DATA SECURITY, PROTECTION, RECOVERY policies
(last updated 10/9/2024, reviewed 11/9/2024)
In dealing with confidential data, employees are required to fully comply with the principles of the Data Protection Act 2018.
In this context, confidential data means any information or matter which is not in the public domain and which relates to the business, products, affairs or finances of the Company or any of its business contacts and includes:
· information relating to patient records or any medical records;
Personal data are stored in locked cabinets in a secure location (paper) or in a secure area on the Company Server. Access to confidential data is only authorised for specific staff who need it for their current role (typically the Office Manager), and authorisation is removed as soon as it is no longer required.
Staff may request access to their personal data at any time. No requests have been made in the last 12 months. No external supplier has access to personal data.
Employees are required to comply with the
Company’s regulations to keep such records safe, and at no time either during
or after their employment with the Company use or disclose to any person, cause
or facilitate the unauthorised disclosure of
confidential information, or make use of any confidential information about the
business or affairs of the Company or any of its business contacts, or about
any other matters which may come to their knowledge in the course of their
employment.
Employees cannot remove from the Company premises, without prior authority, any document, computer media or other tangible item which contains any confidential information or which belongs to the Company or its clients/customers, suppliers or agents.
Employees cannot without the prior written authorisation of the Company publish literature, deliver
any lecture or make any recording, broadcast or demonstration relating in any
way to the Company’s activities or in which the name of the Company is
mentioned, except with the prior consent of the Company or as required by law.
Employees are also required to comply with the Company’s GDPR Code of Conduct, which in the Company’s case is primarily related to the processing of patient data. The Code of Conduct is overseen and managed by the Data Protection Officer (currently Prof. T. Ritchings) and approved by Trust Data Controllers.
Employees must ensure that no information relating to patients is held by the Company; employees process computer records relating to patients on Trust sites. This includes (but is not limited to) personal details and medical examination records, including images.
Employees must only access patient records that a Trust’s Data Controllers indicate need processing, the Trust providing access to these records on a temporary basis for the duration of the processing.
Any breach observed by the Data Controller or the Company is raised immediately to the DPO,
who will investigate and take appropriate action.
The Data Protection Officer (currently
Prof. T. Ritchings) is responsible for Information Security in the Company. All
employees are made aware of the impact their actions can have on privacy and
security through their Job Contract and annual data security training and
testing.
The Company’s information security policies
include the technologies used by the Company to protect the confidential information, and define the processes and action plans in
place to recover from a computer security incident. A security incident is the
violation or imminent threat of violation of confidential information, such as unauthorised employee activity, infected computer, or
Cyber-attack (DDoS). Depending on the severity of the incident, it may be
necessary to implement the Business Continuity plan to keep the company
operating, and if this fails implement the Disaster Recovery plan. The Incident
Recovery plan is defined below after describing the technologies currently used
by the Company to protect the confidential information.
The Company achieved CyberEssentials
re-certification (7/12/2023).
The Company computer infrastructure,
internet access, and administration is managed by an external professional IT
support and technology services Company, ManchesterIT.
The infrastructure consists of an internal network with 10 PC Workstations (Windows 10), 1 Server (Windows 2016) and a DrayTek router which provides access to the Internet. ManchesterIT ensure that all high-risk or critical security updates for Operating Systems and firmware are installed and tested promptly (within 14 days). They are also responsible for backing up the Servers and the recovery process, and for documenting and reviewing this annually. The Company also has a PC (Windows 10) connected to the HSCN network via a separate DrayTek router/firewall.
ManchesterIT are responsible for managing the system firewalls and anti-virus software (currently Bitdefender). There is an embedded firewall in the DrayTek routers, and all PCs have Windows firewalls enabled. Staff cannot access the system remotely (see note in Business Continuity section), or use tablets or smartphones to access the network. ManchesterIT have access into the system via Kaseya RMM.
ManchesterIT also manage user accounts on written notification (email) from the Company, including:
· creating new user accounts
· resetting account passwords
· deleting user accounts when users leave the Company
· restricting secure access to the Servers depending on a user’s role
· setting up user emails and email groups, such as HelpDesk
· monitoring the SPAM filters, currently Microsoft 365 EOL†
†The SPAM filters are currently blocking approximately 100 threats per day. No phishing emails have been reported in the last 12 months.
The incident response plan has the following stages:
· staff regularly discuss potential incidents
· staff identify key assets
· staff are made aware of the response plan and actions
· ManchesterIT and all staff are informed immediately
· the nature of the attack is confirmed
· all are made aware of what has been compromised
· temporary fixes are made to the system immediately (eg isolate PCs and/or servers, change passwords)
· check that further breach/damage is prevented
· ManchesterIT/key staff understand the incident
· patches are put in place immediately to prevent the incident re-occurring
· ManchesterIT/key staff work out the implications of the incident
· data and systems are repaired, as necessary
· test that the system has returned to normal
· an Incident Report form is completed by the person reporting the incident
· the Incident Report is forwarded to the Information Security Officer
· staff awareness is raised and appropriate training scheduled
No Security Incidents have been reported in the last 12 months.
The Business Continuity and Disaster Recovery plans define the actions and arrangements that take place following a security or other incident that could prevent the Company from operating normally. The most critical risk relates to the Company’s Help Desk, which provides real-time support and maintenance for the Hospitals’ clinics using the Company’s clinical applications (see note in Clinical Risk Management section). Plans that are in place to ensure continuity of the Help Desk and software development are as follows:
An inventory of staff expertise is
maintained and updated regularly to ensure that all software development staff,
especially new employees, are able to use the
development tools effectively, and understand the details of the applications
and the computer interfaces to the hospitals in sufficient depth to perform
updates and testing. Any software modifications are tested by a second
developer before release. Succession planning is in place.
All software sources and Company
documentation are saved on the main server, which is backed up by ManchesterIT weekly and stored in a data warehouse
off-site. Only ManchesterIT have Administrative
rights to the backup/recovery process. Depending on the severity of an
incident, information can be partially or fully restored from the backup. No
patient information is held by the Company at any time, and so is not affected
by any information security breaches in the Company.
The Company PCs and Servers are situated in locked rooms in a building that is fully alarmed and monitored 24 hours by a professional Security firm. The alarm is enabled/disabled by key-fob and all alarm status changes are logged. In the event of a break-in and damage or theft of the computers, the affected computers are replaced and the appropriate software downloaded by ManchesterIT, and in the case of the Server the backup is restored. In the case of serious damage to the premises such as fire, or electrical power-out, staff can be relocated to work at home on a temporary basis, with access to new or relocated machines being managed by ManchesterIT and the main telephone switchboard diverted to the Office Manager’s home.
Since the outbreak of Covid-19, Business Continuity has been maintained by staff working from home, and secure access to the Office network via VPN has been enabled by ManchesterIT on a temporary basis. The Help Desk and software development have been operating normally.