These controls support NHS Fife Information Security Management System (ISMS) and the corresponding GP/D3 Information Security, Data Protection and Confidentiality Policy.
It details existing policy and controls surrounding Access Control to NHS Fife information and the associated IT infrastructure (e.g. access to systems and network).
This policy forms part of NHS Fife Information Security Management System (ISMS) and has been written in line with the best practice for information security standard ISO 27001.
These controls are applicable to all staff, contractors and volunteers working within NHS Fife.
It is the responsibility of all staff, contractors and volunteers to abide by these controls.
4 OPERATIONAL SYSTEM
NHS Fife uses access controls and other security measures to protect the confidentiality, integrity, and availability of any information processed by computers and communications systems, and to ensure that individuals will be held accountable for information that is accessed and processed.
In pursuit of these security objectives, the eHealth department maintains the authority for the following actions:
restrict or revoke any user's privileges;
inspect, copy, remove, or otherwise alter any data, programme, or other system resource that may undermine these objectives;
take any other steps deemed necessary to manage and protect its information systems;
NHS Fife imposes the following access controls:
NHS Fife will not share information and/or information systems or allow unsupervised access to it by third party organisations unless authorised by the Data Protection Office;
NHS Fife must take all reasonable organisational and technical measures to prevent unauthorised access to its information and systems, both from inside and outside NHS Fife;
Access to information and systems is provided upon the needs of the jobs;
NHS Fife provides function-specific digital storage where individuals may store data, which is personal and privy to their job role, as well as areas where they may share information within defined groups;
Individual's access to facilities and data is determined and granted by the individual's Head of Department and the Information Asset Owner (both authorisations are required);
The facilities which any department has rights of access to are in turn laid down according to the department’s function within the organisation;
The granting of remote access facilities is strictly limited to those with a business need to make use of them;
4.1.1 User Registration
A registered user is one who uses an NHS Fife information processing facility and provides his/her credentials, effectively proving his/her identity.
Non-registered users with very limited access to NHS Fife information or resources (e.g. patient WIFI) are referred to as “guests”.
The action of providing the proper credentials for accessing a particular system or the network is called logging in, or signing in.
Without proper controls to govern user registration, unauthorised people can gain access to confidential NHS Fife information and leak it out causing harm to the organisation.
The NHS Fife procedure to register users is described in GP/D3-13.
User registration at NHS Fife must ensure:
Use of unique user IDs so that users can be linked to and made responsible for their actions;
Appropriate verification that the user has authorisation from their Head of Department and the Information Asset Owner to use the information system or service. Separate approval for access rights from management may also be appropriate;
Appropriate verification that the level of access granted is appropriate to the business purpose and is consistent with the security policy, e.g. it does not compromise segregation of duties;
Service providers do not make available access until NHS Fife authorisation procedures have been completed (this includes approval for NHS Fife partners as applicable from the corresponding information sharing agreements and protocols);
A formal record of all persons registered to use the service is maintained where user details are linked to an identified person;
Regular prompt removal of redundant user IDs and accounts;
Redundant user IDs are not issued to other users;
4.1.2 Privilege Management
Privileges are allocated to individuals on a need-to-know/use basis and on an event-by-event basis, i.e. the minimum requirement for their functional role only when needed.
The privileges associated with each system product, e.g. network, patient administration system, a database etc. are initially defined during the release of a new system, subject to changes during the life cycle of the system. These roles and privileges must be approved by the Data Protection Office (privacy by design is a legal requirement).
System Administrators are not authorised to introduce changes in roles and privileges without previous approval from the Data Protection Office.
eHealth must keep up to date records of all privileges allocated. Privileges should not be granted until the authorisation process is complete.
Elevated rights.Only authorised users are given full admin rights depending on their job role. The allocation of special system privileges must be approved by the Health of the Department (requester), the Information Asset Owner and the Data Protection Office (e.g. system administrator accounts).
4.1.3 User Password Management
All new users must be briefed on the importance of passwords and instructed in the manner in which they are to be used and protected in the in-house core training for new employees.
Users are forced to change the access passwords upon their first log in.
The password policy (GP/P2) sets out the criteria for the provision of passwords and conditions relating to their use.
4.1.4 Review of User Access Rights
Head’s of Department shall ensure the immediate removal of access rights of staff who have changed jobs or left NHS Fife i.e. complete the mover/leaver form and forward it to the eHealth Department for implementation.
Heads of Department must ensure staff do not have more rights than is necessary for them to carry out their responsibilities, and that a review of staff user rights is conducted when changes in their role occur.
Failure on providing appropriate access to information can cause elevated fines and damage the reputation of the NHS.
4.1.5 Unattended user equipment
When a user leaves a screen unattended, they must lock the screen. This can be done using the following key actions Ctrl+Alt+Del or + L.
All desktops within the NHS Fife have a 15 minute timeout set. Operation’s theatre machines have a 4 hours timeout set. Any specific requirements outside these controls must be requested to the eHealth Department via eHealth Service Desk for consideration.
4.2 NETWORK CONTROLS
4.2.1 Network access
The following Network access controls are mandatory:
All NHS Fife networks and network services must be clearly identified;
The level of acceptable access to all NHS Fife networks and network devices must be clearly identified and approved (privacy by design) before such devices go live. The Data Protection Office must approve any changes in the design of user access (e.g. groups) to areas of the network;
Network access controls must be documented by the relevant eHealth technical teams, and any changes (e.g. Group polices) must be approved by Head of ICT and the Data Protection Office/Information Security Officer. Areas of high risk must be escalated to the SIRO (Senior Information Risk Owner).
Access to Network services will be available only to those personnel who have a legitimate need for them. The process to request access to network services is by using the eHealth Systems Access Request Form (GP/D3 -13).
4.2.2 External Connections
Access to the NHS Fife network by any person or system must be approved in accordance with the NHS Fife GP/B2 Broadband Remote Access Policy which forms part of the eHealth departments ISMS document set.
An enforced path must be set up for user authentication using external connections to NHS Fife/NHSnet networks.
4.2.3 Equipment access to the NHS Fife network.
All NHS Fife digital equipment connected to the network (e.g. tablets, laptop, servers, network nodes etc.) must be physically and logically identified in the network.
Every item of NHS Fife digital equipment is a physical NHS Fife asset and must be tagged with a computer readable NHS Fife “C” number.
The eHealth Department is responsible for maintaining a full asset inventory so that physical identification of equipment is facilitated and regular inventories can be conducted.
For IT equipment designated and managed by specific department, services and projects, the Head of the Department/Service Manager is responsible for maintaining a full inventory of physical IT equipment in their department/service.
eHealth must have a system (e.g. SCCM, Altiris, etc.) in place to discover and identify equipment connected to the NHS Fife network. The system must keep history logs of equipment/users connectivity to the network.
4.2.4 Remote diagnostic and configuration. Port protection.
Third parties must not connect to NHS Fife eHealth systems and resources unless they have first obtained formal approval. Refer to the eHealth Supplier Relationship Policy (GP/D3-11) which forms part of the NHS Fife ISO 27001 Information Security Management System (ISMS).
4.2.5 Segregation in Networks
Controls must be in place to segregate groups of information services, users and information systems throughout NHS Fife. Segregation in networks is by logical means. The use of firewalls, VLANS, Virtual Private Networks (VPNs), IP-switching and access control lists apply.
The eHealth department must have a representation of the network segregations up to date (network diagram). Any changes must be approved the Information Security Officer.
The design for the allocation of users to areas of the NHS Fife network must be approved by the Data Protection Office, including the principles for sharing data storage drives, etc.
Each user however must have their own individual storage area in the NHS Fife network (drive) which other users do not have access to.
Access to network drives must be requested using the “Systems Access Request” form GP/D3-13 and approved by the Head of Department and the Data Protection Office/Information Security Officer. This function can be delegated to operational teams (e.g. eHealth Service Desk or “Account Provisioning” team) as long as guidelines for approval have been authorised by the Information Security Officer. Complex and unique requests must be authorised by the Information Security Officer.
4.2.6 Network connection control
The connection capability of users on shared networks is controlled in line with this policy. This applies to the following:
one-way file transfer;
both-ways file transfer;
4.2.7 Network routing control
Shared networks at NHS Fife have routing controls to ensure that computer connections and information flows do not breach the NHS Fife access controls.
The eHealth Department must ensure NHS Fife has sufficient controls in place to protect the organisation from denial of service attacks on routers, firewalls and servers.
Where possible, hardware network interfaces will send an alarm on hardware or software malfunction.
4.3 Operating System Access Control
4.3.1 Use of system utilities
NHS Fife realises that the use of system utility programs shall be restricted and tightly controlled as system utilities can be capable of over-riding system and application controls.
Therefore the use of those utilities should be restricted to those who need to use them and their use controlled by the following:
password protection for system utilities;
segregation of system utilities from applications software;
limitation of the use of system utilities to the minimum number of trusted, authorised users;
limitation of the availability of system utilities, for example, for the duration of an authorised change;
logging of all use of system utilities;
defining and documenting authorisation levels for system utilities;
removal of all unnecessary utility and system software;
The use of utilities must be authorised using “Systems Access Request Form” – approved the Head of Department and the Information Security Officer.
Where access is required urgently and can be justified, then the designated eHealth Senior Manager can authorise – a notification must be sent to the Information Security Officer.
4.4 Application system access control
4.4.1 Information Access Restriction
Access to data and information is granted only to NHS Fife staff that need to use it to perform their job function, as described in section 4.1 (User Access).
The initial design of roles and permission to any systems must be approved by the Data Protection Office prior to the system/application going live. System administrators must seek for approval from the Data Protection Office if changes to initial design needs to take place (privacy by design).
All changes to user profiles must keep a history log of changes made, including:
the identity of the person making the change;
the authority for the change;
what is being changed;
who would or could be affected by the change;
the date and time of the change;
All detected unauthorised attempts to access systems or data must be reported to the Information Security Officer as a security incident.
5 RELATED DOCUMENTS
GP/D3 Data Protection and Confidentiality Policy
All supplementary ISMS NHS Fife Information Security Policies
GP/P2 Password Policy
GP/B2 eHealth Remote Access Policy
GP/I6 eHealth Change management Policy
GP/D3 – 13 System Access Request Form.
GP/D3-11- eHealth Supplier Relationship Policy
6 REFERENCES (*Ensures evidence based practice)
Computer Misuse Act (1990)
Data Protection Act (2018)
General Data Protection Regulation (2016)
Privacy and Electronic Communications Regulations (2003)
Human Rights Act (1998)
Freedom of Information (Scotland) Act (2002)
NHSS Information Security Policy Framework July 2015