General Policy
Digital & Information
GP/P2
Information Security Manager
Head of Information Governance and Security
Director Digital & Information
01 June 2022
16 October 2025
16 October 2028
2

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out.

New policies will be subject to a review date of no more than 1 year from the date of first issue. Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until either such time as the policy review is complete and the new version published, or there are national policy or legislative changes.

1.  INTRODUCTION

This policy relates to Secure Use of Passwords and forms part of the overall Information Security policy for NHS Fife.

2.  AIM, PURPOSE AND OUTCOMES

To ensure that INFORMATION SECURITY is maintained by

  • Ensuring that confidentiality and integrity of personal and sensitive information is maintained
  • Ensuring that information is available to authorised users
  • Ensuring that information is not disclosed to unauthorised people
  • Preventing destruction of information

The policy also advises staff of their obligations to maintain information confidentiality, integrity, and availability.

This policy forms part of Digital & Information’s Information Security (IS) Management System (ISMS) and should be read in conjunction with all the IS policies.

This policy has been written in line with the information security standard ISO 27001, the Network and Information Systems Regulations (NIS) and guidance published by the National Cyber Security Centre (NCSC), and it will be reviewed to reflect future changes to these standards.

This policy has been written to comply with current legislation and the policy will be updated appropriately to suit new and/or modified legislation. The references appendix will be updated to reflect this legislation.

3.  SCOPE

3.1 Who is the Policy intended to Affect?

This policy is intended for all NHS Fife staff to maintain information security.

In the interests of clarity all references to ‘staff’ includes all staff within NHS Fife and all staff who are employed, engaged or partners within each GP practice (contracted to NHS Fife).

This policy also applies to Third Party Suppliers who support NHS Fife Digital & Information assets.

3.2 Who are the Stakeholders

All staff, contractors and third-party suppliers.

Patients - NHS Fife take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. In order to find out more about current data protection legislation and how we process your information, please visit the Data Protection Notice on our website at https://www.nhsfife.org/ or ask a member of staff for a copy of our Data Protection Notice.

4.  PRINCIPAL CONTENT

This policy provides practical advice on the use of passwords for access to computer systems. The Appendix provides a summary of good practice in respect of passwords. NHS Fife strives to maintain alignment with National Cyber Security Centre (NCSC) guidelines for password policy:

  • Minimum password length: 12-14 characters
  • Forced complexity: Disabled
  • Password History Remembered: 8-24 passwords
  • Lockout Threshold: 5-10 attempts
  • Logout Duration: 2-15 minutes
  • Multi-factor Authentication: Enabled

Each member of staff must have his/her individual user account and password. For the most effective security, staff should have self-selected individual passwords that conform to NHS Scotland password standards.

When someone leaves, their user account must be disabled and their password reset as soon as possible. The staff member’s direct line manager is responsible for raising the off-boarding request; the Service Desk then disables the account and resets the password as part of the leavers process.

Passwords must not normally be written down. It is not uncommon for password protection to be defeated by a user writing the password down on a piece of paper kept close to a computer.

Passwords must not be displayed on screens as they are entered. Computers should be physically positioned such that they are protected against accidental disclosure of passwords. Keyboards and screens should be positioned such that only the user can view password entry.

Passwords must consist of a minimum of 14 characters. It is recognised that attackers using password-cracking tools can make a very large number of guesses in a short period of time, and the length of a password is the main factor in how many guesses it can withstand; the most effective passwords are therefore the longest ones. At password change, users will be instructed to adopt the 14-character minimum. Passwords automatically expire every 12 months but can be changed at other intervals by the user.

NHS Fife follows the NCSC recommendation to combine three random, unrelated words to create strong, memorable passwords. This approach helps users create passwords that are long enough to be secure yet easy to remember, e.g. “chairlaptoptree”.

Do not base passwords on personal details such as birthdays, anniversaries, or the names of family members, pets or favourite sports teams. These details are often easily discoverable through social media or other public information.

Staff should not disclose their passwords to any other person, even Digital & Information staff.

Passwords must not relate to the system being accessed; in particular they must not be the same as the name of the service or system, e.g. “trakcare”.

Passwords must not relate to the user. Many staff will opt for passwords that they find particularly easy to remember. Often the password chosen has strong associations with either the system being accessed or the background of the user and can be guessed by potential intruders.

4.1 Password Maintenance

Re-use of recent passwords is not permitted. On reset, NHS Fife domain access will warn users if the new password has been used within the past 24 resets. Other platforms and third-party systems may implement history differently, but the minimum direction is a “no repeat in 5” policy. Passwords must always be changed immediately on suspicion of any compromise.
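The password rules in section 4 (minimum length, no forced complexity, nothing relating to the user or the system, three random words) and the history and lockout rules in section 4.1 and the policy parameter list can be expressed as a small checker. The Python below is an added example written for this page; it is not NHS Fife or NCSC code. The parameter values are taken from the policy text (where the policy gives a range, one value inside the range is assumed), and the Account class, the function names, the sample user and the short word list are assumptions made for illustration.

```python
"""Password-policy checker illustrating the NHS Fife / NCSC-aligned rules.

Added example, not NHS Fife code.  Parameter values follow the policy text;
where the policy gives a range, one value in the range is assumed here.
"""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field

MIN_LENGTH = 14            # section 4: "minimum of 14 characters"
HISTORY_DEPTH = 24         # section 4.1: reuse checked over the past 24 resets
LOCKOUT_THRESHOLD = 5      # policy range 5-10 attempts (assumed value: 5)
LOCKOUT_SECONDS = 15 * 60  # policy range 2-15 minutes (assumed value: 15)
PBKDF2_ROUNDS = 100_000    # old passwords are kept only as salted hashes


@dataclass
class Account:
    """Hypothetical directory record used by the example."""
    username: str
    given_name: str = ""
    surname: str = ""
    history: list = field(default_factory=list)  # (salt, digest), newest last
    failed_attempts: int = 0
    locked_until: float = 0.0


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(password: str, entry) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_digest(password, salt), digest)


def check_new_password(account: Account, password: str, system_name: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Section 4: must not relate to the system being accessed, e.g. "trakcare".
    if system_name.lower() in lowered:
        problems.append(f"contains the system name '{system_name}'")
    # Section 4: must not relate to the user (username or real name).
    for detail in (account.username, account.given_name, account.surname):
        if len(detail) >= 3 and detail.lower() in lowered:
            problems.append(f"contains personal detail '{detail}'")
    # Section 4.1: no reuse within the remembered history.
    if any(_matches(password, e) for e in account.history[-HISTORY_DEPTH:]):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    # Deliberately no character-class rule: forced complexity is disabled.
    return problems


def set_password(account: Account, password: str, system_name: str) -> list:
    """Run the checks; on success store a fresh salted hash and return []."""
    problems = check_new_password(account, password, system_name)
    if not problems:
        salt = secrets.token_bytes(16)
        account.history.append((salt, _digest(password, salt)))
        account.history = account.history[-HISTORY_DEPTH:]
    return problems


def attempt_login(account: Account, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'; the current password is the newest entry."""
    if now < account.locked_until:
        return "locked"
    if account.history and _matches(password, account.history[-1]):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= LOCKOUT_THRESHOLD:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0
        return "locked"
    return "denied"


# Constructed mini word list for illustration only; a real deployment would
# draw from a list of several thousand words.
WORDS = ["chair", "laptop", "tree", "river", "candle", "orbit", "pencil", "harbour"]


def three_random_words(wordlist=WORDS, count: int = 3) -> str:
    """NCSC 'three random words': concatenate words chosen with a CSPRNG."""
    return "".join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(wordlist_size: int, count: int = 3) -> float:
    """Guessing entropy of `count` words drawn uniformly from `wordlist_size`."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    acct = Account("jsmith", "Jane", "Smith")
    print(check_new_password(acct, "trakcare2025login", "TrakCare"))
    print(set_password(acct, "chairlaptoptree", "TrakCare"))
    print(attempt_login(acct, "chairlaptoptree", 0.0))
```

Two design points are worth noting. Previous passwords are stored only as salted PBKDF2 hashes, so the reuse check in section 4.1 never needs the old plaintexts, and the comparison is constant-time. The passphrase generator must use `secrets`, not `random`: three words from an eight-word list as in the constructed example give only 9 bits, whereas three words from a 7,776-word list give about 38.8 bits, which is why the word list, not the word count, determines the strength of a three-random-words password.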

4.2 Single Sign On

Staff may already be using Single Sign-On (SSO). This allows staff to log in to a PC with their own unique network username and password and then be automatically logged in to all of their key applications.

The key benefit of SSO is to increase front-line efficiency by enabling staff to legitimately access several applications without the need to remember several passwords and log into each of them separately.

It is essential that staff comply with the password policy, and this includes good logging in/out procedures.

4.3 Third Party Suppliers

All usernames and passwords managed by third parties must comply with this policy.

The creation, modification and deletion of usernames and/or passwords on Digital & Information assets managed by Third Party Suppliers is subject to NHS Fife’s Digital & Information Change Control Policy.

4.4 Multi Factor Authentication (MFA)

MFA is now commonplace and is an essential security feature in most corporate environments. Users should expect to be asked for at least a second factor by any system that processes NHS Fife data. Various measures satisfy the second-factor step, including authenticator apps, one-time passcodes and verification links.

Where NHS Fife Patient Identifiable Information and/or health data is processed in a third-party public cloud environment, MFA is a mandatory requirement. Public cloud environments can be reached without passing through NHS Fife’s internal technical controls, so MFA is the repeatable minimum measure required to adequately secure NHS Fife’s data.

4.5 Administrator Passwords

There are genuine instances that occur where D&I and other staff may require privilege/administrator access to NHS Fife’s systems or infrastructure. Passwords for such accounts are to be strictly controlled. They:

  • Must adhere to complexity standards
  • Must be unique and never reused across systems
  • Must be changed every 90 days, or immediately after a security incident
  • Must be stored securely using D&I secure vault system
  • Access to administrator credentials must be logged, monitored and regularly reviewed

4.6 Mobile Devices

NHS Fife mobile device controls (phones, tablets) are intended to afford protection commensurate with that of the traditional desktop and laptop estate. The following applies:

  • Mobile devices are to be secured with a 6-digit PIN.
  • Individual apps will have additional security controls, e.g. M365 apps
  • Auto-lock set to 5 minutes – for personal issue corporate devices
  • Auto-lock set to 1 minute – for shared devices

5.  RISK MANAGEMENT

Any exceptions to this policy will be subject to detailed risk assessment and will be placed on an exceptions list.

The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.

With regard to the Health & Social Care Partnership (H&SCP), the Integration Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.

6.  RELATED DOCUMENTS

7. REFERENCES

The principal Acts of Parliament, Scottish Government circulars, and internal guidance documents relevant to this policy are: