General Policy
Digital & Information
GP/S8
eHealth Security Manager
eHealth Business & Delivery Manager, eHealth ICT Manager, eHealth Quality and Governance Manager
Director of Finance
01 June 2009
01 November 2017
01 November 2020
3

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.

New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.

1 FUNCTION

1.1 NHS Fife relies upon eHealth Services and Infrastructure in order to deliver patient care and support business operations. Incident management is essential for maintaining adequate and sustainable levels of availability of these services.

1.2 Incident management restores eHealth services as quickly as possible and minimises the impact on healthcare and business operations, thus ensuring that the best possible levels of service quality and availability are maintained. Normal service operation is as described in the corresponding service-level agreement (SLA).

1.3 This policy defines the controls that NHS Fife will implement in the event of an incident. This will include any type of unplanned disruption in eHealth services, including servers, computers, printing, telecommunication, network or information system issues. Also covered are security breaches or suspected cases of computer or information misuse by users.

2 LOCATION

2.1 This policy is applicable to all staff, contractors and volunteers working within NHS Fife or accessing NHS Fife eHealth related infrastructure, systems or information, including the Health and Social Care Partnership.

2.2 This policy includes all eHealth related infrastructure or systems upon which any department or service within NHS Fife relies in order to perform their normal duties.

3 RESPONSIBILITY

3.1 This section addresses the responsibilities for preventing, detecting, reporting and then investigating eHealth Incidents. Based upon the reported incidents, corrective and future preventative measures shall be implemented.

3.2 Implementing the eHealth Incident Management Policy ensures the mitigation of associated risks and minimises disruption to business critical services.

3.3 Refer to GP/D3 Data Protection & Confidentiality Policy, Appendix 2 NHS Fife Information Governance structure, roles & responsibilities, for detailed information on the type, distribution and roles responsible for information security within NHS Fife.

3.3 All Users

3.3.1 All users of NHS Fife eHealth systems or infrastructure are required to exercise responsibility in reporting incidents and events to the eHealth Service Desk as they are encountered. The eHealth Service Desk can be contacted by any of the following methods: the eHealth Service Desk Portal, phone or email.

3.3.2 The Incident Identification Guide (Appendix 1) has been produced to provide staff with assistance in recognising when an incident has occurred and needs to be reported.

3.4 eHealth Service Desk

3.4.1 The eHealth Service Desk is responsible for recording incidents on the call management system and each incident is assigned a unique call reference number.

3.4.2 The eHealth Service Desk is also responsible for managing the overarching incident life cycle from recording to closure and for coordinating communications and work between all relevant parties. Depending on severity, management of the incident lifecycle to closure may be monitored and coordinated by eHealth Service Desk analysts, the Service Desk team leader or the Quality & Governance Manager.

3.4.3 Incidents will be handled in accordance with the Incident Management Procedure (Appendix 2), which involves escalation as appropriate (e.g. to the eHealth Security Manager when applicable).

3.5 Incident Support Teams

3.5.1 Support teams may include a combination of eHealth staff (e.g. engineers, analysts and specialists), departmental system administrators outwith eHealth (e.g. Laboratory, Radiology, Intranet services), external contractors and others.

3.5.2 Incident support teams have a responsibility to ensure all detected incidents are registered in the eHealth service management system.

3.5.3 System administrators and staff involved in eHealth operations are responsible for monitoring systems and infrastructure (e.g. log file reviews, network scanning, systems testing) and for reporting any incident detected.

3.5.4 Systems managed externally are also subject to this policy, hence external system managers are also required to communicate any known or suspected incidents to the NHS Fife eHealth Service Desk as soon as detected.

3.5.5 Incident support teams (internal or external) are also responsible for the investigation and resolution of the incident to ensure a return to normal operations. The team will maintain active and effective communications and will record updates on status and impact in the eHealth service management system.

3.5.6 Where Computer Misuse is suspected the Computer Misuse Procedure (Appendix 3) will be implemented by staff with the appropriate skills to carry out this work.

3.6 eHealth Security Manager

3.6.1 On receipt of an information security incident report, the eHealth Security Manager will investigate, classify and escalate the incident as required.

3.6.2 If the security incident is likely to affect other systems then the eHealth Security Manager will alert administrators. If the incident is deemed serious enough, it will be reported to the Information Security Manager at NHS NSS and the Scottish Government Security Officer.

3.6.3 Security incidents relating to data breaches shall be passed to the Data Protection/Caldicott Coordinator for investigation and action.

3.6.4 The eHealth Security Manager must ensure that all reports of incidents are recorded for audit review and for the Information Security and Governance group (ISG).

3.6.5 The eHealth Security Manager will follow the procedure for reporting security incidents as described in the Detailed Incident Management & Reporting Procedure.

4 OPERATIONAL SYSTEM

4.1 The NHS Fife eHealth incident management system has been designed in compliance with best practices and international standards, particularly ITIL, COBIT and ISO27001. Unmanaged incidents that can affect NHS Fife's eHealth systems and its supporting Infrastructure present a significant risk to NHS Fife’s ability to perform its core business functions.

4.2 NHS Fife eHealth Systems utilise a combination of technical and procedural controls to provide protection against threats that have the potential to result in the compromise, modification or unavailability of data, or in damage to the reputation of NHS Fife. It should be noted that not all incidents, which may be either accidental or deliberate, can be prevented.

5 RISK MANAGEMENT

5.1 The incident management process is a key component of the overall eHealth risk management approach, involving the collection, classification and use of incident data to protect people and systems from harm.

5.2 The current eHealth incident management process is compliant with best practice and recommended standards, and provides a cost-effective way to minimise risks by:

  • Standardising the process and ensuring it is followed by all parties involved (eHealth, decentralised IT services, external parties and all users);
  • Aggregating all relevant information such as investigations, solutions/fixes and preventative measures;
  • Coordinating the management of incidents from beginning to end across all relevant parties (users, managers, technical teams, communications, third parties, decentralised IT services, etc.);
  • Standardising the understanding of impact and seriousness and applying this classification consistently across the organisation, involving all relevant expertise in the creation and review of incident categories;
  • Bringing incident data together with risk and mitigation information, enabling management to see the overall picture, identify where controls need tightening and build a growing knowledge base of successful controls, fallbacks and actions;
  • Linking the standard incident management process to the major incident management protocol, the information security management system and the disaster recovery plans and procedures.

5.3 With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.

6 RELATED DOCUMENTS

GP/I5 Information Security Policy

GP/I6 eHealth Change Management Policy

All other supplementary NHS Fife Information Security Policies

7 REFERENCES

Appendix 1: NHS Fife eHealth Incident Management Procedure

Appendix 2: Security Incidents Procedure

Appendix 3: Computer Misuse Procedure

Significant Incident Reporting Guidance eHealth July 2014

Computer Misuse Act (1990)

Data Protection Act (1998)

Human Rights Act (1998)

The Regulation of Investigatory Powers Act (2000)

Freedom of Information (Scotland) Act (2002)

NHSS Information Security Policy Framework July 2015

ITIL (IT Infrastructure Library)

COBIT (Control Objectives for Information and Related Technology)
