processes.

Additional Information

Recommended Best Practices


Capabilities

Applicable Capabilities

All suppliers' Solutions delivering any Capabilities will need to meet this Standard.


Roadmap

Items on the Roadmap which impact or relate to this Standard

Suppliers will not be assessed or assured on these Roadmap Items as part of Onboarding