Policy Type General Policy

Policy Category Digital & Information

Policy Number GP/P2

Author Information Security Manager

Reviewer Head of Information Governance and Security

Signatory Associate Director Digital & Information

Implementation Date 01 June 2022

Last Review Date 01 June 2022

Next Review Date 01 June 2025

Version Number 1

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out.

New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until either such time as the policy review is complete and the new version published, or there are national policy or legislative changes.

1. INTRODUCTION

This policy relates to Secure Use of Passwords and forms part of the overall Information Security policy for NHS Fife.

2. AIM, PURPOSE AND OUTCOMES

To ensure that INFORMATION SECURITY is maintained by

• Ensuring that confidentiality and integrity of personal and sensitive information is maintained
• Ensuring that information is available to authorised users
• Ensuring that information is not disclosed to unauthorised people
• Preventing destruction of information

The policy also advises staff of their obligations to maintain information confidentiality, integrity, and availability.

This policy forms part of Digital & Information’s Information Security (IS) Management System (ISMS) and should be read in conjunction with all the IS policies.

This policy has been written in line with the best practice for information security standards ISO 27001, ISO 27002 and NIS regulations, and the policy will be reviewed to meet future changes to this standard.

This policy has been written to comply with current legislation and the policy will be updated appropriately to suit new and/or modified legislation. The references at section 11 will be updated to reflect this legislation.

3. SCOPE

3.1 Who is the Policy intended to Affect?

This policy is intended to apply to all NHS Fife staff to maintain information security. In the interests of clarity all references to ‘staff’ includes all staff within NHS Fife and all staff who are employed, engaged or partners within each GP practice (contracted to NHS Fife).

This policy also applies to Third Party Suppliers who support NHS Fife Digital & Information assets.

3.2 Who are the Stakeholders

All staff and Third Party Suppliers.

Patients. NHS Fife take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure and confidential. In order to find out more about current data protection legislation and how we process your information, please visit the Data Protection Notice on our website at https://www.nhsfife.org/about-us/accessing-records/data-protection/ or ask a member of staff for a copy of our Data Protection Notice.

4. PRINCIPAL CONTENT

This policy provides practical advice on the use of passwords for access to computer systems. Section 12 provides a summary of good practice in respect of passwords.

General

Each member of staff must have his/her individual user account and password. For the most effective security, staff should have self-selected individual passwords that conform to NHS Scotland password standards.

When someone leaves, his/her password and user account must be disabled as soon as possible. It is the staff member’s direct line manager who is responsible for actioning the off-boarding request for staff members who are leaving the organisation, whereby the account will be disabled, and the password reset by service desk during the leavers process.

Passwords must not normally be written down. It is not uncommon for password protection to be defeated by a user writing the password down on a piece of paper kept close to a computer.

Passwords must not be displayed on screens as they are entered. Computers should be physically positioned such that they are protected against accidental disclosure of passwords. Keyboards and screens should be positioned such that only the user can view password entry.

Passwords must consist of a minimum of 14 characters. It is recognised that hackers using 'password crackers' are capable of very many password probes in a short period of time. The most effective passwords are therefore those with the longest number of characters. At next password change, users will be instructed to adopt the minimum 14 characters over the previous policy of 12. Passwords automatically expire on a 12 monthly basis but can be changed at other intervals by the user.

Staff should not disclose their passwords to any other person, even Digital & Information staff.

Where possible passwords should not relate to the system being accessed i.e. they must not be the same as the service or system being assessed, e.g. “efin”.

Passwords must not relate to the user. Many staff will opt for passwords that they find particularly easy to remember. Often the password chosen has strong associations with either the system being accessed or the background of the user and can be guessed by potential intruders.

Password Maintenance

Re-use of recent passwords is not allowed.

Passwords must always be changed immediately on suspicion of any compromise.

Single Sign On

Staff may already be using Single Sign-On (SSO). This allows staff to login into a PC with their own unique network Username and Password and then be automatically logged into all their key applications.

The key benefit of SSO is to increase front-line efficiency by enabling staff to legitimately access several applications without the need to remember several passwords and log into each of them separately.

It is essential that staff comply with the password policy, and this includes good logging in/out procedures.

Third Party Suppliers

All usernames and passwords managed by third parties must comply with this policy.

NHS Fife is required to maintain an up-to-date database of all usernames and passwords for all Digital & Information assets maintained and managed by Third Party Suppliers. The Information Security Manager will be the custodian of the Password Database.

The creation, modification and deletion of usernames and/or passwords on Digital & Information assets managed by Third Party Suppliers is subject to NHS Fife’s Digital & Information Change Control Policy.

5. ROLES AND RESPONSIBILITIES

Authors/Contributors: Information Security Manager, Digital & Information
Senior Manager: Associate Director of Digital & Information
Endorsing Body: Information Governance Group

6. RESOURCE IMPLICATIONS

No resource implications

7. COMMUNICATION PLAN

This policy will be managed through the Stafflink policies page and will be announced through the staff briefing.

8. QUALITY IMPROVEMENT – MONITORING AND REVIEW

To be reviewed at regular intervals by Information Security Manager.

9. EQUALITY AND DIVERSITY IMPACT ASSESSMENT

This policy meets NHS Fife’s EDIA.

10. SUMMARY OF FREQUENTLY ASKED QUESTIONS (FAQS)

N/A

11. REFERENCES

The principal Acts of Parliament, Scottish Government circulars, and internal guidance documents relevant to this policy are:

• General Data Protection Regulation (GDPR)

• Network and Information Systems Regulations 2018 (NIS Regulations)

• CEL 25 (2012) NHS Scotland Mobile Data Protection Standard

• Civil Contingencies Act 2004

• Computer Misuse Act 1990

• Data Protection Act 2018

• Freedom of Information (Scotland) Act 2002

• MEL 2000 (17) Data Protection Act 1998

• NHSF Risk Management Strategy 2016

• Public Records (Scotland) Act 2011

• Regulation of Investigatory Powers (Scotland) Act 2000

• Scottish Government Records Management: NHS Code Of Practice (Scotland) Version 2.1 January 2012

• SG DL (2015) 17 Information Governance and Security Improvement Measures 2015-2017 (NHSS Information Security Policy Framework)

• The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

12. SUMMARY OF GOOD PASSWORD PRACTICE

Any user with allocated an NHS Fife user account must:

• Be responsible for the security and confidentiality of their password(s)

• Do not tell anyone else his or her password

• Be aware of the guidance relating to passwords

• Do not write down passwords

• Ensure that when entering a password, the entry cannot be seen by anyone else

• Choose a password carefully and ensure the password does not match passwords you use for your personal systems or email.

• Do not choose a password that relates directly to the system intended to be accessed

• Seek advice from the IT Service Desk if you forget your password

• If you can, change your password immediately if you suspect it has been compromised or alternatively contact the IT Service Desk for assistance

• If you suspect your password has been used by others contact the IT Service Desk so that the incident can be investigated

• Personal passwords should never be reused as a work password and work passwords should never be reused as a personal password as either being compromised results in both being compromised

Secure Use of Passwords