IT Change Management Policy

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.

New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.

1 FUNCTION

This document sets out the policy on Information Security that NHS Fife will implement to preserve the confidentiality, integrity and availability of the information on which its operations depend.

Information is vital to NHS Fife. The data stored in information systems used by NHS Fife represent an extremely valuable asset. The reliance of information technology makes it necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion. It is used in every aspect of its operations, from manual systems of record keeping to administration processes such as payroll and accounting; and patient care systems. It is central to the implementation of the Electronic Patient Record and information sharing between NHS Organisations and outside agencies.

Without the right information, NHS Fife would be unable to fulfil its responsibilities to patients, staff, NHS Scotland and the government. NHS Fife is reliant not only on information, but also on the controls protecting the information and how it is used.

Information Security is important to ensure that NHS Fife does not become vulnerable to the potentially highly damaging financial, legal or political implications arising from a serious breach of security or confidentiality.

This document provides a set of rules, measures and procedures that determine the physical, procedural and logical security controls imposed on the management,distribution and protection of assets. It is aimed at ensuring the protection of information from loss of confidentiality, integrity and availability within NHS Fife.

Some aspects of information security are governed by legislation and all staff within NHS Fife are under a common law obligation to preserve the confidentiality of thisinformation. In addition the EU directive ‘For the protection of individuals with regard to the processing of personal data and the free movement of such data’ is implemented in the UK via the Data Protection Act 1998.

NHS Fife expects the provisions of this policy to lay the foundation for the alignment of Information Security practices with the International Standard ISO 27001.

This is the key Information Policy which is supported by all other NHS Fife eHealth Policies/Procedures

1.1 Policy Objectives

The following points outline the objectives of this document:

• to preserve the confidentiality, integrity and availability of data within NHS Fife;
• to provide management direction and support for information security;
• to ensure all information, whether manual or electronic, is adequately protected against loss, unauthorised access, disclosure or inaccuracy;
• to identify the threats to assets, vulnerabilities and impact;
• to ensure all information (whether manual or electronic) is adequately protected to allow the continuation of day to day core operations without loss or reduction to the quality of service. This also supports the implementation of new computerised systems and facilities in accordance with Strategic plans;
• to ensure security is an integral part of working with information (whether manual or electronic);
• to ensure there is compliance with relevant legislation relating to the collection, maintenance and protection of information, access to information (whether manual or electronic) is on a strictly need to know basis;
• to ensure Business Continuity Plans are produced, maintained and tested periodically;
• to ensure all Information Security breaches, actual or suspected, are reported and investigated by the eHealth Security Manager;
• to ensure Information Governance training is given to all staff

1.2 Scope

NHS Fife holds a range of data in various formats. For the purposes of this policy, all information held by NHS Fife is regarded as falling within the scope of this policy to facilitate a structured and cohesive approach to the provision of Information Security.

This policy relates to all the elements of NHS Fife where information is used or operated, including those supplied or operated on its behalf by external contractors. It also applies to joint working arrangements with other agencies.

This policy is applicable to all NHS Fife data and information and to all people accessing such data and information from any location, regardless of the method used. It also applies to all staff accessing other information resources using NHS systems or equipment.

2 LOCATION

Where the term staff is used it shall be taken to apply to full or part time employees, contractors, volunteers or third parties that work on behalf of NHS Fife.

3 RESPONSIBILITY

3.1 Chief Executive

The final responsibility for the secure operation of all systems used in NHS Fife is vested in the Chief Executive. This responsibility is delegated to Line Managers and ultimately to all staff (via the directorate structure), developing, introducing, managing and using information systems through the medium of this policy.

3.2 Caldicott Guardian

The responsibility for maintaining the confidentiality of patient identifiable information rests with the NHS Fife Caldicott Guardian.

3.3 eHealth Delivery Board

The eHealth Delivery Board is responsible for implementing eHealth projects and ensuring that they comply with NHS Fife security and data protection policies and standards.

3.4 eHealth Quality & Governance Manager

The eHealth Quality & Governance Managers responsible for the development; introduction; distribution; training, and the monitoring of compliance for all Information Governance policies and standards.

3.5 Head of eHealth

The Head of eHealth has the responsibility to:

• Ensure the I.T. infrastructure supports and enables the Information Security policies to be implemented and maintained;
• Ensure the eHealth staff work within a clear framework which promotes Information Security and that the framework is documented within the department;
• Develop, introduce, distribute, train, and the monitor the compliance for all Information Governance policies and standards.

3.6 eHealth Security Manager

The eHealth Security Manager for NHS Fife is responsible for the implementation and enforcement of the Information Security Policy and will have responsibility for:

• ensure that the Information Security Policy is implemented throughout the organisation;
• ensuring Operational Support Guides (OSG) are in place for all critical computer systems. OSG documentation will supersede and replace existing SSP/SOP’s;
• examining and determining the level of security required for any new production systems;
• ensuring that all 3rd party connections comply with the SWAN Code of Connection;
• ensuring regular risk assessments are performed on systems;
• monitoring and reporting on the state of Information security within the organisation;
• developing and enforcing detailed procedures to maintain information security;
• ensuring compliance with relevant legislation and NHS guidance;
• developing and delivering training plans to ensure that all staff are aware of their responsibilities and accountability for information security;
• monitoring, recording, investigating and reporting actual or potential Information security breaches

3.7 eHealth Department

The eHealth department has the responsibility to ensure that:

• file servers are housed in secure areas that provide protection from unauthorised access and environmental threats such as fire, flood and loss of power;
• all equipment used to store NHS Fife data is recorded and any movements tracked to ensure that any theft or loss is detected;
• all information contents are removed before equipment is re-allocated or sent for disposal;
• systematic protection against malicious code is operated on all workstations, servers and on all data exchange systems including email gateways;
• all incoming data (including data from removable media devices e.g.USB memory sticks, CD/DVDs, external e-mail and downloads) are scanned for malicious code before installation or use;
• regular data and software back-up procedures are used to provide contingency backup;
• Interconnection between the NHS and other networks, for instance at universities or the public internet should be avoided. For the avoidance of doubt, this provision applies to interconnection across both cabled and wireless network connections; where this cannot be avoided, the interconnection should be risk assessed and compliant with standards and guidance in place (e.g. SWAN code of connection).
• Interaction with external systems is recorded and monitored. This will include the electronic monitoring of e-mail and other data streams up-loaded to, or downloaded from, any NHS Fife system. Access to non-NHS mail accounts is strictly managed by the Information Service Department.
• Back-up copies of operational configuration files for the I.T. infrastructure including server and networked equipment (IP address ranges, firewalls, etc.) are kept in a secure place. This will allow the quick recovery of the infrastructure if a disaster occurs.

3.8 Data Protection Officer

The Data Protection Officer for NHS Fife is responsible for ensuring:

• that a register of information/datasets assets is maintained. The register records data owners and designates those assets that are confidential or sensitive as defined in Data Protection legislation and Caldicott guidelines;
• that there is justification why each dataset exists and why it needs to contain patient personal information and what access restrictions should apply to each;
• ensuring that a register of data flows is maintained and that a risk assessment has been carried out;
• ensuring that staff handling personal information understand that they are contractually responsible for following good data protection practice, are appropriately trained to do so and supervised where necessary;
• queries about handling personal information are promptly and courteously dealt with;
• ensuring that methods of handling personal information are clearly described;
• regular audits of how personal information is handled is carried out

The Data Protection Officer is supported by the Data Protection Co-ordinator.

3.9 Line Managers’ Responsibilities

Managers will notify the eHealth Service Desk about staff changes affecting computer access (e.g. job function changes/leaving department or organisation), so that accounts may be disabled, deleted, data transferred or access rights modified.

Managers will ensure that all current and future staff are fully trained in their information security responsibilities.

Managers will ensure that all their staff using computer systems/media are trained in their use.

Managers will ensure that no unauthorised staff are allowed to access to any of the organisation’s computer systems as such access could compromise data integrity.

Managers will determine which individuals are to be given authority to access specific computer systems. The level of access to specific systems should be based on a job function need, irrespective of status.

Managers will implement NHS Fife procedures to minimise the organisation’s exposure to fraud/theft/disruption of its systems, such as segregation of duties/dual control/staff rotation in critical areas. Other related documents are:

• eHealth Incident Management PolicyGPS8
• Financial Operating Procedures

Managers will ensure that key documentation is maintained for all critical job functions to ensure continuity in the event of individual unavailability.

3.10 All Staff

All members of NHS Fife staff, contractors and service providers who use or influence the use of NHS Fife information systems must conform to the standards expected and described in this policy statement and the Information Security Standards.

All staff must read this Information Security Policy and those supporting standards, policies and procedures that are relevant to their role.

Specific security related responsibilities required of key personnel will be defined in their job description and in secure operating procedure documentation. All staff required to use information systems will be made aware of their responsibilities in maintaining an appropriate level of Information Security, be adequately trained in their security related roles and responsibilities and in the correct use of those systems.

Good workplace practices are an essential part of this Information Security Policy. NHS Fife expects everyone – from volunteers to the Chief Executive - to take personal and professional responsibility for dealing securely with any information they have access to in the course of their duties. Professional practices such as tidy working areas and workstation screen-savers must be used whenever possible.

All individuals entrusted with access to information have a responsibility to ensure that their actions when using information systems conform to this policy, to NHS standards and to legal requirements.

Each employee is personally responsible for ensuring that no breaches of computer security result from their actions. Staff working from home must also comply with the I.T. Equipment Home Working Policy GP/H6.

Each employee must report to the eHealth Security Manager, via the eHealth Service Desk, any suspected breaches of security arising from the actions of others.

All staff must comply with all NHS Fife Information Security Policies, Standards and Procedures including the maintenance of data confidentiality and data integrity.

Failure to observe this policy may result in disciplinary action or legal proceedings being taken against the offender. Standard supplier contracts will also require contractors and other third parties to comply with the provisions of this policy.

All staff must notify their line manager of all suspected or actual breaches of confidentiality.

3.11 Information Owners

All information belongs to NHS Fife however, for responsibility purposes all data, held manually or electronically, must have a designated ‘Information Owner’. Each owner is responsible for ensuring that risk assessments are carried out and appropriate security measures are in place to protect their information.

3.12 Third Parties

Health and related care organisations need to share information and, in some cases, to allow access to I.T. resources from other parts of the NHS or vendors supplying application support to NHS systems. The increased level of sharing brings with it increased risk to the security of the data and the systems on which it is held. Before allowing third party access, a risk assessment will be carried out by the eHealth Security Manager in consultation with the Caldicott/Data Protection Coordinator to establish the level of risk and to recommend necessary counter-measures.

Access to information facilities by third parties will only be allowed when the appropriate measures have been implemented and an agreement has been signed defining the terms for the connection. There must be a regular audit of external contractors and service providers in respect of their need for access to systems and data and their awareness of responsibilities regarding security and confidentiality.

4 OPERATIONAL SYSTEM

Appendix 1 provides guidance and procedural information.

5 RISK MANAGEMENT

NHS Fife will carry out a risk assessment for all information and record systems to ensure that suitable disaster recovery and contingency capabilities are implemented. In rare circumstances, the Chief Executive may approve the operation of an information system without recovery and contingency facilities where the risk assessment justifies this.

Recovery procedures will be developed for all operational systems and where relevant an appropriate contingency plan must also be prepared to ensure an acceptable level of service and control is maintained following system failure.

All recovery and contingency plans will be kept up to date with system changes. NHS Fife will test these arrangements initially and at intervals thereafter as part of its ongoing Information Security management programme.

With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.

6 RELATED DOCUMENTS

All underlying NHS Fife Informatio NHSS Information Security Policy Framework July 2015eHealth Incident Management Policy GP/S8

eHealth Change Management Policy GP/I6

Financial Operating Procedures

7 REFERENCES

The Principal Acts of Parliament, Management Executive letters and Scottish Office Home and Health Department circulars relevant to Information Security and confidentiality are:

Compliance with legal requirements

LEGISLATION The principle UK Acts of Parliament are:
Data Protection Act 1998	http://www.legislation.gov.uk/ukpga/1998/29/contents
Computer Misuse Act 1990	http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm
Access to Health Records Act 1990 (only in respect of records relating to deceased persons)	http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900023_en_1.htm
Access to Medical Reports Act 1988	http://www.hmso.gov.uk/acts/acts1988/Ukpga_19880028_en_1.htm
Copyright Design and Patents Act 1988	http://www.hmso.gov.uk/acts/acts1988/Ukpga_19880048_en_1.htm
Human Rights Act 1998	http://www.legislation.gov.uk/ukpga/1998/42/contents
Freedom of Information (Scotland) Act 2002	http://www.legislation.gov.uk/asp/2002/13/contents
Regulation of Investigatory Powers Act (Scotland)2000	http://www.legislation.gov.uk/asp/2000/11/contents

SCOTTISH OFFICE POLICY DOCUMENTS: The principle Scottish Executive Letters & SOHHD Circulars relevant to information security listed below. These may be found on the SHOW website at http://www.show.scot.nhs.uk/sehd/
Circ. SW 1/89	Confidentiality of Social Work Records
Circ. SW 2/89	Access to Personal Files / Regulations
MEL 1992 (14)	Safeguarding Confidentiality Identifiable Data / Contracting
MEL 1992 (42)	Confidentiality / Personal Data associated with contracts
MEL 1992 (45)	Computer Security Guidelines
MEL 1992 (69)	Access to Health Records (Now superseded by Data Protection Act 1998 (for living patients)
MEL 1993 (152)	Guidance for the Retention and Destruction of Health Records
MEL 1993 (59)	NHS in Scotland I.T Policy
MEL 1993 (70)	NHS Communications Systems
MEL 1994 (100)	Protecting the Confidentiality of Personal Health Information
MEL 1994 (75)	NHS in Scotland I.T Security Manual
MEL 1994 (76)	Telecommunications Policy & Management
MEL 1996 (72)	The Year 2000
MEL 1996 (80)	NHS-net Telecommunications Policy & Management
MEL 1999 (10)	Introduction of Managed Clinical Networks within the NHS in Scotland
MEL 1999 (19)	Caldicott Guardians
MEL 1999 (88)	NHSIS Telecommunications Service & Website Developments
HDL (2006) 41	NHS Scotland Information Security Policy
NHS circ. DGM 1992 (20)	Security of Health records
NHS circ. GEN 1990 (22)	Confidentiality of Personal Health Information
NHS circ. GEN 1991 (27)	Access to Health Records
NHS circ. GEN 1991 (31)	The Access to Health Records (steps to secure compliance & complaint procedures) (Scotland) Regulations 1991
Staff Leaflet on Confidentiality (2003)	NHS Code of Practice for Protecting Patient Confidentiality
NHS Scotland Information Governance	Information Governance Standards
SHHD/DGM (1987) 49	Disclosed Information about Hospital Patients in the Context of Civil Legal Proceedings
SHHD/DGM (1991)/39	Safeguarding the Confidentiality of Personal Data Associated with Contracts
SHHD/DGM (1991)/47	Computer Security
SHHD/DGM 1991 (28)	Computer Software and Crown Copyright
Scottish Wide Area Network (SWAN)	SWAN Information Security Policy v13 SWAN Tier 1 Code of Connection v0.12

Related Policies

• GP/D3 - DATA PROTECTION AND CONFIDENTIALITY POLICY
• GP/B2 - eHealth Remote Access Policy
• GP/E6 - Email Policy
• GP/I3 - Internet Policy
• GP/E7 - Non NHS Fife Equipment
• GP/O2 - Online Communications
• GP/P2 - Password Policy
• GP/P3 - Picture Archiving and Communications System (PACS) Policy
• GP/P3-1 - Picture Archiving and Communications System (PACS) Procedure
• GP/D3-11 - SUPPLIER RELATIONSHIPS PROCEDURE
• GP/D3-13 - System Access Provisioning Procedure
• GP/O2-5 - Use of Staff Intranet Discussion Forums