Records Management Plan
|Policy Manual/System||General Policy|
|Author||eHealth Security Manager||Version No||4|
|Reviewer||eHealth ICT Manager, General Manager - eHealth & IMT||Implementation Date||01/01/2007|
|Signed By||Director of Finance||
Last Review Date
Next Review Date
The purpose of this policy is to set out the criteria for the provision of passwords and conditions relating to their use. This policy is a supplementary policy to the NHS Fife Information Security Policy and forms part of NHS Fife’s ISO 27001 Information Security Management System (ISMS).
NHS Fife has a responsibility to ensure that all data stored on its computer systems:
- is appropriate to the needs of NHS Fife;
- is securely held;
- is available in a complete and accurate form when needed;
- complies with the requirements of the Data Protection Act and recommendations of the NHS Fife Information Governance Group associated with the secure storage of data
Passwords are an effective eHealth security countermeasure if they are kept secret. Passwords are a means of validating a user's identity to access a computer resource, to ensure the security of that resource and to maintain the confidentiality of information held on that resource. NHS Fife requires users to select passwords which are secure and difficult to guess, whilst easy to remember, and to keep passwords confidential.
This policy is applicable to all staff, contractors and volunteers working within NHS Fife.
3.1 User Responsibilities
3.1.1 Security of Passwords
Users of all systems are responsible for ensuring that their passwords are kept secure and confidential, to prevent unauthorised access to any NHS Fife system and to maintain the confidentiality of information held on NHS Fife systems.
Under no circumstances, shall users write down their passwords or share them with other users, including eHealth staff.
Where it is necessary to write down a password for contingency reasons e.g. boot passwords and administrator passwords they should be put in a sealed envelope and placed them in the fireproof safe.
Any user who shares a password with another user may be liable to action under NHS Fife’s Employee Conduct Policy.
3.1.2 Changing Passwords
Even where the system does not force them to do so, users shall ensure that any passwords they receive from the eHealth Department are changed the first time the user logs on to the system.
If a user suspects that someone else may have become aware of his/her password (for instance, if another person has watched the user enter the password), the user must immediately change his/her password and log an Information Security Incident via the eHealth Service Desk for investigation.
3.1.3 Selection of Passwords
For passwords to be an effective security measure, they should not be easy for someone to guess. Names, words, telephone numbers, dates of birth etc., must not be used. Users should use choose passwords which meet the following minimum password complexity rules:
- be a minimum of 8 characters in length; where possible, the minimum character length will be configured in the system;
- force a change at least every 90 days;
- enforce password history of 6;
- be changed on first login;
- contain at least three of the four possible character types, (lowercase letters, upper case letters, numbers and symbols)
3.2 Line Managers
It is the responsibility of the Line Manager to inform the eHealth Service Desk when a member of staff:
- joins NHS Fife;
- moves location within NHS Fife;
- terminates their employment;
This is to enable access rights to be established, altered and terminated in a prompt manner.
Line Managers have a responsibility to ensure that their staff have read, and comply with this policy.
3.3 eHealth Department
The eHealth Department will ensure that all users windows logins are configured to meet the minimum requirements
On desktop PC’s 5 attempts to login are permitted before the account is locked for 30 minutes.
On laptops a maximum of 10 attempts is allowed before the account is locked and the eHealth Service Desk needs to intervene to unlock the device. The lockout period will double each time the account is disabled before this limit is reached.
3.4 eHealth Support Staff
There is no justification for eHealth Staff to request a users password either in person or by any other means i.e. telephone, email, remote access etc.
If a user discloses their password to eHealth Support they should inform the user of the correct procedure and should ensure that the user is forced to change their password on completion of their support task.
If eHealth Support staff see a password written down and visibly displayed they should remind them of the policy and inform the relevant manager and the eHealth Security Manager.
eHealth Support staff must never ask users’ for their password details. They should always ask the user to input their own login ID and password.
eHealth Support staff must never disclose their own unique ID or password to anyone including third party support.
Third Party support staff must be issued with their own unique ID and password to carry out their tasks. Upon completion of the agreed work the account must be disabled. The account shall only be re-enabled when third parties have further approved work to complete.
Where third parties have out of hours support agreements then these accounts will remain enabled.
4. OPERATIONAL SYSTEM
4.1 Single Sign On
NHS Fife has introduced a Single Sign On (SSO) solution that provides credential management functionality for incorporated eHealth systems, for example NHS Mail, eExpenses, SCI Store etc. The SSO solution stores the users username and password for each system and automatically inputs these details when a user assesses one of the integrated systems.
In order to gain the ability to have SSO store credentials a user must both have a legitimate account and be a member of the appropriate Active Directory (AD) SSO group.
SSO only provides this functionality once the user has successfully logged into an NHS Fife PC/Laptop.
This solution also provides the option to automatically reset & store the passwords of the integrated systems when the existing one expires. It should be noted that if this option is used then the user will not know the password (without accessing the reveal option within the SSO agent) and this may cause problems if the user requires access to an application out with NHS Fife, for example NHS Mail being accessed via the Internet. This is because there are very few applications that are accessible from non-N3 connected computers.
4.1.2 SSO Password Reset (SSPR)
SSO allows users to reset their Active Directory passwords without the intervention of the eHealth Service Desk. By correctly answering 3 of 5 questions they completed when enrolling for SSPR they can reset their password.
4.1.3 SSO Kiosk Mode
In the eventuality that a PC or laptop is in high demand and users logging on and off is detrimental to patient care due to time constraints, the SSO Kiosk Mode can be implemented. This option allows multiple users to use a PC while maintaining Information Security. This is achieved via the use of user proximity cards/identification cards, which enable SSO to identify a user and therefore grant that person access to the integrated systems they are entitled to use. These machines are typically ‘locked down’ to a greater degree, thereby limiting the access of users to clinical systems only. Access to the more generic (non-clinical) applications, are deemed to be more time consuming and therefore not suitable to a hot desk device.
4.1.4 Information Security
While SSO provides greater ease of access to the integrated systems it does mean that there is an addition emphasis on users to lock or logoff PC’s when leaving them unattended. The use of Secure Walkaway (SWA) which automatically locks a computer when the authenticated user moves away from the workstation, can alleviate this risk but will not be available on all computers.
In addition logging on as someone else i.e. using the logon of a fellow member of staff, even in the course of treating a legitimate patient is not permitted: therefore where the SSO Kiosk Mode is being used, sharing proximity cards would also be deemed to breach this stipulation.
4.2 User Password Management
4.2.1 Issue of Passwords
Each member of staff must have his/her own individual login ID and password. Users will be required to fill in an eHealth System Access Request Form which must be authorised by the manager of the department before receiving a user name and password.
As a result of the diversity of computer systems in NHS Fife, a user will need a separate user name and password for each main system which the user has authority to access. As NHS Fife moves to more integrated systems, the number of user names and passwords needed by an individual user will reduce.
Individual clinical or business systems shall be required to implement access control measures for users where unique username and password are required.
Active Directory generic accounts are used in some areas where log off / log on times being excessive and the delay may affect patient care, or for training/presentation purposes. The permissions granted to these accounts shall be restricted to prevent misuse.
4.2.2 Changing Passwords
New users will be required to change his/her password the first time they log on to any system. With most NHS Fife systems, the systems shall be configured to force this change. Where systems have the capability, the systems shall be configured to force users to change their passwords at regular intervals. All new systems implemented in NHS Fife shall include password ageing. Where systems have the capability, the systems shall be configured to prevent users re-using a password.
4.2.3 Forgotten Passwords
Where a password reset option does not exist for example Single Sign On or NHS Mail, user’s who forget their passwords must carry out the following steps:
- contact the eHealth Service Desk to request a new password;
- then provide the eHealth Service Desk with positive identification (such as a security question and answer) before a new password is issued;
As with new users, existing users will be required to change the password the first time they log on to a system after receiving a replacement password.
5. RISK MANAGEMENT
NHS Fife Staff and 3rd parties shall respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.
It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.
With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.
6. RELATED DOCUMENTS
GP/I5 Information Security Policy
All other supplementary NHS Fife Information Security Policies
Data Protection Act (1998)
Freedom of Information (Scotland) Act (2002)
Human Rights Act (1998)
Computer Misuse Act
NHSS Information Security Policy Framework July 2015