Policy on ‘ICT Security’ Guidance

Aim: To increase awareness of the policy on IT Security Policy.

Dec 19, 2015

Page 1

Policy on ‘ICT Security’ Guidance

Page 2

Aim

To increase awareness of the policy on IT Security Policy.

Page 3

Introduction

– Proliferation of computerised systems, Internet (www), E-mail, E-commerce etc.
– E-Health?
– Legislative drivers:
  – Data Protection Act 1998;
  – Regulation of Investigatory Powers Act (RIP) 1998;
  – Human Rights Act 2000.

Page 4

Reflective Questions

What do you think are the current strengths of the Trust’s ICT infrastructure?

What do you think are the weaknesses?

Page 5

What is eHealth?

“Using the internet and other electronic channels to access and deliver health and lifestyle information and services”

Page 6

Current state of eHealth

– First online cancer support group (alt.support.cancer) founded 1992
– There are > 100k medical websites, growing exponentially
– Over a third of UK homes claim an internet link in 2001
– 85% of UK doctors report some patients who benefited from the internet (Potts et al ’02)
– 44% of UK doctors report some patients who experienced problems from the internet

Page 7

...fast, professional medical services
...worldwide consultation with your doctor by e-mail & phone
...and if you need to be seen, we offer convenient affordable appointments on the day you want.

e-med offers all the services of a GP Surgery but with:
– longer appointments, on the day you want
– a relaxed uncrowded waiting room
– a fast results service after tests

Page 8

The patient/client view

Page 9

What do people want?

Web sites:
– Reliable medical information
– Answers to medical questions
– Interactive services: data capture & charting, risk scoring, chronic disease management…

Virtual communities:
– Discussion forums, email lists, etc.
– Provide online social support, sympathy – social support more traffic than information exchange (Valaitis 2000)
– 1147 cancer-related mailing lists on Yahoo, 308 active (Potts 2002)

Page 10

Why do people want it?

Information:
– Free, easy to search
– Convenient to access for a sick person – in your home 24x7 / in local library
– Huge coverage, including rare diseases – the five common cancers account for only 52% of all cases

Support groups, advice:
– As anonymous as you want
– Can choose a group you fit into
– No commitment to participate (lurkers)

Page 11

Do people use it?

Demand for email contact with Diabetes UK:

[Chart: phone vs. email contact in 1997, 1999 and 2001; vertical axis 0%–100%]

Source: Debbie Hammond, Diabetes UK

Page 12

Do people use it?

NHSDirect Online content: 10k users per day. NHSDirect Online Enquiry Service, 2002 figures:

[Chart: average number of calls per day; vertical axis 0–90]

Page 13

Who / where do people use it?

Cancer patients:
– 10% of cancer patients in NI, 23% in London had used the net
– Higher usage in younger, educated sector
– No difference with gender, diagnosis (Mills ’02, Wilkins ‘02)

UK population:
– ONS survey Jan ’01: overall, 14% would go to the net for cancer info.
– Gender / age figures varied: 25% males 25-44, <1% females 75+

Page 14

Page 15

The Freestyle Tracker

“A Comprehensive Diabetes Management System in the Palm of Your Hand”

• Combines blood glucose meter, diabetes manager, and (PDA) all in one compact device
• World's smallest sample blood glucose testing for nearly painless monitoring
• Tracks and stores diabetes information for on-the-go review
• Displays data in various formats to enable easier understanding and management
• Sleek PDA appearance makes glucose testing and diabetes data management more discreet
• Provides easy access to a 2,500 item Food List …

Page 16

The professional view

Page 17

Potential benefits for Professionals

– Virtual electronic patient records – data from multiple sites on one screen
– Instant access to knowledge: guidelines, other reference material
– Professional knowledge services
– Globalisation of services
– Your own web site
– Electronic directory & booking of hospital tests, procedures
– Care pathways linking organisations

Page 18

Professional dept. / GP practice web sites

Audience: patients, carers, GPs, Trust staff

Contents:
– Local practice information and patient advice
– Links to good external sites (eg. patient support, leaflets)
– Secure personal page for each patient – drug list, test results, letters, discharge summaries, asthma / DM data…

Potential benefits:
– Better information for patients, carers, others
– Fewer telephone calls, appointments
– Improved adherence to appointments, treatments…

Page 19

Potential harms

– Internet printout syndrome – more information to discuss
– “Cyber-chondria”, prescription drug abuse, other harms?
– Loss of direct contact with patients – fewer consults, commercial eHealth sites?
– Competition from alternative practitioners, cyber-providers
– Privacy Issues

Page 20

So, The ICT Security Policy

Page 21

What does IT Security mean?

IT Security provides improvements in:
– Confidentiality
– Integrity
– Availability

Page 22

All IT systems are subject to threats:
– Incorrect input
– Theft
– Wilful damage
– Unauthorised access
– Software viruses

Page 23

The Impact of the Threats

– Personal privacy
– Personal health and safety
– Financial
– Commercial confidentiality
– Legal damages and penalties
– Disruption of services
– Political embarrassment

Page 24

The IT Security Policy

– Illustrates management commitment
– Relates to IM&T strategies
– Relates to business plans
– Defines security
– Shows intention to comply with legislation
– Defines responsibilities
– Covers everyone
– Acts as basis for procedures

Page 25

Why do we need a Security Policy?

We need to preserve:
– Confidentiality of data access;
– Integrity of the Trust systems;
– Availability of information to the right staff.

A security policy is needed to defend against threats and to comply with prevailing legislation.

Page 26

Current Legislation

– Computer Misuse Act 1990
– Data Protection Act 1998
– Regulation of Investigatory Powers (RIP) 2000
– Human Rights Act 2000
– HPSS IS Security Policy
– Freedom of Information Act

Page 27

The Computer Misuse Act 1990

Introduced three new offences:
– Unauthorised access to computers
– Unauthorised access with intent
– Unauthorised modification

Page 28

Regulation of Investigatory Powers (RIP) 2000

General presumption that communications (email & internet) traffic should not be intercepted; see Article 8, HRA 2000.

But the ‘Lawful Business Practice Rules’ permit monitoring of communications without employees’ specific consent under clearly defined circumstances.

Page 29

Main Provisions DPA 1998

– Covers all HPSS records including electronic records
– Defines ‘processing’ as obtaining, holding and disclosing data
– Permits subject access to all records
– Imposes considerable penalties

Page 30

Data Protection ’98: The Principles

1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes
3. Personal data shall be adequate, necessary and not excessive in relation to the purpose for which it was provided

Page 31

Data Protection ’98: The Principles continued...

4. Personal data shall be accurate and up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes
6. Personal data shall be processed in accordance with the rights of the subject under the Act

Page 32

Data Protection ’98: The Principles continued...

7. Technical & organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or damage to personal data
8. Personal data shall not be transferred to a country outside the European Economic Area.

Page 33

General Security Measures

Virus Control:
– Do not load files on a PC unless virus checked.
– Do not load illegal software.
– Report any virus detection to ITSO.
– Remote access & laptop users should ensure anti-virus software is up-to-date.

Page 34

General Security Measures

Protection of Hardware from theft:
– Do not remove equipment from Trust sites without relevant authority (except for laptops).
– Laptops, PDAs must use hard disk password or encryption to secure against loss of personal data.
– Lock offices, drawers, close blinds/curtains after hours.

Page 35

General Security Measures

Accidental Damage:
– Avoid eating/drinking near hardware.
– Location of hardware should comply with Health & Safety standards.
– Switch off all IT hardware when not in use.
– Avoid obstructing cooling fans on computers and printers.

Page 36

General Security Measures

Protection of data storage media:
– Data on diskettes can be corrupted by being kept near electronic/magnetic devices or direct sunlight, radiators etc.
– All media (diskettes, CD-ROM) should be locked away when not in use.
– All storage media should be clearly marked.
– Backup storage must be replaced within recommended time frames.

Page 37

General Security Measures

Unauthorised access to data:
– Use power-on passwords where available.
– Passwords should be changed.
– Use password protected screen savers.
– VDUs should be tilted away from the public.
– All sensitive printouts should be shredded.

Page 38

Staff using Email

– Trust email traffic is monitored and quarantined, if necessary
– Avoid inappropriate use of email
– Restrict access to recipients who are interested in the message
– Check email regularly
– Delete unwanted messages

Page 39

Staff using Email

– Inform IT dept when sending attachments >1MB
– Don’t email attachments with sensitive information outside the HPSS
– Report any virus incidents to ITSO; do not forward virus alerts to any other person except ITSO

Page 40

Passwords

– An important line of defence
– Need to be implemented to be effective
– Staff carry responsibility for impersonation
– Staff should use password protection for:
  • Power-on
  • Network login
  • System login eg HRMS, SOSCARE etc
  • Screensavers

Do not duplicate passwords used in the above list.

Page 41

Passwords

Choose a password with care. Poor examples are:
• Your own name
• Spouse’s name
• Pet’s name!
• Car number
• Favourite football team

Use a phrase and compose the password from initial letters and numbers:
• ILIA2BH (I live in a 2 bedroom house)
• IGOHO28J (I go on holiday on 28 June)

Page 42

Passwords

Follow these simple rules:
– Choose one that cannot be easily guessed;
– Do not write it down;
– Keep it secret (except for contingency reasons);
– Change on a regular basis;
– Change password immediately if you think it has been compromised.

Create a new account for temporary access to ‘outsiders’.

The use of password ‘cracking’ software without prior approval of CE is a disciplinary offence.
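As an added example (not part of the deck), a small Python checker that applies the deck's own password guidance: the phrase-to-initials construction shown with ILIA2BH, the list of poor choices (own name, spouse's name, pet's name, car number, football team), and the rule that power-on, network login, system login and screensaver passwords must not be duplicated. The personal facts and sample passwords in it are constructed values.

```python
import re

# Constructed sample values (not from the deck) standing in for the personal
# facts the deck lists as poor password choices.
PERSONAL_FACTS = {
    "own name": "Margaret",
    "spouse's name": "Thomas",
    "pet's name": "Biscuit",
    "car number": "KXI 4521",
    "football team": "Linfield",
}

def password_from_phrase(phrase: str) -> str:
    """Deck's construction: first letter of each word, numbers kept whole,
    upper-cased. 'I live in a 2 bedroom house' -> 'ILIA2BH'."""
    parts = [w if w.isdigit() else w[0] for w in phrase.split()]
    return "".join(parts).upper()

def _squash(text: str) -> str:
    # Compare with spaces removed and case folded, so 'KXI 4521' matches 'kxi4521'.
    return re.sub(r"\s+", "", text).lower()

def poor_choice_reasons(password: str, facts: dict) -> list:
    """Categories of personal fact that appear inside the password."""
    pw = _squash(password)
    return [cat for cat, value in facts.items() if _squash(value) in pw]

def duplicated_contexts(passwords: dict) -> list:
    """Contexts ({context: password}) whose password is reused elsewhere."""
    by_password = {}
    for ctx, pw in passwords.items():
        by_password.setdefault(pw, []).append(ctx)
    return sorted(c for ctxs in by_password.values() if len(ctxs) > 1 for c in ctxs)

def check_password_set(passwords: dict, facts: dict) -> dict:
    """Apply both rules to a full set of passwords; returns findings per context."""
    dup = set(duplicated_contexts(passwords))
    findings = {}
    for ctx, pw in passwords.items():
        problems = ["contains " + r for r in poor_choice_reasons(pw, facts)]
        if ctx in dup:
            problems.append("reused for another context")
        findings[ctx] = problems
    return findings

if __name__ == "__main__":
    sample = {
        "power-on": password_from_phrase("I live in a 2 bedroom house"),
        "network login": "Biscuit1",
        "system login": "KXI4521",
        "screensaver": password_from_phrase("I live in a 2 bedroom house"),
    }
    for ctx, problems in check_password_set(sample, PERSONAL_FACTS).items():
        print(ctx, "->", problems or "ok")
```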

Page 43

Internet Policy

Access permitted only through the Trust Wide Area Network.

Unacceptable use: anything
– Illegal
– Offensive
– Unethical

Page 44

Internet Policy

Business use only.
– Personal use blocks other business users
– DIS/Trust can block inappropriate sites

Do not transmit sensitive information. Remember obligations under the Data Protection Act 1998.

Internet use is monitored. Users need to accept the terms of the Internet policy.

Page 45

Internet Policy

HPSS data posted by staff on the Internet must carry a message indicating ‘Crown Copyright’.

Any document created & posted onto the Internet by staff must identify the author and include ‘North and West Belfast HSS Trust’ (as opposed to non Trust documents).

Page 46

Internet Policy

User/News groups involvement requires director level authority.

Never use ‘Trust’ based passwords on the internet.

Avoid downloading files unless it is expressly permitted by the Web site.

Page 47

Internet Policy

Do not enter into any agreements on behalf of the Trust unless authorised to do so.

Avoid downloading malicious software.

Make best use of Internet time by:
– Being search specific
– Keeping downloading time to a minimum

Do not expect too much of the internet.

Page 48

Exercise

Can you describe a breach of IT security that occurred within your work area?

Describe: What happened?

Why it happened?

What the impact was?

How you recovered (if you did)

Steps taken to prevent a repetition.

Page 49

Trust Example: Office Fire

What Happened?
– Recent fire destroyed 8 PCs, printer and PC based data

Why it happened?
– Accidental fire

What was the impact?
– Minimal as there was central backup of files. Would have been catastrophic otherwise.

How we recovered?
– Data reloaded onto contingency PCs in another Office.

Page 50

Conclusions

Measures will:
– reduce threats
– reduce vulnerability
– reduce impact

If you are concerned about security, ask the IT department for help and advice.

Security is everyone's responsibility

Staff declaration

A Poem for Computer Users over 40!!

Page 51

Thank-you for attending