Birmingham Community Healthcare NHS Foundation Trust
2017/18 Data Security and Protection Requirements
March 2018

1.0 Executive Summary

The Trust has received a request from NHS Improvement (NHSI) to self-assess and provide assurance to its Board of Directors, and in turn to NHSI, on the ten data security standards and on its statutory obligations on data protection and data security. This report presents an assessment, the assurance available and any actions required in respect of each of the ten standards, to enable the Trust to submit the return to NHSI by the end of March.

Overall the Trust is assessed to be in a strong position in respect of the ten standards. Those rated amber either require a verbal update at the Board meeting, owing to the timing of this report, or require formal approval of submissions.

2.0 Background

From April 2018 the new Data Security and Protection (DSP) Toolkit replaces the Information Governance (IG) Toolkit. It will form part of a new framework for assuring that all health and social care organisations contracted to provide services under the NHS Standard Contract implement the ten data security standards and are meeting their statutory obligations on data protection and data security, as part of the data security and protection requirements set out in that contract. When considering data security as part of the well-led element of inspections, the Care Quality Commission (CQC) will also look at how organisations are assuring themselves that the steps set out in this document are being taken.

3.0 NHS Providers

At the end of the 2017/18 financial year NHSI will ask NHS providers to confirm that they have implemented the requirements set out in this document. In the longer term NHSI will ensure that data security is included in its oversight arrangements.

For each of the ten requirements below, the requirement is stated first, followed by the Trust's assessment of its position and any action required.

3.1 Leadership Obligation One - People

1. Senior Level Responsibility

Requirement: There must be a named senior executive responsible for data and cyber security in your organisation. Ideally this person will also be your Senior Information Risk Owner (SIRO) and, where applicable, a member of your organisation's board.

Trust position: The Chief Operating Officer (COO) is the senior executive on the Trust Board responsible for Information Technology. Information Governance (which currently incorporates Information Security) sits with the Chief Finance Officer (CFO), who is also the SIRO. The Medical Director undertakes the Caldicott Guardian role. Cyber security is a standing agenda item within the Estates & IT Steering Group (EITSG), chaired by the COO, which reports to the Finance and Performance Assurance Committee (FPAC). In addition, there is a specific risk in respect of cyber security on the Board Assurance Framework, which is reviewed at EITSG and quarterly by the Trust Board.

Action: Consideration to be given as to whether the SIRO should become responsible for cyber security, or whether the responsibility should be shared between the CFO and the COO, with the different areas of responsibility made explicit in both roles.

2. Completing the Information Governance Toolkit v14.1

Requirement: In 2017/18, organisations are still required to achieve at least level two on the current IG Toolkit before it is replaced with a new approach (the DSP Toolkit), from 2018/19 onwards, to measuring progress against the ten data security standards.

Trust position: The 17/18 IG Toolkit submission is in the final stages of being finalised and the Trust expects to achieve the minimum level 2 on all domains and controls. An Internal Audit report received by the Audit Committee on 22/3/18 provided significant assurance in respect of the IG Toolkit submission by year end.

Action: Formal approval of the 17/18 IG Toolkit submission by QGRC, virtually, by 29th March 2018.

3. Prepare for the introduction of the General Data Protection Regulation (GDPR) in May 2018

Requirement: The Beta version of the Data Security and Protection Toolkit, to go live in February 2018, will help organisations understand what actions they will need to take to implement GDPR, which comes into effect in May 2018.

Trust position: Significant work has already been undertaken in this area by the Information Governance team. A GDPR guide has been produced and IG colleagues have attended a number of staff meetings, forums and groups. However, no formal assessment has yet been received by the Trust Board or its committees.

Action: Formal assurance on the Trust's position against the requirements of GDPR and the Beta version of the DSP Toolkit to be presented to QGRC in April, ahead of the May 2018 implementation date.

4. Training Staff

Requirement: All staff must complete appropriate annual data security and protection training. This training replaces the previous IG training whilst retaining key elements of it: https://www.elfh.org.uk/programmes/datasecurity-awareness/

Trust position: All staff are mandated to complete the current IG training annually, which includes training on data security and protection. Compliance as at the end of February 2018 is 96%. The IG Team has processes in place to monitor training take-up, escalate to managers as required and prompt areas that may be falling behind. This is covered by remedial action plans at PPMG as required.

3.2 Leadership Obligation Two - Processes

5. Acting on CareCERT advisories

Requirement: Organisations must:
- act on CareCERT advisories where relevant to your organisation;
- confirm within 48 hours that plans are in place to act on High Severity CareCERT advisories, and evidence this through CareCERT Collect; and
- identify a primary point of contact for your organisation to receive and coordinate your organisation's response to CareCERT advisories, and provide this information through CareCERT Collect.

Trust position: CareCERT advisories are already actioned by Technical Services staff in IT. The Technical Services Manager is the primary point of contact to receive and co-ordinate responses. Where confirmation and updates on CareCERT plans are required, these are co-ordinated by the Technical Services Manager and responded to in a timely manner.
6. Continuity planning

Requirement: A comprehensive business continuity plan must be in place to respond to data and cyber security incidents.

Trust position: Business continuity planning is an on-going process that ensures all areas of the Trust (clinical, non-clinical and corporate) have up-to-date business continuity plans in place. Business continuity planning incorporates all potential service disruptions, including specific IT, data and cyber security incidents. Following the WannaCry malware attack in May 2017 (which was in effect a live exercise in business continuity), a large amount of feedback and lesson learning took place, with comprehensive reports and a Cyber Incident Recovery Plan forming the outputs of this work. The Trust carries a risk in respect of ensuring resilience against cyber attacks and supporting the timely response and return of services to business as usual should an attack be experienced. Mitigating actions include comprehensive business continuity planning for all areas.

7. Reporting incidents

Requirement: Staff across the organisation report data security incidents and near misses, and incidents are reported to CareCERT in line with reporting guidelines.

Trust position: The Trust has significantly updated and increased its existing cyber security controls to mitigate the continual threat of further cyber attacks and malware. Trust staff are aware of the need to log all incidents and near misses on Datix and, in addition, with the IT Service Desk. A cyber security report is received as a standing item at every EITSG. All incidents are also reported to CareCERT (via the Technical Services Manager) in line with reporting guidelines.

3.3 Leadership Obligation Three - Technology

8. Unsupported systems

Requirement: Your organisation must:
- identify unsupported systems (including software, hardware and applications); and
- have a plan in place by April 2018 to remove, replace or actively mitigate or manage the risks associated with unsupported systems.

Trust position: Unsupported systems such as Windows XP and Windows Server 2003 have already been addressed; they are no longer in use and affected staff have been moved to supported platforms. Other unsupported systems and hardware are currently being addressed through capital funds provided by NHS Digital, with procurement taking place throughout March (to replace hardware and thereby enable software upgrades to be implemented, or to ensure the latest software and firmware is present on the new device). Hence the status is shown as not complete at the time of writing. The cyber security report received at every EITSG identifies laptops that have not been connected to the network for two months and have therefore not received automatic updates. Details are escalated to managers and the machines are disabled until clarification is received as to the requirement for access, after which updates are enabled.
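The stale-laptop check described in the Trust position above can be automated against Active Directory. The script below is an added example, not the Trust's own script or a tool from the report: it lists enabled computer accounts in a given OU whose last domain logon is older than the threshold (two months, as in the report), writes them to a CSV for escalation, and, only when run with -Disable, disables the accounts and records the reason in the account description so the Service Desk can re-enable them once the owner confirms the requirement and the machine has been updated. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the OU path, threshold and report path are placeholders.

```powershell
# Added example (not from the Trust's report): find laptops that have not logged on to
# the domain for a threshold number of days, report them, and optionally disable the
# computer account until the owner confirms the machine is required and has been patched.
# Assumptions: ActiveDirectory module (RSAT) installed; $SearchBase is a placeholder OU.
#Requires -Modules ActiveDirectory

param(
    [string]$SearchBase = 'OU=Laptops,DC=example,DC=local',  # placeholder OU, change to the real one
    [int]$StaleDays     = 60,                                # "two months" in the report
    [string]$ReportPath = '.\stale-laptops.csv',             # feeds the EITSG cyber security report
    [switch]$Disable                                         # report only unless this switch is given
)

$now    = Get-Date
$cutoff = $now.AddDays(-$StaleDays)

# LastLogonDate is derived from lastLogonTimestamp, which is replicated between domain
# controllers but, by default, only refreshed when the stored value is more than 14 days
# old. It is therefore a lower bound on "last seen": adequate for a 60-day threshold,
# misleading for a threshold of a week or two.
$stale = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, OperatingSystem, ManagedBy, Description |
         Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

$report = foreach ($c in $stale) {
    # A null LastLogonDate means the account has never logged on since it was created.
    $days = if ($c.LastLogonDate) { [int]($now - $c.LastLogonDate).TotalDays } else { $null }

    [pscustomobject]@{
        Name      = $c.Name
        OS        = $c.OperatingSystem
        LastLogon = $c.LastLogonDate
        DaysSince = $days
        ManagedBy = $c.ManagedBy   # who to escalate to, where the attribute is maintained
    }

    if ($Disable) {
        # Record why and when the account was disabled, so re-enabling is a deliberate
        # decision by the Service Desk rather than guesswork.
        $note = 'Disabled {0:yyyy-MM-dd}: no domain logon for {1}+ days, pending update check' -f $now, $StaleDays
        Set-ADComputer -Identity $c -Description $note
        Disable-ADAccount -Identity $c
    }
}

$report | Sort-Object DaysSince -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Sort-Object DaysSince -Descending | Format-Table -AutoSize
```

Run it without -Disable first and review the CSV with the relevant managers; run it again with -Disable only for the machines that remain unaccounted for. A disabled account is re-enabled with Enable-ADAccount once the laptop has been connected and patched. Note that a domain logon is only a proxy for "received automatic updates": where WSUS or Configuration Manager last-contact data is available, that is the more direct measure and can replace the LastLogonDate filter.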
9. On-Site Assessments

Requirement: Your organisation must:
- undertake an on-site cyber and data security assessment if you are invited to do so by NHS Digital; and
- act on the outcome of that assessment, including any recommendations, and share the outcome of the assessment with your commissioner.

Trust position: The Trust has already undertaken such an assessment through NHS Digital and is working through the recommendations (supported by capital funds provided by NHS Digital). The Trust has also undertaken a separate cyber security audit via Internal Audit and associated third-party consultants, with an accompanying audit report and action plan forming the outputs. Updates on both action plans have been provided to both the Audit Committee and the Estates & IT Steering Group.

10. Checking Supplier Certification

Requirement: Your organisation should ensure that any supplier of IT systems (including other health and care organisations) and the system(s) provided have the appropriate certification.

Trust position: The Trust is contacting all IT systems suppliers to confirm that they comply with, and have supplied evidence of, the appropriate cyber security standards, accreditation and legislation, as per the certification frameworks provided by NHS Digital [1]. A deadline for confirmation has been set as Friday 30th March 2018 and progress will be provided verbally at the Trust Board meeting on 29th March 2018, hence the status shown at the time of writing. Allied to this, every IT system procured and implemented by the Trust is subject to a Privacy Impact Assessment, an element of which requires confirmation of the supplier's information security certifications, processes and procedures, together with supporting evidence.

[1] NHS Digital good practice guide on the management of unsupported systems: https://digital.nhs.uk/cybersecurity/policy-and-good-practice-in-health-care