Information Governance Incident Reporting Procedure

Transcription

1 Information Governance Incident Reporting Procedure : 3.0 Ratified by: NHS Bury CCG Quality and Risk Committee Date ratified: 15 th February 2016 Name of originator /author (s): Responsible Committee / individual: Information Governance Manager NHS Bury CCG Quality and Risk Committee Date issued: 14 th March 2016 Review date: March 2018 Target audience: Equality Analysis Assessed: NHS Bury Clinical Commissioning Group Members, staff, volunteers and contractors Yes Information Governance Incident Reporting Procedure 3.0 1

2 Further information regarding this document Document name Category of Document in The Policy Schedule Author(s) Contact(s) for further information about this document This document should be read in conjunction with This document has been developed in consultation with Published by Copies of this document are available from Information Governance Incident Reporting Procedure CCG.GOV Governance Information Governance Manager All Information Governance Policies NHS Bury CCG Information Governance Operational Group NHS Bury Clinical Commissioning Group 21 Silver Street Bury BL9 0EN CCG Corporate Office CCG website Control History: Number Reviewing Committee / Officer Date 3.0 = policy once reviewed NHS Bury Clinical Commissioning Group, Quality and Risk Committee 15 th February 2016 Information Governance Incident Reporting Procedure 3.0 2

3 Information Governance Incident Reporting Procedure Table of Contents 1. Introduction Purpose Definitions Roles and Responsibilities The Process for Reporting Information Governance Incidents Cyber Security Incident Reporting and Management Process Reporting Closure and Lessons Learned from the IG Incident Training and Awareness Accountability, Responsibilities and Training Monitoring and review Legislation and related documents Information Governance Incident Reporting Procedure 3.0 3

4 1. Introduction 1.1 NHS Bury Clinical Commissioning Group (hereafter referred to as the CCG) is committed to a programme of effective risk and incident management. This procedure explains the system to be used for staff for the recording, reporting and reviewing of Information Governance, Information Security and / or cyber security incidents. Reporting an incident or a near miss is an integral part of personal, clinical and corporate governance. 1.2 Due to the increase in Information Governance and Cyber Security incidents, the HSCIC have introduced documentation called the Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation and on-line reporting via the IG Toolkit. The guidance covers reporting arrangements and actions that need to be taken when an IG incident and / or IG SIRI occurs. It also contains guidance regarding scoring an incident based on numbers of individuals affected together with other sensitivity factors. It is important as it defines when an incident becomes an IG SIRI. For a reported IG incident to become an IG SIRI, a level 2 score has been attained. This then has an effect on how the incident is reported which the HSCIC checklist outlines and the CCG must therefore ensure the correct process is followed. 1.3 The CCG has a responsibility to monitor all Information Governance related incidents that occur that may breach security and / or confidentiality of personal information. 1.4 All incidents must be reported using the CCG s Incident Reporting System Safeguard however, when an IG incident occurs there are extra reporting mechanisms the CCG must comply with. This procedure provides details about this. 1.5 This procedure applies to all staff who work for or on behalf of the CCG. Third party contractors and others (e.g. business partners, including other public sector bodies, volunteers, commercial service providers) who may potentially use the CCG s facilities must be aware of the importance of reporting perceived or actual events. 2. Purpose 2.1 This document sets out the directions across Bury Clinical Commissioning Group (the CCG) for the reporting and management of Information Governance / Cyber Security incidents. 2.2 This procedure applies to those members of staff who are directly employed by the CCG and for whom the CCG has legal responsibility 2.3 For those staff covered by a letter of authority / honorary contract or work experience the organisation s policies are also applicable whilst undertaking duties for or on behalf of the CCG. 3. Definitions 3.1 Information Governance Related Incident An Information Governance or Information Security related incident relates to breaches of security and / or the confidentiality of personal information which could be anything from users of computer systems sharing passwords, to a piece of paper identifying a patient being found in the high street. Information Governance Incident Reporting Procedure 2.1 4

5 It could also be any event that has resulted or could result in: The integrity of an information system or data being put at risk The availability of an information system or information being put at risk An adverse impact, for example, embarrassment to the NHS, threat to personal safety or privacy, legal obligation or penalty, financial loss and / or disruption of activities Some more common areas of incidents are listed below but this list is not exhaustive and should be used as guidance only. If there is any doubt as to what you have found being an incident it is best to report it to the relevant personnel for this decision. Breach of security Loss of computer equipment due to crime or an individual s carelessness Loss of computer media, for example, cd s, memory sticks / USB sticks due to crime or an individual s carelessness Accessing any part of a database using someone else s authorisation either fraudulently or by accident Breach of confidentiality Finding a computer printout with personal identifiable data on it in a public area Finding any paper records about a patient / member of staff or business of the organisation in any location outside secured CCG premises Being able to view patient records in an employee s car Discussing patient and / or staff personal information with someone else in an open area where the conversation can be overheard A fax being received by the incorrect recipient 3.2 Information Governance Serious Incident Requiring Investigation (SIRI) There is no simple definition of an Information Governance incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious or vice versa. As a guide, any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact in individuals should be considered as serious. This definition applies irrespective of the media involved and includes both loss of electronic media and paper records. Categorising of the incident assists to distinguish the severity level of the Information Governance related incident and whether it is a SUI or not. This is explained in later sections of this procedure. 3.3 Information Governance Cyber Serious Incident Reporting Investigation For the purposes of reporting a Cyber incident, it is defined as anything that could (or has) compromised information assets within Cyberspace. These types of incidents include denial of service attacks, phishing s, social media disclosures, web site defacement, malicious internal damage, spoof website and cyber bullying. 5

6 4. Roles and Responsibilities 4.1 Chief Officer Has ultimate responsibility for the implementation of the provisions of this procedure. As the Accountable Officer they are responsible for the management of the organisation and for ensuring that the appropriate mechanisms are in place to support incident reporting for IG and cyber security incidents. 4.2 Caldicott Guardian To review and provide feedback regarding an incident where this relates to patient data. This may involve decision making about informing patients regarding an incident or not if this would deem to cause them harm / distress. 4.3 Senior Information Risk Owner (SIRO) To review Information Governance incidents and report Information Governance and information security issues to the Senior Management Team and ensure that any external reporting of the incident if required is undertaken 4.4 Information Governance Team To co-ordinate and investigate reported IG incidents, maintain IG Incident Logbook, make recommendations and act on lessons learnt. To liaise with the CCG Information Governance Lead, CCG SIRO and Greater Manchester Shared Services (GMSS) IT Services / IT Security Manager as appropriate pertaining to cyber security incidents. To escalate incidents to the CCG Information Governance Lead in order to inform the SIRO, and/or Caldicott Guardian as appropriate. To grade the incident and report it where necessary on the Information Governance Toolkit Incident Reporting Tool and local IG Incident Logbook. 4.5 CCG IT Manager To work with IT to investigate the Cyber Security incident, make recommendations and act on lessons learnt. To liaise with IG Teams as appropriate especially regarding reporting. To inform the Senior Information Risk Owner, and/or Caldicott Guardian as appropriate. To grade the incident, and ensure that where necessary it is reported on the IG Incident Reporting Tool Cyber Security section (through the IG Team). 4.6 GMSS IT Services / IT Security Manager To alert the CCG IT Manager and IG Team when a member of CCG staff report a potential or actual cyber security incident via Service Now so this can be investigated and assist with the grading of the incident. 5. The Process for Reporting Information Governance Incidents 6

7 5.1 Staff must follow the CCG s Incident Reporting Procedure in order to report any incident. All Information Security / Information Governance incidents must be reported using this procedure only and no other method. 5.2 Incidents must be logged on the CCGs Safeguard system by the member of staff reporting the incident. 5.3 Once the IG Team have been notified of an incident relating to Information Governance the team will ensure they are entered on the Incidents Logbook. 5.4 The IG Team will assess the incident and calculate the severity score according to the checklist contained within the Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Serious Incidents Requiring Investigation (SIRI s) Please see link below Annex A: 0Checklist%20Guidance.pdf 5.5 The IG Team based at the CCG where the incident has occurred must be notified of all Information Governance and Information Security incidents as well as logging this following the CCG s incident reporting processes. The immediate response to the incident and the escalation process for reporting and investigating of incidents will vary according to the severity level of the incident. 5.6 The flowchart (Figure 1) sets out the overall process for reporting, managing and investigating Information Governance incidents for the CCG for incidents scored level 1 and below and level 2 and above (IG SIRI s). 7

8 Figure 1: Incident Process Flowchart Potential or actual Information Governance / Information Security related incident identified Incident Management staff member who identified incident must log incident using CCG incident reporting tool (Safeguard) and inform Lead IG / IG Officer in CCG ASAP Incident Report received by IG Team logged on IG Incident Logbook Assessment of severity level for incident by Lead IG / IG Officer and associated personnel (e.g. Information Security Officers, Caldicott Guardian, SIRO, department who have reported incident) using the HSCIC grading tool Incident graded at Level 0-1 Incident scored at Level Inform CCG CG & SIRO Information Governance related Incident Information Governance related Serious Incident Requiring Investigation (SIRI) Manage locally Investigation Final Report (to be fed back to all parties concerned) and update to Logbook Feed into training and awareness sessions Report on IG Incident reporting Tool within 24 hrs (the score can be changed later if needs be) Hold Investigation Meeting (IG/CG/SIRO and other relevant parties). Form and document action plan/lessons learned. IG Team produce IG Incident Report IG Team feedback outcome and update Safeguard, Logbook and IG Toolkit Incident Reporting Tool (amend score if necessary) Close incident and if IG SIRI close on the IGTK Incident Reporting Tool Informs ICO and DH Reply to ICO investigation questions (if sent) & keep updated 8

9 6. Cyber Security Incident Reporting and Management Process 6.1 Figure 2 outlines the incident reporting process for cyber security incidents. In most cases, staff will report such incidents via the IT helpdesk as they will tend to be IT related such as PC / laptop not working correctly, phishing s or denial of access to a system or webpage. Due to this, the IG Team are linking with IT services and the GMSS IT Security Manager to capture such recorded incidents. They will be identified through the use of key words and confirmed whether they are cyber security incidents. The notification of this will be forwarded to the IG Team who will then liaise with IT Security staff to assess its severity and sensitivity and graded as per the HSCIC checklist. The incident is logged on the Cyber Security Incident Logbook and updated throughout the investigation process. 6.2 Incidents may also be captured via the CCG s incident procedure as well. In these cases, the IG Team will liaise with IT Security Manager to inform them and follow the same process as above. 6.3 For Cyber Security incidents, it is vital that the person responsible for any operational response, typically the CCG IT Manager is notified and the SIRO kept up to date. 6.4 Cyber security incidents scored Level 2 and above must be logged on the IG Toolkit Incident Reporting Tool. This then triggers an automated notification to the Department of Health and HSCIC. Please note the ICO are not informed of cyber incidents scored level 2 and above. 9

10 Figure 2: Cyber Security Incident Reporting Process Step One Notification from IT Services / GMSS IT Security Manager 7. Reporting 7.1 Reporting in the Annual Governance Statement / Statement of Internal Control Incidents classified at an IG SIRO level 2 and above are those that are classed as a personal data breach or high risk of reputational damage and are reportable to DoH and ICO. These incidents need to be detailed individually in the annual report / governance statement / Statement of Internal Control as per Table 1 below. Notes to assist in completion of the table can be found in the HSCIC checklist: ist%20guidance.pdf 10

11 Table 1 Summary Table of IG SIRI s SUMMARY OF SERIOUS UNTOWARD INCIDENTS INVOLVING PERSONAL DATA AS REPORTED TO THE INFORMATION COMMISSIONERS OFFICE [from year to year] Date of Incident (month) Jan Further action on information risk Nature of Incident Loss of inadequately protected electronic storage device Nature of data involved Name, address, NHS number Number of people potentially affected Notification Steps 1,500 Individuals notified by post The CCG will continue to monitor and assess its information risks, in lights of the events noted above, in order to identify and address any weaknesses and ensure continuous improvement of its systems. The member of staff responsible for this incident has been dismissed. 7.2 A summary of IG incidents must also be published in annual reports / governance statement using the summary table as highlighted in Table 2: Table 2 Annual Summary of IG reported incidents below Level 1 SUMMARY OF OTHER PERSONAL DATA RELATED INCIDENTS IN [insert year to year] Category Nature of Incident Total A Corruption or inability to recover electronic data B Disclosed in Error C Lost in Transit D Lost or stolen hardware E Lost or stolen paperwork F Non-secure Disposal hardware G Non-secure Disposal paperwork H Uploaded to website in error I Technical security failing (including hacking) J Unauthorised access / disclosure K Other Please note incidents designated as pure cyber are not required to be included in the annual reports and SIC at this time. However cyber incidents that are also IG SIRI s should be included. 7.3 Reporting by the HSCIC The document below explains how the HSCIC publish data on IG SIRI s. tatement.pdf 11

12 7.4 Reporting to the Information Governance Operational Group (IGOG) IG incidents are reported routinely at the IGOG Meeting via the IG Key Statistics Report. Lessons learned are discussed and actioned when necessary. 8. Closure and Lessons Learned from the IG Incident Set target timescale for completing investigation and finalizing report Report reviewed and signed off by appropriate persons or appraisal group Identify who is responsible for disseminating lessons learnt Closure of IG SIRI only when all aspects, including any disciplinary action against staff, are settled Update the IG Incident Reporting Tool The record cannot be closed until all the data fields are populated including Actions taken and Lessons Learned. HSCIC External IG Delivery Team will be notified by when an incident is closed and monitor progress The CCG Board must publish data breaches involving the processing of personal data without a legal basis, where one is required. Reports of IG SIRIs should be published on the CCG website and can be easily exported from the IG Incident Reporting Tool for publication 8. Training and Awareness This procedure will be available on the CCG s Policy Library on the intranet and on the Information Governance page on the staff intranet. Staff are also informed about the reporting of incidents during Mandatory training. Lessons learned from incidents will be fed back into future training or where appropriate to the staff concerned to encourage further participation and demonstrate the value of reporting to the CCG. The relevant committees in the CCG s where IG is itemed are made aware of information governance related incidents reported and the associated action plans to mitigate similar incidents occurring in the future. All staff will continue to be informed about the importance of reporting information governance related incidents via a variety of media such as handouts, leaflets, intranet, newsletter, s and training sessions. 9. Accountability, Responsibilities and Training Overall accountability for procedural documents across the organisation lies with the Chief Officer who has overall responsibility for establishing and maintaining an effective document management system, for meeting all statutory requirements and adhering to guidance issued in respect of procedural documents. Overall responsibility for the Incident Reporting Procedure lies with the Risk Manager who has delegated responsibility for managing the development and implementation of Information Governance Incident Reporting procedural documents. 12

13 The Senior Information Risk Officer (SIRO), with support from the Information Asset Owners, is responsible for any issues of information risk that arise from incidents and ensuring appropriate actions are in place to mitigate future risk. The Caldicott Guardian is responsible for overseeing and advising on issues of service user confidentiality for the CCG. Line managers are responsible for ensuring that all staff, particularly new staff, temporary staff, contractors and volunteers, know what is expected of them with respect to confidentiality and protecting information. They are also responsible for monitoring compliance with this guideline e.g. undertake ad hoc audits to check for inappropriate disclosures, records left out, abuse of passwords etc. Staff are responsible for maintaining the confidentiality of all personal and corporate information gained during their employment with the CCG and this extends after they have left the employ of the CCG. Individual staff members are personally responsible for any decision to pass on information that they may make. All staff are responsible for adhering to the Caldicott Principles, the Data Protection Act and the Confidentiality Code of Conduct. Staff will receive instruction and direction regarding the policy from a number of sources: Policy /strategy and procedure manuals; line manager; specific training course; other communication methods (e.g. team brief/team meetings); staff Intranet; All staff are mandated to undertake Information Governance training on an annual basis. This training should be provided within the first year of employment and then updated as appropriate in accordance with the Information Governance policy. 10. Monitoring and review 10.1 Performance against Key Performance Indicators will be reviewed on an annual basis and used to inform the development of future procedural documents This procedure will be reviewed on a yearly basis, and in accordance with the following on an as and when required basis: legislative changes; good practice guidance; case law; significant incidents reported; new vulnerabilities; and changes to organisational infrastructure. 11. Legislation and related documents 11.1 A set of procedural document manuals will be available via the CCG staff Intranet Staff will be made aware of procedural document updates as they occur via team briefs, team meetings and notification via the CCG staff Intranet All documents in the CCG Policies and Procedures Register are relevant. 13