East Midlands Strategic Health Authority

IMT Security Access Policy

 

Aim

The aim of this Policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by NHS East Midlands.

The objectives of this policy are to preserve:

  • Confidentiality – access to data must be confined to those with specific authority to view the data
  • Integrity – Information is to be complete and accurate. All systems, assets and networks must operate correctly, according to specification
  • Availability – Information must be available and delivered to the right person, at the time when it is needed

This policy seeks to ensure that:

  • NHS East Midlands Information Systems are properly assessed for security (manual and electronic)
  • Confidentiality, integrity and availability are maintained
  • Staff are aware of their responsibilities, roles and accountability
  • Procedures to detect and resolve security breaches are in place
  • Systems are not misused

Scope

This policy applies to all NHS East Midlands Directorates and all users of NHS East Midlands information systems and networks.

Responsibilities

  • Ultimate responsibility for IM&T security rests with the Chief Executive.
  • At Board level, responsibility for IM&T Security resides with the Director of Strategic IM&T
  • Line managers are responsible for ensuring that their permanent and temporary staff, and contractors, are aware of the IM&T Security policy and their roles and responsibilities detailed within it
  • It is the responsibility of all staff to comply with this policy.

Definitions

Information System – for the purposes of this policy, an information system is defined as any electronic means of processing data. Examples include network access, SBS, and ESR.

Potential Threats

This Policy has been designed to address the following risks:

  • Fraud – altering data for private gain or benefit, altering or misusing programs, destroying/suppressing/misappropriating computer output
  • Viruses – introducing viruses to NHS East Midlands computers and systems
  • Theft – of data, software and hardware
  • Use of unlicensed software – using illicit copies of software
  • Private work – unauthorised use of NHS East Midlands computing facilities for private gain or benefit
  • Hacking – deliberately gaining unauthorised access to a computer system
  • Sabotage – causing deliberate damage to data, software, processes or equipment
  • Misuse of personal data – unofficial access to data or ‘browsing’ through computer records and breaches of Data Protection legislation
  • Introducing offensive material – access to or processing offensive material (e.g. pornographic or racist material)
  • Integrity – ensuring data is accurate and of good quality

Total security is almost certainly impossible to achieve but adequate security represents a balance between these four factors:

  • The risks of illegal access/damage
  • The consequences and costs of damage limitation
  • The limitations that the security may impose on users
  • The costs of implementing the security

Human attitudes are fundamental to good security. Managers, users and operators must be aware of the reasons for taking security issues seriously and take appropriate action.

Misuse of NHS East Midlands information systems or communications equipment by an employee may result in disciplinary action.

Equipment Security

Equipment security is required to protect IM&T equipment against loss, theft or damage, and to avoid interruption of business activity.

Equipment Siting

All PC and terminal screens must be positioned so that any confidential information displayed will not be viewable by unauthorised personnel.

Security of Equipment & Information Off-Site

Equipment and person identifiable data should not be taken off site.

Confidential or sensitive information should not be placed on privately owned computers and must be stored on NHS East Midlands file servers.

Sensitive or person identifiable data stored for the purposes of transportation on portable devices must be held in accordance with NHS East Midlands Transportation of Records Procedure and NHS East Midlands Mobile Computing/Teleworking Procedure.

All laptops must be encrypted to ensure the data they hold is stored securely and cannot be accessed by unauthorised users should the laptop be stolen or lost.

Security of Third Party Access

No external agency (NHS or not) will be given access to NHS East Midlands network unless that body has been formally authorised to have access by NHS East Midlands Director of Strategic IM&T (or nominated deputy). All non-NHS agencies will be required to sign security and confidentiality agreements with NHS East Midlands. Third parties must also obtain NHS Connecting for Health’s Statement of Compliance.

External agencies will only be allowed access to the hardware/systems for which they are responsible.

NHS East Midlands will control all external agencies' access to its systems by enabling/disabling access through the secure gateway, for each approved access requirement, as per Derwent Shared Services Firewall Policy.

Remote Access

Staff will only be allowed remote access to the NHS East Midlands network after gaining the permission of their line manager and completing a remote access application form provided by DSS Customer Services Team.

User Access Control

Setting network access for staff will form part of the starter’s process managed by line managers. The removing of network access for staff will form part of the leaver’s process managed by Human Resources.

When an individual’s responsibilities change or they leave the employment of the NHS East Midlands, system managers will modify or remove access privileges as appropriate.

Whenever possible, user classification should be used when allocating access rights to systems. The issues to be considered in user classification are:

  • Restricting access to certain parts of the records
  • Restricting access to:
      - Named data about individuals
      - Anonymised data about individuals
      - Aggregated data

  • Restricting user access to a particular ‘view’ of the data
  • Defining what a user can do with the data i.e. create, read, update, delete
  • Defining whether a user should have ‘online’ access, access for batch processing, pre-set reports or ad hoc reports.

User Password Management

Users must keep their passwords secret and never disclose them to colleagues.

Passwords must be changed regularly – all new systems must enforce regular password changes.

Passwords must not be easily guessable or have been used before. The recommended minimum password length is 6 characters using a combination of alphabetic and numeric characters.

When a member of staff leaves their position, their access rights must be removed from any systems that they access. Line managers must ensure that system administrators are informed when a member of staff leaves or changes role to ensure this takes place.

When leaving their PC, users should either log off or “lock” their PC by pressing Ctrl-Alt-Delete. This ensures a password is entered before the PC can be unlocked and used. Smartcard users should remove their smartcard when leaving a PC unattended.

Systems must be able to provide an audit trail of user logins and activity.

Contractors & Temporary Personnel

All contractors, agency and temporary staff are subject to the same checks as permanent staff, and must abide by the NHS East Midlands policies and procedures when accessing systems and handling person identifiable data.

Adequate training, in keeping with the designated responsibilities and risks, must be given prior to authorising access.

Portable Devices

A portable device is defined as any electronic device that can hold information (specifically person identifiable data), e.g. portable computers, laptops, notebooks, palmtops, Personal Digital Assistants (PDAs), Blackberries.

Portable devices represent a heightened risk regarding their physical security because:

  • By definition, they are portable, smaller and easy to steal
  • Due to their portability they are more likely to be left in less secure locations
  • Any personal or confidential data stored on them is more vulnerable because of the factors above

Therefore, particular measures should be taken regarding these types of computers. As a result of this risk NHS East Midlands has developed specific guidance surrounding the usage and transportation of portable devices which can be found in NHS East Midlands Transportation of Records Procedure and NHS East Midlands Mobile Computing Procedure.

Housekeeping

All systems will be backed-up regularly to ensure integrity and availability of data and all back-up tapes and disks will be held in secure locations.

All PC users must save their files onto the server rather than the hard drive of their PC.


Back-up and maintenance procedures must be adequately documented to enable other technical staff to understand and comply with the requirements.

Equipment Disposal

All removable media must be reformatted before disposal; however, if this is not possible, the media should be destroyed.

Derwent Shared Services Customer Services Team should be contacted to collect and dispose of all redundant computer equipment. A technician should check that the equipment can no longer be used and confirm that it should be disposed of. Any data should be deleted, transferred or archived prior to disposal.

Software Protection

All users must ensure that they only use licensed copies of software. It is a criminal offence to make or use unauthorised copies of commercial software and offenders are liable to disciplinary action.

All software should be installed by Derwent Shared Services technical staff.

It is the responsibility of system managers to ensure that the software pertaining to their system is being used within the terms and conditions of the software licence.

Software will not be placed on network servers or on multiple machines unless this is in accordance with the licensing agreement.

Any employees learning of any misuse of software should report this to the HQ IT Manager.

Software Updates to Systems

Anti-virus software will be installed on all NHS East Midlands PCs (including laptops). Updates will be automatically uploaded via logon scripts.

Emails from an unknown source should be carefully examined. If an email looks suspicious, users should contact Derwent Shared Services customer services team for advice.

Users should report any suspected/detected viruses on their machines to Derwent Shared Services customer services team immediately.

Files should only be downloaded from the internet if they are from a trusted source. If in doubt the user should contact Derwent Shared Services customer services team.

Equipment Installation

IM&T equipment should be installed and sited in accordance with the manufacturer’s specification.

All computer/communications equipment rooms should be inaccessible to non-authorised staff at all times.

Environmental controls will be installed to protect key/central equipment.

Drinking and eating are not allowed in areas housing critical computer or communications equipment such as servers.

Power Supplies

Critical computer equipment will be fitted with battery back-up to ensure that it does not fail. Such battery power should suffice for all critical systems to perform an automatic shut down.

An uninterrupted power supply should be used for multi-user operational systems as it guarantees protection from power cuts and fluctuations.

Development & Introduction of Systems

NHS East Midlands, in conjunction with Derwent Shared Services, will ensure that all new information systems, and any developments to existing systems, comply with Information Governance requirements.

Asset Control

An up to date register of all NHS East Midlands IT equipment and disposals of physical computer assets will be maintained by Derwent Shared Services in conjunction with the HQ IT Manager.

An up to date register of all proprietary software will be maintained by Derwent Shared Services to ensure that licence conditions are followed.

Each of NHS East Midlands' systems will have a designated system owner(s) who is responsible for ensuring compliance with this policy.

Access Control to Secure Areas

All central processors/networked file servers/central network equipment will always be located in secure areas with restricted access.

In restricted areas, unrecognised or unaccompanied visitors should be challenged.

Disaster Recovery

A full disaster recovery plan should be in place, developed in conjunction with Derwent Shared Services.

Internet & E-Mail Use

All staff should ensure they understand and comply with NHS East Midlands Internet Use and E-mail Policies.

IM&T Security Incidents

IM&T Security incidents should be reported and dealt with in line with NHS East Midlands Incident Reporting Policy.

Monitoring of the Policy

This policy will be monitored by NHS East Midlands Information Governance Steering Group.