General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out.
New policies will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy is past its review date, then the content will remain extant until such time as the policy review is complete, and the new version published.
1. FUNCTION
1.1 This policy is to preserve the confidentiality, integrity and availability of NHS Fife digital information assets and is intended to ensure NHS Fife clinical and business activities are not subject to poor practices and disruption. This document forms part of the overall Information Security Policy for NHS Fife.
1.2 Portable devices are not to be considered the platform of storage for personal, health, staff or other corporate records / data, and such data should not be stored locally on devices including PCs, laptops, USB memory sticks, portable hard drives, external hard drives, smart phones, or any other portable storage media not listed, other than to facilitate a data transfer or other approved process such as system backups.
1.3 In some cases, the use of these devices may be unavoidable for the completion of work duties and/or the provision of care. Such cases would be authorised on a case-by-case basis and be subject to:
• An approved Data Protection Impact Assessment (DPIA).
• Adherence to the security requirements of this and other relevant NHS Fife policies listed at section 6 of this document.
• Standard Operating Procedures aimed at management of the process which would include an agreed backup strategy and management of NHS Fife records.
2. LOCATION
2.1 This policy is applicable to all staff, contractors and volunteers using NHS Fife’s IT infrastructure and its information processing systems.
3. RESPONSIBILITY
3.1 Chief Executive
3.1.1 It is the responsibility of the NHS Fife Chief Executive to accept and implement this policy and to ensure that the security controls identified by this policy are endorsed and implemented.
3.2 All Staff
3.2.1 It is the responsibility of all staff to comply with this and all other NHS Fife policies. This is particularly important in the modern connected, mobile and hybrid working environments where Information assets/devices are, in almost all cases, used in non-fixed locations to process business sensitive, health and personal information.
3.2.2 Failure to comply with this policy increases the risk of a data breach of NHS Fife information and may result in disciplinary action.
3.3 Digital and Information Department (D&I)
3.3.1 The D&I Department includes IT Operations, Cyber Security & Information Governance & Security and, amongst other responsibilities, ensures:
• Mobile/portable devices have the appropriate data encryption capabilities in order to protect personal, health and business data stored on them.
• The data encryption functionality and procedures used to protect data have been implemented correctly, are of appropriate strength and are fit for purpose.
• Appropriate measures are in place to prevent unauthorised memory devices, i.e. unencrypted memory sticks, being connected to PCs, servers or other USB-enabled systems.
3.4 Line Managers
3.4.1 It is the responsibility of Line Managers to ensure that all staff adhere to the contents of this policy.
3.4.2 Responsibility for taking any appropriate disciplinary action following a breach of this policy lies with the relevant Line Manager having taken advice from the Human Resources Department.
Line managers in collaboration with D&I are responsible for the day-to-day management of the security of data within their work areas to ensure this policy is adhered to.
4. OPERATIONAL SYSTEM
4.1 Information Processing Systems
4.1.1 To comply with UK General Data Protection Regulations (UK GDPR), Data Protection Act 2018 and the Network and Information Systems (NIS) regulations, the purchasing and implementing of information systems that process personal data shall be required to have a supporting DPIA to ensure that personal data is adequately protected through its lifecycle within NHS Fife.
4.1.2 The transmission of personal, health or business sensitive data shall be protected by encryption to the currently acceptable encryption standards as defined by Information Security and/or Cyber Security.
4.1.3 All information processing assets are to be recorded on the departmental information asset register and logged with the Information Governance and Security team through the following link - Registration of a Digital Information Asset.
4.2 Data Encryption
4.2.1 This data encryption policy must be applied in conjunction with the organisation’s GP/M5 Device Management and GP/M4 Media Handling Policies.
4.2.2 All mobile, portable & removable media for use on information systems owned or operated by NHS Fife are covered by this policy. Removable media routinely in use includes USB pen drives, USB external hard disc drives, DVD/CD and solid state memory devices including memory cards. As a guide, the following are the standards to adhere to in most routine cases:
• Advanced Encryption Standard (AES) with a minimum key size of 256 bits for data at rest. – Routinely the standard employed for devices including removable media, smartphones and laptops.
• Transport Layer Security (TLS) version 1.2 or higher for data in transit. – The minimum standard accepted for data moving across the network and mandatory minimum standard for Internet traffic.
• Secure Hash Algorithms (SHA) 256 or higher for hashing sensitive data. – Routinely used for integrity checking of data pre and post transit.
4.2.3 The use of freeware or shareware is not permitted and must be avoided. There is heightened risk of malware being incorporated into these products.
4.3 Data Security
4.3.1 Data intended for processing on removable media must be risk assessed, taking into account personal data, its sensitivity and the potential impact if lost, stolen, corrupted, unavailable or otherwise compromised.
4.3.2 Where encrypted removable media is to be shared, care must be taken to ensure that the intended recipient has the correct technical capability to decrypt the data on receipt, and this should be established in advance of any sharing of media.
4.3.3 The passphrase or decryption key used for encryption/decryption purposes must be sufficiently long and complex to protect the encrypted information from a password attack. The decryption passphrase or key must never be sent with encrypted removable media.
4.3.4 In all cases where data encryption is used, a full auditable record should be maintained of the media and data involved and its intended purposes including dates of encrypted file creation, transmission and destruction.
4.3.5 D&I conduct regular audits of connected devices and users, and any compliance issues will be investigated. All incidents involving loss of personal data or business data must be reported to the Information Governance Team via a Datix incident. This must be done promptly, as serious breaches must be reported to the Information Commissioner's Office (ICO) within 72 hours to comply with GDPR.
4.3.6 Where the media concerned is a removable/portable USB device then in all cases, the business use must be approved, the device tracked, and appropriate encryption applied as per this policy. Where a legitimate business need exists, then complete the form at the link and submit to Information Security through the D&I Service Now Portal. USB Storage device application - V1.3.
4.4 Device Control
4.4.1 Only approved devices will be permitted to connect to the NHS Fife network. Access of all other devices will be denied. Approved devices must be purchased and owned by NHS Fife or GP Practices. All other devices such as portable hard drives, MP3 players or any other mobile device or media such as smart phones or cameras must be approved by the Information Security Manager and applied for as per the instruction in Para 4.3. Laptops/Tablets must be authenticated on the network periodically or they will be locked and rendered unusable.
4.4.2 Data Loss Protection software must be installed on all PCs (Laptops, Desktops, Notepads) to prevent data being downloaded onto unapproved devices.
4.5 Procurement of Encrypted Memory Sticks
4.5.1 The procurement of approved encrypted USB memory sticks must be via the NHS Fife D&I Department. Only approved encrypted USB memory sticks must be purchased to ensure that they comply with section 4.1 of this policy.
4.6 Removable Media
4.6.1 Export of unencrypted personal data onto removable media such as CD, SD cards, DVD or ZIP drives MUST be avoided unless for approved backup purposes and then they must be stored securely.
4.6.2 Any requests for this deviation must be authorised by the Information Governance Team through a Digital and Information service request.
4.7 External Hard Drives
4.7.1 Users must show a clinical or business requirement for the use of external hard drives and this must be approved by the process explained at Para 4.3. They must be pre-encrypted and match the currently approved cryptographic standards. Where this isn’t possible, owing to a legacy process or equipment, then a DPIA and/or risk assessment is to be raised through the Information Governance and Security team.
4.8 Secure File Transfer
4.8.1 The approved methods of securely transmitting personal data are NHS M365 (up to 25 MB) and the SWAN Secure File Transfer (SFT) service.
4.8.2 The SFT provides the means of transferring larger files than NHS M365, up to 1 GB, to non-NHS M365 accounts securely. The Digital and Information Service Desk should be contacted if an account is required to make use of the SFT service.
5. RISK MANAGEMENT
5.1 If a breach of legislation occurs, the following impacts may follow:
• Disciplinary action against staff
• Legal action against NHS Fife
• Legal action against the person(s) involved in the breach
6. RELATED DOCUMENTS
• GP/I5 Information Security Policy
• GP/D3 Data Protection and Confidentiality Policy
• GP/R4 Records Management Policy
• GP/A4 Acceptable Use Policy
• GP/E6 Email Policy
• GP/I3 Internet Policy
• GP/M5 Device Management Policy
• GP/P2 Secure Use of Password Policy
7. REFERENCES
• Computer Misuse Act (1990)
• Data Protection Act (2018)
• General Data Protection Regulations (GDPR)
• Network and Information Systems (NIS) Regulations 2018
• Freedom of Information (Scotland) Act (2002)
• Public Records (Scotland) Act 2011