Generic Security Policy


SECURITY POLICY

FOR

DR BOLT AND PARTNERS MCKENZIE HOUSE & THROSTON MEDICAL CENTRE

D:\Docs\2018-04-13\0f84c07336f9c35c0e619691423d6d61.doc Dr Bolt & Partners Security Policy

TABLE OF CONTENTS

1 POLICY OBJECTIVES

2 SCOPE

3 RESPONSIBILITY FOR SECURITY

4 KEEPING WITHIN THE LAW

5 PERSONNEL SECURITY

6 EQUIPMENT SECURITY

7 TECHNICAL SECURITY

8 BACK UP PROCEDURES

9 RECOVERY FROM FAILURE

10 DATA TRANSMISSION

11 PORTABLE COMPUTERS

12 DATA IMPORT/EXPORT AND DISPOSAL

13 PROCUREMENT

14 SECURITY ADMINISTRATION


FOREWORD

Security is the responsibility of everyone who uses the information systems within the practice. This includes all the doctors, all employed staff, and any attached staff who may be allowed access to the system.

All personnel should make themselves aware of the contents of the security policy and adhere to those parts of the policy that cover their areas of work.

An abridged version of the policy is also available to staff and a booklet printed by the NHS Information Authority “Play IT Safe” also contains useful Do’s and Don’ts relating to security and confidentiality in an easy to understand format.

Signed ...... Date ......


(Senior Partner)


1 POLICY OBJECTIVES

The objectives of this policy are to establish and maintain both the physical and information security of the practice, including patient confidentiality, by:

a. Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other documents.

b. Describing the principles of security and explaining how they shall be implemented at the Practice.

c. Introducing a consistent approach to security and ensuring that all members of staff understand their own responsibilities.

d. Creating and maintaining within the Practice a level of awareness of the need for Information Security as an integral part of the day to day business.

2 SCOPE

This Information Systems Security Policy shall apply to:

- All computerised information systems under the direct control of the Practice.

- All employees and agents of the Practice.

- All employees and agents of other organisations who directly or indirectly make use of or support the use of information systems under the direct control of the Practice.

As stated, this Information System Security policy is aimed specifically at computerised information systems but it should be read in conjunction with the other policies in force on confidentiality, physical security and quality as well as the more specific information system security policies which govern the use of particular systems.


3 RESPONSIBILITY FOR SECURITY

3.1 Overall responsibility for security rests with the partners of the practice, but on a day-to-day basis will be delegated to the Practice Manager acting as Security Manager. The Security Manager may in turn delegate some responsibility to the System Administrator (Assistant Practice Manager). All staff are to comply with the requirement to maintain security and patient confidentiality and failure to do so may be regarded as grounds for dismissal.

3.2 This Information System Security Policy shall be maintained, reviewed and updated as directed by the Security Manager in accordance with the risk management strategy of the Practice.

3.3 Each user shall be responsible for the operational security of those parts of the computerised information systems that they directly use.

3.4 Each individual user of any part of the Practice’s information system is responsible for complying with the security requirements which may be in force, and for striving to ensure that the confidentiality, integrity and availability of the Practice’s information system are preserved to the highest standard.

3.5 Contracts with external organisations who access the Practice information systems should be in existence before such use is exercised. These contracts shall dictate that the staff of the external organisation shall comply with all appropriate security policies.

4 KEEPING WITHIN THE LAW

4.1 The Practice is obliged to abide by all relevant UK legislation and other relevant legislation from the European Union. This requirement devolves to the employees and agents of the Practice who may be held personally responsible for any breaches.

4.2 The Patients’ Charter identifies “the right to have access to your health records” and the Data Protection Act 1984 and 1998 and the Access to Health Records Act (1990), with some exceptions, entitle individuals to a copy of computerised information held about them. Patients do not have to give reasons for seeking access.

4.3 There is specific guidance on access to records sought in connection with legal proceedings.

4.4 The Data Protection Act 1984. This has been superseded by the 1998 Act, which covers both computer and manual records, but the same principles still apply.

The provisions of this Act relate to all personal data of living persons.

a. Fair and Lawful obtaining of data. No patient should be misled about the uses, potential or real, which may be made of the information they provide. Further guidance is available from the Data Protection Commissioner’s office in a (free) booklet.

b. Purpose of Information.

The Register Entry for the Practice, which is held by the Data Protection Commissioner in accordance with the Act, contains particulars of personal data held by the Practice for six purposes. These are:

- Provision of healthcare;

- Healthcare administration;

- Ancillary and support functions;

- Personnel/employee administration;

- Research and statistical analysis;

- Work planning and management.

These are the only purposes for which the Practice may store and process personal data and are subject to certain constraints under one or more of the other principles of the Act. If any staff member is uncertain of the legality of storing or processing particular data items they shall request information from the Security Manager.

c. Use or Disclosure of Information.

Information stored in any system shall be used and disclosed only in accordance with the Register Entry. Any breach of this principle may lead to prosecution of an individual.

d. Limits of Stored Information.

Consideration must be given to the adequacy and relevancy of information. It must be adequate for the purpose for which it is held but it must not be excessive.

e. Accuracy.

All reasonable steps must be taken to ensure that data is accurately captured and input to the system. In particular it must be updated to reflect the current situation.

f. Timeliness.

Information must not be kept longer than it is needed. This requires an adequate and efficient archiving strategy for each type of personal record on the system. The Security Manager is responsible for devising and implementing such a strategy.

g. Information Correction.

Patients have the right to be informed, at reasonable intervals, of the data held by the Practice unless, in the opinion of the appropriate Health Professional, it would be likely to cause serious harm to the patient or to identify a third party who has not consented and is not a Health Professional. If appropriate the patient can require relevant corrections to the data held. It is the responsibility of each user to advise the Security Manager of the appropriate action to be taken in response to each subject access request.

h. Security.

Appropriate security measures must be taken against unauthorised access to, alteration, disclosure or destruction of personal data as well as against accidental loss or destruction. The Security Manager shall be responsible for ensuring those physical security mechanisms and procedures are appropriate and adequate.

4.3 Copyright, Designs and Patents Act 1988.

a. All computer software used on any computerised information system at the Practice must be properly licensed. The Practice may be prosecuted if illegally copied software is found to be resident on any one of the information systems in use including laptop computers etc. used outside the normal boundaries of the Practice.

b. The Security Manager shall be responsible for conducting software audits at periodical intervals to ensure that all software has been properly procured and licensed. A checklist is enclosed in Appendix A.

c. No member of staff should copy software illegally, nor introduce illegally copied or any other unauthorised software into any part of the total information system, nor knowingly use illegally copied software. Any person who does shall be subject, upon discovery, to severe disciplinary action.

4.4 The Computer Misuse Act 1990.

a. The purpose of this legislation is to ease the prosecution of persons who access systems when they are unauthorised to do so.

b. In order to ensure that all members of staff understand the seriousness of accessing parts of the system(s) to which they have not been given access rights, notice is hereby given that the Practice intends to pursue prosecution of those who set out deliberately to try to extend their legitimate scope of access for unauthorised purposes.

4.5 Health and Safety at Work Act (1992).

Computers should be used in a manner that does not affect the user’s health. More information is given in the practice’s Health and Safety Procedures document.


5 PERSONNEL SECURITY

5.1 Staff are reminded that they have signed a contract of employment with the Practice. This includes reference to the need to maintain a high standard of confidentiality. Disclosure or misuse of personal data will be treated as a serious disciplinary offence, which may result in dismissal. Non-employed users are bound by the same standards of confidentiality.

5.2 The Security Manager shall always check previous work references of all new employees. However, this does not guarantee that everyone has behaved impeccably during his or her previous employment. The Security Manager should ensure a thorough check is carried out.

5.3 It is the responsibility of each member of staff to be aware of the full nature of their responsibilities and in particular the limits of those responsibilities. This is best achieved through discussion with the Security Manager who should then document the results. Ideally, where appropriate, members of staff shall have a current written job description.

5.4 It is the intention of the Practice that all members of staff should receive appropriate training to enable them to carry out their work efficiently. It is the responsibility of the Security Manager, in conjunction with the users themselves, to ensure that everyone who uses an information system is competent to do so, appreciates the importance of providing correct information and fully understands the status of the output received.

5.5 In order to support efficient and knowledgeable working practices, each member of staff should have, or have access to, appropriate documentation. However, it must be recognised that such documentation may also be of help to someone who may wish to attempt to gain unauthorised access to the system, and it should, therefore, be held securely at all times.

5.6 If any user becomes aware of errors, which apparently have been made by the information system, it is important that they formally report the errors to the Security Manager. The seriousness of the error is not the main issue. Even minor errors may be symptomatic of a deeper and much more serious issue.

5.7 The Security Manager regards the preservation of the security of the information systems as of vital importance. A breach in security shall be properly investigated and, where appropriate, disciplinary action shall be taken. If appropriate the Health Authority may be informed and involved in the investigation of the security breach.

6 EQUIPMENT SECURITY

6.1 The responsibility for physical security throughout the Practice rests with the Security Manager. The opportunity is taken here to emphasise those aspects of physical security which impinge on the security of IT systems.

One or more of the following should be used to protect computer equipment:

- building alarm

- security lighting

- window locks and bolts

- window blinds and/or have equipment sited away from window

- security marking on equipment

- locked room housing main fileserver

6.2 Access Control.

a. All terminals and other computer equipment shall, wherever possible and practical, be located in rooms where windows and doors can be, and shall be, locked when staff are not present. In administrative areas which patients and other members of the public normally have cause to enter, access shall be controlled.

b. If equipment cannot be located within a room as described above, it shall be located, wherever possible and practical, in an area which is always supervised and where patients and other members of the public have no cause to enter unless invited by a member of staff.

c. Equipment which, through force of necessity must be located in an area to which the general public have open access and which may be unsupervised for prolonged intervals, shall be physically protected against opportunistic theft. In addition, technical access to such machines shall require the use of a physical token as well as a password.

d. All portable equipment shall be clearly and indelibly marked to indicate that it is the property of the Practice. Where possible and practical such equipment shall be locked away when not in use.

e. Portable equipment shall not be removed from the Practice’s premises without written authority from the Security Manager. This will be granted only on the understanding that:

- The employee/doctor assumes full responsibility and liability for any loss or damage, however caused;

- No item of equipment is left in an unattended vehicle;

- Equipment will only be used for bona fide Practice business;

- Equipment will only be used by Practice employees;

- Equipment is not removed beyond the United Kingdom and the Republic of Ireland.

f. All equipment, including portable, shall be entered on an asset register, which shall also record the individual to whom it is allocated or, in the case of non-portable equipment, the room in which it is situated. Changes to these allocations shall be logged on the register.

g. Each user shall ensure that all relevant PCs and network terminals are physically secured in accordance with the recommendations of the Security Manager.

h. All staff shall be encouraged to challenge anyone who is not accompanied by a known member of staff in a controlled location.

i. Where patients and other members of the public are able to view the output on a screen, whether as a passer-by or by invitation, staff shall exercise great care to ensure that unauthorised disclosure does not occur. Care must also be exercised to ensure that passwords are not disclosed to others (staff or public) who may observe the use of the keyboard.

j. It is the responsibility of each user of the system not to move away from a screen with patient details visible. When leaving a terminal it should be logged out to a level that requires a password to be entered to access the system again.

6.3 Fire Control.

a. In the event of an outbreak of fire, staff shall not be expected to fight it unless it is very obvious that it can easily be extinguished by a hand held fire extinguisher. For more than minor outbreaks the fire brigade shall be summoned. In these circumstances the priority shall always be the safety of patients, visitors and staff and the emphasis shall be on quick and safe evacuation. All staff shall be aware of the Practice procedures in this respect. Staff are hereby reminded of their responsibility to attend a fire procedure briefing as organised by their manager.

b. In the context of reducing the risk of fire, it shall be the responsibility of staff to minimise the likelihood of an outbreak by ensuring that any heat source is always properly operated and maintained in accordance with fire regulations. This particularly applies to electric cables and connection sockets. Cabling shall not be allowed to trail and the electric source shall not be overloaded.

c. A neat and tidy operational environment shall be maintained to help limit the spread of fire. Inflammables shall not be stored adjacent to any source of heat. Fire doors shall always be kept closed.

6.4 Water Damage.

a. All staff shall be vigilant for the risk of water damage. The Manager who is responsible for the maintenance of pipes and drains will provide advice on where these services are located. But accidents do occur and staff shall do their best to arrange for computer equipment of all kinds to be out of reasonable range of any water leaks whether from overhead pipes, drains, damaged roofs, water guttering etc. This may involve the deployment of waterproof covers when the equipment is not in use or, in the extreme, the re-routing of the potential hazard.

6.5 Disaster.

a. Whatever level of care is exercised accidents can still happen. Severe storm damage is difficult to anticipate and it can be very expensive to provide protection against it. For this reason adequate backup and recovery arrangements are a prerequisite for the Practice. The Security Manager shall be responsible for ensuring that adequate arrangements exist for continuity of operations in the case of an event causing widespread unavailability of the main Practice systems. In addition all data shall be properly backed up and stored in a secure location off site.

b. A UPS (uninterruptible power supply) should be attached to the fileserver to protect against sudden power loss and the associated data loss and/or corruption.


7 TECHNICAL SECURITY

If practice staff are dialling in from home to access patient records and managerial data, the systems should be protected by strong authentication as defined in the connection guide.

7.1 Access Controls.

All reasonable efforts shall be made to ensure that the system software controls those who are allowed to access the system, and controls and monitors the consequent use of system resources.

7.2 Identification.

Each user shall be allocated a unique user identity, which shall be used during the log on process to validate a genuine user, and track system use. The user shall use this identity to record all subsequent actions.

7.3 Authentication.

a. Each user of any part of the Practice’s information systems shall be allocated a unique login name and password.

b. After the user identity has been provided to the system during the log on process the password shall be used, still as part of the log on process, to authenticate that the user actually is the person who provided the user identity. This means that passwords must be kept secret by all users to avoid the possibility of misuse and causing actions to be attributed to the wrong person. It must not normally be written down.

If a user is forced to use three or more passwords in the normal course of events and they feel obliged to record the password then it may be written down and stored securely or carefully disguised so that it is not recognisable as a password.

c. Passwords must be changed regularly. Most of the software in use will force users to change their password regularly. Reuse of passwords recently used will not be permitted. The IPS VISION system does force password changes. Logging in to Windows will also need a password which must be changed regularly. All users are reminded that routine changes should be undertaken even when not forced. This is particularly important if you are aware that someone else may know your password, or if you feel that access has been gained to the system using your identity.

7.4 Invalid Log On.

Each user shall be given only a limited number of attempts to access the system. A specific record of invalid attempts to log on, either due to failed user identity and/or failed password, shall be kept. This shall be examined at regular intervals to identify possible deliberate attempts to gain unauthorised access to the system.

7.5 Authorisation.

After successful authentication, where possible, the system shall use a pre-notified list of authorisations to determine which functions and data that particular user is authorised to access and what mode of access (e.g. read, update, delete) is permitted. User management shall determine the authorisation list and the system shall only permit accesses according to this list.

7.6 Transaction Accounting.

A record shall be kept of all transactions together with the user identities used to initiate them.

8 BACK UP PROCEDURES

8.1 The Security Manager shall be responsible for taking and securing back-ups for all data and software relevant to the systems, and in the interests of the Practice, they are to ensure that this is properly done on a regular and routine basis.

8.2 Back-up copies of data and software shall be held off-site, or in a secure fire-proof cabinet on site.

8.3 The Security Manager shall carry out random inspections to ensure that appropriate back-ups exist. Tests shall be carried out from time to time to ensure that complete and accurate data can be restored from the back-up copies.

8.4 Backups of the clinical system will be done on a daily basis by authorised administrative staff, using a series of tapes.


9 RECOVERY FROM FAILURE

9.1 Contingency plans shall be created for the possible occurrence of a variety of exceptional operating conditions. These plans shall enable essential practice activities to continue in the face of unavailability of equipment, people or electrical power for whatever reason. The plans shall cover:

- Equipment replacement strategy;

- Insurance company involvement;

- Organisational responsibilities;

- Processing priorities;

- Personnel considerations;

- Maintenance of asset inventories;

- Storage locations of data, equipment, documents, software;

- Plan of action;

- Maintenance of data security;

- Testing procedures.

10 DATA TRANSMISSION

10.1 The number of attempts to access the network shall be restricted.

10.2 User authorisation records shall be examined at predetermined intervals to ensure currency. The record of people, both staff and others, who are authorised users, shall be made inactive immediately when their authorisation becomes invalid e.g. on leaving the Practice’s employment or on amendment of privileges.

10.3 Internal.

a. All physical connections to the practice network must be authorised by the Security Manager. Users must not connect unauthorised hardware to the practice network. If a direct connection is to be made to the Internet, through a modem to a third party Internet provider, the computer must be physically disconnected from the practice LAN.

b. All network equipment shall be allocated a unique serial number and inspections made to ensure that only authorised equipment is connected to the network.

10.4 External.

a. Remote access and diagnostic facilities from third party suppliers require the enforcement of strict control over connection procedures. The Security Manager shall approve all equipment before use. Dial-in lines shall all be normally controlled, with automatic disconnect after the call has terminated. Successful connections should only be achieved on dial-back, dual line devices, which call back on a separate line to the one used by the originator. Strong authentication should be used to authenticate the originator as a part of this process. Contracts relating to the confidentiality and integrity of use shall exist with the supplier and these terms shall be part of the service level agreement. System accesses made by the suppliers shall be logged and a separate audit trail inspected at regular intervals.

11 PORTABLE COMPUTERS

11.1 Users who make use of laptops, notebooks etc. shall ensure that the data is properly backed up to guard against data loss; and is encrypted (in accordance with the recommendations of the Security Manager) to guard against data disclosure.

12 DATA IMPORT/EXPORT AND DISPOSAL

12.1 All disks and tapes entering the site shall be checked for physical and logical integrity. All disks to be used in PCs will be scanned for viruses.

12.2 Disks and tapes exported to other organisations should also be checked to ensure their integrity. In addition these checks must ensure that only data relevant to the recipient is held on the storage medium.

12.3 Tapes and disks, which contain data about an identifiable patient, should be transported by secure means, using a security firm.

12.4 Procedures should be established for the disposal of records and equipment.

12.5 Clear all sensitive material off hard disks and floppies, by reformatting, not by deletion, before disposing of them in accordance with the IM & T Security Manual.

12.6 Use a shredder when necessary.

13 PROCUREMENT

13.1 New software, which has not been properly developed and/or properly tested, is a threat to the security of existing data. All software procurements shall take account of the security requirements recommended by the Security Manager. This shall specifically include the procedures and actions for handing over and testing new software. Contravention of the recommendations may be considered a disciplinary offence.

13.2 It shall also be considered a disciplinary offence to connect any new hardware equipment to the network without the prior approval of the Security Manager.

14 SECURITY ADMINISTRATION

14.1 The Security Manager shall carry overall responsibilities for the security of the computerised information systems of the Practice. This does not necessarily mean that the Security Manager should carry out all the tasks directly but shall be responsible for ensuring that they are carried out and that they are carried out efficiently and effectively. In general they shall be responsible for:

- The continued availability of data to each user when and where it is needed;

- The preservation of the confidentiality of all data of the computerised information systems of the Practice;

- The preservation of the integrity of all data of the computerised information systems of the Practice; and

- The development of initial system specific security policies which reflect the security needs of individual systems.

14.2 The management of the developed security requires seven main tasks. These are to:

- Monitor the effectiveness of the security enforcing functions included as part of the technical system as well as physical mechanisms;

- Monitor compliance by staff with security procedures through observation and examination of documentary evidence both manual and computer generated records;

- Maintain the level of protection to an adequate level by acting on the evidence provided from the monitoring tasks;

- Provide security education for all users of the system;

- Reassess whether the security measures are still relevant to the current threats to the system (by risk analysis);

- Reassess whether the security policies are still adequate; and

- Monitor that new systems are procured according to the Security Policy.

14.3 A fundamental prerequisite for the development of new or additional security is the carrying out of a risk analysis exercise. This is true whether the new security is to improve the security of an existing system or whether it is to be part of the design of a new system development or major enhancement. Effort or finance for implementing protective measures shall not be expended unless they can be justified. A significant piece of the justification will originate from the type and degree of risk to patients and to the Practice if the expenditure is not made. Justification is required for the type of protection needed as well as the strength of mechanism.

14.4 A risk analysis study shall always form the basis for new security measures. This will provide a series of recommendations which will need implementation. Risk can never be eliminated. The objective will be to reduce the risk to a level which is considered to be acceptable. The specification of what represents an acceptable risk is a wholly subjective exercise, which will have to take account of a number of other parameters as well as the risk factors.

Appendix A

Basic Information Security Compliance Checklist
