
Trust Policy and Procedure Document Ref. No: PP(14)060

Information Security Policy

For use in: All Departments

For use by: All Staff

For use for: Management of Risk for Trust information and systems

Document owner: IT Department

Status: Approved

Contents

1. PURPOSE (page 1)
2. INFORMATION SECURITY INFRASTRUCTURE (page 2)
3. ASSETS CLASSIFICATION AND CONTROL (page 4)
4. PERSONNEL SECURITY (page 6)
5. PHYSICAL AND ENVIRONMENTAL SECURITY (page 8)
6. COMPUTER MANAGEMENT (page 12)
7. NETWORK MANAGEMENT AND INFORMATION EXCHANGE (page 17)
8. SYSTEM ACCESS CONTROL (page 21)
9. SYSTEM DEVELOPMENT AND INCREMENTAL CHANGES (page 25)
10. BUSINESS CONTINUITY PLANNING (page 27)
11. COMPLIANCE (page 27)
12. MAINTENANCE OF SECURITY POLICY (page 29)
13. AUTHORITY (page 30)

1. PURPOSE

This policy updates the Information Technology Security Policy of April 2011. It takes account of the increased emphasis on sharing information between professions and agencies with appropriate safeguards. The purpose of the Information Security Policy is to ensure business continuity and to reduce risk to the Trust by preventing and minimising the impact of information security incidents on patient care and supporting processes. In support of this Information Security Policy, the management objectives are to:

Establish effective control through adequate procedures and management practice over those resources which provide manual and computerised information for West Suffolk NHS Foundation Trust.

Ensure that activities relating to manual and computerised information meet relevant legal requirements and NHS accountability

Source: IT Department Status: Approved Page 2 of 32 Issue Date: March 2014 Review date: March 2016 Document Reference: PP(14)060

Provide and maintain security awareness amongst all personnel using, maintaining and managing manual and computerised records

Maintain information protocols for exchange of information with external organisations

Adopt a system of risk analysis to ensure that all recognised threats are evaluated and to examine any preventative measures evolving from such a system for cost effectiveness and practical application

Allocate security responsibilities and maintain them within an integrated means of managing the various aspects of security

The scope of the Policy relates to information in any form, as it is needed to support Trust business. The Policy covers information stored on computers, transmitted across networks, printed or written down on paper, and spoken in conversations. It also includes all still and moving images recorded on any format. It includes references to subsidiary policies such as Email and Internet, Disaster Recovery and Records Management. The Policy will be supported by other Trust policies as they apply to confidentiality, premises and personnel security within the West Suffolk NHS Foundation Trust.

Information security management has three basic components:

1. Confidentiality: protecting sensitive information from unauthorised disclosure

2. Integrity: safeguarding the accuracy and completeness of information and computer software

3. Availability: ensuring that information and vital services are available to users when required.

The degree to which these aspects are maintained will be determined by management, to a level which is cost effective and appropriate to the needs of the Trust.

2. INFORMATION SECURITY INFRASTRUCTURE

A management framework is required to initiate and control the implementation of information security within the Trust.

2.1 MANAGEMENT GROUPS

Information Governance Steering Group will address issues of patient confidentiality, security, data protection and controls assurance in these areas. The Caldicott Guardian is the Medical Director, and the Group reports to the Finance & Workforce Committee. It will also address Freedom of Information issues.

Trust IM&T Strategy Group will cover the Information Security Policy as a whole and address risk management and funding issues, with particular issues being referred to the Trust Management Team.

Trust Management Team will authorise supporting policies and guidance such as disciplinary procedures.

Trust Council will provide staff consultation on policy and procedures.

2.2 ALLOCATION OF INFORMATION SECURITY RESPONSIBILITIES

Responsibilities for the protection of individual assets and for carrying out specific security processes must be explicitly defined. The roles of Information Security Officer (as required under the Caldicott Recommendations) and Data Protection Officer will reside in one member of staff, the Information Governance Manager. The postholder will carry out Trust-wide co-ordination of information security management. The Information Governance Manager will liaise closely with the Head of IT, the Health Records Manager and owners of specific systems. System ‘Owners’ will be identified for all Trust systems or categories of manual records. Owners of information systems or manual records categories may delegate their security authority (power to act) to individual user managers or service providers, but they remain ultimately, and maintained as part of, the Trust’s registration under the Data Protection Act. All owners of information systems containing person identifiers must register the system with the Information Governance Manager. Users of manual and electronic records will have generic and departmental responsibilities.

2.3 AUTHORISATION PROCESS FOR IT FACILITIES

Business Need - Directorates and TMT will provide management approval to ensure that proposed systems are for a clear business process.

Security and Compatibility with Trust Standards – the Trust IM&T Strategy Group will provide technical and strategic approval that proposed systems support adequate levels of security protection and will not adversely affect the security of the existing infrastructure.

Physical Connections - the IT Service and Quality Manager will check that all devices connected to the Trust network meet Trust and NHS security standards.

User Access – the IT Department will administer the user access procedure using a standard Proforma covering all systems. User access to NHS Connecting for Health systems will be governed by the Registration Authority policy.

2.4 SECURITY OF THIRD PARTY ACCESS

Third Party access may be required for two reasons:

Access to identified systems for support purposes

Healthcare related access to specific applications where there is a legitimate relationship e.g. the Trust Clinical systems. For example, NSFT gaining access to our Pathology results

Such access must be the subject of a risk analysis to determine the security implications and control requirements, and approved by the Information Governance Steering Group. The IT Service and Quality Manager will provide the risk analysis and control requirements for 3rd party access. This will apply to corporate systems managed wholly by the IT Department and to departmental systems where the Department carries out systems administration.

No one other than the IT Service and Quality Manager or the Head of IT is able to approve the setup of 3rd party connections to Trust IT facilities. Apart from standard security management considerations, the Trust is also subject to the NHS Health & Social Care Information Centre policies. These are set up to provide a secure environment for the exchange of patient level information. Access to the Trust network and individual systems occurs under controlled conditions that are periodically audited. The Control Requirements consist of security conditions in third party contracts and secure authentication systems.

Security Conditions

Suppliers


Third Parties must complete and sign a third party confidentiality agreement to ensure compliance with Data Protection Act, Trust security policies and standards. The standard proforma will be the one developed by the Trust.

Health and Social Care

Protocols covering all types of exchange of information will be signed with other healthcare agencies requiring access to Trust IT facilities (as well as electronic and manual information). See Section 7.6. Access to Trust IT facilities will not be provided until the appropriate agreements have been implemented and a contract has been signed defining the terms for the connection.

Secure Authentication

Suppliers

A secure PIN will be released to the supplier by the Trust to provide access to the required system only. The number generated by the secure ID token must be one part of the two-part authentication required by the Trust’s Swivel security system.

Or

NHS HSCIC and the Trust will jointly agree access via the N3 network.

Health and Social Care

Arrangements for health and social care to have access to Trust IT facilities for business purposes (e.g. booked admissions) will be identified at the time. A register will be kept of all third party access to Trust information systems.

2.5 SAFE HAVEN FAX AND OTHER FACILITIES

The ‘Safe Haven Policy and Procedures’ PP126 covers receipt of telephone and fax information.

3. ASSETS CLASSIFICATION AND CONTROL

3.1 SYSTEM OWNERS AND INVENTORY

All major information assets will have a nominated ‘owner’ and be assigned responsibility for security measures. Examples of information assets include the following:

Information Assets – manual records including all forms of patient notes, operational procedures, training material, databases, continuity plans. This includes data on PCs at home, e.g. for clinical audit purposes.

Media Assets – photographic, film, video and sound records, e.g. teaching materials, digital and film X-Ray images, ultrasound. This includes material on portables or PCs at home.

Software Assets – application software, system software, development tools and utilities

Physical Assets – computer and communications equipment, magnetic media (tapes and disks), specialist technical equipment (power supplies, air conditioning units), furniture, accommodation

Services – computing and communications services, technical services (heating, lighting, power, air-conditioning)

Inventories will be maintained of all major information and IT assets. For IT assets an inventory will be maintained of all the major assets associated with each information system, with an audit trail from procurement to asset register and support contract.


3.2 INFORMATION CLASSIFICATION AND CONTROL

Classification Guidelines

Protection for classified information will be consistent with the business needs of the Trust, e.g.:

24 hour access to patient notes

an enhanced need for sharing information with outside agencies

a high degree of confidentiality and security protection for patient level information

compliance with an increasing range of legislation as electronic communication and use of IT becomes more pervasive in society as a whole and is mandated by government policy.

Classification will be established in relation to the following business needs:

Confidentiality – the business need to share or restrict access to information with regard to confidentiality, and the controls required to restrict access to information

Integrity – the business need to control modifications to information, and the controls required to protect the accuracy and completeness of information

Availability – the need to have information available when required by the Trust and its healthcare partners, and the controls required to achieve this

The responsibility for defining the classification of an item of information (e.g. a document, data record, data file) and for periodically reviewing the classification rests with the nominated ‘owner’ of the data.

4. PERSONNEL SECURITY

4.1 JOB DESCRIPTIONS AND CONTRACTS

All employees at all levels handle information in some way. Information security will be covered in job descriptions and contracts issued by the Personnel Department. The Information Security Policy will be a Trust Policy incorporated into the Trust Handbook, available to all employees. The Trust Handbook will include Disciplinary Guidelines for non-compliance with the Information Security and other Policies. Job descriptions must define information security roles and responsibilities in addition to standard user responsibilities where appropriate. This should include responsibilities related to ownership of particular information assets, or delegated responsibilities regarding particular security processes or procedures. Applications for employment will follow the Personnel procedures in the Trust Handbook (e.g. character references, completeness of curriculum vitae). Signing of the job contract will bind employees to abide by the Trust’s Information Security and other related Policies. This will also be made plain as part of the standard ‘Note’ included on all job descriptions. Agency staff, i.e. Bank and Locum staff, will also be asked to sign an undertaking included in the Trust contract covering all IT related policies. Volunteer staff will sign an honorary contract with clauses similar to those for bank and agency staff.

4.2 USER TRAINING


Corporate Training

The Trust will deliver information security training through the Information Governance Manager and trainers in the IT Training Department, who will update course material in line with legislation and NHS guidance. Courses will cover:

Basic hospital induction, clinical and medical induction

Annual mandatory training days providing refresher training

Other refresher training for existing staff

New requirements as they arise e.g. introduction of new systems and procedures

Specific Departments

Additional training specific to particular functions will be delivered by Departments (e.g. Medical Records and Radiology).

User Security Guide

A user version of the Information Security Policy will provide an easy guide to the main points.

Training Prior to Use of IT Facilities

Users will receive appropriate training in the correct use of IT facilities by the IT Training Team (e.g. logon procedure, use of software packages) before access to IT is granted. The Computer Access Form records which systems the user is entitled to have access to. Access will only be granted when the form is signed by the appropriate line manager. Arrangements will be made with the Site Manager to handle the need for speedy access to IT facilities out of hours, e.g. for Bank staff and Locums. Access to additional systems will be handled under the same conditions. A Training and Communications Plan will be devised to support staff in meeting their obligations for records management once the Trust Plan has been determined.

4.3 REPORTING OF INFORMATION SECURITY INCIDENTS

All employees and contractors must be made aware of the procedure for reporting the different types of incident – security breach, threat, weakness or malfunction – that might put the Trust at risk. The Trust Incident Form for reporting all forms of security breaches contains an area for reporting of Information Security Incidents and must be used by all staff or contractors. Reporting must be as soon as possible after the incident has taken place. Reporting will be to the Governance Office. External reporting of such incidents will be carried out by the:

Risk Manager using the SIRI procedure as required for all security incidents as documented in the agreed Trust Incident Policy

Under the NHS Code of Connection, external reporting of information system and network incidents is required. This will be carried out by:

The IT Infrastructure Manager using the reporting process set up by the NHS Telecommunications Agency

The formal disciplinary procedure in the Trust Handbook will be invoked for dealing with employees who commit security breaches or misuse of IT systems.


4.4 REPORTING OF SOFTWARE MALFUNCTIONS

Users of Trust IT facilities, whether managed directly by the IT Department or by individual Departments, are required to note and report any software that appears not to be functioning correctly. They are to report the matter directly to the IT Department or to the system owner. The user should:

Note the symptoms and any messages appearing on the screen

Stop using the software in question on that computer and inform the IT Help Desk on ext 7777

4.5 DISCIPLINARY PROCESS

The Disciplinary Procedure in the Trust Handbook identifies the disciplinary process for a breach of the Information Security Policy.

5. PHYSICAL AND ENVIRONMENTAL SECURITY

5.1 SECURE AREAS

Manual records, information systems and other assets must be housed in secure areas to prevent unauthorised access, damage and adverse interference. The following guidelines should be applied:

The security of the perimeter should be consistent with the value of the assets or services under protection.

The security perimeter should be clearly defined

Support functions and equipment (e.g. photocopiers, fax machines) should be sited to minimise the risks of unauthorised access to secure areas or unauthorised information

Physical barriers for critical systems will be from floor to ceiling for equipment requiring environmental controls, as well as barriers for physical access

Other personnel should not be made aware unnecessarily of activities in the secure area

It may be necessary to prohibit unsupervised, lone working – for safety and to avoid opportunities for inappropriate activities

Secure areas will be physically locked when vacated and checked periodically

Personnel supplying or maintaining support services should be granted access to secure areas only when required and authorised.

5.2 PHYSICAL ENTRY CONTROLS

1. Visitors to secure areas should be supervised, and their date and time of departure recorded.

2. All personnel should be required to wear visible identification within the secure area and encouraged to challenge strangers

3. Access rights should be revoked immediately for all staff who leave employment.

5.3 SECURITY OF COMPUTER ROOMS

Corporate Systems

Main IT machine room by the IT Department

Second machine room near Ward G8

Second Floor Comms Room in the Education Centre


The location of these sites at opposite corners of the hospital provides some resilience in the case of disaster and allows for triangulation and hence re-routing of network services and applications if necessary.

Departmental Systems

The location of departmental systems such as pathology, which support trust-wide services, must take the same considerations into account as corporate systems; they must therefore be located in one or both of the two designated computer rooms. Arrangements for computer rooms should take account of:

1. Damage from fire. A smoke detector and fire alarm will be maintained in working order. Computer supplies will not be stored in the machine room. Fire extinguishing equipment will be serviced regularly and stored in the immediate vicinity. Storage of combustible materials in the vicinity will be avoided.

2. Flooding – from domestic floods from the floor above, or surface water where accommodation is below ground level.

3. Natural or man-made disasters – will be addressed through Disaster Recovery. The following arrangements will be made:

1. Staff will be trained in the use of safety equipment.

2. Arrangements will be made in conjunction with the Facilities Department to safeguard supporting facilities such as electrical supply and cabling infrastructure. There will be an emergency power generator, and resilience and triangulation arrangements will offer alternative routing for cabling infrastructure.

3. Critical systems will be fitted with UPS (Uninterruptible Power Supplies) and will operate from the immediate loss of power supplies until the Emergency Generator Power begins.

4. In the event of total loss of computing facilities, for example due to sustained loss of electrical power, departments will implement their business continuity plans.

5. Corporate IT back-up media will be sited in fireproof data safes located in a secure room on G6 Ward. This location is at the opposite corner of the hospital site from the two computer rooms. Where Departments manage systems they also store back-up media at this location.

6. Emergency procedures will be fully documented and updated and regularly tested. At least two members of staff will be familiar with the operation of scripts for each main system.

7. Doors and windows will be locked when the IT facility is unattended.

5.4 LOCATION OF USER EQUIPMENT

PCs, terminals and other equipment such as printers and scanners will be sited to minimise the risk of damage, interference and unauthorised access.

1. Workstations handling sensitive data will be positioned to reduce the risk of overlooking.

2. Eating and drinking in the vicinity of personal computer equipment will be prohibited.

3. Smoking is forbidden throughout the Trust.

5.5 CABLING SECURITY

Power and telecommunications cabling will be protected from interception and damage by:

1. Ensuring that hubs and cabinets are in locked rooms or cupboards throughout the building

2. Working with the Facilities Department (Local Area Network) to provide conduits for cables, to avoid public areas, to ensure that cables remain tidy at all times and are not vulnerable to contractors on site for other reasons

3. Use of the national NHS framework, and its attached conditions for access to the rest of the NHS.


5.6 EQUIPMENT MAINTENANCE

Servers and other core equipment must be appropriately maintained by corporate IT or responsible Departments to ensure their continued availability and integrity. In particular:

1. Equipment must be maintained in accordance with the supplier’s recommended service levels and specifications

2. Repairs and servicing of equipment must only be carried out by authorised maintenance personnel.

3. A record of all faults or suspected faults must be kept.

4. A record must be kept of supplier maintenance visits and the work carried out.

5. Contractual terms and conditions must be filed and easily available.

Maintenance of PCs will be addressed by purchasing PCs with a 3 year warranty, rather than paying an annual maintenance premium per unit. Desktop printers will be maintained on a break-fix contract with a third party.


5.7 SECURITY OF PORTABLE EQUIPMENT TAKEN OFF PREMISES

IT equipment used outside Trust premises to support business activities must be subject to an equivalent degree of security protection as on-site protection. This applies particularly to laptop or hand-held computers, but may apply to other equipment as well.

1. For asset purposes, ownership of mobile devices should be clearly linked to a named individual in a specific department; it is the responsibility of the department to which the device was allocated to maintain this ownership list. Devices must be returned to the IT Department if they are to be reallocated to a different department.

2. Temporary allocation of equipment (equipment that is booked out) must be recorded and updated on return of the equipment. Maintaining the equipment log is the responsibility of the department to which the device was allocated.

3. Proper carrying cases must be used at all times.

4. Virus controls must be in place.

5. When travelling, equipment and media must not be left in public places.

6. Where equipment must be left in a car, it must be left out of sight in a locked boot.

7. Overnight, equipment must be taken in-doors and secured.

8. Portable computers are particularly vulnerable to theft, loss or unauthorised access and must be provided with an appropriate form of protection e.g. passwords to prevent unauthorised access to their contents.

9. Portable media containing ‘person identifiable data’ must be encrypted

10. Policy PP227 applies for all removable media where ‘person identifiable’ data is held

Patient data, e.g. for clinical audit on personally owned PCs at home, must be subject to the same degree of protection and approved by a senior manager.

5.8 REMOTE ACCESS TO TRUST NETWORK

Access will be provided to the Trust network and its applications for Trust staff who are sponsored by their departments and for whom the cost of a laptop, a dedicated line and a proportion of server costs has been provided. Each user will be provided with Secure ID authentication. Broadband will be used to ensure that staff are provided with concurrent data and voice facilities – for instance to provide a telephoned verbal opinion on X-Ray images accessed over the Trust network.

5.9 SECURITY OF PAPER RECORDS TAKEN OFF THE PREMISES

Refer to the Health Records policy.

5.10 SECURE DISPOSAL

All computer hardware, magnetic and optical media will be returned to the IT Department for redistribution or secure destruction. An area within the IT Department will be dedicated to the secure storage of computer assets requiring end of life destruction, with a current inventory maintained of equipment being stored in the facility including:

West Suffolk IT asset tag number

Internal hard disk serial number

Product serial number or service tag

Make and model information

Hardware type – monitor; base; printer

All loose media which does not have an identifying mark (compact discs, tapes, flash cards) will be segregated, collected and packed in sealed boxes marked clearly with “Magnetic Media for Secure Disposal”.


Contracts will be maintained with Information Technology Asset Disposal (ITAD) providers based on the requirements of the:

Waste Electrical and Electronic Equipment (WEEE) regulations

Information Commissioners advice and model contract clauses for data processors

IAS 5 standards for media destruction based on the relevant security level of information assets as well as the disposal method suitable for the media type.

These contracts will be for no longer than 3 years and reviewed at least annually, with sampling of disposal methods and supplier audits conducted. Disposals are typically conducted quarterly, to reduce the increased risk of holding large volumes of decommissioned data assets. At the point of disposal, asset sign-over sheets produced by Trust IT will be signed by the ITAD representative and the Trust employee tasked with supervising the collection and any onsite destruction of data. A waste transfer note, asset reconciliation and certificate of destruction will be provided by the ITAD as agreed in the terms of the contract and within 4 weeks of any collection. Any discrepancies must be reported as a data loss whilst an investigation is conducted. This policy is supported by two IT procedures:

WSH PC Decommissioning Procedure : (QM)DT/003

IT Asset Management Procedure : (QM)DT/001

6. COMPUTER MANAGEMENT

6.1 PROCEDURES

Responsibilities and procedures for the management and operation of all computers and networks must be established. Two people must be competent to carry out procedures for all critical systems – whether corporate or departmental. Documented operating procedures must be prepared for all computer systems to ensure their correct, secure operation. This applies to small standalone systems – just accessing the network – as well as large corporate systems. It includes Departmental systems and those managed by IT. Some small to medium size systems (e.g. specialty-specific systems) will hold important patient level clinical data. They should be given the same level of security as larger systems – see below. Documented procedures are also required for system development, maintenance or testing work (see Chapter 8). Procedures must specify the correct instructions for the detailed execution of each job including, as appropriate:

1. The correct handling of data files.

2. Scheduling requirements (including inter-dependencies with other systems) and earliest job start and latest job completion times.

3. Instructions for handling errors or other exceptional conditions.

4. Support contacts in the case of unexpected operational or technical difficulties.

5. Any particular output handling requirements, e.g. special stationery or the management of confidential output.

6. System start and re-start procedures for use in the event of system failure.

7. House-keeping procedures, e.g. computer start-up and close down, data back-up etc.

8. Routine procedures for system optimisation and performance.

Source: IT Department Status: Approved Page 13 of 32 Issue Date: March 2014 Review date: March 2016 Document Reference: PP(14)060

Media Handling

Procedures must be maintained to protect all computer media (e.g. tapes, disks, input/output data and system documentation). These provisions will apply to:

Patient identifiable information – with additional provisions for sensitive information, e.g. sexual health

Employee identifiable information

Screen Output

1. Screen output must be protected from casual enquiry (e.g. on wards, at reception areas). Screens should be facing away from public walkways etc., or be protected by screens.

2. Screens must time-out after an agreed period.

3. Screens should be locked when unattended.

Printed output

Printed output must be sent securely to named recipients. Lists of appropriate recipients must be maintained.

Printed output retained in generating departments must be securely stored.

Particular forms of printed output must be secured by departmental policies, e.g. blank cheques and invoices.

System documentation containing details of application processes, procedures and data structures must be locked in secure cabinets.

Sensitive printed output must be disposed of securely by putting it into sacks marked ‘Confidential Waste’ or, where applicable, blue wheelie bins for shredding. Arrangements made with Estates must ensure speedy, secure removal of such sacks.

Magnetic Media

Data and software on magnetic media must be securely stored. If no longer required, the data from any re-usable media must be erased using software tools that completely wipe the data from all areas of the media. Alternatively the media will be physically destroyed and a certificate of destruction will be obtained and kept on file. This work must be carried out by the IT Department.

Computer media must be disposed of securely when no longer required. Data on hard disks must be erased using software tools that completely wipe the data from all areas of the media. In the event that the hard disk has failed and cannot therefore be wiped, the disk drive will be sent for secure physical destruction and a certificate of destruction will be received and kept on file. This work must be carried out by the IT Department.

Operator Logs

Operator Logs must be maintained for critical systems to show, as appropriate:

System start and finish times

System errors and corrective action taken

Confirmation of the correct handling of data files and computer output


Fault Logging

Faults reported by users must be logged using call fault logging software. The software must provide information to review the fault log to ensure that all faults have been satisfactorily resolved.

Environment Monitoring

Temperature, humidity and power supply quality must be monitored in computer machine rooms. If there is a problem (e.g. with air conditioning) this must be addressed quickly with the Estates Department to avoid system crash and down-time. (Desk-top equipment is designed for office conditions and is unlikely to suffer from these problems.)

Back-Ups

For corporate systems a minimum level of back-up information will be taken each night and backups stored in the designated fireproof data store. Daily backups will be retained for one week. Weekly backups will be retained for one month. Monthly backups will be retained for one year. Yearly backups will be retained indefinitely.
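The retention schedule above is a grandfather-father-son rotation. The following Python script is an added example, not part of this policy or of any Trust system, that works out which nightly backups have fallen outside their tier's window and may be released from the data store. It assumes one full backup per night, treats "one week", "one month" and "one year" as 7, 31 and 366 days, and classifies each existing backup by whether it was the first copy taken in its ISO week, calendar month or calendar year, so that a failed night (here 3 March in the constructed sample) promotes the next available copy rather than leaving that period without a retained backup:

```python
"""Retention planner for the nightly backup rotation in section 6.1.

Added example, not part of the policy document or any Trust system.
Assumes one full backup per night; the day counts for the retention
windows are assumed readings of "one week/month/year".
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionPolicy:
    daily_days: int = 7      # "Daily backups will be retained for one week"
    weekly_days: int = 31    # "Weekly backups will be retained for one month"
    monthly_days: int = 366  # "Monthly backups will be retained for one year"
    # yearly backups are retained indefinitely


def classify(backups):
    """Map each backup date to 'yearly', 'monthly', 'weekly' or 'daily'.

    The first backup that actually exists in a period becomes that period's
    copy, so a missed night promotes the next one. Yearly takes precedence
    over monthly, and monthly over weekly.
    """
    first_of_year, first_of_month, first_of_week = {}, {}, {}
    for d in sorted(set(backups)):
        first_of_year.setdefault(d.year, d)
        first_of_month.setdefault((d.year, d.month), d)
        first_of_week.setdefault(d.isocalendar()[:2], d)
    tiers = {}
    for d in backups:
        if first_of_year[d.year] == d:
            tiers[d] = "yearly"
        elif first_of_month[(d.year, d.month)] == d:
            tiers[d] = "monthly"
        elif first_of_week[d.isocalendar()[:2]] == d:
            tiers[d] = "weekly"
        else:
            tiers[d] = "daily"
    return tiers


def plan(backups, today, policy=RetentionPolicy()):
    """Return {date: (tier, keep)} for every backup, relative to `today`."""
    windows = {
        "daily": policy.daily_days,
        "weekly": policy.weekly_days,
        "monthly": policy.monthly_days,
        "yearly": None,  # never expires
    }
    decisions = {}
    for d, tier in classify(backups).items():
        age = (today - d).days
        limit = windows[tier]
        # A future-dated copy (clock skew on the backup host) has a negative
        # age, so it is kept here and should be investigated, not pruned.
        keep = limit is None or age <= limit
        decisions[d] = (tier, keep)
    return decisions


def to_prune(backups, today, policy=RetentionPolicy()):
    """Sorted list of backup dates that fall outside their tier's window."""
    return sorted(d for d, (_, keep) in plan(backups, today, policy).items()
                  if not keep)


# Constructed sample: nightly backups for Q1 2014 with one failed night (3 March).
SAMPLE_BACKUPS = [
    date(2014, 1, 1) + timedelta(days=i) for i in range(90)
    if date(2014, 1, 1) + timedelta(days=i) != date(2014, 3, 3)
]
TODAY = date(2014, 3, 31)

if __name__ == "__main__":
    for d, (tier, keep) in sorted(plan(SAMPLE_BACKUPS, TODAY).items()):
        print(d, tier.ljust(7), "keep" if keep else "prune")
```

Run against the sample, the plan keeps every copy from 24 March onward, the first copy of each ISO week back to the start of March, the first copy of each month, and 1 January as the yearly copy; everything else is listed by `to_prune`. The point of classifying from the backups that exist, rather than from the calendar, is that a backup run that failed on the 1st of a month does not silently leave that month with no retained copy.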

Back-up master disks of operating system, application software and system set-ups must also be stored in the data safe. They must be capable of being used to restore the system(s) in the event of an extensive disaster. Back-up data on and off-site should be given an appropriate level of protection, e.g. storage in a fireproof safe. Back-up data must be regularly tested, with accompanying procedures, to ensure that recovery of the system(s) can be relied upon.

6.2 OPERATIONAL CHANGE CONTROL

Changes to IT facilities and systems must be controlled. The following items must be covered by corporate IT staff or by departmental staff managing other systems, e.g. Pathology and Radiology:

Identification and recording of significant changes e.g. version, additional users

Assessment of the potential impact of such changes, including impact on clinical processes

Approval procedure for proposed changes through a project team, either existing or convened for the purpose

Creation of a plan with the supplier

Identification of Trust responsibility

Arrangements for testing to include technical staff and end users e.g. data integrity

Communication of change details to all relevant staff. Increasingly this will include external agencies (e.g. GPs for pathology results)

Procedures and responsibilities for aborting and recovering from unsuccessful changes

6.3 CAPACITY PLANNING

Capacity requirements must be monitored to avoid failures due to inadequate capacity. This may apply to long established systems, e.g. HISS, or to newly installed systems, where capacity planning should form part of implementation.

Projections must be made of future computer capacity requirements for critical systems to ensure that adequate processing power and storage remain available.


Projections must take account of new system requirements as well as current and projected trends in computer and network use.

IT management must identify trends in usage (e.g. increased access to clinical applications, Intranet and Internet) with a view to identifying and avoiding potential bottlenecks that might present a threat to system security or user access – and plan appropriate remedial action.

6.4 SEPARATION OF DEVELOPMENT AND OPERATIONAL FACILITIES

Segregation of development and operational facilities is desirable to reduce the risk of accidental changes or unauthorised access to operational software and business data.

Development and operational software must run on different processors, or at least as a minimum on different directories where small Microsoft Office applications are concerned.

Different passwords should be used for development systems, and menus should display appropriate messages.

Acceptance criteria for new systems must be established as part of the procurement or development process.

See also Chapter 8 ‘System Development and Maintenance’.


6.5 PROTECTION FROM MALICIOUS SOFTWARE

Precautions must be taken against the introduction of malicious software, which poses a threat to the integrity of data and software. Protection will be founded on user awareness, licensed software and virus controls.

User Level – the following actions will be taken, focussing on PCs, Email and Internet access:

1. Users will be made aware of their responsibilities at Induction, in job contracts and through ongoing training. IT training on clinical systems will include responsibilities for secure data transfer, confidentiality and file management.

2. Software must be procured, issued and installed by the central IT Department for any PC attached to the network. There must be a licence for all software.

3. The use of unauthorised software is prohibited.

4. Users are not permitted to install software on Trust devices.

5. Users will not be given domain or local administrator rights. On rare occasions where elevated rights may be required (such as legacy software not fully compatible with newer security rights within Operating Systems), exceptions must be recorded and monitored to ensure appropriate use.

6. Where disks are received from outside the organisation, users will be asked to take them to the IT Department for examination by a virus checking programme.

7. Users will be made particularly aware of the danger of attachments to emails, particularly from unknown sources.

8. The IT Department will send out network wide announcements when particularly virulent viruses are operating worldwide.

System Level:

1. Anti-virus software from a reputable supplier will be purchased and maintained with updates from the supplier.

2. The virus checking software will operate Trust wide and there will be a message that alerts users to the fact that this checking is taking place.

3. Virus checking will be initiated at boot-up but may be activated at other times.

4. In addition to the virus checking software upgrades against known viruses, the IT Department will subscribe to a service for the NHS giving forward warning of all significant viruses and evasive action.

5. Virus attacks will be reported in the following ways:

Trust Security Incident Form (for return to Trust governance department)

NHSNet Incident Report Form (for return to NHS HSCIC)

6.6 FALLBACK PLANNING

There must be emergency arrangements for an alternative, temporary means of continuing processing in the event of any damage, total loss of electrical power or failure of equipment. These arrangements will be covered in the Disaster Recovery Policy. Examples are:

Manual recording onto pre-prepared proformas (e.g. for patient demographic details)

Back-up processors (e.g. mirror systems for critical systems)

Re-routing of network services and re-location of staff in case of minor disasters

Off-site arrangements for extensive disasters

Business Continuity/Disaster Recovery Plans will be maintained under the following Trust policies:

Disaster Recovery (IT)

MAJAX

Departmental Policies e.g. Medical Records, Estates


7. NETWORK MANAGEMENT AND INFORMATION EXCHANGE

7.1 LOCAL NETWORK CONTROLS

The security of the computer network requires particular attention as the communications highway for an increasing range of systems – in particular those supporting patient level clinical information. The ‘network’ spans Trust and site boundaries and provides communication services to:

West Suffolk Hospital NHS Trust – all sites

Sites belonging to health and social care partners, e.g. GPs, other Trusts and increasingly Social Care Services

Administrative links to the Health Authority, Region, NHSE and DoH

Academic and other links accessed over the Internet

Suppliers over N3

The NHS Connecting for Health Code of Connection works on the principle that each NHS organisation will ensure its own internal network security, thus protecting the whole. The Trust as a connected organisation must have in place the measures for the Code of Connection:

Security Policy – this document, which meets the NHS Security Policy EL(92)60

Approved security access and authentication measures

Appropriate measures for supplier remote access (e.g. authentication, dropped connections)

Firewall protection against non-NHS networks (e.g. academic networks such as JANET, Internet)

Reporting of security incidents to NHS Connecting for Health

Readiness for Network Audit

Maintenance of all relevant security controls, e.g. Data Protection

The IT Department must maintain appropriate controls to ensure the security of data in the network, and the protection of connected services from unauthorised access. Code of Connection requirements must be maintained. The Trust must comply with the NHS Statement of Compliance as required for Information Governance.

Remote access by suppliers or staff must be agreed as supporting a specific business purpose, and must be recorded as required to specific systems. See section 2.4. A Third Party Confidential Agreement must be read and signed by all contractors. Such connections must be monitored on a regular basis to identify any irregularities.

Network security measures must be applied consistently across the Trust network and apply to departmental as well as corporate IT systems.

7.2 NATIONAL NETWORK CONTROLS – NHS N3 Network

The Trust currently uses BT as one of two network providers approved under the NHS framework contract for the NHS N3 Network. The Service Level Agreement entitles the NHS to a certain level of service and support in the case of problems.


The Trust will continue to meet the NHS Connecting for Health Code of Connection allowing access to the NHS N3 Network.

7.3 NATIONAL APPLICATIONS USING the NHS N3 Network

The Trust will continue to use the following national framework contract services until and if they are re-procured at national level:

Cable and Wireless NHS e-SMTP relay service via nhs.uk addresses for non secure emails

Cable and Wireless NHS e-SMTP relay service via nhs.net addresses for secure emails

Sending and receipt of CDS data to Health Authorities, Regional Office and DoH (in the form of HES – Hospital Episode Statistics) is done via Secondary User Services (SUS)

Choose and Book

Map of Medicine

7.4 ELECTRONIC OFFICE

Electronic Office Systems provide opportunities for faster dissemination and sharing of business information within the Trust and externally over NHSNet. Particularly for internal information sharing, the following standards must be in place:

Microsoft Office 2003/2007/2010/2013 for word-processing, spreadsheets and PowerPoint slides

Microsoft Outlook 2003/2007/2010/2013 email and diary scheduling package

Clear procedures on the status of electronic communications for communicating orders, signatures etc.

Policy regarding retention and back-up of information held on the system

7.5 INTERNET AND EMAIL

Electronic Mail and Internet Access are the subjects of a separate Policy. The security aspects are repeated here. The Security Policy for email and Internet access applies to all employees. The Trust permits reasonable use of email and Internet facilities for personal use with a view to developing information technology skills. The Trust as an employer must balance its risks with regard to:

The law of agency, whereby an employer is responsible for the acts of its employees

Vicarious liability, whereby actions in the normal course of work, whether authorised or unauthorised, are held to be the responsibility of the employer

Legislation protecting the privacy and autonomy of the individual:

Data Protection Act (1998)

Human Rights Act (1998)

Regulation of Investigatory Powers Act (2000)

Email has particular vulnerabilities associated with it (e.g. incorrect addressing, unintended copying of emails, reliability of the service, junk mail, retrieval of messages and replies, virus attachments, staff misuse, improper monitoring). Email is a ‘written record’ and can be cited as evidence, and may be disclosable under the Freedom of Information Act. Inadvertent formation of contracts must be avoided. Internet vulnerabilities include copyright issues, downloading of over-large files, unsuitable material, and use of staff time.


Trust as an employer

The Trust will:

Continue to operate a formal connection procedure, which is authorised and monitored by managers

Install appropriate technology to monitor usage

Update these precautions on a regular basis to keep pace with the changing environment

Provide a clear process that handles the 1st, 2nd and 3rd offence if staff are detected infringing the Security Policy.

The Trust will prohibit:

Email content that is libellous, pornographic, sexually or racially offensive, or otherwise illegal

Use of email or Internet facilities for any form of commercial advertising or personal business transactions

‘Junk mail’ or spamming (such as ‘car for sale’, or ‘Joan has had a bouncing baby boy’ which are sent to all users). Such notices should be put onto the Intranet bulletin board

Uploading, downloading or sending commercial software or other copyrighted materials

Sending of very large files (10mb+) as attachments to other users, as they might compromise the network

Sending of patient identifiable data except where a protocol exists with other NHS organisations using the NHS.Net email system or ideally with encryption.

Using computer facilities outside the individual’s working hours, unless agreed with the line manager for study purposes

Examining, changing or using another person's files, output or user name for which they do not have explicit authorisation

The Trust has installed Webmarshal software for monitoring Internet use. Some websites have been blocked as inappropriate for NHS Staff. The Trust will monitor Internet usage in terms of time spent accessing the Internet. Any inappropriate or excessive use will be reported to the member of staff’s line manager. The Trust requires staff to:

Be cautious of un-solicited email with regard to viruses e.g. attachments from unknown senders, particularly those with unusual extensions

Close down terminals not in use, as a malicious user could send messages in your name

Legislation protecting the privacy and autonomy of the individual

The Trust will inform staff:

Of its policy for acceptable use of Email and Internet Access

That a clear amount of personal surfing and personal email will be permitted to develop skills

Of monitoring of email and Internet usage for security and network management reasons

That users may be subject to limitations on their use of resources, e.g. file sizes

The Trust will provide:

Training – induction and refresher

User guide


Reinforcement messages, e.g. on the screen

Wide access to this policy and the Trust Disciplinary Procedures

The Trust will take account of the privacy of those sending the email as well as those receiving it. In monitoring email and Internet usage the Trust will:

Target investigations and avoid routine sweeps.

Ensure that precautions are relative to the size of the risk

Email is for business use and, in a member of staff's absence, access to essential emails may be authorised by the line manager.

7.6 PROTOCOLS FOR INFORMATION EXCHANGE

Seamless exchange of information within the Trust and with healthcare partners is required to achieve seamless care. In addition various kinds of legislation require sharing of information between agencies, e.g. the Crime and Disorder Act, the Health and Social Care Bill. With the availability of electronic exchange mechanisms it is essential that these information exchanges are protected by Information Protocols. The Trust will adopt protocols developed by the Eastern of England Information Governance Forum (which also acts as a forum for Caldicott and Controls Assurance issues) and locally agreed protocols with other agencies. These protocols cover:

Management responsibilities for controlling and notifying transmission, dispatch and receipt

Procedures for notifying transmission, dispatch and receipt

Minimum technical standards for packaging and transmission

Courier identification standards

Responsibilities and liabilities in the event of loss of data

Data and software ownership and responsibilities for data protection, software copyright compliance

Technical standards for recording and reading data and software

Any special measures required, e.g. encryption

7.7 ENCRYPTION AND MESSAGE AUTHENTICATION

The Trust will comply with Department of Health guidelines issued in January 2008 on securing data in transit, using encryption where appropriate. This applies to all removable media where person identifiable information is stored. The Trust continues to comply with the Data Protection Act in keeping information secure. For patient level clinical information the Trust will comply with the encryption requirements outlined in ‘Building the Information Core – Enabling the NHS Plan’. There is a timetable for applying this technology to particular GP/provider flows that started with GP pathology results in 2003.

7.8 FALLBACK PLANNING

The Local Area Network is covered in the Disaster Recovery Policy. Triangulation is used to ensure alternative routing if required. See Section 6.6. The NHS N3 Network connection has been upgraded to support the increasing number of clinical and business information exchanges with health and social care partners expected under national targets. When the Trust subscribes to the National PAS system, in order to ensure business continuity in the event of this line being lost, the Trust will install a second line for resilience.


8. SYSTEM ACCESS CONTROL

Control of access to data and information services must be based on business requirements and the ‘need to know’. This will support prevention of unauthorised access.

8.1 GROUPS

Each system ‘owner’ must maintain a clearly defined access policy statement, which defines the access rights of each user group. The policy will take account of the following:

Security requirements of individual business applications e.g. levels of access supported

Agreed security levels for particular groups of staff

Individual departmental, Trust or NHS policy requirements (e.g. access to NHS Number Tracing Service)

Access to individual applications will be granted in line with business or clinical need, supported by the following measures:

Menus will provide access to application system functions – where particular functions are not available to an individual user these functions will not be visible to that user.

Users will be limited by access level (e.g. read, write, delete, execute)

User documentation will be tailored to the required function(s) only, so that no extraneous systems information is provided

Outputs from application systems will only contain data that is relevant to the use of that output (on a need to know basis in line with Data Protection and Caldicott Principles)

8.2 SYSTEM PRIVILEGES

Unnecessary allocation and use of super-user privileges will be prevented. Allocation of super-user privileges will be through a formal process. System owners will:

Identify the privileges associated with each system product i.e. operating system, database management and the categories of staff to which they need to be allocated

Allocate privileges on a ‘need to use’ basis

Maintain an authorisation process and a record of all privileges allocated.

Promote the development and use of system routines to avoid the need to grant privileges to users.

8.3 USER PROFORMA FOR ACCESS

A formal user registration and de-registration procedure will be maintained for access to all multi-user IT facilities, including access to CFH National systems requiring access via the ‘smartcard’ (see separate policy and procedure from Registration Authority). One proforma will address all forms of system access. It will be the same for the two Trust ‘networks’ – the corporate IT network and associated applications, and the Library network which includes academic access. See Appendix 1. The Trust will introduce an electronic (online) system user access form in late 2014. The proforma will:

1. Check that the user has authorisation from their line manager.

2. Check that the user has authorisation from the system ‘owner’.


3. Check that the level of access granted is appropriate for the business purpose.

4. Give users a written statement of their access rights.

5. Require users to sign to indicate that they understand the conditions of access (this requirement will be withdrawn when the online application is working, as it is covered in the individual's contract of employment).

6. Ensure that system providers do not allow access (e.g. set up users) until authorisation procedures have been completed.

7. Maintain a formal record of all persons registered to use the networked applications.

8. Obtain additional forms and authorisation for access to further system(s).

In addition the IT Department will:

Receive notification from Personnel of new starters.

Process requests for access to systems for new starters within 24 hours of receipt from the employing department.

Support arrangements for temporary staff to access essential systems for business use (all terms and conditions of employment and compliance with Trust policies will apply)

Sign proformas counter-signed by the Site Manager and permit use of assigned accounts for locum and bank staff

Receive details of leavers from Personnel and immediately remove those accounts

Periodically check for and remove redundant user-ids and accounts that are no longer required

Support the requirements for access to national systems via the smartcard

Enforce change of passwords by authorised users at regular intervals.

8.4 USER IDENTIFIERS

Computer activities must be traceable to individuals. The following must apply:

All users must have a unique identifier (user-id) for their personal and sole use, to ensure that activities can subsequently be traced to the responsible individual, and to maintain patient confidentiality, e.g. when accessing results in semi-public areas such as wards.

User-ids should not give any indication of the user’s privilege level, e.g. manager, supervisor.

In exceptional circumstances e.g. operating theatres, A&E, where individual logging on and off inhibits work processes and ultimately the time for patient care, use of a shared user-id (for a group of users for a specific job) may be used (subject to authorization). This is likely to be in discrete departments rather than areas open to a range of users and the public.

The Trust will provide support for easy input of user-id’s and passwords (see 8.5) to support this policy.


8.5 USER PASSWORD MANAGEMENT

Password management after authorisation of the user is supported by the user:

Signing an undertaking (as part of the access proforma) to keep personal passwords confidential and not to pass them on to others, or to display them, e.g. at the workstation

Taking a temporary password from the authorising department, e.g. corporate IT, and then changing it immediately to their own password

Being advised of good security practice in the selection and use of passwords at induction or refresher training and at allocation of access

Users should be told:

Passwords are the principal means of validating a user’s authority to access a system

Passwords must be individual and kept confidential

Avoid keeping a paper record of passwords, unless this can be stored securely

Change passwords when there is any indication of password compromise

Select passwords with a minimum length as advised by the system owner

Change passwords when prompted to by the system

Avoid basing passwords on any of the following:

Any aspect of the date, e.g. days of the week or months of the year

Family names, initials, car registration

Organisation names or references

Telephone numbers

All numeric or all alphabetic

Password protection will be required to individual applications and to NHSNet (which allows onward access to the Internet).

Users will be allowed to select and maintain their own passwords.

Passwords will be of a minimum length of 7 alpha-numeric characters

The default position will be that individual passwords will be enforced to maintain accountability (unless separate provisions for group passwords are underwritten by management)

The Trust will try to make entry of passwords as non-onerous as possible to:

Support responsible, confidential use of passwords

Inhibit disclosure to others with post-it notes etc for memory reasons

Focus on patient care by making use of information systems as speedy as possible

The Trust will take the following interim measures:

Passwords for core systems will share the same overall format and length, to make logging on quicker and more intuitive and to address the practice of writing down passwords

All core systems will enforce a password change

Trust systems will:

Maintain a record of previous user passwords (e.g. for previous 12 months) and prevent users from re-using them

Not display passwords on screen when being entered

Store password files separately from the main application system data

As part of its development programme the Trust will:

Work towards user profiles where an initial log-on will entitle a user to their agreed suite of applications.

Work towards smart card or biometric recognition of the user.
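As an added example, not taken from this policy or from any Trust system, the following Python checks a candidate password against the rules set out in this section: a minimum length of 7, not all numeric or all alphabetic, not based on day or month names, organisation references, family names, car registrations or telephone numbers, and not reused within the previous 12 months. The organisation word list, the UK registration-plate pattern, the 365-day reading of "12 months" and the PBKDF2 parameters are assumptions. The history of previous passwords is held as salted hashes, so that the record the policy asks for is not itself a plaintext password file:

```python
"""Password acceptance checks for the rules in section 8.5.

Added example, not part of the policy document or any Trust system.
Assumed details: a 365-day history window, the organisation word list,
the registration-plate pattern and the PBKDF2 cost parameter.
"""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 7          # "minimum length of 7 alpha-numeric characters"
HISTORY_DAYS = 365      # "record of previous user passwords (e.g. for previous 12 months)"
PBKDF2_ROUNDS = 50_000  # assumed cost parameter for the stored hashes

DAY_NAMES = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
MONTH_NAMES = {"january", "february", "march", "april", "may", "june", "july",
               "august", "september", "october", "november", "december"}
ORG_WORDS = {"nhs", "trust", "wsh", "suffolk"}            # assumed organisation references
UK_PLATE = re.compile(r"[A-Z]{2}\d{2}\s?[A-Z]{3}", re.I)  # assumed car-registration pattern
PHONE_RUN = re.compile(r"\d{6,}")                         # a telephone-number-like digit run


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user record of previous passwords, kept as (salt, hash, date set)."""

    def __init__(self):
        self._entries = []

    def record(self, password: str, when: date) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt), when))

    def reused(self, candidate: str, today: date) -> bool:
        """True if `candidate` matches any password set within HISTORY_DAYS."""
        cutoff = today - timedelta(days=HISTORY_DAYS)
        return any(
            hmac.compare_digest(_hash(candidate, salt), digest)
            for salt, digest, when in self._entries
            if when >= cutoff
        )


def evaluate(candidate: str, history: PasswordHistory, today: date,
             personal_words=()) -> list:
    """Return the policy rules the candidate breaks (an empty list means acceptable).

    `personal_words` carries the user-specific items the policy names
    (family names, initials) that the access proforma would supply.
    """
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isdigit():
        reasons.append("all numeric")
    elif candidate.isalpha():
        reasons.append("all alphabetic")
    if any(w in lowered for w in DAY_NAMES | MONTH_NAMES):
        reasons.append("based on a day or month name")
    if any(w in lowered for w in ORG_WORDS):
        reasons.append("contains an organisation name or reference")
    if any(w.lower() in lowered for w in personal_words if w):
        reasons.append("contains a family name or initials")
    if UK_PLATE.search(candidate):
        reasons.append("looks like a car registration")
    if PHONE_RUN.search(candidate):
        reasons.append("contains a telephone-number-like digit run")
    if history.reused(candidate, today):
        reasons.append(f"reused within the last {HISTORY_DAYS} days")
    return reasons


if __name__ == "__main__":
    # Constructed usage: a user who set "Correct7Horse" in January 2014.
    history = PasswordHistory()
    history.record("Correct7Horse", date(2014, 1, 10))
    for candidate in ("1234567", "Monday99", "Correct7Horse", "Other9Lamp"):
        print(candidate, evaluate(candidate, history, date(2014, 3, 31)) or "accepted")
```

Two design points are worth noting. The comparison with history is done by re-hashing the candidate with each stored salt and comparing with `hmac.compare_digest`, so the history never has to hold the previous passwords in clear. And an entry set more than 365 days ago is skipped before hashing, which is what turns "for previous 12 months" into an explicit window rather than an ever-growing blocklist.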


8.6 SYSTEM RESPONSE TO USER LOGON

The logon procedure should:

Display a warning that the system must only be accessed by authorised users.

Disconnect and give no assistance after an unsuccessful attempt to logon.

Validate the logon information only on completion of all input data.

Limit the number of unsuccessful logon attempts to three.

The system must:

Record the unsuccessful attempt

Force a time delay before further logon attempts are allowed

Disconnect data link connections

Display the following information on completion of a successful logon:

Date and time of previous successful logon

Details of any unsuccessful logon attempts since the last successful logon

8.7 ENFORCED PATH OR STANDARD DESKTOP

Modern networks are designed to allow maximum scope for sharing of resources and flexibility of routing. These features may also provide opportunities for unauthorised access to business applications, or unauthorised use of IT facilities, i.e. unlimited network roaming. The Trust will set up a standard ‘desktop’ to minimise the risks from users using Internet facilities to modify applications or access data, thus breaching access, confidentiality and integrity. The actions taken by the IT Department will include:

Automatically connecting ports to specified application systems or security gateways.

Limiting menu and sub-menu options for individual users.

Preventing unlimited network roaming.
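Section 8.6 above sets out how a logon procedure should respond to failures and what it should display after success. The following Python is an added example, not from this policy or any Trust system, of that behaviour: one generic refusal that gives no hint about which field was wrong, a forced delay once the third failure is reached, a record of every failed attempt, and, on success, the time of the previous successful logon together with the failures since then. The 300-second delay, the credential check supplied by the caller and the clock passed in by the caller are assumptions:

```python
"""Logon response logic for the rules in section 8.6.

Added example, not part of the policy document or any Trust system.
Assumptions: the caller supplies the credential check and the clock,
and the forced delay after the third failure lasts 300 seconds.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

MAX_FAILURES = 3                   # "Limit the number of unsuccessful logon attempts to three"
DELAY = timedelta(seconds=300)     # assumed length of the forced time delay
BANNER = "This system must only be accessed by authorised users."
REFUSAL = "Logon failed."          # one text for every failure: "give no assistance"


@dataclass
class AccountState:
    failures: int = 0                              # failures in the current run
    delayed_until: Optional[datetime] = None
    last_success: Optional[datetime] = None
    failures_since_success: list = field(default_factory=list)


@dataclass
class LogonResult:
    status: str                                    # "ok", "refused" or "delayed"
    message: str
    previous_logon: Optional[datetime] = None      # shown after a successful logon
    failed_since: tuple = ()                       # failed attempts since that logon


class LogonGuard:
    def __init__(self, verify: Callable[[str, str], bool]):
        self._verify = verify
        self._accounts = {}
        self.audit = []   # (timestamp, user_id, outcome): the trail section 8.12 asks for

    @staticmethod
    def banner() -> str:
        return BANNER

    def attempt(self, user_id: str, password: str, now: datetime) -> LogonResult:
        # State is keyed on the submitted name, so unknown names also get an
        # entry; a production store would bound this table.
        state = self._accounts.setdefault(user_id, AccountState())
        if state.delayed_until is not None:
            if now < state.delayed_until:
                self._fail(state, now, user_id, "refused-during-delay")
                return LogonResult("delayed", REFUSAL)
            state.delayed_until = None   # delay served: the count starts again
            state.failures = 0
        # Validate only once both fields have been supplied, and never say
        # which of them was wrong.
        if user_id and password and self._verify(user_id, password):
            result = LogonResult("ok", "Logon accepted.",
                                 state.last_success, tuple(state.failures_since_success))
            state.last_success = now
            state.failures = 0
            state.failures_since_success = []
            self.audit.append((now, user_id, "success"))
            return result
        self._fail(state, now, user_id, "failure")
        if state.failures >= MAX_FAILURES:
            state.delayed_until = now + DELAY
            return LogonResult("delayed", REFUSAL)
        return LogonResult("refused", REFUSAL)

    def _fail(self, state, now, user_id, outcome):
        state.failures += 1
        state.failures_since_success.append(now)
        self.audit.append((now, user_id, outcome))


if __name__ == "__main__":
    # Constructed usage with an in-memory credential store.
    creds = {"jsmith": "Correct7Horse"}
    guard = LogonGuard(lambda u, p: creds.get(u) == p)
    print(guard.banner())
    t = datetime(2014, 3, 31, 9, 0, 0)
    for pw in ("wrong", "wrong", "wrong", "Correct7Horse"):
        r = guard.attempt("jsmith", pw, t)
        print(r.status, r.message)
        t += timedelta(minutes=1)
```

Note that the correct password is still refused while the delay is running, and that a wrong name and a wrong password produce exactly the same result object; the detail of what went wrong lives only in the audit list, which is where an investigator, not the person at the keyboard, should read it.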

8.8 UNATTENDED USER EQUIPMENT

Where possible Trust users will adopt the following guidelines:

Terminate active sessions when finished

Log off corporate systems when finished

Secure PCs (or terminals) by password access when not in active use

In ward and clinic situations it may be necessary to modify these guidelines to suit the operational environment. A ward and clinic policy will be developed in this regard.


8.9 TERMINAL TIME-OUT

Inactive terminals in high risk areas must be timed-out to prevent access by unauthorised persons. The time-out delay will reflect the security risks of the area. For instance, unauthorised access to theatres is much less likely than to wards, where relatives and other members of the public visit. There will be an agreed time period Trust-wide for wards and clinics.

8.10 USE OF SYSTEM UTILITIES

Access to system utilities must be restricted and controlled. There will be:

Password protection for system utilities

Access will only be at the level of System Administrator or above

Segregation of system utilities from applications software

Limitation of use of system utilities to a small number of technically qualified staff

Documentation supporting use of system utilities

8.11 SENSITIVE SYSTEM ISOLATION

Particularly sensitive systems will require isolating from other systems and placing on a separate network; this may be achieved through the use of network LANs or other technology appropriate to the risk level.

8.12 MONITORING SYSTEM ACCESS AND USE

Trust systems must be monitored on a regular basis to detect unauthorised activities. The following measures will be taken:

Audit trails will be maintained. These will be kept for a year to assist any investigations and should show:

Access failures

Allocation and use of accounts with a privileged access capability

Tracking selected transactions

System use will be monitored to ensure that users are only performing processes for which they have been authorised.

Computer clocks will be synchronised to ensure accurate recording in audit logs, such that they can be relied upon for investigative purposes.
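As an added illustration of two requirements above, the logon notice (date and time of the previous successful logon, plus any failed attempts since) and the audit trail that must record access failures on synchronised clocks, the Python below is example code written for this page, not code from any Trust system or product. The audit-log format, the event names (LOGON_OK, LOGON_FAIL, LOGOFF), the users and the terminal names are all constructed assumptions. It parses the log, normalises every timestamp to UTC so that records from hosts in different zones compare correctly, and builds the notice a user would see on logon.

```python
"""Derive the 'previous logon' notice from an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed audit trail, one event per line:
# ISO-8601 timestamp with UTC offset, event type, user, source terminal.
# One record carries a +01:00 offset to show why normalisation matters.
AUDIT_LOG = """\
2014-03-03T08:02:11+00:00 LOGON_OK    jsmith  ward4-pc01
2014-03-03T17:45:02+00:00 LOGOFF      jsmith  ward4-pc01
2014-03-04T07:58:40+00:00 LOGON_FAIL  jsmith  ward4-pc02
2014-03-04T07:59:05+00:00 LOGON_FAIL  jsmith  ward4-pc02
2014-03-04T09:30:00+01:00 LOGON_FAIL  jsmith  clinic-pc07
2014-03-04T08:31:12+00:00 LOGON_OK    jsmith  ward4-pc02
2014-03-04T08:40:00+00:00 LOGON_OK    sysadm  server-console
"""


@dataclass(frozen=True)
class AuditEvent:
    when: datetime   # timezone-aware, always normalised to UTC
    kind: str        # LOGON_OK, LOGON_FAIL, LOGOFF (assumed event names)
    user: str
    terminal: str


def parse_audit_log(text: str) -> List[AuditEvent]:
    """Parse the constructed log format and return events sorted by time (UTC)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, user, terminal = line.split()
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        events.append(AuditEvent(when, kind, user, terminal))
    return sorted(events, key=lambda e: e.when)


@dataclass
class LogonNotice:
    previous_success: Optional[datetime]   # None if no earlier successful logon
    failures_since: List[AuditEvent]       # failed attempts after that logon


def logon_notice(events: List[AuditEvent], user: str, current_logon: datetime) -> LogonNotice:
    """Build the notice for the user's logon that occurred at `current_logon`.

    Only events strictly before `current_logon` are considered: the latest
    LOGON_OK is the previous successful logon, and every LOGON_FAIL after it
    (or every failure on record, if there was no earlier success) is reported.
    """
    earlier = [e for e in events if e.user == user and e.when < current_logon]
    successes = [e for e in earlier if e.kind == "LOGON_OK"]
    previous = successes[-1].when if successes else None
    failures = [e for e in earlier
                if e.kind == "LOGON_FAIL" and (previous is None or e.when > previous)]
    return LogonNotice(previous, failures)


def notice_for_latest_logon(events: List[AuditEvent], user: str) -> LogonNotice:
    """Convenience: the notice for the user's most recent successful logon."""
    successes = [e for e in events if e.user == user and e.kind == "LOGON_OK"]
    if not successes:
        raise ValueError(f"no successful logon on record for {user}")
    return logon_notice(events, user, successes[-1].when)


def format_notice(notice: LogonNotice) -> str:
    """Render the notice as the lines shown to the user after logon."""
    lines = []
    if notice.previous_success is None:
        lines.append("No previous successful logon recorded.")
    else:
        lines.append(f"Last successful logon: {notice.previous_success:%Y-%m-%d %H:%M:%S} UTC")
    if notice.failures_since:
        lines.append(f"{len(notice.failures_since)} failed logon attempt(s) since then:")
        for f in notice.failures_since:
            lines.append(f"  {f.when:%Y-%m-%d %H:%M:%S} UTC from {f.terminal}")
    else:
        lines.append("No failed logon attempts to report.")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    print(format_notice(notice_for_latest_logon(events, "jsmith")))
```

Because the clinic-pc07 failure is logged with a +01:00 offset, comparing raw timestamp strings would place it after the 08:31 UTC logon and it would be silently dropped from the notice; normalising to UTC (the point of synchronised clocks in an audit trail) keeps it in the list of attempts the user is asked to confirm were theirs.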

9. SYSTEM DEVELOPMENT AND INCREMENTAL CHANGES

9.1 SYSTEM DEVELOPMENT OR PROCUREMENT

New systems developed for the Trust, either by in-house developers or by suppliers, must contain specified security features and comply with Information Governance requirements and the HSCIC Statement of Compliance. Security requirements must reflect the business value of the information assets involved and the potential damage to the Trust from a failure or absence of security. Security must be:

Addressed at the requirements, specification and design stages

Defined with clinical or business input as appropriate to the application

Justified, agreed and documented as part of the overall business case for the system.

Matched with requirements when evaluating a software package


Areas to include will be:

Control of access i.e. passwords and security levels

Audit trails of important events

Validation of data input e.g. out-of-range values, invalid characters, missing or incomplete data

Protection from unauthorised disclosure

Compliance with legislative and regulatory requirements

Back-up procedures

Recovery from failures including commit and roll-back procedures

Easy operation of the system by end users with suitable training

Where appropriate, facilities meeting requirements of external auditors

9.2 ACCEPTANCE OF NEW SYSTEMS/MODULES

Acceptance criteria for new systems must be established as part of the procurement or development process.

Criteria for acceptance must be clearly defined, agreed, documented and tested.

Testing should include performance and computer capacity requirements.

Testing should include routine operating procedures (to defined standards).

There must be evidence that installation of the new system will not adversely affect existing systems.

There must be training in the operation or use of new systems.

Error recovery and re-start procedures must be prepared and tested.

9.3 CONTROLS TO PROTECT OPERATIONAL SOFTWARE

The following controls will be applied to operational systems by IT or by staff in charge of departmental systems:

Updating of libraries of operational programs must only be performed by the nominated member(s) of staff.

Executable code should not be implemented on an operational system until evidence of successful testing and user acceptance is obtained, and the corresponding program source libraries have been updated.

An audit log should be maintained of all updates to operational program libraries.

Previous versions of software should be maintained as a contingency measure.

Strict control must be exercised over the implementation of changes. Change control procedures must ensure that:

Security and control procedures are not compromised

Support programmers are given access only to those parts of the system necessary for their work

Formal inter-disciplinary agreement and approval for the change is obtained from clinical, business and technical staff

There is a record of authorisation by these groups to reflect change requests and acceptance

Security controls and integrity procedures are not compromised by the changes

All computer software, data files, database entities and hardware that require amendment are identified

System documentation is updated as a result of the change

Version control is maintained for all updates

An audit log is maintained for all change requests.

9.4 TECHNICAL REVIEW OF OPERATING SYSTEM CHANGES


When new operating systems are released and in time become essential to continued supplier support, the following actions must be taken:

Provide for reviews of operating system changes in the annual development plan for IT and departments running systems

Review application control and integrity procedures to ensure that they have not been compromised by the operating system changes

Ensure testing by User Support to identify any changes for end users or unexpected consequences

Notify users in good time of any changes to be expected.

Offer user training if required. If changes are substantial, plan a whole training programme.

9.5 RESTRICTION OF CHANGES TO SOFTWARE PACKAGES

Wherever possible supplier software packages should be used unmodified. The package most suiting the user requirement should have been purchased. The 80:20 rule may have been applied, but this should mean that users look at their processes and see if they can be modified rather than the package. Unmodified, the package is better supported and more secure. Any essential changes must be strictly controlled. If at all possible Trust departments should consider:

Specifying the change and asking the supplier to carry it out and support it

Obtaining the change in conjunction with other users in a user group

The risks are:

Built-in controls and integrity processes might be modified.

The supplier will not support the modified area of software.

The supplier will deem the support contract as a whole invalid.

If it is absolutely essential then the original software must be retained and the changes applied to a clearly identified copy and fully documented, so that they can be applied if necessary to future software upgrades.

10 BUSINESS CONTINUITY PLANNING

All critical business and management processes must be restored and maintained as quickly as possible following any major disaster or failure of essential services. Identifying and managing risks has been addressed by the Disaster Recovery Policy. The Disaster Recovery Plan will be developed or updated each year to take account of new systems, new technology, legislation and other changes. It will prioritise expenditure as part of a risk management process. The Disaster Recovery Plan will feed into Controls Assurance and MAJAX planning.

11 COMPLIANCE

The Trust must take appropriate action to comply with legislation and the NHS Information Security Code of Practice (April 2007). Due to the increase in computer use and the ambitions for e-government, this has recently become much more extensive. The Trust must also meet its contractual requirements for the NHS Governance – Guidance on Legal & Professional Obligations (September 2007).


11.1 ISO20072 INFORMATION MANAGEMENT SECURITY STANDARD

BS7799 is a national standard and will assist e-government objectives. The requirement for all NHS organisations to achieve ISO20072 accredited status was set out in ‘Building the Information Core – Enabling the NHS Plan’. The Trust will:

Use the standard tool-kit for CRAMM analysis being provided by the NHSIA

Carry out a BS7799 Gap Analysis

Consider obtaining ISO20071 accreditation

11.2 NHSNET SECURITY POLICY

The Trust will comply with the NHS HSCIC Code of Connection. Please see Section 7.1.

11.3 CALDICOTT RECOMMENDATIONS

The aim of the Caldicott Report was to make confidential information as confidential as possible. It identified a number of items by which a person’s identity might be established, i.e. patient identifiable. These include but are not limited to:

Surname, forename, initials, address, postcode, date of birth, other dates (e.g. death, diagnosis), NHS No., N.I. number, local identifier (e.g. CRN), occupation.

The 7 Caldicott Principles are given below.

Principle 1

Justify the purpose. Every proposed use or transfer of personal identifiable information with or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian. Someone in the Trust (Information Security Officer) should be responsible for ensuring that the Trust complies with legal requirements.

Principle 2

Don’t use personal identifiable information unless it is absolutely necessary. Personal identifiable information should not be used unless there is no alternative.

Principle 3

Use the minimum necessary personal identifiable information. Where use of personal identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

Principle 4

Access to person identifiable information should be on a strict need to know basis. Only those individuals who need access to person identifiable information should have access to it, and they should only have access to the information that they need to see.

Principle 5

Everyone should be aware of their responsibilities. Action should be taken to ensure that all staff who handle personal identifiable information are aware of their responsibilities and obligations to respect confidentiality.

Principle 6

Understand and comply with the law. Every use of person identifiable information must be lawful.


Principle 7

The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Caldicott Improvement Plan

The Trust will continue to improve its performance against the 18 Caldicott benchmarks in its annual Improvement Plan.

Data Quality

The Trust will strive to use the NHS Number as a unique identifier in place of other more recognisable data items as much as possible. Aggregate information (e.g. for planning) will contain no identifiable information. Trust information systems will be converted gradually. (Note: most work on the CRN (Casenote Record Number) or individual system numbers, e.g. A&E (a manual number) or pathology (a system generated number).)

Encourage receipt of the NHS Number from GP practices.

Make use of the CSA (formerly the National Strategic Tracing Service) to verify and obtain NHS Numbers.

The Trust enjoys a high percentage of NHS Number in the PAS and will take the following steps to increase its use in the Trust:

Development of high-quality patient demographics file from PAS which will feed many other systems

Population of the pathology system in preparation for GP pathology results

Population of other systems as a planned programme

11.5 MAJAX DISASTER PLANNING

The Trust will maintain its contingency plans within the Disaster Recovery Plan and will feed into Trust wide arrangements for MAJAX.

11.6 SYSTEM AUDITS The Trust will continue to participate in a programme of audits for operational systems. These will be carried out by internal and external auditors, with appropriate support provided by IT and departmental staff e.g. Finance. A three year programme of audit will be agreed and incorporated into the Trust three year plan for submission to the following sub-committees of the Board – Internal Audit Committee and Organisational Risk Committee.

12. MAINTENANCE OF SECURITY POLICY

The nominated Information Governance Manager and Information Security Officer (who may be the same person) will be responsible for ensuring that regular checks are carried out to assess compliance with the procedures set out in this policy. This work will be carried out in close liaison with the Manager of Health Records in particular and other staff with responsibilities for record keeping. Maintenance of Policy is as follows:


A review of all elements contained in this document will be undertaken at intervals not exceeding 2 years. It will capture any strategic changes in systems or services.

Information incidents will be reported using the established Security Incident Reporting system. Monitoring of incidents and provision of regular reporting will be managed through the same process. This will feed into Controls Assurance and Clinical Governance.

An ongoing maintenance system for standards and procedures will be adopted to keep these documents in line with policy directives and legislation.

A regular review of the risk analysis programme will be carried out to assess the ongoing level of risk to manual and computerised records, with due account taken of cost effectiveness and practicality when considering measures to be taken.

The personnel training programme will be regularly reviewed to ensure that material is relevant to changing circumstances, directives and legislation.

An up-to-date knowledge of requirements will be maintained by accessing the national Security and Data Protection programme, and attending the regional forum.

13. AUTHORITY

This policy forms part of the Trust Handbook and is supported by the Chief Executive and Executive Board members.

Author: Robert Howorth, IT Infrastructure Manager

Other Contributors: Sara Ames, Information Governance Manager

Approval and Endorsements: Information Governance Steering Group

Issue No: 6

File Name: Information Security Policy PP(14)060.doc

Supersedes: Security Policy April 2011.doc

Additional Information: Supporting Policies are:

Email & Internet

Safe Haven Policy

Disaster Recovery

Staff Code and Conduct

Security Awareness Policy

Information Sharing Protocols outside the Trust

Data Protection Policy

Freedom of Information Policy

User guides are available for:

Security Policy

Email

Patient leaflets are available for:

Use of Patient Information