General Policy
Digital & Information
GP/V2
eHealth Security Manager
eHealth Systems Infrastructure Manager
SIRO
01 June 2009
01 November 2014
01 January 2022
4

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.

New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy/procedure is past its review date then the content will remain extant until such time as the policy/procedure review is complete and the new version published, or there are national policy or legislative changes.

1. FUNCTION

This document forms the GP/V2 IT Virus Protection Policy, in support of the GP/I5 Information Security Policy. This document is part of the Information Security Management System (ISMS) for NHS Fife and describes the measures the organisation takes to control mobile and malicious code, i.e. viruses, that may potentially infiltrate the organisation.

This policy falls under the scope of the organisation’s ISO 27001 compliant management system.

Compliance with this policy will help protect NHS Fife from viral and worm contamination and provide the means to minimise disruption and business impact should preventative measures fail.

2. LOCATION

This policy is applicable to all staff, contractors and volunteers using NHS Fife’s IT systems.

3. RESPONSIBILITY

3.1 All staff

Anyone who believes or suspects that their computer has been infected with a virus is to immediately disconnect it from the network and inform the eHealth Service Desk as soon as possible.

Virus-infected computers are to remain isolated from the network until you are told by a member of the eHealth staff that they can be reconnected. The person who was using the computer at the time it became, or was suspected of becoming, infected is to clearly label the computer as virus contaminated and state that it must not be reconnected to the network without the authority of the eHealth Department.

Any removable medium that was being used on the computer at the time of the suspected contamination, or immediately prior, is to be handed to the eHealth support staff for investigation.

Mobile users must ensure that the virus checking software is up to date.

3.2 eHealth Department

The NHS Fife eHealth Department will deploy, operate and maintain up to date effective anti-virus software on all computer systems that are liable to attack from malicious software.

All networked PCs/Laptops will be updated with the latest applicable virus definition files daily on startup and periodically throughout the day if required.

Only authorised eHealth staff may deploy anti-virus software on to computers.

eHealth staff who discover virus contamination on any computer must inform the Service Desk and raise a Security Incident. The eHealth Security Manager and Head of IT Operations will be informed that an incident has occurred.

3.3 eHealth Security Manager

The eHealth Security Manager will act as Virus management co-ordinator and will:

  • Investigate the cause of contamination;
  • Alert eHealth staff to new viruses;
  • Alert users where specific virus threats emerge;
  • Alert the NHS NSS Information Security Manager in the event of a major malware outbreak.

3.4 Head of IT Operations

The Head of IT Operations will be responsible for:

  • Informing Senior Management and agreeing communication / update methods and frequency;
  • Sharing intelligence / impact with the National Infrastructure Leads Group and/or other interested parties;
  • Making decisions regarding preventative isolation of systems or platforms which will impact a wide user base.

3.5 Line Managers

It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

3.6 Third parties

All third party servers which are either not connected to NHS Fife’s domain or not managed by NHS Fife’s Anti-virus management platform must have appropriate malware protection in place.

All third party appliances must be checked for viruses before connecting to the NHS Fife network. This will be carried out by the eHealth Remote Access Solution and access will be denied if the computer does not have appropriate malware protection in place.

4. OPERATIONAL SYSTEM

NHS Fife will use anti-virus software products to protect desktop and laptop computers and servers.

Automatic anti-virus software updates will be provided centrally.

4.1 Malicious Code

Malware is short for malicious code and is an umbrella term used to refer to a variety of forms of hostile or intrusive software. These include computer viruses, crypto ransomware, worms, Trojans, spyware, and other intentionally harmful programs. When run, these may damage the confidentiality, integrity or availability of an information processing system.

4.2 Mobile Code

Mobile code is defined as software code that transfers from one computer to another and then executes automatically, performing a specific function with little or no user interaction.

Whilst many websites may use mobile code, such as Java or ActiveX, for legitimate purposes, the same technology can be used for clandestine means, and therefore, where mobile code is allowed, specific technical controls must be utilised to ensure the integrity of information systems.

5. RISK MANAGEMENT

To mitigate the risks to NHS Fife’s Data, Information and IT infrastructure from malware attacks, the following strategies and techniques shall be implemented:

It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and regularly review these to ensure they take into account legislative and operational requirements.

6. RELATED DOCUMENTS

GP/I5 Information Security Policy
GP/I6 IT Change Management Policy
All other supplementary NHS Fife Information Security Policies
eHealth Infrastructure BC and DR Framework Plan
BC and DR Plans Operational Procedures

7. REFERENCES

Data Protection Act (2018)
General Data Protection Regulations (GDPR)
Network and Information Systems (NIS) Regulations
Computer Misuse Act (1990)
Civil Contingencies Act (2004)
Human Rights Act (1998)
Freedom of Information (Scotland) Act (2002)
NHSIS I.T. Security Manual
