Policy Title IT and Information Security Policy

Policy Number OP06

Version Number 4.1

Ratified By Information Governance Assurance Group

Date Ratified 15/05/2018

Effective From 01/09/2019

Author(s) (name and designation) Derek Prudhoe, IT Directory and Security Manager

Sponsor Nick Black, Chief Digital Information Officer

Expiry Date 01/09/2021

Withdrawn Date

Unless this copy has been taken directly from Pandora (the Trust’s SharePoint document management system), there is no assurance that this is the most up-to-date version.

This policy supersedes all previous issues

IT and Information Security Policy v3

Version Control

| Version | Release | Author/Reviewer | Ratified by/Authorised by | Date | Changes (Please identify page no.) |
|---|---|---|---|---|---|
| 1.0 | 20/03/2013 | D Prudhoe | Health Informatics Assurance Committee | 06/03/2013 | Policies OP6a & OP6b merged |
| 2.0 | 04/08/2015 | D Prudhoe | Health Informatics Assurance Committee | 04/03/2015 | Minor edits to remove references to CfH |
| 3.0 | 07/12/2017 | D Prudhoe | Health Informatics Assurance Group | 21/11/2017 | Minor updates – remove references to obsolete equipment. |
| 4.0 | 31/05/2018 | D Prudhoe | Information Governance Assurance Group | 15/05/2018 | 6.7.1 minor update to introduction; 6.7.2 removed reference to Information Security Policy; 6.8.2 (b) removed advice to remove hard drive; 6.8.2 (d) reworded statement on downloading and installing software, added exception for smart devices; 6.8.2 (e) added exception for Apple devices; 6.8.2 (f) added exception for Apple devices; 6.8.2 (i) added new section for Smart Devices security settings; 6.9.3 (a) added additional information for smart devices; 6.10.18 Updated to reflect changed process; 10. updated group name |
| 4.1 | 01/09/2019 | D Prudhoe | Information Governance Assurance Group | 02/04/19 | 6.8.2 – updated to match guidance in OP17 |

Contents

1 Introduction
2 Scope of the IT and Information Security Policy
3 Aim of Policy
4 Duties (Roles and Responsibilities)
5 Definition of Terms
6 IT and Information Security Policy
6.1 Policy Statements
6.2 Keeping Information Secure
6.3 Transfers and Disclosure of Data
6.4 System Security
6.5 Breaches of the policy
6.6 Policy Review and Evaluation
6.7 Remote Access to Gateshead Network from Home
6.8 Mobile Access to Gateshead Network
6.9 Use of Removable Media
6.10
6.11 Legal requirements
7. Training
8. Diversity and Inclusion
9. Monitoring Compliance with the Policy
10. Consultation and Review
11. Implementation of Policy (Including Raising Awareness)
12. Associated documentation
Appendix A - Checklist for Home/Remote Access

IT and Information Security Policy

1 Introduction

1.1 The Need for an IT and Information Security Policy

The data stored in information systems used by the Trust represents an extremely valuable asset. As systems proliferate, and with the increasing reliance of the NHS on information technology for the delivery of healthcare, it becomes necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion.

The increasing need to transmit information across networks of computers renders data more vulnerable to accidental or deliberate unauthorised modification or disclosure. The use of computers in clinical care activities offers advantages to NHS patients if handled securely, but could present serious hazards if security is inadequate.

All NHS organisations need to proactively assess, monitor and manage the risks associated with their IT assets and information services. Indeed, NHS information systems are considered to be key components of the UK’s Critical National Infrastructure.

2 Scope of the IT and Information Security Policy

2.1 This Policy is applicable to all existing and proposed systems and is effective from the date of issue of this policy. The manager responsible for each system must ensure that all risks are identified and all reasonable measures are taken against security breaches. The system administrator for each system will be responsible for ensuring that a current System Specific Security Policy for that system is maintained.

2.2 The value of information, physical assets or processing capability to be protected needs to be estimated and recorded, along with the impact of possible disclosure, inaccuracy, incompleteness or unavailability of that information. The cost of countermeasures should be commensurate with the threats to security, the value of the assets being protected and the impact of security failure.

2.3 The Trust policy is to ensure that IT systems, including computer systems, network components and electronically held data, are adequately protected from a range of threats. The policy and associated guidelines cover all aspects of the environment: IT systems, administration systems, environmental controls, hardware, software, data and networks. It will apply to all stages of the system lifecycle, from feasibility study through to operation.

2.4 The policy applies to:

a) all staff employed by the Trust, and to locums, students and trainees on temporary placements;

b) other individuals and agencies who may gain access to data, such as volunteers, visiting professionals or researchers, and companies providing IT services to the Trust.

2.5 The requirements of the IT Security Policy are mandatory wherever they are applicable.

3 Aim of Policy

3.1 This document defines the IT and Information Security Policy for Gateshead Health NHS Foundation Trust and:
• Sets out the Trust’s policy for the protection of the confidentiality, integrity and availability of IT and Information Systems.
• Establishes the Trust and user responsibilities.
• Provides reference to documentation relevant to this policy.

3.2 The objective of this policy is to ensure the security of the Trust’s IT and Information Systems. The Trust will:
• Ensure Availability: Ensure that the IT systems, administration systems, environmental controls, hardware, software, data and networks are available for users.
• Preserve Integrity: Protect the IT systems, administration systems, environmental controls, hardware, software, data and networks from unauthorised or accidental modification, ensuring the accuracy and completeness of the Trust’s assets.
• Preserve Confidentiality: Protect assets against unauthorised disclosure.

4 Duties (Roles and Responsibilities)

The Trust will take all reasonable steps to ensure that users of IT and Information Systems are aware of acceptable use policies and legal obligations relating to them.

All staff and Non-Executive Directors are obliged to adhere to this policy. It is the responsibility of the individual to ensure that they understand this policy. Managers at all levels are responsible for ensuring that the staff for whom they are responsible are aware of and adhere to this Policy. They are also responsible for ensuring staff are updated in regard to any changes in this Policy.

5 Definition of Terms

5.1 For the purposes of this policy document, IT and Information security is characterised as the preservation of the confidentiality, integrity and availability of Trust information technology and associated systems, where:

a) CONFIDENTIALITY is defined as the restriction of information and assets to authorised individuals;

b) INTEGRITY is defined as the maintenance of information systems and physical assets in their complete and proper form;

c) AVAILABILITY is defined as the continuous or timely access to information, systems or physical assets by authorised individuals.

6 IT and Information Security Policy

6.1 Policy Statements

All managers have a responsibility to ensure that:

• The value of information, physical assets or processing capability to be protected and for which they are responsible is recorded, along with the impact of possible disclosure, inaccuracy, incompleteness or unavailability of that information;
• All systems for which they are responsible are reviewed to identify potential threats to the system, and the likelihood of those threats occurring;
• They implement cost effective controls that are consistent with the business risks and are fit for purpose, to protect information assets from any misuse which could act to the detriment of the Trust or its partners;
• All staff receive training appropriate to their information security needs, and are fully trained in the use of the systems that they are required to operate;
• Staff, contractors and other agencies are fully aware of the Trust’s security requirements and have sufficient resources necessary to meet their obligations to those requirements;
• Business continuity plans are in place to protect the Trust from any threats to its continued provision of healthcare services arising from the effects of major failures of IT systems or other disasters;
• The Trust’s information systems are protected from the threat of viruses and other malicious software;

All staff have a responsibility to ensure that:

• The use of information assets shall be restricted to activities approved by the owner(s) of those assets, but in any case shall not be used for the distribution of obscene, racist or otherwise offensive material;
• They use all proprietary software in accordance with the terms and conditions of the associated licence(s);
• They comply with all legal, regulatory and compliance requirements and regulations that apply to the Trust’s information assets;
• They use data, computer equipment, software and communications facilities in a manner that ensures appropriate security of those assets;
• Their password(s) or other means of authentication for access to computer systems are not compromised;
• They report any incidents or information indicating a breach or suspected breach of security to their immediate supervisor or the IT Security Manager at the earliest opportunity;
• Management shall ensure that the security policy is observed, by themselves and their staff.

6.2 Keeping Information Secure

All paper records/documents containing personal or sensitive information must be stored securely. For example, staff records should be held in a locked filing cabinet or cupboard.

Filing cabinets etc. containing personal data must be locked outside of normal working hours and keys must be held securely by nominated staff.

All electronic data must be stored in secure server areas, not on computer hard drives, laptops or other mobile devices. Removable media should not be used as a permanent or long term storage device.

Any electronic data backed up to media such as CD must be kept physically secure.

Where outside bodies/companies process or hold any of the Trust’s personal data then the Trust must be satisfied that the data is held securely and with due regard to the obligations of the General Data Protection Regulation and Data Protection Act 2018. Where such arrangements are in place a risk assessment should be carried out by the Information Governance Officer to establish compliance with the Act.

6.3 Transfers and Disclosure of Data

Data must not be transmitted or transferred out of the European Economic Area (i.e. the EU member states, Iceland, Norway and Liechtenstein) unless the country they are being transferred to has the same or equivalent standards of Data Protection. This has implications for data placed on the Internet and use of e-mail where servers are based abroad.

If information is required to be transferred abroad then checks must be made to ensure that the data are held securely during transfer and that data recipients apply data protection rules equivalent to those in the UK General Data Protection Regulation and Data Protection Act 2018. Advice on this should be sought from the Information Governance Officer.

For further information regarding the disclosure and safe transfer of personal information please refer to the Records Management Policy (IG05) and the Caldicott and Safe Havens Procedure (IG07).

6.4 System Security

6.4.1 System Owners and Information Asset Administrators

All systems must have a designated ‘owner’. This may be a system administrator or manager or the system may be maintained by the IT department. The designated system owner will be the nominated Information Asset Administrator for the system.

6.4.2 System Specific Security Policy and Risk Assessment

All systems must have a System Specific Security Policy (SSSP) in place in line with the Trust’s standard SSSP document which:
• Identifies the security requirements of the individual system
• Asset security
• User access controls
• Use and sharing of personal data
• Data Quality

The accompanying risk assessment form should also be completed.

6.4.3 Business Continuity plan

All systems must have a Business Continuity Plan (BCP) in place in line with the Trust’s standard BCP document.

The BCP should undergo a documented test at least annually.

6.4.4 User Access Management

The Trust must ensure that access to information is only granted to those who require access in order to perform their duties. Where appropriate, the Trust must employ logical access restrictions. This should be enabled through the provision of tailored menus, which allow access only to those functions required, controlling such rights as read, write, delete and execute.

There must be formal user registration and de-registration procedures for granting access to systems. The procedure must include:
• The formal completion of an access application form, which is endorsed by the user’s immediate line manager and countersigned by an authorised individual within the organisation’s IT department.
• The use of unique user IDs to ensure that users can be linked to and made responsible for their actions.
• Checks that the user has received appropriate authorisation from the system owner and that appropriate management approval has been obtained.
• The provision of written confirmation of access rights to the user and the requirement for users to sign to acknowledge that they understand the conditions of their access.
• Maintenance of a formal record of all users.
• Immediate removal of access rights of users who have left the organisation or changed their role.
• Regular checks against the organisation’s personnel files, to ensure that redundant accounts do not remain live.

The Trust must ensure that the allocation and use of special privileges (the ability to override system or application controls) is restricted and controlled. The allocation of privileges must be controlled through a formal authorisation process and be dependent upon the role of the user. Special privileges, e.g. Administrator rights, must be assigned to a different user identity from those used for normal access.

Access to all critical systems within the Trust must be controlled by password. The allocation of passwords must be controlled through a formal management process, which must:
• Include the requirement of users to sign a statement binding them to keep passwords confidential.
• Ensure that users are required to maintain their own passwords and change them on a regular basis, where password changes are not enforced by the system. Where enforced by the system, the interval between password changes must be a maximum of 60 days.
• Ensure passwords are a minimum of eight characters, use at least 3 of the 4 character types (Upper Case, Lower Case, Number and Symbol) and do not relate to the user or the system being accessed.
• Ensure procedures are in place for the positive identification of users who forget their passwords, prior to temporary ones being issued.

The log-on procedure must not display system or application identifiers until the process has been completed. The system must display a general warning notice to users that unauthorised access is a criminal offence, and where appropriate that information within the system is subject to the requirements of the General Data Protection Regulation and Data Protection Act 2018.

The system owner must regularly review user access rights to maintain effective control over access to data and information services. Access rights for normal users should be reviewed on a six monthly basis and rights of privileged users on a three monthly basis.

The Trust HR department should ensure that all leavers are notified to the IT department and system owners, to ensure the prompt removal of redundant user accounts.

6.4.6 User Responsibilities

All users of organisational information processing facilities are required to follow good security practices in the selection and use of passwords. This will include:
• Keeping passwords confidential, not writing passwords down or sharing them.
• Changing their password immediately they suspect it has been compromised.
• Ensuring that unattended equipment has appropriate protection.
• Not leaving computer terminals unattended whilst connected to the system, ensuring that when a session is finished they log out and that, where available, screen saver passwords are used.

Failure to follow good security practices may lead to disciplinary action being taken against the user. Deliberate sharing of system access passwords is a criminal offence under the Computer Misuse Act 1990.

6.4.7 Access Logs/Audits

Records should be kept by the systems owner of new accounts set up on the systems together with copies of the corresponding signed access forms.

Similarly, the system owner should keep a record of all accounts deactivated which should be cross referenced with HR leavers records in order to ensure that accounts are deactivated in a timely manner when a member of staff leaves the organisation.

Where possible, unsuccessful log-on attempts must be limited to three; all unsuccessful log-on attempts to the system after the third attempt must be recorded.

6.4.8 Security Requirements of New Systems

It is the responsibility of the Information Governance Officer and the IT Security Manager to provide advice on the appropriate security requirements for information systems and best practice for implementation, and where necessary to liaise with partner Organisations to ensure that a coherent approach has been adopted.

A number of system requirements are set out in the IG Systems Checklist.

Individual system owners are responsible for ensuring that appropriate security requirements have been included in system specifications for new systems and system upgrades, and to ensure that all modifications to systems are logged and up to date documentation exists for their systems. The Trust must ensure that statements of business requirements for new systems, or enhancements to existing systems specify the security controls required for that system. Security requirements should be based on the classifications of information assets to be held within the system and take into account relevant legislation and guidance and an appropriate risk assessment.

6.4.9 Security in Application Systems

Application systems should wherever possible validate input to ensure that it is correct and appropriate, and should consider the following controls:
• Out-of-range values and invalid characters.
• Missing or incomplete data.
• Periodic review of the content of key fields or data files to confirm their validity and inspecting hard copy input documents for any unauthorised changes.
• Defining responsibilities of staff involved in the input process.
• Validation checks should be incorporated into the system in order to detect corruption of data that has been correctly input, accidentally or deliberately, during processing.

6.4.10 Security of System Files

All modifications to the system, including changes, updates and servicing of hardware as well as software must be conducted with the security of the overall system in mind.

6.4.11 Security in Development and Support Processes

Changes to systems must be assessed under a formal change control system. This must include an assessment of the change’s impact on existing security. A record of all changes made must be maintained, and must include: the identity of the person making the change, details of the changes made, other systems affected, date and time of the change and test results.

When changes to operating systems are performed, application security should be reviewed to ensure no adverse impact on existing security.

Access to data should wherever practical be limited to anonymised data and must be authorised by the data owner. Copies of data must retain the same levels of security and access controls as the original data. Live data must not be used for testing, training or demonstration purposes.

6.5 Breaches of the policy

Violations of the provisions of the policy will be handled under the Trust’s existing Personnel Policies.

6.6 Policy Review and Evaluation

6.6.1 The policy will be reviewed in response to any changes affecting the basis of the original risk assessment, e.g. significant security incidents, new vulnerabilities or changes to the Trust organisation or technical infrastructure.

There will additionally be an annual review of the following:
a) the policy’s effectiveness, demonstrated by the nature, number and impact of recorded security incidents;
b) cost and impact of controls on business efficiency;
c) effects of changes to technology.

6.7 Remote Access to Gateshead Network from Home

6.7.1 Teleworking

Introduction

In exceptional circumstances the Trust may allow remote access to critical systems from home for suitable members of staff. By using remote access, many organisations allow staff to perform duties from home that they would otherwise carry out in an office-based environment. This can bring significant benefits to both the Trust and its staff. Examples of these benefits include:
a) flexibility for staff (particularly those with young children);
b) improvements in productivity and staff morale;
c) reductions in travel time and cost;
d) more effective use of office space.

Teleworking i.e. home access to the Trust network, uses communications technology to enable staff to work remotely from a fixed location outside of the Trust. Suitable protection of the teleworking site should be in place against, for example, the theft of equipment and information, the unauthorised disclosure of information, unauthorised remote access to the Trust’s internal systems or misuse of facilities. It is important that teleworking is both authorised and controlled by management, and that suitable arrangements are in place for this way of working.

Procedures and Standards

Procedures and standards to control teleworking activities must be in place. Management should only authorise teleworking activities if they are satisfied that appropriate security arrangements and controls are in place and that these comply with the Trust’s IT Security Policy and IT Security Guidelines. The following should be considered:
a) the existing physical security of the teleworking site, taking into account the physical security of the building and the local environment;
b) the proposed teleworking environment;
c) the communications security requirements, taking into account the need for remote access to the Trust’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal system;
d) the threat of unauthorised access to information or resources from other people using the accommodation, e.g. family and friends.

Controls

The controls and arrangements to be considered include:

a) the provision of suitable equipment and storage furniture for the teleworking activities;
b) a definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorised to access;
c) the provision of suitable communication equipment, including methods for securing remote access;
d) physical security of the location housing the equipment;
e) rules and guidance on family and visitor access to equipment and information;
f) the provision of hardware and software support and maintenance;
g) the procedures for back-up and business continuity;
h) audit and security monitoring;
i) revocation of authority, access rights and the return of equipment when the teleworking activities cease.

6.7.2 PC Systems

Minimum Specification

Any PC system used for Teleworking must meet the Trust standards for:
a) Anti virus (AV) protection – the PC must be protected using current Trust virus protection software, or other software approved by the IT Security Manager. In all cases the AV software must be the current version and must be updated with the latest DAT files;
b) Acceptable use of e-mail and the Internet (see the Trust E-mail, Internet and Intranet Acceptable Use Policy);
c) Management of patient-identifiable information;
d) Management of other confidential information;
e) Securing the Trust’s information and ensuring data integrity. To this end, software must be installed on any PC holding personal identifiable information or other information of a confidential nature.

6.7.3 Request for Home Access

Request for Access

All requests for home access to the Trust network must be directed to the IT Department and be accompanied by a completed checklist (see Appendix A).

Any request for access must be signed off by the line manager of the member of staff. They must be aware of the considerations laid down in this policy and ensure that the person requesting access is also aware of these.

The IT Services Department will use the information provided to assess suitability for the provision of a home connection, and the most appropriate technology to be used for that connection.

Approval

If the request is approved, the IT Services Department will complete the checklist by specifying the connection technology and equipment required. The costs for the provision of service will also be given.

NB: All costs associated with the provision and operation of a home connection will be the responsibility of the requesting Department/Directorate.

6.8 Mobile Access to Gateshead Network

6.8.1 Introduction

This section comprises the IT Security policy for Mobile Computer systems. Mobile Computers are defined as Laptop and Notebook computers and Smart Devices. The security of Smart Devices which are capable of storing and transferring files is also detailed in the Removable Media section.

6.8.2 Security Measures

a) Personnel Security

Only authorised staff may access and use Mobile Computer Systems. Reasonable personal use is permitted provided this does not interfere with the performance of your duties. Persons accessing data and using it for medical purposes should afford all material stored and processed on these systems adequate protection.

b) Physical/Hardware Security

The following guidelines should always be adhered to by the user of the Mobile Computer:
• Treat the Mobile Computer as if it is your own property.
• The Mobile Computer must be securely locked away when not in use.
• The Mobile Computer is the responsibility of the member of staff who is using it at all times.
• If you have and use a Mobile Computer security cable, keep one key with you and the other in a secure separate location.
• Do not leave the Mobile Computer unattended in a public place e.g. car park.
• Do not leave your Strong Authentication token (if applicable) in the same location as the Mobile Computer.
• Do not keep password details in the same location as the Mobile Computer.
• Avoid leaving the Mobile Computer within sight of ground floor windows or within easy access of external doors.

c) Strong Authentication

Remote access to Gateshead Health Foundation Trust network must always be strongly authenticated.

It is considered best practice for two-factor authentication to be used when controlling access to a Remote Access Virtual Private Network (VPN).

Where remote access to the Trust network is approved, the IT Department will provide the appropriate means to connect to the network using two-factor authentication.

All requests for access to the Trust network on a mobile computer must be directed to the IT Services Department and be accompanied by a completed checklist (see Appendix A).

Any request for access must be signed off by the line manager of the member of staff. They must be aware of the considerations laid down in this policy and ensure that the person requesting access is also aware of these.

The IT Services Department will use the information provided to assess suitability for the provision of a home connection, and the most appropriate technology to be used for that connection.

If the request is approved, the IT Services Department will specify the connection technology and equipment required. The costs for the provision of service will also be given. All costs associated with the provision and operation of remote access will be the responsibility of the requesting Department/Directorate.

d) Software Security

Mobile users are not authorised to load any software onto the Mobile Computer system. Software must not be downloaded from the Internet and must not be loaded onto systems. Software must be installed by the IT Department.

It is recognised that it is currently not possible to prevent ‘apps’ being installed on Smart devices. Apps may only be installed on Smart devices for business purposes. Smart devices will be monitored by the IT Department using the Mobile Device Management system. If any inappropriate apps are found on Smart devices they will be removed.

Software obtained illegally will not be loaded onto Mobile Computer Systems.

e) Virus Control

The Mobile Computer System must have an Anti-Virus software package installed. Users are not to alter the configuration of this package unless express permission has been obtained from the IT Security Manager. The anti-virus system’s database of virus definitions must be updated on a regular basis. Where Anti-Virus cannot be installed e.g. Apple Smart devices, users must ensure that the latest operating system available for their device is installed.

If a virus is discovered the following actions must be carried out:
a. Turn the Computer off.
b. Place a label over the switch and floppy drive stating that the machine has a virus infection and should not be used.
c. Isolate any removable media that has been used on that machine.
d. Inform the IT Security Manager.

f) Security of Data

• Password Security

Password Security is the responsibility of the individual. Passwords should be formulated in such a way that they are easily remembered but difficult to guess and should be formulated using letters (upper and lower case), figures and other characters. Passwords must consist of a minimum of 8 characters. Passwords must not be shared amongst users. Passwords must not be written down. Passwords should not relate to the system or the user. Passwords must be changed regularly, at intervals not exceeding 60 days.

• Hardware Security

Standard operating system password protection is very limited. The following measures should be taken before the Mobile Computer is taken off site.
• The Trust encryption software package must be used to provide protection to the data if the machine is lost or stolen.
• The use of other third party software applications to protect both the system and the data contained on it should be considered.

g) Internet/e-mail

The Mobile Computer has been provided by the organisation for use off site. It should be noted that the Internet is an uncontrolled, unmanaged and largely unsupported global network. It is a source of much valuable information, not least in the area of Healthcare; however, it is also an unrestricted source of much illegal and illicit material. Additionally, it has a large recreational attraction.
• No illicit or illegal material will be viewed, downloaded or obtained via the Internet or E-mail.
• Any material downloaded must be automatically virus checked immediately by the Mobile Computer’s anti-virus software. For smart devices detailed in 6.8.2 (e), it is recognised that at present apps downloaded from the Apple app store are virus free.
• The user will make their system available at any time for audit by the local IT Department.
• Breaches of security, abuse of service or non-compliance with the Trust Code of Connection may result in the withdrawal of all network services including internet and E-mail.

h) Maintenance

Maintenance is to be controlled by the IT Department Desktop Support team in conjunction with the IT Security Manager.

All equipment that requires repair or maintenance must be returned to the IT Department.

If the hard disk has failed and the maintenance engineer is required to replace it with a new device then the old hard disk must be disposed of in a secure manner so that it is impossible to recover any data from it.

If the hardware is returned to the supplier for repair it must have patient sensitive/confidential information removed from it in a manner whereby the data cannot be recovered. A note of all serial numbers should be taken including the hard disk. If the hard disk is irreparable the old hard disk must be returned for destruction.

i) Smart Device Controls

It is recognised that Smart Devices may not be capable of meeting the standard security controls detailed in this policy. The minimum security to be enforced on Smart Devices is as follows.

• Minimum passcode length of 6 characters
• Maximum passcode age of 60 days
• Device locks automatically after 10 minutes inactivity
• Maximum number of failed passcode attempts before device is wiped of 7
• Facetime access removed
• Screen capture disabled
• Siri (or equivalent) disabled
• Document sync to cloud disabled
• Photo Stream disabled
• Diagnostic data sending disabled
• Access to removable storage on device (e.g. SD Card) disabled

Security settings for Smart Devices used specifically for clinical applications may be considered and approved separately.

6.8.3 Losses and Confidentiality/Security breaches

Incidents that constitute a Loss of Hardware or Data, which could potentially lead to a breach of personal identifiable information are to be reported directly to the IT Security Manager. The IT Security Manager will instigate investigation procedures to try and establish the nature and potential threat of the incident.

Incidents could involve:
a. Loss of Hardware.
b. Loss of Software/Data.
c. Virus attack.
d. Unauthorised access.
e. Misuse of System/Privileges.

6.8.4 Accounting and Audit

The software and information held on Mobile Computer Systems is subject to the same audit procedures as the Trust Computer Systems. This also covers information and data stored on removable media.

6.9 Use of Removable Media

6.9.1 Introduction

a) Purpose

The purpose of this section is to define the security standards that removable media deployed on networks and computer systems connected to Gateshead Health NHS Foundation Trust network must meet.

b) Scope

This section deals with media handling requirements to secure Gateshead Health NHS Foundation Trust network boundaries, internal and external.

c) Objectives

This section aims to provide security guidance to Gateshead Health NHS Foundation Trust staff to ensure that the risks associated with the use of removable media and networks are subject to the appropriate level of security controls to prevent damage to assets and interruptions to business activities.

6.9.2 Overview

a) What is Removable Media

Removable media can be classified as any portable device which can be used to store and/or move data. Media devices traditionally can come in various shapes and forms: Universal Serial Bus (USB) memory sticks, Secure Digital (SD) cards, floppy disks, read/write compact disks (CD), magnetic tapes and cassettes, Bluetooth capable devices, Smart Devices, Personal Digital Assistants (PDAs), portable music players, and any other devices you can copy/save/write data to which can then be taken away and restored on another computer or network.

b) What are the threats associated with Removable Media

Disclosure of confidential data could occur if removable media fell into the wrong hands. Most forms of removable media require no form of authentication or configuration to install or use. USB memory sticks tend to make use of “plug and play” technologies to get up and running and generally do not require any administrator privileges to install. Computer users are able to save vast amounts of data onto these high capacity media devices and can very easily transport data and, possibly unwittingly, “malware” between PC systems and associated networks. Users need to be educated with regard to the possible virus issues that removable media brings to the Trust network and computers, so as to manage the risk.

6.9.3 Requirements

a) Management of removable computer media

The following controls have been implemented, so as to prevent damage, theft or unauthorised access to NHS data:
• Only NHS owned and managed media should be used with NHS equipment and networks. No personal or non-NHS removable media should be used.
• The Trust Removable Media encryption software will ensure all devices are encrypted. Where this is not possible the device should have alternative encryption capabilities. Smart devices must have their encryption enabled by the Mobile Device Management software and users must not be able to remove the encryption.
• All USB memory devices will be encrypted prior to being issued.
• Any data written to CD will be automatically encrypted by the Trust removable Media software.
• Patient Identifiable Information must be protected by encryption using the NHS Digital recommended algorithm with the correct bit strength when stored on electronic removable media. The Trust removable media software will be configured to ensure encryption meets the requirements. This information should only be saved on such media if there is a business need to do so.
• Any device which is capable of having a power-on password should have this enabled.
• All devices must be encrypted.
• If the media is no longer required by the organisation, the previous contents of any re-usable media that are to be removed should be forensically erased. The erasure must operate across the totality of the media. The IT Security Manager can advise on how this can be carried out. Careless disposal of media could enable confidential information to fall into unauthorised hands.
• Authorisation to remove media from the Trust should be required prior to its removal. A record should be made of such removals to maintain an audit trail. Any routine removals, such as off-site backup storage, should be documented in the local Security Policy.
• All media should be stored in a safe, secure environment in line with the manufacturer’s recommendations. Media safes, with appropriate fire resistance, should be used for business critical data.
• “On Access” anti-virus scanner controls should be configured on servers and workstations to check for removable media devices. Rather than scanning whole systems, on-access scanners scan files and other objects, such as removable media and their associated drives, when they are accessed. Access is not allowed to such objects until they have been checked by the scanner.
• Any removable media which relies on an operating system, e.g. iPads, should be connected to the Trust network or returned to the IT Department on a regular basis to check for updates required. The time interval for these checks should not exceed 6 months. Any devices not seen in this timeframe will be recalled for checking. All staff who are issued this type of device are to be made aware of this requirement.

6.9.4 Legal Requirements

a) General Data Protection Regulation and Data Protection Act 2018

The General Data Protection Regulation and Data Protection Act 2018 give guidelines that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Given the speed at which removable media is being developed or enhanced, organisations must therefore have the capability to deal with their introduction into the working environment i.e. change control.

The Office of the Information Commissioner has clearly stated that organisations are responsible for information that is held not only on equipment held by them, but also on personal equipment that they know is being used by their staff. The use of mobile phones with picture capability has been reported in the press within the NHS with examples of equipment purchased by the organisation and where individuals have used their own personal equipment.

This therefore poses clear legal issues as well as fundamental records management issues which are likely to impact on Trust equipment as part of the resolution.

6.10 Network Security

6.10.1 Introduction

This section defines the Network Security Policy for Gateshead Health Foundation NHS Trust. The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network.

This section:
a. Sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network.
b. Establishes the security responsibilities for network security.
c. Provides reference to documentation relevant to this policy.

6.10.2 Aim

The aim of this policy is to ensure the security of Gateshead Health Foundation NHS Trust's network. By doing this the Trust will:

a. Ensure Availability
b. Ensure that the network is for users.
c. Preserve Integrity
d. Protect the network from unauthorised or accidental modification ensuring the accuracy and completeness of the organisation's assets.
e. Preserve Confidentiality
f. Protect assets against unauthorised disclosure.

6.10.3 Network definition

The network is a collection of communication equipment such as servers, computers, printers, and routers which are connected together by cables. The network is created to share data, software, and peripherals such as printers, Internet connections, CD-ROM and tape drives, hard disks and other data storage equipment.

6.10.4 Scope

This applies to all networks within Gateshead Health Foundation NHS Trust used for:

a. The storage, sharing and transmission of non-clinical data and images
b. The storage, sharing and transmission of clinical data and images
c. Printing or scanning non-clinical or clinical data or images
d. The provision of Internet systems for receiving, sending and storing non-clinical or clinical data or images

6.10.5 The Network Security Policy

The overall Network Security Policy for Gateshead Health NHS Foundation Trust is described below:

The Gateshead Health NHS Foundation Trust information network will be available when needed, can be accessed only by legitimate users and will contain complete and accurate information. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, Gateshead Health NHS Foundation Trust will:

a. Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
b. Provide both effective and cost-effective protection that is commensurate with the risks to its network assets.
c. Implement the Network Security Policy in a consistent, timely and cost effective manner.

6.10.6 Physical and Environmental Security

a. Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.
b. Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.
c. Critical or sensitive network equipment will be protected from power supply failures.
d. Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.
e. All visitors to secure network areas must be authorised by the Infrastructure Manager.
f. All visitors to secure network areas must be made aware of network security requirements.
g. All visitors to secure network areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out.
h. The Infrastructure Manager will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted, when necessary.

6.10.7 Access Control to Secure Network Areas

Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. The Infrastructure Manager will maintain and periodically review a list of those with unsupervised access.

6.10.8 Access Control to the Network

a. Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will conform to the Remote Access section of this Policy (para 3).
b. There must be a formal, documented user registration and de-registration procedure for access to the network.
c. Departmental managers must approve user access.
d. Access rights to the network will be allocated on the requirements of the user's job, rather than on a status basis.
e. Security privileges (i.e. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's job, rather than on a status basis.
f. Access will not be granted until the IT Department registers a user.
g. All users to the network will have their own individual user identification and password.
h. Users are responsible for ensuring their password is kept secret (see User Responsibilities).
i. User access rights will be immediately removed or reviewed for those users who have left the Trust or changed jobs.

6.10.9 Third Party Access Control to the Network

a. Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions.
b. All third party access to the network must be logged.

6.10.10 External Network Connections

a. Ensure that all connections to external networks and systems have documented and approved System Security Policies.
b. Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance.
c. The IT Directory & Security Manager and Infrastructure Manager must approve all connections to external networks and systems before they commence operation.

6.10.11 Maintenance Contracts

The Infrastructure Manager will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the IT Department's Configuration Management database.

6.10.12 Data and Software Exchange

Formal agreements for the exchange of data and software between organisations must be established and approved by the IT Directory & Security Manager.

6.10.13 Fault Logging

The Infrastructure Manager is responsible for ensuring that a log of all faults on the network is maintained and reviewed. This log will be maintained in the IT Department Service Desk application. A written procedure to report faults and review countermeasures will be produced.

6.10.14 Network Operating Procedures

a. Documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation.
b. Changes to operating procedures must be authorised by the IT Department Change Advisory Board.

6.10.15 Data Backup and Restoration

a. The Infrastructure Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.
b. Documented procedures for the backup process and storage of backup media will be produced and communicated to all relevant staff.
c. All backup media will be stored securely and in a separate fire zone to the equipment or system to which it relates.
d. Documented procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff.

6.10.16 User Responsibilities, Awareness & Training

a. The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.
b. All users of the network must be made aware of the contents and implications of the Network Security Policy.
c. Irresponsible or improper actions by users may result in disciplinary action(s).

6.10.17 Malicious Software

The network must be protected from viruses and other malicious software through use of measures including firewall, anti-virus and email filters (email filters are part of the NHSMail system. The Trust has no control over any settings in the email filter).

6.10.18 Secure Disposal or Re-use of Equipment

a. Equipment must be disposed of using the contracted secure disposal company. The IT Department manages all items to be disposed of via this company.
b. The IT Department must ensure that evidence of secure disposal provided by the disposal company is retained as evidence.
c. Ensure that where equipment is to be removed from the premises for repair, where possible, data is securely overwritten. If this is not possible the hard drive etc. should be removed and where necessary destroyed.

6.10.19 System Change Control

a. All changes to any aspect of the network (configuration, equipment, operation etc) are controlled through the IT Department Change Advisory Board. The Infrastructure Manager is responsible for updating all relevant Network Security Policies, design documentation and network operating procedures.
b. The IT Directory & Security Manager may require checks on, or an assessment of the actual implementation based on the proposed changes.
c. The IT Directory & Security Manager is responsible for ensuring that selected hardware or software meets agreed security standards.

6.10.20 Reporting Security Incidents & Weaknesses

All potential security breaches must be investigated and reported to the IT Directory & Security Manager. Security incidents and weaknesses must be reported in accordance with the requirements of the organisation's incident reporting procedure, including where appropriate in the Datix incident logging system, or if individuals are involved, the Personnel Department.

6.10.21 System Configuration Management

The network configuration will be documented and all devices and systems managed through the IT Department Service Desk Configuration Management Database.

6.10.22 Business Continuity & Disaster Recovery Plans

Ensure that business continuity plans and disaster recovery plans are produced for the network.

6.10.23 Security Responsibilities

a. The Chief Executive has delegated the overall security responsibility for security, policy and implementation to the Head of IT.
b. Responsibility for implementing this policy within the context of IT systems development and use in the organisation is delegated further to the IT Directory & Security Manager.

6.10.24 Guidelines

Detailed advice on how to determine and implement an appropriate level of security is available from the IT Directory & Security Manager.

6.11 Legal requirements

Users of all systems must comply with current legislation regarding the use and retention of Patient information and use of computer systems. These include, but are not limited to:

a. General Data Protection Regulation and Data Protection Act 2018.
b. Access to Health Records Act, 1990.
c. The Copyright, Designs and Patents Act, 1988.
d. The Computer Misuse Act, 1990.
e. The Human Rights Act 1998
f. Electronic Communications Act 2000
g. Regulation of Investigatory Powers Act 2000
h. Freedom of Information Act 2000
i. Health & Social Care Act 2001

7. Training

Training for the use of Trust IT equipment/systems is carried out by the relevant teams. Information Security Training is carried out by the Information Governance team.

8. Diversity and Inclusion

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat staff reflects their individual needs and does not unlawfully discriminate against individuals or groups on the grounds of any protected characteristic (Equality Act 2010). This policy aims to uphold the right of all staff to be treated fairly and consistently and adopts a human rights approach. This policy has been appropriately assessed.

9. Monitoring Compliance with the Policy

Standard/process/issue: Policy Compliance
Monitoring and audit method: Review of Datix incidents
By / Committee: Confidentiality and Data Protection Group
Frequency: Monthly

Standard/process/issue: Service desk Incidents
Monitoring and audit method: Assigned to IT Directory Services Team
By / Committee: Directory Services Team
Frequency: When reported

Standard/process/issue: Smart Device Compliance
Monitoring and audit method: Assigned to IT System Support Team
By / Committee: IT System Support Team
Frequency: Monthly

10. Consultation and Review

Information Governance Assurance Group

11. Implementation of Policy (Including Raising Awareness)

This Policy will be published as per normal policies and circulated as per standard. This Policy will be available at all the Trust’s designated locations.

12. Associated documentation

OP17 Internet, Intranet and Email Acceptable Use Policy
OP58 Anti Virus Policy
IG05 Records Management Policy
IG06 Confidentiality & DP Policy
IG07 Caldicott and Safe Havens Procedure

Appendix A - Checklist for Home/Remote Access

In order to be able to have access you must have the following –
• For anything other than access to email only, a Trust Laptop with wireless and pointsec encryption installed.
• For working at home, a broadband internet connection with a wireless router.
• Authorisation from your Head of Service or Head of Department.

Please complete the following checklist -

Do you have equipment as detailed above? Yes/No
Does your position require you to provide on-call services which use IT systems? Yes/No
What does your position require you to be able to access? Email □ Email + Office Applications □
Do you frequently work away from the Trust in locations other than home which requires access to the Trust IT systems? Yes/No
Do you frequently do work from home which requires access to the Trust IT systems? Yes/No
Does your position require you to be able to access Trust IT systems from home in order to respond to emergency situations? Yes/No
If home working will be a regular occurrence, has advice been sought from the Occupational Health department? Yes/No

Any further requirements: ……………………………………………………………………………………………………………………………………………………………… ……………………………………………………………………………………………………………………………………………………

I have read and understand the IT Security and Information Security Policies and agree to abide by them and the Trust’s Internet, Intranet and E-mail Acceptable Use Policies while using a remote connection. I also agree to ensure that, if dealing with Personal Identifiable Information I will deal with it and protect it in accordance with all relevant Trust Policies and Procedures.

First Name: ...... Surname: ...... Department: ......

Authorised by Head of Service or Head of Department: I confirm that the above member of staff has a requirement for home/remote access to the Trust network and that the procedures, standards and controls contained within the IT Security Policy have been considered and adhered to. I also confirm that they have read and understood the relevant trust policies and in particular the IT Security Policy, Information Security Policy and the Internet, Intranet and E-mail acceptable use policies.

Name ……………………………………………………………………………… Job Title ……………………………………………………………………………... Signature …………..………………………………………………………………..... Date ………………….…………………………………………………………..

For IT Services Department use
Request for access approved? Yes/No
Technology recommended:
Equipment Required:
