Information Governance Incidents Cyber Security Incidents and Near Misses Reporting Procedure


Procedure Number: IG05
Version: 2.3
Approved by: Information Governance Working Group
Date approved: January 2018
Ratified by: Audit and Risk Committee
Date ratified: February 2018
Name of originator/author: Louise Chatwyn, Information Manager
Name of responsible individual: Clare Hodgson, Deputy Director of Corporate Affairs
Review date: May 2018
Target audience: All Staff

Version Control Sheet

Version Date Who Change
1.0 G Lawrence /13 M Griffiths Review for CCG ownership /13 M Griffiths Changes made re feedback from Audit & Risk August /16 L Chatwyn Review and update to current /16 L Chatwyn Incorporation of Audit feedback /16 L Chatwyn Incorporation of Consultation minor amendment /17/ L Chatwyn Minor revisions to reflect current legislation and practice and changes under the General Data Protection Regulations (GDPR)

Contents

1. Introduction
2. Purpose
3. Scope
4. Key Roles and Responsibilities
5. What is an incident?
6. Process
7. Grading of information incidents
8. Grading of Cyber Incidents
9. Reporting Timescales for Information Incidents
10. Monitoring and Review
11. Training
12. Distribution and Implementation
13. Associated Legislation and Documents
14. References
Appendices
Appendix 1 Reporting Form
Appendix 2 Process Flowchart
Appendix 3 Grading of incident
Appendix 4 Grading of Cyber incident

1. Introduction

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources.

The Health and Social Care Information Centre (HSCIC) mandates that it is essential that all Information Governance Serious Incidents Requiring Investigation (IG SIRIs) which occur in Health, Public Health and Adult Social Care services are reported appropriately and handled effectively.

This document details what constitutes an Information Governance Information Incident, Near Miss and Cyber Security Incident. It sets out Nene CCG's procedure for the effective management of such incidents to ensure compliance with all appropriate legislation and standards.

2. Purpose

From June 2013 all organisations processing health and adult social care personal data are required to use the IG Toolkit Incident Reporting Tool to report Level 2 IG SIRIs to the Department of Health (DH), Information Commissioner's Office (ICO) and other regulators.

Note: The European Union General Data Protection Regulation (GDPR) which was adopted by the European Union in 2016, will automatically come into force in all EU Member States from 25 May GDPR will replace the current Data Protection Act The Government is introducing a UK Data Protection Bill which incorporates and supplements the GDPR to create a UK data protection regime pre and post Brexit. This policy will be fully updated in accordance with the new legislation in May

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to result in a risk for the rights and freedoms of individuals. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, without undue delay after first becoming aware of a data breach. [1]

This document is a statement of the approach and intentions for Nene CCG to fulfil its statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisation's aims and objectives.

[1] Source: Article 34

3. Scope

This document applies to all staff, whether permanent, temporary or contracted. They are responsible for ensuring that they are aware of all relevant requirements and that they comply with them on a day to day basis. Furthermore, the principles of this document apply to all third parties and others authorised to undertake work on behalf of Nene CCG.

This document covers all aspects of information, in both paper and electronic format.

The CSU provide a managed security service to Nene CCG for Information Management & Technology (IM&T). This includes support to the Senior Information Risk Officer on security and asset and risk management. The CSU will manage security along current best practice guidelines as provided by DH and in accordance with applicable legislation.

Information Security risks relating to Cyber Security will be referred to the CSU IM&T Team.

Where information security incidents of fraud are identified, they may be referred to the Local Counter Fraud Specialist.

4. Key Roles and Responsibilities

Accountable Officer: The Accountable Officer and the Board have ultimate accountability for actions and inactions in relation to this document.

Senior Information Risk Officer: The CCG's SIRO is responsible for having overall accountability for Information Governance; this includes the Data Protection and Confidentiality function. The role includes briefing the Board and providing assurance through the Audit and Risk Committee that the IG approach is effective in terms of resource, commitment and execution. The SIRO for Nene CCG is the Chief Finance Officer.

Caldicott Guardian: The Caldicott Guardian has responsibility for ensuring that there are adequate standards for protecting patient information and that all data transfers are undertaken in accordance with Safe Haven guidelines and the Caldicott principles. The Caldicott Guardian for Nene CCG is the GP Chair.

Data Protection Officer: The DPO has responsibility for Data Protection compliance. The DPO for Nene CCG is fulfilled by NEL CSU.

Deputy Director of Corporate Affairs: The Deputy Director of Corporate Affairs has overall day to day responsibility for the Information Governance in the CCG. The role includes briefing the Board, including the SIRO and Caldicott Guardian, of information risks and information incidents.

Information Manager: The Information Manager has day to day responsibility for implementing and monitoring procedures to ensure compliance with relevant information legislation. The Information Manager is responsible for co-ordinating analysis, investigation and upward reporting of events and recommendations for remedial action to prevent recurrence and ensure compliance and continuing improvement.

Managers: Managers and supervisors are responsible for ensuring that staff who report to them have suitable access to this document and its supporting policies and procedures and that they are implemented in their area of authority. Managers are also responsible for ensuring the initial training compliance of all staff reporting to them.

All staff: Have a responsibility to:
- Be aware of the Information Governance requirements
- Support the CCG to achieve Toolkit Compliance
- Complete annual IG training
- Report information incidents appropriately

5. What is an incident?

There is no simple definition of a serious information incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious and vice versa.

As a guide, the scope of an Information Governance Serious Incident Requiring Investigation (IG SIRI) [4] could include:
- This type of incident will typically breach one of the principles of the Data Protection Regulations and/or the Common Law Duty of Confidentiality.
- Unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people's privacy.
- Personal data breaches which could lead to identity fraud or have other significant impact on individuals.
- Applies irrespective of the media involved and includes both electronic media and paper records relating to staff and service users.

When lost data is protected, e.g. by appropriate encryption, so that no individual's data can be accessed, then there is no data breach (though there may be clinical safety implications that require the incident to be reported down a different route).

When the data is protected but there is a risk of individuals being identified then this remains an incident and should be reported. The sensitivity factors within the IG Incident Reporting Tool will reflect that the risk is low.

What is an IG Cyber SIRI?

There are many possible definitions of what a Cyber incident is; for the purposes of reporting, a Cyber incident is defined as:

A Cyber-related incident is anything that could (or has) compromised information assets within Cyberspace. Cyberspace is an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the internet, but also the other information systems that support our businesses, infrastructure and services. [5]

It is expected that the type of incidents reported would be of a serious enough nature to require investigation by the organisation. These types of incidents could include:
- Denial of Service attacks
- Phishing emails
- Hacking
- Social Media Disclosures
- Web site defacement
- Malicious Internal damage
- Spoof website
- Cyber Bullying

[4] As defined by HSCIC SIRI Reporting and Checklist Guidance V5.1 May 2015
[5] Source: UK Cyber Security Strategy, 2011

6. Process

Initial information is often sparse and it may be uncertain whether a SIRI has actually taken place. Suspected incidents and near misses should still be reported and can be recorded on the IG Toolkit Incident Reporting Tool, as lessons can often be learnt from them and they can be closed or withdrawn when the full facts are known.

Where it is suspected that an IG SIRI has taken place, it is good practice to informally notify key staff (the Information Team, SIRO, Caldicott Guardian) as an early warning to ensure that they are in a position to respond to enquiries from third parties and to avoid surprises.

For cyber incidents the Information team will liaise with the person(s) responsible for Information Technology (IT) and Information Security (IS).

Where fraud is identified it will be referred to the Local Counter Fraud Specialist.

Under the GDPR, data processors will also be required to notify their customers, without undue delay after first becoming aware of a data breach.

Article 34 of the GDPR states:

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3)

The incident reporting form can be found at appendix 1.

The flow chart at appendix 2 details the process to be followed.

7. Grading of information incidents

There are 2 factors which influence the severity of an IG SIRI: Scale & Sensitivity. Scale and Sensitivity tables can be found in appendices 3 and 4.

Scale Factors

Whilst any IG SIRI is potentially a very serious matter, the number of individuals that might potentially suffer distress, harm or other detriment is clearly an important factor. The scale (noted below) provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

Sensitivity Factors

Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of IG SIRIs sensitivity factors may be:

i. Low reduces the base categorisation
ii. High increases the base categorisation

The IG SIRI category is determined by the context, scale and sensitivity. Every incident can be categorised as level:

0. Near miss/non-event
1. Level 0 or 1 confirmed IG SIRI but no need to report to ICO, DH and other central bodies/regulators.
2. Level 2 confirmed IG SIRI that must be reported to ICO, DH and other central bodies/regulators.

Where an IG SIRI has been found not to have occurred, or severity is reduced due to fortunate events which were not part of pre-planned controls, this should be recorded as a near miss to enable lessons learned activities to take place and appropriate recording of the event.

8. Grading of Cyber Incidents

The primary factors for assessing the severity level are the criticality and scale of the incident, for example the potential for impact on confidentiality, integrity or availability. If more information becomes available post incident investigation, the Cyber SIRI level should be re-assessed.

Please note: Conversely, when targeted systems are protected, e.g. by an Intrusion Prevention System, so that no services are affected, the sensitivity factors will reflect that the risk is low.

All Cyber SIRIs entered onto the IG Toolkit Incident Reporting Tool, confirmed as severity level 2, will trigger an automated notification to the DH and HSCIC.

The IG Incident reporting tool works on the following basis when calculating the severity of an incident:

There are 2 factors which influence the severity of a Cyber SIRI: Scale & Sensitivity.

Scale Factors

Whilst any Cyber SIRI is potentially a very serious matter, the scale is clearly an important factor. The scale provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

Sensitivity Factors

Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it.

The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of Cyber SIRIs sensitivity factors may be:

iii. Low reduces the base categorisation
iv. High increases the base categorisation

The Cyber SIRI category is determined by the context, scale and sensitivity. Every incident can be categorised as level:

1. Level 0 or 1 confirmed Cyber SIRI but no alerting to HSCIC & DH.
2. Level 2 confirmed Cyber SIRI alerting to HSCIC & DH.

9. Reporting Timescales for Information Incidents

The expectation is for Level 2 serious information incidents to be reported as soon as possible (usually within 24 hours of a breach being notified/identified locally) and with as much information as can be ascertained at the time.

It is understood that further information will become available once the organisation conducts an investigation and the IG Incident Reporting Tool should be kept up to date with regards to any developments or further detail about the incident.

A full record of the information incident should be complete within 5 working days from when the incident was initially reported.

The reporting of Cyber SIRI Incidents within the tool does not replace local and national service desk reporting. Reported Cyber Incidents will not trigger an operational response.

Local clinical and corporate incident management and reporting tools (including Strategic Executive Information System - STEIS) can continue to be used for local purposes but notifications of IG SIRIs for the attention of DH, NHS England and the ICO must be communicated using the IG Incident Reporting Tool.

10. Monitoring and Review

Performance against key performance indicators will be reviewed on an annual basis through the IG Toolkit submission and used to inform the development of future documents.

Unless there is major legislation or policy, this document will be reviewed annually.

11. Training

Appropriate Information Governance training will be provided to all staff annually. Training is available through ESR which can be found here:

12. Distribution and Implementation

All policy and procedural documents in respect of Information Governance will be made available via the Nene CCG staff intranet. Staff will be made aware of procedural updates as they occur via team briefs, management communications and notification via the CCG staff intranet.

13. Associated Legislation and Documents

To include but not limited to:
- Information Governance Policy and Management Framework
- Nene & Corby Serious Incident Policy
- Confidentiality Data Protection Policy
- Information Security Policy
- Information Asset Management Procedure
- Information Disclosure and Sharing Policy and Procedure
- Data Protection Impact Assessment Procedure
- Anti-Fraud and Bribery Policy

The following references and areas of legislation should be adhered to:
- Confidentiality NHS Code of Practice
- Data Protection Act 1998
- Caldicott Guardian principles
- Freedom of Information Act 2000
- Environmental Information Regulations 2004
- Access to Health Records 1990
- Records Management NHS Code of Practice
- General Data Protection Regulation (GDPR)

14. References

- The IG Toolkit
- The EU General Data Protection Regulation
- Data Protection Act
- Freedom of Information Act
- Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation d%20checklist%20guidance.pdf
- The NHS Constitution for England
- NHS Code of Confidentiality
- NHS Care Record Guarantee
- NHS Information Risk Management
- The Caldicott Review: Information Governance in the Health and Social Care System /192572/ _InfoGovernance_accv2.pdf
- Access to Health Records Act

Appendices

Appendix 1 Reporting Form

A word copy of the reporting form is available from the Information Team

Information Security Incident Reporting Form

completed forms as soon as possible to

Provide as much information as you can, but do not delay sending in the form. Please note that data breaches must be reported to the supervisory authority within 72 hours.

GENERAL DETAILS

Incident number: To be added by Information Governance
Department/Section:
Reporting officer:
Investigated by:
Contact number:
Date form completed:
Date of incident:
Location of incident:

ABOUT THE INCIDENT

Incident description. What has happened?

How was the incident identified?

What information does it relate to? e.g. a file containing details of 100 service users: name, address, direct debit details.

What medium was the information held on?
- Paper
- USB stick
- laptop, etc

If electronic, was the data encrypted?

Dealing with the current incident:

Please list initial actions:
- Who has been informed?
- What has been done?

Are further actions planned? If so, what?

Have the staff involved in the security incident completed Data Security Awareness Training? If so, what and when? (Please list)

Preventing a recurrence:

Has any action been taken to prevent recurrence?

Are further actions planned? If so, what?

IMPACT ASSESSMENT QUESTIONS

1. Was any data lost or compromised in the incident? e.g. loss of an encrypted laptop will not actually have compromised any information, unless e.g. the user was logged in when they lost it.
2. Was personal data lost or compromised? This is data about living individuals such as service users or employees. This could be a breach of the General Data Protection Regulations.
3. If yes, was sensitive personal data compromised? This is data relating to health, ethnicity, sexual life, trade union membership, political or religious beliefs, potential or actual criminal offences, genetic or biometric. This could be a serious breach of the General Data Protection Regulations.
4. Was adult social care, health or public health data involved?
5. What is the number of people whose data was affected by the incident?
6. Is the data breach unlikely to result in a risk to the individual/individuals? Physically, materially, or morally? Example: physical harm, fraud, reputation, financial loss.
7. Did people affected by the incident give the information to the CCG in confidence (i.e. with an expectation that it would be kept confidential)? Yes/No
8. Is there a risk that the incident could lead to damage to individuals, e.g. via identity theft/fraud? e.g. loss of bank details, NI numbers etc.
9. Could the incident damage an individual's reputation, or cause hurt, distress or humiliation, e.g. loss of medical records, disciplinary records etc.?
10. Can the incident have a serious impact on the reputation of the CCG?
11. Has any similar incident happened before in the section?
12. Please confirm you have contacted HR for advice regarding this incident, if applicable.
13. If this incident involves the loss or theft of IT Equipment please confirm you have logged a call to the IT Help Desk.

FURTHER ACTION: (to be completed by Information Governance)

Completed by:
Is further action required?
Have data subjects been informed?
Have key stakeholders been informed?
Have control weaknesses been highlighted and recommendations made?
Has sufficient and appropriate action been taken?
Does the incident need reporting to Caldicott Guardian/SIRO?
Does the incident need reporting to the ICO?
Does the incident need reporting on the IG toolkit?

Does the incident need reporting to CSU Information Security Manager?
Has the Incident Log been updated?
Further investigation undertaken by:
Date incident closed:

You can also contact the following for advice: Information Team and Corporate Services X 1436/1202

Appendix 2 Process Flowchart

(Flowchart boxes, in the order they appear in the transcription; the connecting arrows are not preserved.)

- Make initial assessment, complete report and refer to IG Team within 72 hours
- Manage in accordance with local procedures
- Report to IG Working Group
- IG SIRI level 0 or 1?
- Consider requirement to notify Data Subject
- IG SIRI level 2?
- Report externally to ICO and DH via IG Reporting Tool
- Report internally to IG Working Group
- Review grading in light of findings
- Investigation
- Recommendations and actions
- Liaise with Quality Team if incident overlaps with NHSE SIRI specification**
- Incident Closure, note lessons learned and implement action plan

**

Appendix 3 Grading of incident

Source: f

Baseline Scale

0 Information about less than 11 individuals
1 Information about individuals
1 Information about individuals
2 Information about individuals
2 Information about individuals
2 Information about 501-1,000 individuals
3 Information about 1,001-5,000 individuals
3 Information about 5,001-10,000 individuals
3 Information about 10, ,000 individuals
3 Information about 100,001 + individuals

Low: For each of the following factors REDUCE the baseline score by 1 (-1 for each)

(A) No sensitive personal data (as defined by the Data Protection Act 1998) at risk nor data to which a duty of confidence is owed
(B) Information readily accessible or already in the public domain or would be made available under access to information legislation e.g. Freedom of Information Act 2000
(C) Information unlikely to identify individual(s)

High: The following factors INCREASE the baseline score by 1 (+1 for each)

(D) Detailed information at risk e.g. clinical/care case notes, social care notes
(E) High risk confidential information
(F) One or more previous incidents of a similar type in the past 12 months
(G) Failure to implement, enforce or follow appropriate organisational or technical safeguards to protect information
(H) Likely to attract media interest and/or a complaint has been made directly to the ICO by a member of the public, another organisation or an individual
(I) Individuals affected are likely to suffer substantial damage or distress, including significant embarrassment or detriment
(J) Individuals affected are likely to have been placed at risk of or incurred physical harm or a clinical untoward incident

Appendix 4 Grading of Cyber incident

Cyber Baseline Scale

0 No impact: Attack(s) blocked
0 False Alarm
1 Individual, Internal group(s), team or department affected
2 Multiple departments or entire organisation affected

Low: For each of the following factors REDUCE the baseline score by 1 (-1)

(1) A tertiary system affected which is hosted on infrastructure outside health and social care networks

High: The following factors INCREASE the baseline score by 1 (+1 for each)

(2) Repeat Incident (previous incident within last 3 months)
(3) Critical business system unavailable for over 4 hours
(4) Likely to attract media interest
(5) Confidential information release (non-personal)
(6) Require advice on additional controls to put in place to reduce reoccurrence
(7) Aware that other organisations have been affected
(8) Multiple attacks detected and blocked over a period of 1 month


More information

Data Protection Policy

Data Protection Policy Data Protection Policy Introduction Stewart Watt & Co. is law firm and provides legal advice and assistance to its clients. It is regulated by the Law Society of Scotland. The personal data that Stewart

More information

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust PRIVACY NOTICE VOLUNTEER INFORMATION Liverpool Women s NHS Foundation Trust Introduction This document summarises who we are, what information we hold about you, what we will do with the information we

More information

Element Finance Solutions Ltd Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy Element Finance Solutions Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

INFORMATION TECHNOLOGY SECURITY POLICY

INFORMATION TECHNOLOGY SECURITY POLICY INFORMATION TECHNOLOGY SECURITY POLICY Author Responsible Director Approved By Data Approved September 15 Date for Review November 17 Version 2.3 Replaces version 2.2 Mike Dench, IT Security Manager Robin

More information

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Document history Author(s) Date S Gamlin 23/05/2018 Revision / Number Date Amendment Name Approved by BI annual revision Date

More information

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY 1. Statement of Policy (Guardian) needs to collect and use certain types of information about the Individuals or Service Users with whom they come into contact in order to carry on our work. This personal

More information

GDPR Compliance. Clauses

GDPR Compliance. Clauses 1 Clauses GDPR The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU). It became enforceable from May 25 2018. The

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please

More information

Information Security Strategy

Information Security Strategy Security Strategy Document Owner : Chief Officer Version : 1.1 Date : May 2011 We will on request produce this Strategy, or particular parts of it, in other languages and formats, in order that everyone

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Privacy Impact Assessment

Privacy Impact Assessment Automatic Number Plate Recognition (ANPR) Deployments Review Of ANPR infrastructure February 2018 Contents 1. Overview.. 3 2. Identifying the need for a (PIA).. 3 3. Screening Questions.. 4 4. Provisions

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

SAFE USE OF MOBILE PHONES AT WORK POLICY

SAFE USE OF MOBILE PHONES AT WORK POLICY SAFE USE OF MOBILE PHONES AT WORK POLICY Links to Lone Working Policy, Personal Safety Guidance, Lone Working Guidance, Information Governance Policy Document Type General Policy Unique Identifier GP31

More information

FOUNDRY COLLEGE. General Data Protection Regulation (GDPR) Policy Incorporating Freedom of Information

FOUNDRY COLLEGE. General Data Protection Regulation (GDPR) Policy Incorporating Freedom of Information FOUNDRY COLLEGE General Data Protection Regulation (GDPR) Policy Incorporating Freedom of Information Document Control Information Version DATE DESCRIPTION 1 01/02/2012 Adopted for Foundry College 2 27/01/2013

More information

DATA PROTECTION POLICY THE HOLST GROUP

DATA PROTECTION POLICY THE HOLST GROUP DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller

More information

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts POLICY STATEMENT Adkin is committed to protecting and respecting the privacy of all of our clients. This Policy

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY 1 Your Data Protection Responsibilities DATA PROTECTION POLICY 1.1 Everyone has rights with regard to how their personal data is handled. Personal data is any information that a person can be identified

More information

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013 Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller

More information

Eco Web Hosting Security and Data Processing Agreement

Eco Web Hosting Security and Data Processing Agreement 1 of 7 24-May-18, 11:50 AM Eco Web Hosting Security and Data Processing Agreement Updated 19th May 2018 1. Introduction 1.1 The customer agreeing to these terms ( The Customer ), and Eco Web Hosting, have

More information

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK 1 Version 2.0 Information Reader Box Document Name Author Information Governance Handbook Information Governance Team CSU Publication Date 09/12/2015 Review Date 09/12/2016

More information

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION Document Control Owner: Distribution List: Data Protection Officer Relevant individuals who access, use, store or

More information

Network Account Management Security Standard

Network Account Management Security Standard TRUST-WIDE NON-CLINICAL DOCUMENT Network Account Management Security Number: Scope of this Document: Recommending Committee: Approving Committee: SS06 All Staff/ Services Users Joint Information Governance

More information

Data Security Standards

Data Security Standards Data Security Standards Overall guide The bigger picture of where the standards fit in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a

More information

Data Protection Policy

Data Protection Policy The Worshipful Company of Framework Knitters Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act 1998 (DPA) [UK] For information on this

More information

Islam21c.com Data Protection and Privacy Policy

Islam21c.com Data Protection and Privacy Policy Islam21c.com Data Protection and Privacy Policy Purpose of this policy The purpose of this policy is to communicate to staff, volunteers, donors, non-donors, supporters and clients of Islam21c the approach

More information

Frequently Asked Questions

Frequently Asked Questions Frequently Asked Questions After having undertaken a period of research within recreational cricket, this document is aimed at addressing the frequently asked questions from cricket Clubs, Leagues, Boards

More information

Directive on security of network and information systems (NIS): State of Play

Directive on security of network and information systems (NIS): State of Play Directive on security of network and information systems (NIS): State of Play Svetlana Schuster Unit H1 Cybersecurity and Digital Privacy DG Communications Networks, Content and Technology, European Commission

More information

Introductory guide to data sharing. lewissilkin.com

Introductory guide to data sharing. lewissilkin.com Introductory guide to data sharing lewissilkin.com Executive Summary Most organisations carry out some form of data sharing, whether it be data sharing between organisations within the group or with external

More information

Privacy Policy GENERAL

Privacy Policy GENERAL Privacy Policy GENERAL This document sets out what information Springhill Care Group Ltd collects from visitors, how it uses the information, how it protects the information and your rights. Springhill

More information

ADMA Briefing Summary March

ADMA Briefing Summary March ADMA Briefing Summary March 2013 www.adma.com.au Privacy issues are being reviewed globally. In most cases, technological changes are driving the demand for reforms and Australia is no exception. From

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy Version Number: 3.6 Page 1 of 14 Business Continuity Policy First published: 07-01-2014 Amendment record Version Date Reviewer Comment 1.0 07/01/2014 Debbie Campbell 2.0 11/07/2014

More information

Cybersecurity Considerations for GDPR

Cybersecurity Considerations for GDPR Cybersecurity Considerations for GDPR What is the GDPR? The General Data Protection Regulation (GDPR) is a brand new legislation containing updated requirements for how personal data of European Union

More information

POLICY. Version: 1.1 Quality and Performance Committee Date ratified: 12 th July 2017

POLICY. Version: 1.1 Quality and Performance Committee Date ratified: 12 th July 2017 EMAIL POLICY Version: 1.1 Ratified by: Quality and Performance Committee Date ratified: 12 th July 2017 Name & Title of originator/author: John Robinson, Senior Information Governance Specialist (embed

More information

Clyst Vale Community College Data Breach Policy

Clyst Vale Community College Data Breach Policy Clyst Vale Community College Data Breach Policy Contents 1. Aim Page 2 2. Definition Page 2-3 3. Scope Page 3 4. Responsibilities Page 3 5. Reporting a data breach Page 3-4 6. Data breach plan Page 4 7.

More information

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17 GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive

More information

SWBCCG Pol 18. Information Governance handbook

SWBCCG Pol 18. Information Governance handbook SWBCCG Pol 18 Information Governance handbook 1 SWBCCG Pol 18 Information Reader Box Directorate Purpose Document Purpose Document Name Author Sandwell and West Birmingham CCG Guidance Procedures Information

More information

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

PPS is Private Practice Software as developed and produced by Rushcliff Ltd. Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and

More information

LCU Privacy Breach Response Plan

LCU Privacy Breach Response Plan LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard

More information

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017 Introduction Adrian Ross GRC consultant

More information

PTLGateway Data Breach Policy

PTLGateway Data Breach Policy 1 PTLGateway Data Breach Policy Last Updated Date: 02 March 2018 Data Breach Policy This page informs you of our policy which is to establish the goals and the vision for the breach response process. This

More information

Bring Your Own Device (BYOD) Policy

Bring Your Own Device (BYOD) Policy SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This

More information

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:

More information

Information Security Data Classification Procedure

Information Security Data Classification Procedure Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations

More information

General Data Protection Regulation (GDPR) Key Facts & FAQ s

General Data Protection Regulation (GDPR) Key Facts & FAQ s General Data Protection Regulation (GDPR) Key Facts & FAQ s GDPR comes into force on 25 May 2018 GDPR replaces the Data Protection Act 1998. The main principles are much the same as those in the current

More information

Data Protection Policy

Data Protection Policy Introduction In order to; provide education, training, assessment and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its

More information

INNOVENT LEASING LIMITED. Privacy Notice

INNOVENT LEASING LIMITED. Privacy Notice INNOVENT LEASING LIMITED Privacy Notice Table of Contents Topic Page number KEY SUMMARY 2 ABOUT US AND THIS NOTICE 3 USEFUL WORDS AND PHRASES 4 WHAT INFORMATION DO WE COLLECT? 4 WHY DO WE PROCESS YOUR

More information

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy DEPARTMENT OF JUSTICE AND EQUALITY Data Protection Policy May 2018 Contents Page 1. Introduction 3 2. Scope 3 3. Data Protection Principles 4 4. GDPR - Rights of data subjects 6 5. Responsibilities of

More information

Data Breach Notification: what EU law means for your information security strategy

Data Breach Notification: what EU law means for your information security strategy Data Breach Notification: what EU law means for your information security strategy Olivier Proust December 8, 2011 Hunton & Williams LLP Key points 1. Introduction 2. Overview of data breach requirements

More information

Data Protection Privacy Notice

Data Protection Privacy Notice PETA Limited Page 1 of 7 Data Protection Privacy Notice PETA Limited provides a range of services to both members of the public and to those employed within business. To enable us to provide a service,

More information

Regulating Cyber: the UK s plans for the NIS Directive

Regulating Cyber: the UK s plans for the NIS Directive Regulating Cyber: the UK s plans for the NIS Directive September 2017 If you are a digital service provider or operate an essential service then new security and breach notification obligations may soon

More information

Remote Working & Mobile Devices Security Standard

Remote Working & Mobile Devices Security Standard TRUST-WIDE NON-CLINICAL DOCUMENT Remote Working & Mobile Devices Security Standard Standard Number: Scope of this Document: Recommending Committee: Approving Committee: SS02 All Staff Joint Information

More information

Data Breach Incident Management Policy

Data Breach Incident Management Policy Data Breach Incident Management Policy Policy Number FCP2.68 Version Number 1 Status Draft Approval Date: First Version Approved By: First Version Responsible for Policy Responsible for Implementation

More information

RVC DATA PROTECTION POLICY

RVC DATA PROTECTION POLICY RVC DATA PROTECTION POLICY POLICY and PROCEDURES Responsibility of Data Protection Officer Review Date July 2019 Approved by CEC Author D.Hardyman-Rice CONTENTS PAGE 1) Policy Statement 3 2) Key definitions

More information

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018 ma recycle.com Rely and Comply... GDPR Privacy Policy Policy Date: 24 May 2018 Max Recycle Hawthorne House Blackthorn Way Sedgeletch Industrial Estate Fencehouses Tyne & Wear DH4 6JN T: 0845 026 0026 F:

More information

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager. London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate

More information

1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests.

1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests. 1 Introduction 1.1 Article 15 of the General Data Protection Regulations (GDPR) provides individuals (Data Subjects) with the right to access personal information so that they are fully informed of the

More information

Mobile Computing Policy

Mobile Computing Policy Mobile Computing Policy Issue sheet Document reference NHSBSAIS004 Document location Title NHS Business Services Authority Mobile computing policy Author Head of Security and Information Assurance Issued

More information

Requirements for a Managed System

Requirements for a Managed System GDPR Essentials Requirements for a Managed System QG Publication 6 th July 17 Document No. QG 0201/4.3 Requirements for a Managed GDPR System The General Data Protection Regulation GDPR will apply in the

More information

How the GDPR will impact your software delivery processes

How the GDPR will impact your software delivery processes How the GDPR will impact your software delivery processes About Redgate 230 17 202,000 2m Redgaters and counting years old customers SQL Server Central and Simple Talk users 91% of the Fortune 100 use

More information

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.! enquiries@privacy.org.au http://www.privacy.org.au/ 28September2012 APFsubmission draftmandatorydatabreachnotification intheehealthrecordsystemguide. The Australian Privacy Foundation (APF) is the country's

More information

Technical Requirements of the GDPR

Technical Requirements of the GDPR Technical Requirements of the GDPR Purpose The purpose of this white paper is to list in detail all the technological requirements mandated by the new General Data Protection Regulation (GDPR) laws with

More information

Supporting the NHS to Improve Cyber Security. Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre

Supporting the NHS to Improve Cyber Security. Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre Supporting the NHS to Improve Cyber Security Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre https://www.youtube.com/watch?v=3bqt7zkkq JA 2 Start with why And why it

More information

Data Processing Agreement DPA

Data Processing Agreement DPA Data Processing Agreement DPA between Clinic Org. no. «Controller». and Calpro AS Org. nr. 966 291 281. «Processor» If the parties have executed a Data Management Agreement, the Date Management Agreement

More information

Policy General Policy GP20

Policy General Policy GP20 Email Policy General Policy GP20 Applies to All employees Committee for Approval Quality and Governance Committee Date of Approval September 2012 Review Date June 2014 Name of Lead Manager Head of Technology

More information

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017 Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project / Work Data Sharing Audits Status Final Acting Director Chris Roebuck Version 1.0 Owner Rob Shaw Version issue date 19-Jan-2015 HSCIC Audit of

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Open Open INFORMATION SECURITY POLICY OF THE UNIVERSITY OF BIRMINGHAM DOCUMENT CONTROL Date Description Authors 18/09/17 Approved by UEB D.Deighton 29/06/17 Approved by ISMG with minor changes D.Deighton

More information

BOARD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018

BOARD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018 BORD OF DIRECTORS (OPEN) Meeting Date: 14 th November 2018 Open BoD 14.11.18 Item 14 TITLE OF PPER TO BE PRESENTED BY CTION REQUIRED Senior Information Risk Owner (SIRO) nnual Report Phillip Easthope,

More information

DATA PROTECTION IN RESEARCH

DATA PROTECTION IN RESEARCH DATA PROTECTION IN RESEARCH Document control Applicable to: All employees and research students Date first approved February 2006 Date first amended May 2015 Date last amended May 2015 Approved by Approval

More information

Data Protection and GDPR

Data Protection and GDPR Data Protection and GDPR At DPDgroup UK Ltd (DPD & DPD Local) we take data protection seriously and have updated all our relevant policies and documents to ensure we meet the requirements of GDPR. We have

More information