AGENDA ITEM: 3.5
INFORMATION MANAGEMENT, TECHNOLOGY AND GOVERNANCE COMMITTEE
DATE OF MEETING: 2 OCTOBER 2018

Subject:
Approved and Presented by: Andrew Durant/Ellen Sullivan
Prepared by: Michael Jones
Other Committees and meetings considered at: None

PURPOSE:
The purpose of this paper is to provide the Information Management, Technology and Governance Committee with an update against the ICT Disaster Recovery and Business Continuity Plans of PTHB.

RECOMMENDATION(S):
It is recommended that the Committee DISCUSSES the content and NOTES that to de-risk (reduce the risk level) will involve increased costs. Once determined, these costs will form part of a business case put forward to the health board so that an informed decision as to the degree of risk that the health board is willing to accept can be agreed.

Approval/Ratification/Decision¹ / Discussion / Information

¹ Equality Impact Assessment (EiA) must be undertaken to support all organisational decision making at a strategic level

Information Management, Technology
THE PAPER IS ALIGNED TO THE DELIVERY OF THE FOLLOWING STRATEGIC OBJECTIVE(S) AND HEALTH AND CARE STANDARD(S):

Strategic Objectives:
1. Focus on Wellbeing
2. Provide Early Help and Support
3. Tackle the Big Four
4. Enable Joined up Care
5. Develop Workforce Futures
6. Promote Innovative Environments
7. Put Digital First
8. Transforming in Partnership

Health and Care Standards:
1. Staying Healthy
2. Safe Care
3. Effective Care
4. Dignified Care
5. Timely Care
6. Individual Care
7. Staff and Resources
8. Governance, Leadership & Accountability

EXECUTIVE SUMMARY:
This report provides an update on the following area:
1. ICT Disaster Recovery and Business Continuity Plan

Actions undertaken:
- An integrated Business Continuity Plan (covering all of Powys ICT functions across council and health) has been developed.
- The ICT Infrastructure team are working on testing recovery systems and processes. This will allow them to further refine recovery processes, provide assurance on data integrity, and confirm RTA (Recovery Time Actual) for systems. This testing and assurance programme is part of the team's ongoing standard operating processes.
- Preliminary investigations have been undertaken on the infrastructure to determine appropriate system consolidation and future infrastructure requirements.
- Work is ongoing to develop a business case around moving systems into a 3rd party data centre and/or cloud solutions. This work is designed to further de-risk the organisation, develop a more flexible, resilient, secure infrastructure and address some of the remaining single points of failure.

DETAILED BACKGROUND AND ASSESSMENT:

Business Continuity Plan
Part of the integration of the service across council and health is to ensure policies and processes are aligned as far as possible. This minimises response times and confusion when responding to incidents. As part of this work the Cyber Security Officer has developed a single Business Continuity Plan for the ICT Service covering all its operations across the council and health service. As with any such plan, this will be subject to ongoing refinement and development.

Disaster Recovery and Backup Testing
Having disaster recovery processes and backup policies is of minimal value unless they are subject to ongoing testing and refinement. Without regular backup testing to provide assurance on information integrity, no backup system can be warranted as fit for purpose.

To this end the Infrastructure Team are undertaking ongoing, regular testing of the present backup system and the DR systems we have implemented as a temporary mitigation pending a longer term solution. These tests are designed to provide assurance as to data integrity (can we recover data from backup, and is data actually being backed up?), whether we can recover servers to alternative infrastructure, and whether the DR system (located in Brecon) can be used to bring up servers in an alternative location.

This testing provides the team with experience in using recovery systems and allows them to identify issues with recovery processes and systems and to refine those processes or systems.
They can also use the actions to provide actual recovery times, which will be used as part of service SLAs. This testing regime, now the team has the resource, will be ongoing using a regular cycle of testing (they aim to do some form of testing every week).

3rd Party Data Centre / Cloud
Whilst we have documented our systems and recovery processes and implemented some mitigation in respect of our infrastructure (improvements in network hardware, failover capabilities, and primary hosting in Bronllys),
there is significant work required to provide the health board with a truly resilient infrastructure that de-risks the organisation.

The main computer room in Bronllys has a number of limitations:
- It is a repurposed ground floor room in a former ward. The floor above consists of a toilet block, so there is a potential flood risk.
- The structure is part of the original hospital, so dates back 100 years. It is difficult to maintain the room as a completely clean room environment.
- The hospital electrical supply has a number of issues and there is a single point of failure in regard to the link to the room.
- The network connection into the room consists of a single fibre optic cable (4-cores).
- The wide area connection is dependent on a single connection into the site; due to our rural location, it is financially infeasible to provide a resilient connection.
- Whilst we have tried to provide a degree of security to the room, we have limited response capabilities out of hours (i.e. there will be a significant delay in response should the room be compromised).

The failover infrastructure uses older equipment, no longer required for primary purposes, and is located in Brecon hospital. The Brecon computer room has even more limitations in regard to environment, security and power. The network connection is presently over-utilised (i.e. too much data for the bandwidth), so this would limit performance in the event of a failover incident.

Our offsite backup systems are reaching end of life and we need to determine how best to provide such a solution going forward.

Following a detailed assessment of our capabilities, it has been determined that to provide the health board with the robust, secure, agile infrastructure it requires we need to de-risk ourselves by moving to hosting solutions. Improving our on-premise environment is not cost effective and limits our capabilities.
At present our investigations are centred on cloud and, where on-premise hosting is required, use of a dedicated third party data centre.

Cloud
The term cloud is generally used to describe a certain type of linked data centres which use advanced management systems to provide an agile, secure and responsive solution. They incorporate a number of systems and solutions, building on traditional ICT models to provide advanced capabilities in regard to use of data, applications and management.

For our purposes, when we talk of cloud solutions we are looking at Microsoft Azure as the best fit for our requirements and infrastructure.
Azure has a number of capabilities in regard to backup and DR that would ensure our systems are appropriately protected and services can be restored in a timely fashion in the event of an incident.

Our present work is investigating how cloud would best fit our requirements, whilst controlling costs and improving support. Some legacy systems may not be best suited for a cloud solution and as such we may have to operate a hybrid model and have a local data centre requirement. This would be provided via a 3rd party data centre.

3rd Party Data Centre
A number of providers have dedicated data centres and will rent space to organisations or provide hosting capabilities for virtual servers. Such spaces will have appropriate security, environmental controls (including power, cooling, and fire protection) and resilient network connectivity.

We are presently investigating a number of options around such solutions to provide an integrated hosting environment for both health and council systems. Where possible we are looking to provide a single solution for council and health systems; this is to simplify support and keep costs to a minimum.

NHS Wales have implemented a cloud solution (Azure tenancy) that should be available to all health boards. We will investigate this option as a primary solution, as opposed to our own tenancy.

NEXT STEPS:
Develop a business case in regard to hosting as part of providing an appropriate disaster recovery and business continuity solution for the health board.