Information Security Policy (UHL) - Library - University Hospitals of ...

INFORMATION SECURITY POLICYTrust ref: A10/2003Approved by:Trust BoardDate of approval: 9 October 2003Most recent review:Policy and Guideline Committee20 April 20096 October 2008Date of next review: April 2011Version number: 4Responsibility forReview:Gareth Lawrence,InformationGovernanceManagerDave Rose,Technical SecuritySpecialistNB: this updated document also replaces the previous Trust guidelines on the removal ofinformation from Trust premises (off-site working), and the security of information processingequipment.Page 1 of 19

ContentsDocument change control .......................................................................................... 31. Introduction...................................................................................................... 41.1 This document ............................................................................................. 41.2 Purpose ....................................................................................................... 41.3 Failure to Comply......................................................................................... 41.4 Monitoring and Review ................................................................................ 52 Security Organisation.......................................................................................... 62.1 Roles and responsibilities ............................................................................ 62.2 Legal Obligations and Related Policies........................................................ 83. Policy Statements ............................................................................................... 84. Security of Assets ............................................................................................. 104.1. Desktop Devices ........................................................................................ 104.2. Physical security ........................................................................................ 114.2.1. Security of information ................................................................................ 114.2.2 Security of premises .................................................................................. 124.3. Servers ...................................................................................................... 124.4 Using removable media ............................................................................. 124.5 Medical/Laboratory Equipment...................................................................... 144.6. Disposal of equipment ................................................................................... 144.7 Shredding................................................................................................... 154.7.1 Fax rolls .............................................................................................. 155. Offsite working............................................................................................... 165.1 Physical Security / Access control ............................................................. 165.1.1 Usage in any public access area ........................................................ 165.1.2 Usage in areas not generally accessible to the public (including otherNHS premises).................................................................................................. 165.1.3 Occasional usage at home....................................................................... 165.1.4 Using equipment supplied by the Trust .................................................... 175.2 Email and offsite working ........................................................................... 175.2.1 Patient Identifiable Data Contained in an email........................................ 175.2.2 Auto forwarding ........................................................................................ 175.3 Transport of Equipment, Files and Paper Documents ............................... 185.4 Disposal of media (electronic & paper) ...................................................... 185.5 Disaster Recovery/Major incident planning................................................ 186. Awareness of this policy.................................................................................... 187. Contacts............................................................................................................ 18Glossary of terms ..................................................................................................... 19Page 2 of 19

Document change controlDate Version Author ReasonMarch 09 4 Gareth LawrenceDave RoseAmalgamation of the security policywith the Security of InformationProcessing Equipment Policy andthe Removal of Information fromTrust Premises Policy (at the requestSeptember083 Gareth Lawrence,Dave Roseof the PGC), and revisions.Section 1.5 acknowledgment,removed.2. Security Organisation – revised.Additional policy statements 3.9,3.11-3.14 added to bring thedocument further into line with ISO27001. Statement 3.2 removed.Section 4 added.Amendment to 3.4 to refer todisaster recover plans (businesscontinuity being a directorateresponsibility).July 06 2 Rod Makosch Document revised for clarity andsimplicity.Policy backed up by guidancedocuments05/05 2 Gareth LawrenceRod MakoschMajor revision to the structure ofPolicy, with the introduction of manysupporting procedures in place ofpolicy Text.1. Removal of Section A and B.2. Policy statements are nowincluded in the main body ofthe text.16/10/03 1.7 Gareth Lawrence Amendment to section B.5.4Disposal of Equipment followingguidance from the DoH on datadestruction.9/10/03 1.6 Approved by Trust BoardSeptember 1.6 Gareth Lawrence Following discussion with Staff SiderepresentativesJuly 1.5` Gareth Lawrence Minor changesMay 03 1.4 Dave Rose, Gareth Lawrence Tailored for UHLMarch 03 0.3 Vicky Hill – Leicestershire Base DocumentsHealth Informatics ServiceChange Control: all requests for change to the Information Governance Mangerx6053Page 3 of 19

1. Introduction1.1 This documentThis document is the Information Security Policy of the University Hospitals ofLeicester.The policy applies to all Trust business and covers the information, informationsystems, networks, physical environment, employees and contractors who supportthose business functions including where these facilities are shared with or ownedby external partners. The policy will be complied with in conjunction with otherapproved Trust policies and with other legal obligations of UHL.1.2 PurposeThe purpose of this policy is to ensure that information processing systems, andelectronic or paper based information, are protected from events that mayjeopardise staff and patients’ rights to confidentiality, other healthcare activities or,the business objectives of UHL.The rules, measures and procedures described herein determine the protection ofthe Trust’s assets by ensuring that:-• Information systems are properly assessed for security.• Availability is ensured (information is delivered to the right person, whenneeded and adhering to the organisation's business objectives).• Integrity is maintained (all system assets are operating correctly accordingto specification, protected from unauthorised or accidental modification, andensuring accuracy and completeness of the organisation's assets).• Confidentiality is preserved (assets are protected against unauthoriseddisclosure).• Accountability is enforced (staff are made aware of and held to account fortheir roles and responsibilities in regard to information security).• Breaches of security are detected and resolved.1.3 Failure to ComplyAny breaches of this policy and associated detailed guidelines will be investigatedthoroughly in accordance with the Trust’s disciplinary policies.Page 4 of 19

1.4 Monitoring and ReviewThis Policy will be reviewed no less than every three years unless there arechanges in legislation, standards and/or risk issues are identified.Page 5 of 19

2 Security Organisation2.1 Roles and responsibilitiesUHL has established clear lines of accountability for information security leading tothe Board. In the event of any issues see Section 4, Contacts.UHL will manage security along current best practice guidelines as provided byConnecting for Health and in accordance with applicable legislation (see 2.2.).Specific responsibilities for the security of computer systems, assets and manual orelectronically processed data will be clearly defined and communicated to staff.Security is organised within UHL as depicted below 1 .The Caldicott Guardian has a “strategic role, developing security andconfidentiality policy, representing confidentiality requirements and issues at Board1 This does not depict the external influences on policy and procedure formulation.Page 6 of 19

level, advising on annual improvement plans, and agreeing and presenting annualoutcome reports.” 2The Director of IM&T is the Senior Information Risk Officer (SIRO) and isresponsible for the security management system, policies and related procedures.The SIRO’s responsibilities can be summarised as 3 :Leading and fostering a culture that values, protects and uses information for thesuccess of the organisation and benefit of its customers;• Owning the organisation’s overall information risk policy and information riskassessment process and ensuring they are implemented consistently byinformation asset owners;• Advising the Chief Executive or the relevant accounting officer on theinformation risk aspects of the statement on internal controls;• Owning the organisation’s information incident management framework.The Information Governance Manager and the Technical Security Specialistdevelop the security standards for the Trust, based on DoH guidance, gaininginformation on security issues by networking with other Trusts, liaison with staff andindustry best practice.The Information Governance Manger is responsible for the maintenance of thispolicy.Systems Managers (i.e. those staff who have responsibility for specific applicationsystems) will comply with the Trust policies and procedures which define systemsecurity, auditing and compliance requirements.Line Managers are responsible for ensuring that their permanent or temporarystaff and contractors are aware of:-• The security policies which are applicable in their area;• Their personal responsibility for information security;• How to access advice on security matters.Staff members all have a responsibility for the security of information in electronicor manual systems. This includes:• Not sharing logins, passwords or smartcards;• Ensuring that personal data in electronic format on portable media isencrypted.Members of staff who originate new or revised flows of personal data 4 withinand outside of the Trust are responsible for ensuring that information flow mapping2 Protecting and Using Patient Information – A manual for Caldicott Guardians, NHS Executive3 NHS Information Risk management, Digital Information Policy Unit, NHS Connecting for Health. Jan 20094 Data Protection Policy (DMS article 11800)Page 7 of 19

is carried out, the security risks of the data transfer are assessed (seeking advicefrom IM&T where appropriate).2.2 Legal Obligations and Related PoliciesThis policy will assist the Trust in meeting its legal obligations in respect of EUdirectives and common law obligations as documented in the InformationGovernance Policy 5 .All policies and procedures developed relating to information will be designed toprotect patients, staff and the Trust.Other policies relevant to ensuring to confidentiality and integrity of information are:Data Protection Policy 4Policy on the Protection and Use of Personal Information 6Procedure Guidelines for Health Records ManagementE-mail and Internet Usage Policy 7 .Staff should also consider their UHL contract of employment.3. Policy Statements 83.1 Information will be protected against access by individuals who do not have ajustified and approved business need (i.e. unauthorised access) by the use ofappropriate logical access controls (see Access Control Policy - pending) andphysical access controls.3.2 All computers will operate up to date anti virus software.3.3 All UHL capital projects incorporating requirements for IT services or thetransfer of data outside of the Trust will include appropriate informationsecurity assessment.3.4 IM&T will build resilience into services in accordance with business need.Disaster recover plans will be produced, maintained and tested5 Information Governance Policy (DMS article 12469)6 Policy on the Protection and Use of Personal Information (DMS article 40285)7 Email and Internet Usage Policy (DMS article 12174)8 Policy statements refer to Trust Policies and Procedures. As policies and procedures are developed,the policy statements will be referenced to the documents and new version of this Policy issuedwithout PGC approval. Changes to policy statements will require PGC approval.Page 8 of 19

3.5 All breaches of information security, actual or suspected, will be reported to,and investigated by IM&T who will document the incident and wherenecessary will report the findings of these investigations to the IM&T Board.3.6 The physical security afforded to information will be commensurate with theoperational requirements of the Trust, the value of the equipment and thenature of the information held on and/or processed by it.3.7 Where possible equipment should be clearly marked as being the property ofthe University Hospitals of Leicester NHS Trust.3.8 Any minor changes to the use or structure of ‘live’ systems will be subject to aformal change control procedure (See IM&T Change Control Procedure).Fundamental changes to ‘live’ systems together with the introduction of newsystems will be subject to the full Project Management process.3.9 ALL UHL Laptops must be encrypted to NHS encryption standards.3.10 Software licensing applies to all UHL devices, only licensed software providedfor that purpose must be used.3.11 At the termination of employment, employees shall return all data processingequipment, tokens, smartcards & data stored on devices supplied for thatpurpose.3.12 IM&T will maintain an asset register of key Trust IT assets, this will include allIT hardware and software.3.13 UHL will use Risk Management procedures to estimate threat probability,including security risks to information systems; their vulnerability to damage,and impact of any damage caused. Such assessments are the responsibilityof the System Owners (i.e. those within the Directorates/Departments who areresponsible for the day to day operation of the specific system). Measureswill be taken to ensure that each system is secured to an appropriate and costeffective level and that data protection principles are implemented. Aninformation risk management policy is being developed.3.14 Management of computers and networks shall be controlled through standarddocumented procedures that have been authorised by IMT (or the appropriatedirectorate where system ownership sits outside IM&T).3.15 UHL will adopt national standards for the security classification of information.3.16 The movement of unencrypted personal data in electronic format on portablemedia e.g. CDs, memory sticks is strictly prohibited. See 4.4 UsingRemovable Media.3.17 An audit trail of system access and data use by staff will be maintained.Access of the audit trail for investigatory purposes will be carried out inPage 9 of 19

accordance with documented procedures which conform to the Regulation ofInvestigatory Powers Act (2000) and the Human Rights Act (1998).3.18 All computers and electronic media must be disposed of through IM&T. Thisincludes computer disks (which contain personal data) from medicalequipment. See 4.5.3.19 External hard drives are only to be used with the approval of the TechnicalSecurity Specialist. If approval is given, the device must be encrypted.3.20 The security arrangements for equipment and software must not becircumvented.3.21 Only PDA’s and smart phones provided by UHL must be connected to UHLequipment.3.22 Users should adopt a clear desk and clear screen policy for confidential orpersonal data to reduce the risks of unauthorised access, or accidentaldamage to or loss of sensitive or confidential information.4. Security of AssetsIt is accepted that, in order to provide healthcare services, the Trust’s hospital sitesare open to the public 24 hours a day 7 days a week and that, to be effective,equipment must be available and easily accessible by staff needing to use it.These requirements limit the level of security which can be applied to devices inareas which are open to the public.4.1. Desktop DevicesThis category covers a large number of different devices including (the list is notexhaustive):-- PCs,- Laptops,- Printers,- Thin Client devices,- Scanners,- Photocopiers,- Projectors,- Video/DVD Players/Recorders,- TVsDevices should, where possible, be stored out of site of the public.Computers in public areas should be risk assessed to determine their vulnerability.Page 10 of 19

• The contents of a computer can be protected through encryption if thedevice is an area open to the public;• The computer can be protected by means of a security cable or other suchdevice, to an appropriate anchor point.Specifically, laptops computers should be physically secured by a cable, due tothe portability of the device.If laptop computers are used in offices (which are not considered public areas) theyshould be locked with a security cable or must be locked away overnight. Laptopcomputers must not be left on a desktop overnight unsecured.Staff working in public areas must challenge anyone they see tampering with orattempting to remove equipment.Printers, scanners and photocopiers which incorporate internal memory featuresshould have these facilities disabled unless specifically required. If such facilitiesare used, care must be taken to clear the memory once documents held in it are nolonger required. These devices should not be used as general document storagefacilities.Video/DVD players/recorders and TVs should be stored in locked cabinets wherepossible.4.2. Physical security4.2.1. Security of informationThe provision of healthcare often involves constant use of confidential informationin areas open to the public where it is vulnerable to unauthorised access. Inaddition, visitors, some temporary and contract staff, security and cleaning staff,are examples of people with authorised access to secure, access controlled sites,who are not authorised to view confidential or sensitive data. The nature of thedata and not site location dictates how and when this policy is applied. Whereconfidential (patient identifiable) or other sensitive (e.g. employee’s pay scale)information is involved, users must, as and when appropriate: -• Remove all sensitive information from the workplace and lock away, in adrawer or preferably in a fire resistant safe or cabinet. This includes allpatient identifiable information, as well as other sensitive (personal orbusiness) information such as salaries and contracts.• Store visit, appointment or message books in a locked area when not in use.• Angle computer screens away from the view of patients and visitors.• When leaving a workstation either log out or, in the case of a PC, lock thescreen. (Press keys ctrl,alt,del at the same time, or the Windows key (next toalt) and L).• Store paper and computer media in secure cabinets or safes.• Locate photocopiers and printers so as to avoid unauthorised use.• Ensure that post-it notes and sticky labels holding patient-identifiable or othersensitive information are not left to public view.Page 11 of 19

• Any bulk extracts of confidential or sensitive data must be authorised by theresponsible senior manager for the work area.• Line managers are responsible for:o the day to day management and oversight of removable media usedwithin their work areas to ensure this policy is followed;o the secure storage of all unallocated removable media and its relatedcontrol documentation as required by this procedure;o ensuring that staff involved in data extraction and data file creation arefully aware of Trust policies, procedures and guidelines. (Note, e-learning entitled Secure Transfers of Personal Data is available free ofcharge on Insite.)• Staff who have been authorized to use removable media for the purposes oftheir job roles are responsible for the secure use of those removable mediaas highlighted in these guidelines. Failure to comply with this removablemedia policy may endanger the information services of UHL and will beinvestigated under HR policies.• Removable media may only be used to store and share NHS informationthat is required for a specific business purpose. When the business purposehas been satisfied, the contents of removable media must be removed fromthat media through a destruction method that makes recovery of the dataimpossible. Alternatively the removable media and its data should bedestroyed and disposed of beyond its potential reuse. In all cases, a recordof the action to remove data from or to destroy data should be recorded inan auditable log file;• Removable media should not be taken or sent off-site unless a prioragreement or instruction exists. A record must be maintained of allremovable media taken or sent off-site, or brought into or received by theorganization. This record should also identify the data files involved;• Removable media must be physically protected against their loss, damage,abuse or misuse when used, where stored and in transit;• Data archives or back-ups taken and stored on removable media, eithershort-term or long-term, must take account of any manufacturer’sspecification or guarantee and any limitations therein;• All incidents involving the use of removable media must be reported to ITand through the Trust’s incident reporting mechanism.Page 13 of 19

4.5 Medical/Laboratory EquipmentThis category constitutes all equipment, not included in the above categories,which is used within the Trust and which collects, stores, manipulates and/orproduces information.Users of such equipment must be aware that information stored within it may be ofa sensitive nature. The following should therefore be considered when dealingwith it:-• When not in use, the equipment stored securely to prevent theft• Information should not be held on the equipment for longer than isnecessary.• Staff using such equipment must not only be trained in its operation but alsomade aware of the information held on it to remove it (when no longerrequired).• An understanding of the nature of information storage must form a part ofthe acceptance testing phase for any new equipment.Equipment should not be taken off site (for example repair) when the devicecontains disk drives or memory cards.Disposal of medical equipment must take into account the disk drives or memorycards in the equipment, which should be removed and before the equipmentleaves site.4.6. Disposal of equipmentGreat care must be exercised when disposing of any equipment which has beenused in the processing of information if there is any possibility that someinformation may remain in/on it.In cases where the information is held electronically, reference must be made toIM&T for the appropriate action to be taken (Note – formatting a disk and/oroverwriting a tape does not necessarily destroy the information held on it). IM&Twill arrange for the physical destruction of the media.The disposal of computing equipment is covered by the WEEE (Waste Electricaland Electronic Equipment) regulations and must therefore be done in anappropriate and legal manner.Page 14 of 19

4.7 ShreddingIn cases where information is held on hard copy (paper, film, etc.), when no longerrequired (see the Retention Policy 10 ) the media must be shredded.4.7.1 Fax rollsCarbon fax rolls contain patient identifiable information. Users of fax machines withcarbon roles should take the used roll to Facilities for disposal.10 Retention of Records Policy (DMS article no 12746)Page 15 of 19

5. Offsite workingThis section is to support staff who use UHL supplied mobile data devices or paperrecords at any site other than their normal place of work or at home, by ensuring thatthey are aware of the information security issues. In order to protect staff and otherpeople, organisational assets and systems, staff who work at home or other sitesmust take appropriate security measures.5.1 Physical Security / Access control5.1.1 Usage in any public access areaThe use of information in these areas must be kept to an absolute minimum, due tothe threats of ‘overlooking’ and theft. Any member of staff choosing to useinformation and/or devices in these areas that results in any related incident will berequired to state why the usage was required in that situation and the efforts theymade to protect the information and any equipmentEquipment in use will not be left unattended at any time.5.1.2 Usage in areas not generally accessible to the public (including otherNHS premises)Staff are responsible for ensuring that unauthorised individuals are not able to seeinformation, access systems or remove equipment or information. If equipment isbeing used outside of its normal location and might be left unattended, the user mustsecure it by other means (such as security cable, locked cabinet or room).5.1.3 Occasional usage at homeIt is recognised that staff will have to hold UHL information at home.• Only members of staff are allowed access to information being used at homein any form, on any media.• Use of any information at home must be for work purposes only• Staff must ensure the security of information within their home. Wherepossible it should be stored in a locked container (filing cabinet, lockablebriefcase). If this is not possible, when not in use it should be neatly filed andstored in a way that it is not obvious to other members of the household.• Any personal/sensitive (inc. patient and staff information) or organisationallyconfidential information that has to be taken home must be within foldersmarked ‘private and confidential’ and other members of the householdinstructed not to look at it.Page 16 of 19

5.1.4 Using equipment supplied by the Trust• Any member of staff allowing access by an unauthorised person, deliberatelyor inadvertently may be subject to the Trust’s disciplinary proceedings.• Trust equipment must not be connected to any phone line, internet connectionor other computer other than where access is to the NHSnet or the Trust’snetwork via a secure remote link (VPN). Staff working from home areencouraged to use a VPN link to securely access UHL systems.• Any equipment supplied for remote access to NHSnet or the Trust must bestored securely when not in use. Where a system requires a PIN number anda ‘security token’ these must be stored separately• The Trust’s IT department is responsible for ensuring that access to suppliedequipment requires a username and password and that anti-virus software isinstalled.• For supplied equipment that is not classed as portable (i.e. a supplied desktopPC), the IT department are responsible for ensuring anti-virus software isregularly updated.• Portable equipment (i.e. a laptops or similar devices), supplied by the Trustmust be connected to the Trust’s network every 60 days (maximum) forupgrade of anti-virus software and security updates. Failure to do so willresult in the device being automatically disabled.• Provided all policy statements above are applied, any supplied equipmentmay be used for any type of work which would normally be done on a UHLdesktop PC. This includes the use of confidential information provided thegeneral regulations on handling and storing confidential data are compliedwith.5.2 Email and offsite workingThe Trust has an e-mail policy to refer to but the following points apply directly tostaff working from home.5.2.1 Patient Identifiable Data Contained in an emailPatient or staff identifiable data must not be sent to a personal email address.Internet e-mail services of any sort are not secure and must not be used to sendpersonal identifiable data or other confidential information.5.2.2 Auto forwardingStaff must not automatically forward their e-mail to a commercial ISP (InternetService Provider) such as Hotmail to enable access at home.Staff sending e-mail must be aware that it is not suited for confidentialcommunications. Various systems are used for receiving e-mail and there is noguarantee that the addressee will be the only person to see the mail.Page 17 of 19

5.3 Transport of Equipment, Files and Paper DocumentsWhen equipment, files and/or data are removed from Trust premises the individualremoving them is responsible for ensuring its safe transport as far as is reasonablypractical.• Equipment, and paper files must be kept out of sight (in car boots), lockedaway and ideally not be left unattended at any time• IT equipment must be transported in a secure, clean environment.• Appropriate packaging (such as sealed envelopes, bubble wrap etc) must beused to prevent physical damage• Where a courier service is used to transport packages containing sensitiveinformation tamper proof packaging must be used. Courier firms shouldguarantee the safe arrival of parcels and the confidentiality of any containedinformation. See the Safe Haven Guide 11 .5.4 Disposal of media (electronic & paper)Any disposal of media containing personally identifiable or organisationally sensitiveinformation must take place on-site of the Trust in line with on-site disposalprocedures. Staff with media to dispose of are responsible for returning it to site.Non sensitive information may be disposed of off site.5.5 Disaster Recovery/Major incident planningIn the event of a major incident or disaster, the Trust may recall all equipment onloan to provide core services.6. Awareness of this policyThis policy is available on the document management system, through the intranet and isreferenced by a number of policies and guidance leaflets.7. Contacts• IM&T Helpdesk – 8000• IT Training Department – 5662• Information Governance Manager – 6053• Technical Security Specialist – 5216• Director of IM&T - 678211 Safe Haven Guide (DMS article no 32283)Page 18 of 19

Glossary of termsTermDefinitionElectronic media • Floppy disks• USB or Pen drives• CDs and DVDs• External hard drives• Cameras• PDAs• Mobile telephones• Dictaphone tapesVirtual Private Network - VPN “A virtual private network (VPN) is the extension of a privatenetwork that encompasses links across shared or publicnetworks like the Internet. A VPN enables you to send databetween two computers across a shared or public internet workin a manner that emulates the properties of a point-to-pointprivate link. The act of configuring and creating a virtual privatenetwork is known as virtual private networking.”http://technet.microsoft.com/en-us/library/bb742566.aspxPage 19 of 19