Last updated: 
2 weeks 5 days ago
Group Manager
New: Presentations from NHS-HE Forum on Thursday 7th June 2018. NHS-Higher Education Connectivity Project: about NHS-HE Forum: about+archive, last meeting, next - November 2018 tba Scotland NHS-HE Forum:archive, last- 27th October 2016, next - tba Jisc is working with the Farr Institute, Medical Bioinformatics Initiative and the Administrative Data Reseach Network (ADRN) on the safe share service. NHS-HE Connectivity Best Practice Working Group: about; Headings: Access from NHS Desktops; Use of Terminal services; NHS & HE networking securely, including: NHS & eduroam/wireless/govroam, List of hospitals providing eduroam See also Govroam  - roaming federation for the public services, blogs NHS-HE Information Governance Working Group and IG resources N3 Janet Gateway - turned off on 31st January 2018 Other Strands: Joint Content Procurement; Identity & Access Management; NHS as Janet Business & Community Engagement Partners; .....NHS impact 'Live@Edu' to 'Office365 for Education' Please join this group and comment, also the parallel NHS-HE Forum JISCMAIL group for email updates.

Group administrators:

NHS and eduroam/shared use of wireless/govroam

30 January 2018 at 4:24pm

eduroam has been widely extended in to the NHS and is a successful and popular support for students on clinical placement in the NHS and the academic staff supporting them, plus clinical researchers working with the NHS.

See here for a list of UK hospitals where eduroam is available

Mechanisms that can be used to offer eduroam in the NHS are described below. More recently the Cabinet Office have started to investigate whether a "public services version of eduroam" and some work was done on "PSNroam" or which would be valuable for Local Authorities and related partners such as NHS Trusts given the integration of social care and public health etc. However this initiative stalled but in 2016 Jisc worked with interested organisations to create an early adopter "Govroam" service which went live in September 2016. This uses the same technology as eduroam but it is a different federation. The idea is that organisations deploy both govroam and eduroam SSIDs where this is relevant. The Govroam service went live in July 2017 and is already well established in Kent, Yorkshire and Humberside, London and expanding there and in other places such as Greater Manchester and Norfolk, see link below. Mark O'Leary described the initiative at the May 2016 NHS-HE Forum.

See here for a list of communities implementing or exploring govroam

How can NHS Healthcare Trusts participate in eduroam?

There are three routes for NHS Trust participation in eduroam listed in 1a, 1b and 2 below:

1. Extension of a local university's eduroam service

a. direct connection between the NHS organisation and partner University

NHS Trusts can participate and provide a Visited service by acting as an extension of a local university's eduroam service. This approach has been adopted at a number of teaching hospitals across the country through the use of a direct connection between the NHS Trust and a partner University e.g.

It is likely that eduroam has been extended to many other NHS Trusts, it is not possible to detect this from eduroam usage statistics because the activity will be incorporated in to those for the University.

An association between NHS and local academic institutions enables beneficial sharing of network and communication infrastructure. The Trust and the local university connect their networks via a local wide area network link and the eduroam service managed by the university is extended across the Trust’s (Wi-Fi) network. The eduroam network is securely tunnelled to the university’s network. Basically the eduroam network provided by the Trust APs would point to the university’s RADIUS server (just for the eduroam SSID) for handling of authentications. User network traffic from authenticated and connected users is piped to the university’s network. This is a simple and secure way for an NHS Trust to offer an eduroam ‘Visited’ service; this avoids the overhead of running an eduroam RADIUS server (since it would be managed by the university), but of course Home (ID provider services for the Trust's own staff) is not available with this solution.

Reciprocal wifi access is often offered by the University to NHS staff by broadcasting the NHS Trust's SSID e.g. Aberdeen and Dundee

1b. using a partner University to handle the authentication

This was a new approach demonstrated by the University of Bristol's work with the Weston Area Health NHS Trust. It was the first example of the eduroam footprint being extended to an NHS Trust without using a direct Trust to University network connection. Instead the authentication messages are channelled to the University of Bristol radius server which then handles further authentications on behalf of the NHS Trust (originally this was through the N3 Janet Gateway but recently it has been moved to the Trust's private internet connection). The NHS Trust provides the internet connectivity for the authenticated eduroam users.  Martin Van Eker presented on this at the November 2013 NHS-HE Forum and with an encouraging update in May 2014. In addition Martin has provided a document on this approach that can be used as a basis by others as required (but noting that the N3 Janet Gateway has now ceased and so an internet connection or use of the Transition Network to internet gateway will be needed instead).

2. Full service member with an independent Internet feed

In this option the NHS Trust becomes a full member of eduroam(UK) and implements eduroam itself using a non-N3 Internet feed. This requires the deployment of a RADIUS server and connection to the Janet national proxies and connection of the Trust’s eduroam network to either an independent Internet feed or to the university’s network (this latter option would require use of the university's IP address space since the RADIUS server must be reachable via DNS... we require a FQDN for the RADIUS server).

South London and Maudsley NHS Foundation Trust, part of Kings Health Partners, implemented this. Ricky Mackennon, Deputy Director of ICT at SLaM presented to the November 2013 NHS-HE Forum on this approach. This has also more recently been the preferred approach for the YHMAN project that is extending eduroam to 8 further NHS Trusts in West Yorkshire, see press release and presentation at the June 2015 NHS-HE Forum.

Participation as a full member is a great way to provide the "visited" eduroam service.

As a potential addition it does open the way for the Trust to have a "home" service so its own staff can benefit from eduroam services, e.g. consultants teaching at the hospital would be able to gain eduroam connection at local universities (and at any of the hundreds of eduroam providers elsewhere in the UK and abroad). N.b. at present we must limit this to NHS staff involved in teaching, research or the support of these activities. Whilst Janet eligibility now extends quite broadly to include education, health and public sector organisations, eduroam is an international federated service with members drawn from many different countries where access to national education and research networks is in some cases more restrictive than in the UK. As the UK eduroam provider (and participant in the European confederation) we have to be sensitive to these concerns.

[An independent internet feed is needed for the Trust because the network address translation at the N3 Janet gateway would prevent a Trust-sited RADIUS server from being looked up via DNS by the Janet national RADIUS proxy servers. Whilst this could be solved via fixed NAT translation of a national N3 RADIUS proxy, this is not in place.]

See also the NHS section of the eduroam frequently asked questions (2) library page, from which the above is based

CISCO white papers

A member of the Working Group facilitated the sharing of the following white papers in this area from CISCO:

Free wifi for all visitors

Some NHS Trusts have been offering free wifi for some time to all visitors, including patients as well as visiting staff and students e.g. Plymouth Hospitals NHS Trust, Liverpool Heart and Chest Hospital. In England the NHS WiFi Programme is extending this to all GP practices and secondary care organisations.

NB Thank you to the NHS-HE Connectivity Best Practice Working Group for many of the case studies on this page.

Comments

Great news that an NHS Trust is now actively engaged in joining the eduroam federation in their own right to provide both visited site and host site services as soon as possible. More news will be posted here when it is available.

Also an interesting new model has been developed by Bristol University where Weston Area Health NHS Trust in Somerset is now providing eduroam as a visited site with the authentication messages being supported through the N3 Janet Gateway to Bristol University which brokers the rest of the authentication process. The internet access is provided by the NHS Trust. A bit more detail here but it is planned to issue something further on this through the NHS-HE Connectivity Best Practice Working Group.

University Hospitals Leicester NHS Trust (3 main hospitals) is the latest to have the local partner University eduroam footprint extended to them.

eduroam is now available across the Cardiff and Vale University Hospital Board sites - link here.

Martin Van Eker is presenting on the Weston Area Health NHS Trust case study at the NHS-HE Forum on 28th November.

And if you happen to be at E-Health Insider Live on Wednesday 6th November at the NEC, I will be speaking briefly 10.30-11.00 in the Open source Skunkworks programme on the eduroam opportunity in the NHS.  I am delighted to announce that Ricky Mackennon, Deputy Director of ICT at South London & Maudsley NHS Foundation Trust, is going to join me in this to explain how they are the first to implement eduroam by joining the eduroam federation in their own right as an NHS Trust, in support of research & education.

With thanks to Malcolm Newbury, of Guildfoss and Forum member for this opportunity.