NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.
New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.
The purpose of this document is to define the framework within which NHS Fife provides and manages the IT Remote Access Service (RAS), which allows staff to access file storage and information systems from external NHS Fife locations using mobile devices, i.e. laptops and iPads.
By default, all laptops have the remote access software installed. With iPads the remote access software can be installed upon request to the eHealth Service Desk.
This document forms part of NHS Fife’s Information Security Management System (ISMS).
For the purpose of this document, Remote Access is defined as IT access that uses an internet connection from a commercial company, i.e. Virgin, BT, Sky, etc., to connect to NHS Fife’s network via SWAN (Scottish Wide Area Network).
This policy is applicable to all staff and contractors working within NHS Fife.
3.1 Responsibilities of the User
In accordance with GP/I5 Information Security Policy, it is the responsibility of all staff to ensure that information systems and the data accessed remain safe and secure. Staff who are authorised to have remote access have additional responsibilities relating to information security, confidentiality and appropriate use.
At no time will any NHS Fife Remote Access User provide their login credentials to anyone, not even family members; the GP/P2 Password Policy applies.
Only NHS Fife Information Technology (IT) Equipment can be used to connect to NHS Fife resources, i.e. network, file storage, IT systems, corporate WiFi.
NHS Fife users with remote access privileges will ensure that their computer, which is remotely connected to the NHS Fife network or an NHS or SWAN connected LAN, is not concurrently connected to any other business network. An example is an unauthorised connection of a work laptop to a home LAN, allowing access to other networks.
3.2 Responsibility of the Line Manager
Where a member of staff requires remote access to perform their duties, the Line Manager shall ensure that they have access to a laptop or an iPad.
3.3 Responsibility of the eHealth Department
It is the responsibility of the eHealth Department to ensure that the correct remote access configuration of the laptop or iPad is implemented.
4 OPERATIONAL SYSTEM
4.1 Remote Access Solution
NHS Fife has adopted a Remote Access solution as the means of connection to the NHS Fife and SWAN IT networks.
4.2 Remote Access to NHS Fife Network
Secure Remote Access to the NHS Fife network will be strictly controlled by the eHealth department. Control will be enforced by the use of eHealth configured mobile devices and authorised staff using their IT login accounts.
Services available via Remote Access are limited to those that have been security assessed.
No file transfers will be available via remote access if the endpoint device is not encrypted.
Computer policies will be defined on GP Practice computers to check for antivirus software being up to date, before allowing connection.
Remote access to networks and directly to host systems is in widespread use throughout the NHS. It is used in support of:
- Vendor support of installed systems – network components or computer systems;
- Home working for staff;
- Intermittent access for remote offices;
- Mobile access to enable Consultants, GPs, Community Nurses, etc., to gain access to clinical information systems.
4.3 Home Broadband Specification for Remote Access
For the VPN client to work successfully, the home broadband router must support IPSec and/or “VPN passthrough”. The user’s ISP account must also support home working/VPN access.
The Broadband RAS is only available for users with existing broadband routers which provide Ethernet or wireless connections, and is not available to users who have a broadband connection via a USB modem or similar. It is important that the user has the router equipment successfully installed and working before setting up their device to use remote access. The responsibility for the ongoing support of the home broadband connection will remain with the user and their chosen Internet Service Provider.
The RAS solution will require that the user perform a level of configuration at home as eHealth staff do not provide home visits.
4.3.1 Remote Access using a Wireless Network
Since there are information security risks associated with the use of wireless networks, users shall only be permitted to use the approved eHealth Department solution.
The use of any other wireless solution shall be deemed a breach of this policy.
5 RISK MANAGEMENT
To mitigate the risks to NHS Fife’s (including GP Practices) Data, Information and IT infrastructure, the following strategies and techniques shall be implemented:
It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.
NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
The unauthorised disclosure of NHS Fife data in any medium is expressly forbidden, as is the access or use of any NHS Fife data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.
With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and regularly review these to ensure they take into account legislative and operational requirements.
Should the above risk mitigations not be implemented and a breach of legislation occur, the following impact may follow:
- Disciplinary action against staff;
- Legal action against NHS Fife;
- Legal action against the person(s) involved in the breach.
6 RELATED DOCUMENTS
6.1 GP/I5 Information Security Policy
6.2 GP/D3 Data Protection and Confidentiality Policy
6.3 GP/E6 Email Policy
6.4 GP/I3 Internet Policy
6.5 GP/I6 IT Change Management Policy
6.6 GP/M5 Mobile Device Management Policy
6.7 GP/O2 Online Communication Policy
6.8 GP/P2 Password Policy
7.1 Data Protection Act (2018)
7.2 General Data Protection Regulations (GDPR)
7.3 Network and Information Systems (NIS) Regulations
7.4 Civil Contingencies Act (2004)
7.5 Computer Misuse Act (1990)
7.6 Freedom of Information (Scotland) Act (2002)
7.7 Human Rights Act (1998)
7.8 NHSS Information Security Policy Framework July 2015