General Policy
Digital & Information
GP/V2
Cyber Security Manager
Information Security Manager
Associate Director of Digital and Information
01 June 2009
01 June 2023
01 June 2025
5


General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.

1. FUNCTION

This document forms the GP/V2 IT Malware Protection Policy, in support of the GP/I5 Information Security Policy. It supports the Information Security Management controls and IT security posture of NHS Fife and describes the measures the organisation takes to control malware, i.e. computer viruses, malicious code or any other destructive software that may potentially infiltrate the organisation’s (or a partner organisation’s) IT systems.

This policy falls within the scope of the organisation’s obligations under the Network and Information Systems Regulations (NIS Regulations) 2018. The NIS Regulations provide legal measures to boost the level of security of network and information systems for the provision of essential services and digital services.

Compliance with this policy will help protect NHS Fife from malware contamination and provide the means to minimise disruption and business impact should preventative measures fail.

2. LOCATION

This policy is applicable to all staff, contractors and volunteers using NHS Fife’s IT systems or IT Systems provided to partners by NHS Fife.

3. RESPONSIBILITY

Digital and Information Department (D&I)
The NHS Fife Digital & Information Department is responsible for this policy. D&I will deploy, operate and maintain up-to-date, effective anti-virus software on all computer systems that are liable to attack from malicious software.

All networked PCs/Laptops will be updated with the latest applicable virus definition files daily on start-up and periodically throughout the day if required.

Only authorised Digital & Information staff may deploy anti-virus software onto computers. The introduction and/or use of any other anti-virus software without the Digital and Information Department’s consent will be investigated and the software removed.

All Staff
It is essential that these measures are implemented to prevent the introduction of malicious software such as computer viruses, ransomware and other malware, or even unauthorised software.

Users must not attempt to download executable files (i.e. program software) or unofficial templates from the internet without prior specific clearance from IT staff. Safe browsing and email practices are to be employed, and users are to exercise caution when using the corporate network to browse the internet. Employees should be wary of unsolicited emails, especially those with attachments or links, and should not open them unless they are from a trusted source.

Anyone who believes or suspects that their computer has been infected with malware is to immediately phone the Digital & Information Service Desk to log a call. Do not shut down or close your current session on your device.

Malware-infected computers are to remain untouched until you are told by a member of the Digital & Information staff that they can be reused. The person who was using the computer at the time it became, or was suspected of becoming, infected is to clearly label the computer as contaminated; it must not be used without the authority of the Digital & Information Department.

Only authorised devices are to be permitted for use on the NHS Fife Infrastructure. Personally owned USB storage devices in particular are not to be connected. Any removable medium that was being used on the computer at the time of the suspected contamination, or immediately prior, is to be handed to the Digital & Information support staff, for investigation.

Cyber Security Manager
The D&I Cyber Security Manager will undertake the role of virus management coordinator and will:
• Investigate the cause of contamination.
• Alert Digital & Information staff to new viruses.
• Alert users where specific virus threats emerge.
• Alert outside agencies as required, e.g. National Services Scotland Cyber Security Operations Centre, National Cyber Security Centre.

Information Security Manager
The Information Security Manager will:
• Investigate the circumstances in conjunction with the Cyber Security Manager.
• Ensure any risk and adverse event reports are carried out.
• Generate any legislative reporting requirements, e.g., NIS, Information Commissioner’s Office.

Head of Digital Operations
The Head of IT Operations is responsible for:
• Informing Senior Management and agreeing communication / update methods and frequency in the event of a significant cyber security incident.
• Sharing intelligence / impact with interested parties.
• Seeking further support from specialist national organisations, such as the Scottish Government Resilience Team, NCSC, Police Scotland etc.
• Making decisions regarding preventative isolation of systems or platforms which will impact a wide user base.

Line Managers
It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

Third Parties
All third-party assets which are either not connected to NHS Fife’s domain or not managed by NHS Fife’s Anti-virus management platform must have appropriate malware protection in place approved by NHS Fife Digital & Information. The third-party supplier must ensure that this is maintained and updated as appropriate with the latest definitions.

4. OPERATIONAL SYSTEM

NHS Fife will use anti-virus software products to protect PCs, laptop computers and servers.
• Automatic anti-virus software updates will be provided centrally.
• The ability to receive threat detection alerts will be maintained at all times by retaining the orchestration capability centrally and ensuring that endpoints are reporting in.

Malicious Code
Malware is the commonly used term for malicious software and is an umbrella term referring to a variety of forms of hostile or intrusive software. These include computer viruses, crypto-ransomware, worms, Trojans, spyware and other intentionally harmful programs. When run, these may damage the confidentiality, integrity or availability of an information processing system.

Mobile Code
Mobile code is defined as software code that transfers from one computer to another and then executes automatically, performing a specific function with little or no user interaction.
Whilst many websites may use mobile code, such as Java or ActiveX, for legitimate purposes, the same technology can be used for clandestine purposes; therefore, where mobile code is allowed, specific technical controls must be used to ensure the integrity of information systems.

5. RISK MANAGEMENT

To mitigate the risks to NHS Fife’s Data, Information and IT infrastructure from malware attacks, the following strategies and techniques shall be implemented:

It is the responsibility of each Line Manager to ensure this policy is deployed within their area of responsibility.

NHS Fife Staff shall be trained to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

The unauthorised disclosure of any Cyber Security incident or vulnerability, except as required by an employee’s job responsibilities, is expressly forbidden. If unsure, contact the Communications Department or a member of the D&I senior leadership team.

Risk management strategies will be adopted in accordance with NHS Fife and D&I policies.

6. RELATED DOCUMENTS

GP/I5 Information Security Policy
GP/A4 Acceptable Use Policy
GP/B2 Remote Access Policy
GP/E7 Non NHS Fife Equipment Policy
GD/D3 Information Governance and Data Protection Core Policy

7. REFERENCES

Data Protection Act 2018 (legislation.gov.uk)
The Network and Information Systems Regulations 2018 (legislation.gov.uk)
Freedom of Information (Scotland) Act 2002 (legislation.gov.uk)
Computer Misuse Act 1990 (legislation.gov.uk)