
Part of Mid Cheshire Hospitals Foundation Trust: community connectivity challenges report

Options, appraisal and decision – Non-NHS locations network requirements



Cisco AnyConnect / VMware Horizon / 4G SIMs / Seamless connection across locations

Due to the nature of how the community services wished to operate, there was a requirement for staff to have IT connections when they were at multiple non-NHS locations.

The infrastructure which was in place when Mid Cheshire took on the service only allowed staff to access the clinical system in an offline mode or via 3G. They were also limited in the applications they could use: if there wasn’t an app for it on the iPad, they couldn’t connect to or use the application.

The mobile application for their main EMIS clinical system only offered limited functionality at the time, so many of the more advanced features were not available when staff were using mobile devices. Many staff had to return to a base with a PC to access certain functions and information.

Some community staff did have laptops which were used for home working, but they didn’t have mobile SIMs configured in them. Where they used corporate devices at home, they also had to have a separate PIN/password to access the network. Having separate PINs and connection settings could also generate connection issues which would result in staff members being unable to connect to the network.

Mid Cheshire needed a way to incorporate connections from non-NHS locations, so that the transition between NHS and non-NHS locations was seamless for users.

Three main solutions were put in place for staff: the Cisco AnyConnect VPN solution, VMware Horizon for remote desktop, and a specific Windows configuration for the prioritisation of networks.


Cisco AnyConnect

Cisco AnyConnect is a service which runs on the user’s laptop and monitors the network connection the device has. Where it is not a trusted network (4G, home internet etc.), it automatically creates a secure connection to the host network by creating a VPN tunnel for the traffic to route over.

For users who had laptops or were going to be deployed laptops, Cisco AnyConnect was configured on the devices. This allowed users to authenticate on the laptop with their Active Directory usernames and passwords. This worked alongside 4G SIM cards being configured in the devices, so staff could access the network while outside of the traditional office locations.

It was easy for the users to use, and there was no requirement for the specific PINs / tokens which staff previously had to use to access the network.

The service runs continually in the background, and if the network location changes from a Trusted to a non-Trusted connection it will automatically connect the user to the VPN, so the connection remains secure back into the Trust’s network.

As part of the infrastructure configuration for AnyConnect we also implemented split tunnelling to reduce the bandwidth requirements over our VPN connection. Any Microsoft Teams traffic or Office 365 traffic would use the user’s local internet connection outside of the VPN. All other traffic would route via the VPN tunnel.
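The trusted network behaviour described above is driven by the AnyConnect client profile XML, so it can be checked before a profile is deployed. The following audit script is an added example, not part of the Trust's report or configuration; the sample profile and the trust.example domain are constructed, and the check on UserControllable is an extra assumption about what an auditor would want to confirm.

```python
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile; trust.example is a placeholder domain.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>trust.example</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""


def audit_profile(xml_text):
    """Return findings; an empty list means the profile auto-connects off-network."""
    root = ET.fromstring(xml_text)
    init = root.find("ac:ClientInitialization", NS)
    policy = init.find("ac:AutomaticVPNPolicy", NS) if init is not None else None
    # The element's own text ("true"/"false") switches the feature on or off.
    if policy is None or (policy.text or "").strip().lower() != "true":
        return ["AutomaticVPNPolicy is off: no trusted network detection"]

    def value(tag):
        el = policy.find("ac:" + tag, NS)
        return (el.text or "").strip() if el is not None else ""

    findings = []
    if not (value("TrustedDNSDomains") or value("TrustedDNSServers")):
        findings.append("no trusted DNS domains or servers defined")
    if value("UntrustedNetworkPolicy") != "Connect":
        findings.append("untrusted networks do not trigger a VPN connection")
    auto = init.find("ac:AutoConnectOnStart", NS)
    if auto is not None and auto.get("UserControllable", "false").lower() == "true":
        findings.append("users can turn off AutoConnectOnStart")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) or ["profile matches the described behaviour"]:
        print(finding)
```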


Windows configuration

Cisco AnyConnect was configured to run automatically on all devices and could not be disabled without having specific administration access to do so. 

For the wireless settings, we set a priority order and changed the setting to switch to a metered connection (4G) when a wireless connection was not in place.

These two settings along with the AnyConnect service allowed the users to seamlessly move between networks and locations without having to log off or reconnect.


VMware Horizon

For the first year of onboarding staff, we required a solution to plug the gap while we rolled out new equipment. We needed a solution which would allow either the existing iPads or the staff member’s home computer to access the Trust’s network and services securely. The Trust looked at VMware Horizon to plug this gap.

This was an internet-facing service, which allowed connection to a portal page which loaded a Trust desktop for the individual. Unlike a VPN connection, where data is transferred from the laptop to the host network, VDI allows just a connection from the device to a web page, and all processing and system access is done within a secure window, so no data is transferred to the host network from the device. This solution works well for staff who wanted to use their own IT hardware.

This solution was also used to support staff members who had low bandwidth or poor connections, as it could run on a much lower connection speed than the Cisco AnyConnect solution.


Community SALT onboarding

In 2022 the community speech and language therapy (SALT) team was onboarded into the organisation. They presented a challenge from an IT perspective as they worked out of Children’s Centres where the Trust and CSU didn’t have any connectivity. We completed site surveys to see if there was existing infrastructure or networks we could utilise.

After a review, these challenges were identified. We found that the:

  • main network in most of the locations was run by the local mental health trust who didn’t have the ability to overlay a VRF network
  • phone signal in many of the buildings was poor. There was a mixture of factors including older buildings with thick walls, rural locations with a lack of public coverage and newer buildings which didn’t have mobile coverage considered when they were built
  • main communications cabinets in the buildings had limited space to add in additional equipment
  • use of rooms at these sites was sporadic. It was hard to justify a big IT cost to put in a network for a small number of connections

With help from a third party we investigated providing services over a traditional broadband line. We installed a small network switch at each location and then created a VPN tunnel back into the Trust’s network. This allowed staff to access our services via a LAN connection when 4G or council wireless wasn’t available.

A diagram showing the connection model is available in the full report on the NHS Futures platform.


Last edited: 22 October 2024 11:51 am