
HSCN port 3389 guidance

Issue

Previously, on the Transition Network, GP surgeries relied on Microsoft RDP (Remote Desktop Protocol) to connect from the Transition Network remote VPN to their desktops in the surgery. This is required primarily to access locally installed software such as Docman7.

Upon migration to HSCN, it is understood that these GP surgeries tightened their local security measures and blocked TCP port 3389. The impact is that over 2000 GPs are currently unable to work remotely without some additional software, service or capability being deployed. Unfortunately, the time isn’t available to test and deploy such a solution.

As such, NHS Digital has been asked to advise on its stance on opening port 3389 on the firewalls at these local surgeries to enable those GPs to work remotely during the current COVID-19 situation.


PORT 3389 - Key risks

NCSC and NHS Digital recognise that networks and end user devices need to be protected against a number of key risks that are particularly relevant to using Remote Desktop Protocol (RDP), including:

1. Exploitation of systems – the compromise of systems that perform critical functions, affecting the organisation’s ability to deliver essential services or resulting in severe loss of customer or user confidence.

2. Compromise of information – unauthorised access to systems hosting sensitive information, either directly or by allowing an attacker to intercept poorly protected information whilst in transit.

3. Import and export of malware – the need for appropriate security controls that prevent malware being brought into or sent out of the network.

4. Brute force attack – a simple method of gaining access by attempting possible username and password combinations.

5. Man-in-the-middle attack – Remote Desktop sessions operate over an encrypted channel, preventing anyone from viewing the session by listening on the network. However, there is a vulnerability in the method used to encrypt sessions in earlier versions of RDP. This vulnerability can allow unauthorised access to your session via a man-in-the-middle attack.



Covid-19 approach

NHS Digital advises that the local organisation should perform its own risk assessment regarding opening port 3389 on these sites in these exceptional circumstances.

If a decision is made to open these RDP ports, NHS Digital strongly recommends that inbound RDP is accepted only between the HSCN IP address range allocated to the remote access provider and the GPs’ desktops. NHS Digital also recommends that a secure password is used on these desktops within the surgery sites. In addition, all HSCN remote access services must use MFA.

NHS Digital strongly recommends that the organisation’s account password and lockout policies are reviewed to ensure they are securely configured, and that TLS is used to secure the RDP sessions. It is also recommended that an up-to-date antivirus product and definitions are in use on the surgery desktops being remotely controlled. CNSPs must confirm that they are still adhering to all security obligations as outlined within the HSCN Obligations Framework, including ensuring that all necessary IPFIX data is sent to the NHS Digital NAS service from any location changed to allow tcp/3389 inbound.
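As an added illustration, not part of the NHS Digital guidance, the following PowerShell applies the desktop-side controls recommended above on a surgery workstation: inbound TCP/3389 scoped to the remote access provider’s range only, TLS and Network Level Authentication required on the RDP listener, and an account lockout policy set. The range 10.0.0.0/24, the rule name and the lockout values are placeholders and must be replaced with the HSCN allocation and policy that apply locally.

```powershell
# Added example (not NHS Digital's own configuration). Run from an elevated PowerShell prompt.
# ASSUMPTION: replace with the HSCN range actually allocated to your remote access provider.
$ProviderRange = "10.0.0.0/24"                   # placeholder, not a real HSCN allocation
$RuleName      = "RDP-In-HSCN-RemoteAccess-Only" # assumed rule name

# 1. Disable the built-in "any source" Remote Desktop rules and add one scoped to the provider range.
Disable-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ProviderRange -Action Allow -Profile Domain,Private | Out-Null

# 2. Require TLS (SecurityLayer=2) and Network Level Authentication for the RDP-Tcp listener.
$Rdp = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $Rdp -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $Rdp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $Rdp -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High

# 3. Lockout and minimum password length (illustrative values; follow the local password policy).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /minpwlen:14 | Out-Null

# 4. Verify: every enabled inbound rule for port 3389 should carry the provider range, not "Any".
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        "{0,-40} RemoteAddress={1}" -f $_.DisplayName, ($addr -join ",")
    }
Get-ItemProperty -Path $Rdp | Select-Object SecurityLayer, UserAuthentication, MinEncryptionLevel
```

MFA on the remote access service and IPFIX export are applied by the provider and CNSP respectively, so they are outside what this desktop-side script can set.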

CNSPs must still apply a level of security appropriate to meet CAS(T) and ISO 27001 requirements.

It is understood that this weakens the overall security of HSCN, and NHS Digital reiterates the need for CNSPs to provide IPFIX data as specified within the Obligations Framework, to ensure that all traffic flows are recorded and analysed through our Network Analytical Service (NAS) to identify any suspicious or malicious traffic.

This guidance is a COVID-19 only perspective and will be reviewed on a quarterly basis. This statement is made having performed some analysis of the risks of making the change versus the risks of not making the change. If the local decision is to allow port 3389 to be opened, NHS Digital is providing this guidance on how to do so most appropriately.


In addition

CNSPs shall ensure all IP addresses allocated to the VPN service(s) are registered on the NHS Digital IPAM (HSCN IP Address Management).

CNSPs shall record the following information for each inbound connection:

  • HSCN consumer organisation’s details
  • customer details
  • destination IP address(es), ports and protocols, and the applications or service details being accessed or provided access to over these VPN services

CNSPs shall provide NHS Digital’s Data Security Centre (DSC) with the aforementioned information upon request. The above is in line with the obligations on a CNSP that provides inbound internet connectivity and is taken from the HSCN inbound internet connectivity guidelines for CNSPs and consumers.

GP surgery sites need to look at more secure and suitable long-term solutions, which may include moving to cloud-based software that removes the need to manage a device with locally installed applications and data.


Longer-term approach

The current approach will be reviewed on a quarterly basis by NHS Digital.

It is recommended that any emergency changes that end user organisations make during these circumstances are regularly reviewed, and that action is taken to remediate them as soon as viable.

HSCN consumers are also advised to review the following guidance.


Supporting information

Last edited: 12 October 2022 11:33 am