
The Wi-Fi roaming solutions currently in use in NHS trusts and ICSs are summarised in the image below.

Responses to the 2022 Wi-Fi roaming survey indicated that 50 NHS trusts had deployed a Wi-Fi roaming solution. Solutions deployed are summarised in the image below.

[Figure: graph displaying Wi-Fi roaming solutions used in trusts and ICSs]

Further information including the data is available from Wi-Fi roaming Survey Results - Future Connectivity - FutureNHS Collaboration Platform (requires FutureNHS account). 

 

‘Other’ is defined as another productised solution, used by more than 1 organisation. ‘Self implemented’ is defined as a ‘home grown’ roaming solution used by more than 1 organisation.

Of the 50 trusts that have already implemented a solution, 41 have opted for a single solution to meet their needs, and the other 9 have implemented two or more solutions. Govroam has been used the most, by nearly half (24) of the trusts that have implemented a solution. Eduroam was mentioned 6 times (in 4 of the 6 cases it was implemented with another solution). In the cases where ‘Other’ was selected, NHS Wi-Fi was also mentioned 4 times.

Note that the security mitigation techniques described in the remainder of this section of the report protect data only in transit, that is, as it is transmitted over the Wi-Fi network. They do not protect data at rest, that is, when it is stored locally on an end user device. Data at rest should be protected in line with the organisation’s local security policy.


Summary table

Analysis shows that, of the Wi-Fi roaming solutions most widely used by NHS and ICB partners today, only two can be considered for ICB wide deployment: GovWifi and govroam. Of the other solutions in use:

  • NHS Wi-Fi was not intended or designed to be a Wi-Fi roaming solution and is therefore excluded
  • Eduroam is designed and funded for the education sector; the supplier has developed an alternative solution for the public sector market (govroam)

The two candidate solutions recommended for ICB wide deployment are therefore GovWifi and govroam. These two solutions are summarised in the tables below.

Table 5. Govroam and GovWifi client organisations in England.

Published client organisations/bodies (England only), 13 March 2023

Organisation type               Govroam   GovWifi*
Central government department         0         58
Trust                                88         30
Hospital                              4          1
Local regional authority             91         95
CCG/CSU/Shared services              46          4
Blue light                            6         39
Universities/college                 37          0
ICB/ICS                               3          1
GP practice                           4          0
Community health and care             4          0
Hospice                               2          0
Other                                 3          0
Total                               288        228

Source: Jisc and GDS

Table 6. Summary comparison of Govroam and GovWifi (as of March 2023)

Supplier
  • GovWifi: GDS, Cabinet Office
  • Govroam: Jisc

Funding source
  • GovWifi: Central government departments
  • Govroam: Fees and charges

Cost to use
  • GovWifi: Free of charge
  • Govroam: Individual organisation: £1k boarding, £3,640 pa. Federation (25 organisations max): £3k boarding, £8,460 pa

Age
  • GovWifi: Live since 2021 (2 years). Beta stage 2017 to 2020 (3 years)
  • Govroam: Live since 2017 (6 years). Based on eduroam, which has been live since 2006 (17 years)

Service description
  • GovWifi: Available for public sector NHS and ICB partners. Potentially available for private sector ICB partners, for example social care providers commissioned by NHS/Local Authorities
  • Govroam: Available for public sector NHS and ICB partners. Available for private sector ICB partners, for example social care providers commissioned by NHS/Local Authorities

Use cases
  • GovWifi: Enables the use cases described in Section 4 if implemented by the relevant organisations in the relevant location. Does not enable mobile Wi-Fi roaming use cases, for example in a patient’s home or travelling in an ambulance
  • Govroam: Enables the use cases described in Section 4 if implemented by the relevant organisations in the relevant location. Does not currently enable mobile Wi-Fi roaming use cases, for example in a patient’s home or travelling in an ambulance. However, Jisc has a mobile Wi-Fi solution in development

Architecture
  • GovWifi: Centralised approach. The Remote Authentication Dial-In User Service (RADIUS) is used to provide centralised authentication and authorisation for devices and users connecting to the network
  • Govroam: Decentralised approach. The Remote Authentication Dial-In User Service (RADIUS) is used to provide decentralised authentication and authorisation for devices and users connecting to the network

Strategy and roadmap
  • GovWifi: 2 year technical roadmap which may change. The long-term strategy for GovWifi is not yet agreed with funders
  • Govroam: Technical roadmap aligned to WBA Roadmap. Interested in exploiting Wi-Fi 6E and 5G cellular roaming. The long-term strategy is influenced by client user group

Number of clients
  • GovWifi: 250 organisations. In England this includes 9 Trusts, 51 Local Authorities, 1 CCG/CSUs
  • Govroam: 351 organisations. In England this includes 88 Trusts, 91 Local Authorities, 46 CCG/CSUs

Public access
  • GovWifi: Members of the public can use GovWifi. Registered GovWifi users can use any other GovWifi network
  • Govroam: Members of the public cannot use govroam. Registered govroam users can use any other govroam network provided their employer has purchased a full membership license

Security
  • GovWifi: 802.1X EAP authentication; username and password; digital certificates are being tested; EAP, WPA2 encryption of data in transit; WPA3 encryption of data in transit is being tested; RADIUS provides centralised authentication and authorisation
  • Govroam: 802.1X EAP authentication; username and password or digital certificate; EAP-TLS, IPSEC and WPA2/3 encryption of data in transit; RADIUS provides decentralised authentication and authorisation

National solution
  • GovWifi: Funding to be reviewed.
  • Govroam: Commercial service provided by a not for profit

Bandwidth
  • GovWifi: GovWifi does not provide any tunnelling to separate users or traffic type when accessing the service. This means there is no traffic separation/prioritisation available between the public and members of staff. Once connected to the internet, GovWifi users can access their own services and VPNs. Bandwidth is shared for all GovWifi users including members of the public. Local Authorities tend to use GovWifi for public access and a separate Wireless Local Area Network (WLAN) for their own internet access
  • Govroam: The host network provides the visitor with internet access using a govroam specific VLAN that it has allocated a portion of bandwidth to

Relative complexity
  • GovWifi: GovWifi is relatively simple to deploy and maintain as no additional infrastructure is required for the centralised authentication model. However, it represents an additional overhead if deployed as an entirely separate Wi-Fi infrastructure, as some clients have chosen
  • Govroam: Govroam is relatively complex to deploy and maintain as additional infrastructure is required for the centralised authentication model. The hardware required is: a repository of users/credentials (AD/LDAP), two RADIUS servers, and a web server to publish information about the govroam service to users. Organisations can build on this, for example give high bandwidth VPN access to certain organisations or provide a VPN tunnel back to a visitor’s own network

Accounting/audit logs
  • GovWifi: Audit logs relate only to the mobile telephone number of the device used to create the user account. Logs are created ad hoc by combining data held by GovWifi and the client organisation. Usage logs retained by GovWifi for 90 days
  • Govroam: Audit logs relate specifically to the individual device that has been registered by the organisation to use govroam. Logs are created ad hoc by combining data held by govroam and the client organisation

User experience
  • GovWifi: Sign up by text or email. Sign in by username and password. Does not automatically sign in when in range of GovWifi. CBA is being tested
  • Govroam: Sign up by installation of App. Automated sign in when in range of govroam

Hosting
  • GovWifi: Amazon Web Services
  • Govroam: Tier 3 Jisc Data Centre

Service management
  • GovWifi: Most support is provided by the organisation’s own IT dept. Online support is available for issues regarding the GovWifi authentication service only, Monday to Friday, 8am to 6pm. Response times are one working day
  • Govroam: Most support is provided by the parent organisation’s IT dept. Jisc provides a central help desk and will receive and forward tickets to the appropriate parent organisation. Calls relating to the govroam authentication service have a response time of 4 hours and a resolution time of 2 to 5 working days depending on the severity of the issue

 


Govroam

Govroam (government roaming) is a Wi-Fi service which enables public sector employees from participating institutions to access the internet at their own location and whilst visiting other govroam enabled locations. Govroam is a Wi-Fi service set identifier (SSID) that is broadcast over a Wi-Fi network. A user’s phone or device automatically connects to govroam as it enters the coverage area. Govroam is preconfigured on the user’s device, meaning there is no reconfiguration needed. Govroam is provided by Jisc. There is a one-off onboarding fee to join and then annual subscription payments to continue to use the service. Jisc is a not-for-profit organisation that reinvests surplus funds into service delivery. Hundreds of public sector organisations currently use govroam, including NHS Trusts, local authorities and emergency services.

Security protocols

Govroam uses several security protocols to provide secure access to Wi-Fi networks:

  • 802.1X: A standard for network access control that provides an authentication framework to protect networks against unauthorised access
  • authentication: govroam is compatible with all EAP types, with mutual authentication between the user’s device and the authentication server to ensure that only authorised users/devices can access the network. The most prevalent option govroam users implement is EAP-TLS, which is also supported by eduroam
  • EAP: A security protocol that defines how to provide authentication and authorisation in a wireless network such as password, digital certificate, smart card or biometrics
  • RADIUS: The Remote Authentication Dial-In User Service (RADIUS) is used to provide decentralised authentication and authorisation for devices and users connecting to the network. RADIUS allows network administrators to control access to the network based on user or device credentials
  • certificate management: govroam requires users to have a digital certificate installed on their device to ensure secure authentication and encryption. Govroam uses a more robust certificate management system than eduroam, which includes certificate revocation and validation, to ensure the integrity and authenticity of the certificates
  • access control: govroam provides granular access control mechanisms to limit the resources and services that users can access based on their role and affiliation. Govroam provides more extensive access control capabilities than eduroam, which allow administrators to define fine-grained policies based on attributes such as time of day, location, and device type
  • encryption: The Transport Layer Security (TLS) protocol is used to encrypt data in transit and to verify the identity of the network server to provide secure communication between device and network
  • IPsec: The Internet Protocol Security (IPsec) protocol is used to provide secure communication between devices and the network. IPsec provides end-to-end encryption of network traffic and can be used to secure communications over untrusted networks
  • WPA2: A security protocol that uses the AES to encrypt data in transit and which prevents eavesdropping and protects against data tampering. Govroam uses AES-128 encryption which is robust but not as strong as AES-256 encryption used by eduroam

Vulnerabilities

Govroam is subject to the following security vulnerabilities:

  • Man-in-the-Middle (MITM) attacks: WPA2 is susceptible to MITM attacks, where an attacker intercepts and alters network traffic to capture sensitive information such as login credentials. EAP is also vulnerable to MITM cyber security attacks
  • rogue access points: govroam relies on the deployment of secure Access Points (APs) to provide secure network access. However, attackers can create rogue APs that mimic legitimate govroam APs and capture sensitive information such as login credentials. To mitigate this risk, govroam users should ensure that they are connecting to the legitimate network and not a rogue access point. Users should also keep their devices up-to-date with security patches and use anti-malware software to protect against potential threats
  • password reuse: Users who use the same password for their govroam account as they do for other accounts are vulnerable to credential stuffing attacks where attackers can use stolen passwords from one account to gain access to other accounts that use the same password
  • insider threats: govroam may be vulnerable to insider threats from employees who have access to sensitive information and can abuse their privileges for personal gain or to harm the organisation
  • compromised user credentials: If a user’s username and password are compromised, then this could lead to unauthorised access to personal and institutional data. To mitigate this risk, govroam encourages users to adopt strong password policies and to enable two-factor authentication whenever possible
  • misconfiguration: govroam uses a decentralised architecture for the RADIUS Servers. This increases the risk of improper configuration which can leave the network vulnerable to attack or compromise

Eduroam

Eduroam (education roaming) is a Wi-Fi service which enables students, researchers and staff from participating educational institutions to access the internet at their own location and whilst visiting other eduroam enabled locations. Eduroam is a Wi-Fi Service Set Identifier (SSID) that is broadcast over a Wi-Fi network. A user’s phone or device automatically connects to eduroam as it enters the coverage area. Eduroam is preconfigured on the user’s device, meaning there is no reconfiguration needed. Eduroam is free to use for the user and for the institution.

Eduroam is funded by grants from education funding councils solely for the benefit of education. Jisc cannot offer eduroam to entities that are not involved in education in some capacity. Those NHS organisations involved in delivering medical education (teaching hospitals etc) do qualify for eduroam; the remainder of the NHS does not.

Security protocols

Eduroam uses several security protocols to provide secure access to Wi-Fi networks:

  • 802.1X: A standard for network access control that provides an authentication framework to protect networks against unauthorised access
  • EAP: A security protocol that defines how to provide authentication and authorisation in a wireless network such as password, digital certificate, smart card or biometrics
  • authentication: eduroam uses WPA2-Enterprise with 802.1x authentication to ensure that only authorised users can access the network
  • RADIUS: The Remote Authentication Dial-In User Service (RADIUS) is used to provide centralised authentication and authorisation for devices and users connecting to the network. RADIUS allows network administrators to control access to the network based on user or device credentials
  • Certificate Management: eduroam requires users to have a digital certificate installed on their device to ensure secure authentication and encryption
  • access control: eduroam provides granular access control mechanisms to limit the resources and services that users can access based on their role and affiliation
  • encryption: The Transport Layer Security (TLS) protocol is used to encrypt data in transit and to verify the identity of the network server to provide secure communication between device and network
  • WPA2 Enterprise: A security protocol that uses the AES to encrypt data in transit and which prevents eavesdropping and protects against data tampering. Eduroam uses AES-256 encryption which is stronger than the AES-128 encryption used by go

Vulnerabilities

Eduroam is subject to the following security vulnerabilities:

  • Man-in-the-Middle (MITM) attacks: WPA2 Enterprise is susceptible to MITM attacks, where an attacker intercepts and alters network traffic to capture sensitive information such as login credentials. EAP is also vulnerable to MITM cyber security attacks
  • rogue access points: eduroam relies on the deployment of secure Access Points (APs) to provide secure network access. However, attackers can create rogue APs that mimic legitimate eduroam APs and capture sensitive information such as login credentials. To mitigate this risk, eduroam advises users to verify the authenticity of the network before connecting, and to use a virtual private network (VPN) to encrypt their traffic when connecting to untrusted networks
  • password reuse: Users who use the same password for their eduroam account as they do for other accounts are vulnerable to credential stuffing attacks where attackers can use stolen passwords from one account to gain access to other accounts that use the same password
  • lack of visibility: eduroam is a federated network, which means that it is composed of many interconnected networks that are managed by different organisations. This can make it difficult for network administrators to have full visibility into the security of the entire network
  • insider threats: eduroam may be vulnerable to insider threats from employees who have access to sensitive information and can abuse their privileges for personal gain or to harm the organisation
  • compromised user credentials: If a user’s username and password are compromised, then this could lead to unauthorised access to personal and institutional data. To mitigate this risk, eduroam encourages users to adopt strong password policies and to enable two-factor authentication whenever possible
  • misconfiguration: eduroam uses a decentralised architecture for the RADIUS Servers. This increases the risk of improper configuration which can leave the network vulnerable to attack or compromise

GovWifi

GovWifi is a Wi-Fi authentication service which enables public sector employees from participating institutions to access the internet at their own location and whilst visiting other GovWifi enabled locations. GovWifi can also be used by members of the public to access the internet. GovWifi is a Wi-Fi service set identifier (SSID) that is broadcast over a Wi-Fi network. Staff and visitors use a single username and password to connect to guest Wi-Fi across the public sector. GovWifi is free to use for the user and for the institution. Hundreds of public sector organisations currently use GovWifi, including NHS Trusts, Local Authorities and emergency services.

Security protocols

GovWifi uses several security protocols to provide secure access to Wi-Fi networks:

  • 802.1X: A standard for network access control that provides an authentication framework to protect networks against unauthorised access
  • Authentication: GovWifi uses EAP-TLS with mutual authentication between the user’s device and the authentication server to ensure that only authorised users can access the network
  • EAP: A security protocol that defines how to provide authentication and authorisation in a wireless network such as password, digital certificate, smart cards or biometrics
  • RADIUS: The Remote Authentication Dial-In User Service (RADIUS) is used to provide centralised authentication and authorisation for devices and users connecting to the network. RADIUS allows network administrators to control access to the network based on user or device credentials
  • Certificate Management: GovWifi does not currently require users to have a digital certificate installed on their device to ensure secure authentication and encryption. GovWifi relies on username and password for authentication. The US National Institute of Standards and Technology (NIST) advise that certificate-based authentication provides stronger security than authentication based on username and password because it does not rely on a shared secret (the password) that can be intercepted or predicted by an attacker. However, certificate-based authentication is currently being tested and may be rolled out across the GovWifi estate
  • access control: GovWifi provides granular access control mechanisms to limit the resources and services that users can access based on their role and affiliation
  • encryption: The Transport Layer Security (TLS) protocol is used to encrypt data in transit and to verify the identity of the network server to provide secure communication between device and network
  • WPA2: A security protocol that uses the AES to encrypt data in transit and which prevents eavesdropping and protects against data tampering. GovWifi uses AES-128 encrypt

Vulnerabilities

For as long as GovWifi relies on username and password for authentication rather than digital certificates, it will be vulnerable to the following security risks:

  • Man-in-the-Middle (MITM) attacks: staff and visitors use a single username and password to connect to GovWifi. The EAP protocol used is vulnerable to MITM cyber security attacks, where an attacker intercepts and alters network traffic to capture sensitive information such as login credentials
  • rogue access points: GovWifi relies on the deployment of secure Access Points (APs) to provide secure network access. However, attackers can create rogue APs that mimic legitimate GovWifi APs and capture sensitive information such as login credentials. To mitigate this risk, GovWifi users should ensure that they are connecting to the legitimate network and not a rogue access point. Users should also keep their devices up-to-date with security patches and use anti-malware software to protect against potential threats
  • weak user credentials: If users choose weak passwords or do not properly protect their authentication credentials, it can be easier for attackers to gain unauthorised access to the network
  • password reuse: Users who use the same password for their GovWifi account as they do for other accounts are vulnerable to credential stuffing attacks where attackers can use stolen passwords from one account to gain access to other accounts that use the same password
  • insider threats: GovWifi may be vulnerable to insider threats from employees who have access to sensitive information and can abuse their privileges for personal gain or to harm the organisation
  • compromised user credentials: If a user’s username and password are compromised, then this could lead to unauthorised access to personal and institutional data. To mitigate this risk, GovWifi encourages users to adopt strong password policies and to enable two-factor authentication whenever possible
  • misconfiguration: GovWifi uses a centralised architecture for the RADIUS Servers. This reduces the risk of improper configuration which can leave the network vulnerable to attack or compromise
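
The rogue access point and MITM items in the govroam, eduroam and GovWifi vulnerability lists come down to whether the user's device validates the authentication server before it sends credentials. As an added example (not part of the original report or of any service's published guidance), this Python check reads wpa_supplicant-style network profiles and flags 802.1X profiles that skip server certificate validation; the choice of wpa_supplicant, the finding codes and every sample value are assumptions made for illustration.

```python
import re

# wpa_supplicant fields that pin the expected RADIUS server name in its certificate.
NAME_PINS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")
TUNNELLED = {"PEAP", "TTLS"}  # EAP methods that carry a password inside a TLS tunnel

# Constructed sample profiles; identities, server names and paths are placeholders.
SAMPLE_CONF = '''
network={
    ssid="GovWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="abcdef"
    password="constructed-password"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="constructed-password"
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="govroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
    client_cert="/etc/wpa/user.pem"
    private_key="/etc/wpa/user.key"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
'''

def parse_networks(conf_text):
    """Return one {field: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", conf_text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit_network(net):
    """Return finding codes for one network block ([] when nothing is flagged)."""
    methods = set(net.get("eap", "").upper().split())
    if "WPA-EAP" not in net.get("key_mgmt", "") or not methods:
        return []  # not an 802.1X (EAP) profile, so outside this check
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        # No trust anchor: the device accepts whatever certificate the server presents.
        findings.append("NO_CA_CERT")
    if not any(net.get(k) for k in NAME_PINS):
        # Without a name match, any certificate issued by the trusted CA is accepted.
        findings.append("NO_SERVER_NAME_MATCH")
    if methods & TUNNELLED and "password" in net:
        # The password is only as safe as the server validation configured above.
        findings.append("PASSWORD_INNER_AUTH")
    return findings

def audit_config(conf_text):
    """Map each SSID in the configuration to its list of finding codes."""
    return {n.get("ssid", "?"): audit_network(n) for n in parse_networks(conf_text)}

if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(f"{ssid:10} {', '.join(findings) or 'ok'}")
```

A profile with no findings, such as the constructed EAP-TLS one, trusts a specific CA and a specific server name, so a look-alike access point cannot complete authentication with the device.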

NHS Wi-Fi

The NHS Wi-Fi Programme was a 3-year funded programme that ran from 2016/17 to 2018/19 and was established to provide a secure, stable and reliable Wi-Fi capability, consistent across thousands of NHS care settings across England. NHS Wi-Fi was established to enable everyone to use digital services making care more efficient and helping patients take control of their own health and care.

NHS Wi-Fi was an NHS Digital managed infrastructure programme, which ensured that trusts and GP practices were NHS Wi-Fi enabled. The way in which individual trusts and GP practices exploited the NHS Wi-Fi platform to deliver healthcare benefits to patients was not directed nationally, it was dependent on local innovation.

For example, NHS Wi-Fi may have been implemented as a standalone public access Wi-Fi network alongside an entirely separate corporate Wi-Fi network providing staff with access to the organisations network, applications and data.

By the end of March 2019, free NHS Wi-Fi had been introduced in more than 95% of GP surgeries and 98% of trusts. Over 8,000 centres of patient care across England have now been Wi-Fi enabled through the NHS Wi-Fi programme, providing over 63 million visiting patients and citizens with access to free NHS Wi-Fi.

The NHS Wi-Fi Programme has now been completed. NHS Wi-Fi provides internet access for patients, clinicians and NHS staff. NHS Wi-Fi is compatible with the technical definition of Wi-Fi roaming, but not the use case definition used in this report. Therefore, as the Programme has been completed and Wi-Fi roaming services are not provided in the manner required for this report, it is not considered further in this document.

Footnotes

*Note that the number of organisations using GovWifi could be considerably understated in this table. An individual organisation may register and deploy the service on behalf of other organisations. Those other organisations will not be registered with GovWifi. For example, GovWifi is known to be used by GP practices, yet none are registered with GovWifi because the service is administered on their behalf by another organisation. ‘Central Government Departments’ includes Healthcare UK, NHS Digital, NHS England, NHS Professionals, Medical Research Council, Department of Health and Social Care.

https://beta.Jisc.ac.uk/govroam
https://beta.Jisc.ac.uk/govroam/participating-organisations
https://csrc.nist.gov/News/2012/SP-800-153,-Guidelines-for-Securing-WLANs
https://csrc.nist.rip/library/NIST%20IR%208221-draft.pdf
https://digital.nhs.uk/services/nhs-wifi
https://docs.WiFi.service.gov.uk/
https://map.govroam.uk/govroammap.html
https://repository.Jisc.ac.uk/7994/16/govroam-service-defintion.pdf
https://repository.Jisc.ac.uk/7994/28/govroam-pricing.pdf
https://wiki.govroam.uk/doku.php?id=public:faq
https://wiki.govroam.uk/lib/exe/fetch.php?media=public:2021_techspec_v3.pdf
https://wiki.govroam.uk/lib/exe/fetch.php?media=public:high_level_architecture.pdf
https://www.cisco.com/c/en/us/support/docs/wireless/mobility-express/213579-understand-and-configure-eap-tls-with-mo.pdf
https://www.crowncommercial.gov.uk/agreements/RM1557.13
https://www.Jisc.ac.uk/eduroam
https://www.ncsc.gov.uk/guidance/krack#:~:text=The%20NCSC%20recommends%20that%20security,are%20connected%20to%20that%20network.
https://www.researchgate.net/publication/282924894_Rogue_access_point_detection_methods_A_review#:~:text=To%20detect%20a%20rogue%20access,network%20when%20compared%20with%20servers.
https://www.researchgate.net/publication/333879655_A_Technical_Survey_on_Methods_for_Detecting_Rogue_Access_Points
NHS Digital: Annual Report and Accounts 2016-17, HSCIC, 2017
NHS Digital: Annual Report and Accounts 2017-18, HSCIC, 2018
NHS Digital: Annual Report and Accounts 2018-19, HSCIC, 2019
Product Description: NHSRoam Version 1.1 DRAFT, BT, 11/10/2022
Wi-Fi Roaming Solutions: Guidance for NHS Organisations, NHS Digital, 2022.
Wi-Fi Roaming Survey Results, Wireless Centre of Excellence, July 2022


Last edited: 12 March 2025 11:22 am