32226
32236
GP/D3-13
eHealth Business and Delivery Manager/Information Governance Advisor
eHealth Business and Delivery Manager
Medical Director
14 September 2017
14 September 2017
30 September 2020
1.0

1 FUNCTION

This procedure is required to ensure that NHS Fife’s eHealth Department has the appropriate arrangements and procedures in place to issue Active Directory (AD) accounts to NHS Fife employees, third parties and volunteers in a manner that satisfies the eHealth Security Policies.

The eHealth System Access Request form (available via NHS Intranet/Quicklinks/eHealth/Forms and System Access Requests) must be completed before a user is issued with a user name and password for an active AD account that will grant access to networked systems.

Access to the NHS Fife Network, email and Internet will be given as default.

The AD accounts will only be activated once the user has provided a security question/answer and signed the confidentiality agreement at the bottom of section 1. At this point the user name and initial password can be issued.

The eHealth System Access Request form can also be used to inform System owners that training is required by the user; however the eHealth department will not take responsibility for organising it.

In the event that a user requires to be added to one of the laptop encryption groups and they already have an AD account, the form does not need to be reproduced. The request should be submitted to the eHealth Service Desk for recording and processing.

2 LOCATION

All NHS Fife Sites and GP Practices within Fife.

 

3 RESPONSIBILITY

NHS Fife Line Managers

eHealth Account Provisioning staff

eHealth Security Manager

NHS Fife System Administrators

NHS Fife Head of Information Services

4 OPERATIONAL SYSTEM

 

The Line Manager completes the System Access Request form and submits it to eHealth Account Provisioning Team.

 

4.1 eHealth Account Provisioning Assistant Duties

The eHealth Account Provisioning Assistant shall vet all submitted eHealth System Access Request forms for completeness. If the form is fully completed, the AD account can be created.

The eHealth Account Provisioning Assistant shall initiate the creation of the AD account by carrying out the following steps:

  • The Account Provisioning Assistant shall create an AD for the user within Courion and create an Account.
  • If the user requires access to a clinical system, the Account Provisioning Assistant shall create an account or forward this request to the appropriate Team either via Cherwell or via email along with the eHealth System Access Request form.

4.1.1 Doctor Induction Procedure

If the Login Account is to be created as part of a Student Doctors intake, the eHealth Account Provisioning Assistant will:

  • create an AD Account within Courion or include this within the script for creating bulk student doctors accounts.
  • attend doctor’s induction and pass over the envelope once ID verification is carried out.

4.1.2 Locum Procedure

As Locums tend to require an AD account at short notice, the eHealth System Access Request form should be sent by email.

4.1.2.1 NHS Locums External to NHS Fife

Where the above require access to data on Fife patients held in SCI store, the persons involved must request and complete an eHealth System Access request form via the eHealth Service Desk.

Only medical personnel who are treating Fife patients may apply for access to Fife SCI store. On completion the eHealth System Access request must be forwarded to Head of Information Services, NHS Fife for approval and countersignature. 

4.1.3 Emergency Intake

It is recognised by NHS Fife that there may be situations where a Locum is required to start immediately and it is not possible to obtain user specific eHealth System Accounts i.e. out of hours or during the weekend.

In this case a Line Manager may take steps to address this possibility by requesting that the eHealth Infrastructure Department create Locum Generic Accounts.

NB: The accounts must be created prior to any Locum starting, as they are for emergency short-term situations only; these accounts must already be in existence and securely held by the line manager responsible for them.

For those locums who are given sufficient notice before starting, the normal account creation process above should be followed. If it is short notice then the process at 4.1.2 above (e-mailing) should be followed.

It will be the responsibility of the Line Manager who requests these Generic Accounts to manage them and to ensure that a record of who used them and when is maintained. These details must be centrally stored and held for a minimum of five years. This requirement is to comply with the Data Protection Act. An example of a record log can be found in Appendix A of this procedure.

The details of the account shall be held separately in marked, sealed envelopes so they can be issued as and when necessary. After their use the manager shall have their password reset via the eHealth Service Desk in preparation for further use.

These generic accounts should be used for a maximum of 3 days – this is sufficient time to obtain an individual account for the locum. We are legally required to be able to track an individual’s use of any computer system.

4.1.3.1 Emergency Access Cards (EAC)

Where PCs have been configured with a card reader, e.g. a Kiosk PC, Emergency Access Cards can be requested. These cards can be configured with access to systems which are configured to be accessed via Single Sign On (e.g. SCI Store, eOasis, LabCentre etc).

The cards themselves are configured and enrolled with a four-digit PIN and then sealed in an envelope.

The underlying AD account is not known to the user and the user will not be able to change its password. This being the case, the user cannot retain that information for use at a later date. The emergency access cards can be audit logged through One Sign and FairWarning. All system access accounts will be unique to the individual card and therefore auditable.

At present A&E staff issue EAC cards to locums, who sign for them; at the end of their shift they return the card and A&E notify the eHealth Service Desk. That card cannot be issued again until it has been reset.

Note that other departments will need to develop their own procedure for issuing and reactivation of their own Emergency Access Cards.

4.1.4 eHealth Project Rollouts

Where new eHealth Systems are to be rolled out it is not practical to have each individual submit an eHealth System Access Request form. In this particular scenario each directorate may submit a multi-user form with a list of all the users who are to be issued an access account for the new system. The caveat is that a sufficiently senior manager within the directorate approves the request form.

4.1.5 Third Party Procedure

The username of a Third Party AD account shall only be assigned the name of the organisation with a numerical suffix i.e. Clinisys01, OMS01 etc. These accounts are to be grouped in the AD container for third parties and this naming convention will assist with identifying these types of generic accounts.

There are 2 categories of third parties:

4.1.5.1 Suppliers of products or services who require access to systems that they are contracted to support.

 

These accounts will be company accounts rather than individual accounts. The personal details will be those of the company representative who can sign the agreement on behalf of the company. It will be at the discretion of the eHealth Security Manager if accounts are created for individuals rather than the company.

 

The eHealth Account Provisioning Assistant shall check with the appropriate eHealth Engineer that these accounts are required. The eHealth Security Manager will be informed of the account.

 

The Head of eHealth Infrastructure shall authorise these accounts.

 

4.1.5.2 Staff employed by other organisations but working on NHS Fife premises and using NHS Fife systems.

 

The application requires to be authorised by an NHS Fife Manager who will take responsibility for the applicant, i.e. a sponsor.

The eHealth Account Provisioning Assistant will:

  • check the form for completeness
  • create an AD Account within Courion
  • create any other clinical system access required
  • forward on (either via Cherwell or email) the request form to other appropriate system administration teams.

4.1.6 Administrative Rights

Some users may require a level of administrative rights in order to carry out their job function. These staff will normally be within the eHealth Department or be working in eHealth related roles within other NHS Fife Departments. There may also be a number of generic or system accounts that require administrator rights to function correctly.

4.1.6.1 eHealth Department Staff

 

The eHealth Account Provisioning Assistant shall check the forms are completed correctly and inform the eHealth Security Manager of the request.

 

The eHealth Delivery Manager, eHealth Service Manager or the Head of eHealth Infrastructure shall authorise these accounts.

 

4.1.6.2 Other NHS Fife Staff

 

The eHealth Account Provisioning Assistant shall check the forms are completed correctly and inform the eHealth Security Manager of the request.

Reference should be made to the SOP “Issuing of Administration Rights to Non IT Department Staff”.

The eHealth Delivery Manager or the eHealth Security Manager shall authorise these accounts.

4.1.6.3 Non person requests

The eHealth Account Provisioning Assistant shall check the forms are completed correctly and inform the eHealth Security Manager of the request.

 

The eHealth Delivery Manager or the eHealth Security Manager shall authorise these accounts.

 

4.2 eHealth Security Manager

The eHealth Security Manager will assist the eHealth Account Provisioning Assistant with any queries regarding IT security and maintenance of this procedure.

4.3 NHS Fife Line Managers

The Line Manager will complete the relevant sections of the eHealth System Request form (available via NHS Intranet/Quicklinks/eHealth/Forms and System Access Requests) and sign the statement authorising the user access to the IT Systems requested. Manager’s guidance is available to aid completion of the form.

4.4 NHS Fife System Admins

The System Admins for LabCentre, TrakCare, PACS etc shall, on receipt of the eHealth System Request form, create a User Account. If training has been requested then they shall liaise with the User to organise a suitable time and place for this to be carried out.

4.5 NHS Fife Head of Information Services

On receipt of an application for system access from Locums external to NHS Fife, the Head of Information Services will verify that the application has valid signatures and countersign the application before passing to the eHealth Department for further action.

Related Policies

  • GP/D3 - NHS Fife Data Protection and Confidentiality Policy

APPENDIX A - GENERIC ACCOUNT - USERS REGISTER

Please complete every time a user is authorised to make use of a generic account managed by you.

ACCOUNT ADMINISTRATOR DETAILS

 

ACCOUNT USERNAME:

Surname:
Forename:
Job title:
Department and Location:
Contact Number:
Email Address:

ACCOUNT USER DETAILS (internal staff)

Note 1: I agree to comply with the NHS Fife eHealth Security Policy, Managing Generic Accounts Procedure and eHealth System Access Procedure. I have read the eHealth statement enclosed and understand that I am responsible for issuing, recording and managing the Locum Generic Accounts. Note that NHS Fife Internal Audit department are entitled to audit the use of any Generic Accounts and this document can be used to provide an audit trail.

 

Register columns:

  • Applicant / User: Surname, Forename; Signature & date (Note 1)
  • Account Assigned From/To: start date; end date
  • Account administrator authorisation: signature
  • Password changed: Yes/No

 

NHS Fife

eHealth Security Statement

This document is in support of the eHealth Security Policy with which users should familiarise themselves. This is available on the Intranet Home page under: General Policies/GP15 eHealth Security. NHS Staff must read this document and agree to abide by the statements below before access is given to Systems.

  1. Security Passwords and User ID codes

It is my responsibility to ensure that any system passwords and User IDs allocated to me are kept confidential and secure, and are not passed to any other person whether or not an employee of NHS Fife. I further understand that I will be held responsible for any transaction carried out under my ID and password.

 

  2. Data Protection

I acknowledge that the Data Protection Act governs all information gathered or accessed by me. I understand that I may not without explicit permission extract subject identifiable data and hold it on any system not owned by NHS Fife. I further understand that when transmitting data (electronic or otherwise) I must take all reasonable precautions to ensure that the recipient is entitled to receive it and that only the intended recipient(s) will receive it.

 

  3. E-Mail

As part of my duties I will have access to NHS Fife’s email facilities. I acknowledge that I must not send or communicate any e-mail or attached statement containing obscene language, or of an inflammatory, derogatory or insulting nature about any person or organisation. NHS Fife will monitor e-mail and block movement of certain e-mail attachments that are considered a threat to the infrastructure. I also acknowledge that any approved patient identifiable data is to be transmitted only to approved addresses out-with NHS Fife.

 

  4. Internet

As part of my duties I will have access to the Internet via NHS Fife’s network/equipment. I acknowledge that such access is intended primarily for NHS Fife business. I may use this facility for reasonable and limited personal use provided it is with the agreement of my line manager and does not adversely affect my own or others’ work. I am wholly responsible for the consequences of such access, which must not impact on legal or moral reputation. I acknowledge that such access is monitored and reported by specialised software.

 

  5. Computer Misuse

I acknowledge that it is expressly forbidden to use NHS Fife’s owned equipment or networks for malicious purposes e.g. hacking, software piracy, software or data theft, copyright contravention etc. I understand that I must not use the eHealth Infrastructure for personal business activities.

 

  6. Virus Protection

If a virus is encountered it must be reported immediately to the eHealth Service Desk on 01592 648028.

 

  7. Unapproved Software

I acknowledge that it is expressly forbidden to load software not licensed to NHS Fife on to any NHS Fife owned equipment or networks. I also acknowledge that I may not load any software not approved by NHS Fife eHealth Infrastructure Department.

 

  8. Connection of Equipment

I acknowledge that I may not connect any non-NHS Fife computer equipment including peripheral devices (e.g. printers, scanners, storage devices, memory sticks, PDAs, digital equipment etc) to NHS Fife equipment or connect NHS Fife computer equipment to any non-NHS Fife communications system or network.