Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018


1.0 Executive Summary

The Trust has received a request from NHS Improvement (NHSI) to self-assess and provide assurance to its Board of Directors, and in turn to NHSI, on ten data security standards and on its statutory obligations on data protection and data security. This report presents an assessment, the assurance available and any actions required in respect of each of the ten standards, to enable the Trust to submit the return to NHSI by the end of March. Overall it is recommended that the Trust is in a strong position in respect of the ten standards; those rated amber require a further verbal update at the Board meeting, because of the timing of the report, or require formal approval of submissions.

2.0 Background

From April 2018 the new Data Security and Protection (DSP) Toolkit replaces the Information Governance (IG) Toolkit. It will form part of a new framework for assuring that all health and social care organisations contracted to provide services under the NHS Standard Contract implement the ten data security standards and are meeting their statutory obligations on data protection and data security, as part of the data security and protection requirements set out in that contract. When considering data security as part of the well-led element of inspections, the Care Quality Commission (CQC) will also look at how organisations are assuring themselves that the steps set out in this document are being taken.

3.0 NHS Providers

At the end of the 2017/18 financial year NHSI will ask NHS providers to confirm that they have implemented the requirements set out in this document. In the longer term NHSI will ensure that data security is included in their oversight arrangements.

3.1 Leadership Obligation One - People

1. Senior Level Responsibility: There must be a named senior executive to be responsible for data and cyber security in your organisation. Ideally this person will also be your Senior Information Risk Owner (SIRO), and where applicable a member of your organisation's board.

The Chief Operating Officer is the senior executive on the Trust Board responsible for Information Technology. Information Governance (which currently incorporates Information Security) sits within the Chief Finance Officer, who is also the SIRO. The Medical Director undertakes the Caldicott Guardian role. Cyber Security is a standing agenda item for discussion within the Estates & IT Steering Group (EITSG), chaired by the COO, which reports to the Finance and Performance Assurance Committee (FPAC). In addition, there is a specific risk in respect of cyber security on the Board Assurance Framework, which is reviewed at EITSG and on a quarterly basis by the Trust Board.

Action: consideration to be given as to whether the SIRO should become responsible for Cyber Security, or whether the responsibility is shared between the CFO and the COO and made explicit as to the different areas of responsibility in both roles.

2. Completing the Information Governance Toolkit v14.1: In 2017/18, organisations are still required to achieve at least level two on the current IG Toolkit before it is replaced with a new approach (DSP Toolkit), from 2018/19 onwards, to measuring progress against the ten data security standards.

The submission for the IG Toolkit for 17/18 is in the final stages of being finalised and there is an expectation that the Trust will achieve the minimum level 2 on all domains and controls. An Internal Audit report was received by the Audit Committee on 22/3/18 providing significant assurance in respect of the IG Toolkit submission by year end.

Action: Formal approval of the 17/18 IG Submission to be approved by QGRC virtually by 29th March 2018.

3. Prepare for the introduction of the General Data Protection Regulation (GDPR) in May 2018: The Beta version of the Data Security and Protection Toolkit, to go live in February 2018, will help organisations understand what actions they will need to take to implement GDPR, which comes into effect in May 2018.

Significant work has already been undertaken in this area by the Information Governance team. A GDPR guide has also been produced and IG colleagues have attended a number of staff meetings, forums and groups. However, no formal assessment has been received by the Trust Board or its committees to date.

Action: Formal assurance against the Trust position in respect of the requirements of GDPR and the Beta version of the DSP Toolkit to be presented to QGRC in April, ahead of the May 2018 implementation date.

4. Training Staff: All staff must complete appropriate annual data security and protection training. This training replaces the previous IG training whilst retaining key elements of it: https://www.elfh.org.uk/programmes/datasecurity-awareness/

All staff are mandated to complete the current IG training annually, which includes training on data security and protection. Compliance as at the end of February 2018 is 96%. The IG Team has processes in place to monitor this training take-up, escalate to managers as required and prompt areas that may be falling behind. This is covered by remedial action plans at PPMG as required.

3.2 Leadership Obligation Two - Processes

5. Acting on CareCERT advisories: Organisations must: act on CareCERT advisories where relevant to your organisation; confirm within 48 hours that plans are in place to act on High Severity CareCERT advisories, and evidence this through CareCERT Collect; and identify a primary point of contact for your organisation to receive and coordinate your organisation's response to CareCERT advisories, and provide this information through CareCERT Collect.

CareCERT advisories are already actioned by Technical Services staff in IT. The Technical Services Manager is the primary point of contact to receive and co-ordinate responses. Where confirmation and updates on CareCERT plans are required, these are co-ordinated by the Technical Services Manager and are responded to in a timely manner.

6. Continuity planning: A comprehensive business continuity plan must be in place to respond to data and cyber security incidents.

Business continuity planning is an on-going process that ensures all areas of the Trust (clinical, non-clinical and corporate) have up to date business continuity plans in place. Business continuity planning incorporates all potential service disruptions, including specific IT, data and cyber security incidents. Following the Wannacry malware attack in May 2017 (which was a live exercise in business continuity), a large amount of feedback and lesson learning took place, with comprehensive reports and a Cyber Incident Recovery Plan forming the outputs from this work. The Trust has a risk in respect of ensuring resilience against cyber attacks and supporting the timely response and return of services to BAU should an attack be experienced. Mitigating actions include the comprehensive business continuity planning for all areas.

7. Reporting incidents: Staff across the organisation report data security incidents and near misses, and incidents are reported to CareCERT in line with reporting guidelines.

The Trust has significantly updated and increased its existing cyber security to mitigate against the continual threat of further cyber attacks and malware. Trust staff are aware of the need to log all incidents and near misses onto Datix and, in addition, to the IT Service Desk. A cyber security report is received as a standing item at every EITSG. All incidents are also reported to CareCERT (via the Technical Services Manager) in line with reporting guidelines.

3.3 Leadership Obligation Three - Technology

8. Unsupported systems: Your organisation must: identify unsupported systems (including software, hardware and applications); and have a plan in place by April 2018 to remove, replace or actively mitigate or manage the risks associated with unsupported systems.

Unsupported systems such as Windows XP and Microsoft Server 2003 have already been addressed; they are no longer supported and staff have been upgraded. Other unsupported systems and hardware are currently being addressed through capital funds provided by NHS Digital, with procurement taking place throughout March (to replace hardware and thereby enable software upgrades to be implemented, or to ensure the latest software and firmware is present on the new device). Hence the status is recorded as not complete at the time of writing this report. The cyber security report received at every EITSG identifies laptops that have not been connected to the network for two months to receive automatic updates. Details are escalated to managers and the machines are disabled until clarification is received as to the requirements for access, and updates are enabled.

9. On-Site Assessments: Your organisation must: undertake an on-site cyber and data security assessment if you are invited to do so by NHS Digital; and act on the outcome of that assessment, including any recommendations, and share the outcome of the assessment with your commissioner.

The Trust has already undertaken such an assessment through NHS Digital and is working through the recommendations (supported by capital funds provided by NHS Digital). The Trust has also undertaken a separate Cyber Security audit via Internal Audit and associated third party consultants, with an accompanying audit report and action plan forming the outputs. Updates on both action plans have been provided to both the Audit Committee and the Estates & IT Steering Group.

10. Checking Supplier Certification: Your organisation should ensure that any supplier of IT systems (including other health and care organisations) and the system(s) provided have the appropriate certification.

The Trust is contacting all IT systems suppliers to confirm they comply with, and have supplied evidence of, the appropriate cyber security standards, accreditation and legislation, as per the certification frameworks provided by NHS Digital [1]. A deadline for confirmation has been set as Friday 30th March 2018 and progress will be provided verbally at the Trust Board meeting on 29th March 2018, hence the status at the time of writing the report. Allied to this, every IT system procured and implemented by the Trust is subject to a Privacy Impact Assessment, an element of which requires confirmation of the supplier's Information Security certifications, processes and procedures together with supporting evidence.

[1] The NHS Digital good practice guide on the management of unsupported systems can be found at: https://digital.nhs.uk/cybersecurity/policy-and-good-practice-in-health-care