General Policy
Digital & Information
GP/V2
Cyber Security Manager
Information Security Manager
Director of Digital and Information
01 June 2009
27 November 2025
27 November 2028
6

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.

1.  FUNCTION

This document forms the GP/V2 Malware Protection Policy, in support of the GP/I5 Information Security Policy. It supports the Information Security Management controls and IT Security posture for NHS Fife and describes the measures the organisation takes to control Malware, i.e. computer viruses, malicious code or any other destructive software that may potentially infiltrate the organisation’s (or partner organisation’s) IT Systems.

This policy falls within the scope of the organisation’s obligations under the Network and Information Systems Regulations (NIS Regulations) 2018. The NIS Regulations provide legal measures to boost the level of security of network and information systems for the provision of essential services and digital services.

Compliance with this policy will help protect NHS Fife from malware contamination and provide the means to minimise disruption and impact should preventative measures fail.

2.  LOCATION

This policy is applicable to all staff, contractors and volunteers using NHS Fife’s IT systems or IT Systems provided to partners by NHS Fife.

3.  RESPONSIBILITY

Digital and Information Department (D&I)

The NHS Fife Digital & Information Department is responsible for updating and maintaining this policy. D&I will deploy, operate and maintain up to date effective anti-virus software and other tools and methods of defence on all digital systems and managed endpoints that are liable to attack from malicious software.

All networked PCs/Laptops will be updated with the latest applicable virus definition files daily on start-up and periodically throughout the day if required.

Only authorised Digital & Information staff may deploy anti-virus software on to corporate devices managed by NHS Fife. The introduction and/or use of any other anti-virus software without the Digital and Information Department’s consent will be investigated and the software removed.

All Staff

It is essential that sensible measures are implemented to prevent the introduction of malicious software such as computer viruses, ransomware and malware or even unauthorised software.

Users must not attempt to download executable files, i.e., program software or unofficial templates, from the internet without prior specific clearance from IT staff. Safe Browsing and Email Practices are always expected, and users are to exercise caution when using the corporate network to browse the internet.

All staff are required to always be vigilant, paying particular attention to unexpected or unsolicited communications such as:

  • Instructions, warnings with a sense of urgency, requests for verification etc.
  • Financial based requests that are outwith normal procedures and governance.
  • Any communication with links and attachments, especially if particular emphasis is placed on these within the message.
  • Anything that seems too good to be true including offers & coupons, refunds and prizes.
  • Messages containing poor grammar, spelling errors (including US spelling), awkward phrasing etc.
  • Messages requesting personal information.

Anyone who believes or suspects that their computer has been infected with malware is to immediately phone the Digital & Information Service Desk to log a call. Do not shut down or close your current session on your device until advised to do so.

Malware infected computers are to remain untouched until you are told by a member of the Digital & Information staff that they can be reused. The person who was using the computer at the time it became or was suspected of becoming infected is to clearly label the computer as contaminated and not to be used without the authority of the Digital & Information Department.

Only authorised devices are to be permitted for use on the NHS Fife Infrastructure. Personally owned USB storage devices are not to be connected to any NHS Fife equipment. Any removable medium that was being used on the computer at the time of the suspected contamination, or immediately prior, is to be handed to the Digital & Information support staff, for investigation.

Cyber Security Manager

The D&I Cyber Security Manager will undertake the role of virus management coordinator and will:

  • Investigate the cause of contamination.
  • Alert Digital & Information staff to new viruses.
  • Alert users where specific virus threats emerge.
  • Alert the outside agencies as required, e.g., NSS CSOC, NCSC.

Information Security Manager

The Information Security Manager will:

  • Investigate the circumstances in conjunction with the Cyber Security Manager.
  • Ensure any risk and adverse event reports are carried out.
  • Assess impact against the NIS criterion and generate any legislative reporting requirements, e.g., CA, ICO.

Head of Digital Operations

The Head of IT Operations is responsible for:

  • Informing Senior Management and agreeing a communication plan / update methods and frequency in the event of a significant cyber security incident.
  • Agreeing levels of detail able to be shared within the various internal & external agencies and partners within the Comms Plan.
  • Sharing agreed levels of intelligence / impact detail with interested parties and colleagues Nationally.
  • Seeking further support from specialist National organisations, such as Scottish Government Resilience Team, NCSC, Police Scotland etc.
  • Making decisions / advising Executive Leadership Team on any critical decisions required regarding preventative isolation of systems or platforms which will impact a wide user base.

Line Managers

It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility. Line Managers should also encourage staff to stay vigilant and report anything suspicious immediately.

Third Parties

All third-party assets which are either not connected to NHS Fife’s domain or not managed by NHS Fife’s Anti-virus management platform must have appropriate malware protection in place approved by NHS Fife Digital & Information. The third-party supplier must ensure that this is maintained and updated as appropriate with the latest definitions.

4.  OPERATIONAL SYSTEM

NHS Fife will use anti-virus software products to protect desktop / laptop computers and servers.

  • Automatic anti-virus software updates will be provided centrally.
  • The ability to receive Threat Detection Alerts will be maintained at all times by ensuring that the capability to orchestrate is retained centrally and endpoints are reporting in.
  • All legitimate Digital & Information Email communications will use the same recognisable graphics, colours and layout, and come from the IT Servicedesk (NHS Fife).
  • Regular threat updates, items to watch out for, general reminders to be vigilant etc. will be communicated using various mediums.

Malicious Code

Malware is short for malicious software and is an umbrella term used to refer to a variety of forms of hostile or intrusive software. These include computer viruses, crypto-ransomware, worms, Trojans, spyware, and other intentionally harmful programs. When run, these may damage the confidentiality, integrity or availability of an information processing system.

Mobile Code

Mobile code is defined as software code that transfers from one computer to another and then executes automatically, performing a specific function with little or no user interaction.

Whilst many websites may use mobile code, such as Java or ActiveX, for legitimate purposes, the same technology can be used for clandestine means, and therefore, where mobile code is allowed, specific technical controls must be utilised to ensure the integrity of information systems.

5.  RISK MANAGEMENT

To mitigate the risks to NHS Fife’s Data, Information and IT infrastructure from malware attacks, the following strategies and techniques shall be implemented:

It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

The unauthorised disclosure of any Cyber Security incident or vulnerability, except as required by an employee’s job responsibilities, is expressly forbidden. If unsure, contact the communications department or a member of the D&I senior leadership team.

Risk management strategies will be adopted in accordance with NHS Fife and D&I policies.

6.  RELATED DOCUMENTS

GP/I5 Information Security Policy

GP/A4 Acceptable Use Policy

GP/B2 Remote Access Policy

GP/E7 Non NHS Fife Equipment Policy

GD/D3 Information Governance and Data Protection Core Policy

7.  REFERENCES

Data Protection Act 2018 (legislation.gov.uk)

The Network and Information Systems Regulations 2018 (legislation.gov.uk)

Freedom of Information (Scotland) Act 2002 (legislation.gov.uk)

Computer Misuse Act 1990 (legislation.gov.uk)