Data Security Standard 7 Continuity Planning The bigger picture and how the standard fits in


2018

Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

Contents

Overview (page 3)
Business continuity and disaster recovery (page 4)
- Definition and background (page 4)
- A continuity plan for data security incidents (page 4)
- Expanding your existing BCP (page 5)
- Expanding existing IT disaster recovery plan
- Creating a data security incident plan
Testing the plan (page 6)
- Live testing (page 6)
- Desktop testing (page 6)
- Membership of the group
- The type and volume of scenarios (page 8)
- During the testing (page 8)
- Post testing (page 8)
Roles and responsibilities (page 9)
- Digital contact list
- Press material
Lessons learnt (page 10)
Appendix 1 - Table of data security level 7 assertions (page 11)
Appendix 2 - Useful resources (page 12)
Appendix 3 - Data security scenarios (page 13)
Appendix 4 - Example of results of a test (page 15)
Appendix 5 - The National Data Guardian reports (page 19)

Overview

The National Data Guardian review's data standard 7 states that:

    "A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management. A business continuity exercise is run every year as a minimum, with guidance and templates available from the Toolkit. There should be a clear focus on enabling senior management to make good decisions, and this requires genuine understanding of the topic, as well as the good use of plain English."

[Figure: the Business Continuity Lifecycle, with the stages Analysis, Solution, Implementation, Testing and acceptance, and Maintenance.]

Business continuity and disaster recovery

Definition and background

The terms business continuity and disaster recovery are often interchanged and sometimes viewed as the same thing. A business continuity plan (BCP) is concerned with how you keep the organisation going, for example by relocating and reshaping services. Disaster recovery is effectively a plan of attack for how you fix the problem and return the organisation to normality.

In the care system, organisational business continuity tends to focus on:
- "Act of God": flooding, high winds
- Staffing: medical virus outbreak, industrial action
- Major incident: terrorist attack, major fire
- Site unavailability: power outage, road issues
- Extreme demand: winter pressures, service closures elsewhere

    "The global WannaCry cyber-attack in May 2017 has reaffirmed the potential for cyber incidents to impact directly on patient care and the need for our health and care system to act decisively to minimise the impact on essential frontline services." (Your Data: Better Security, Better Choice, Better Care - Government Response)

In addition to this, organisations also need to have a business continuity plan that caters for data security incidents. There are examples of data security incidents and reporting procedures in Big Picture Guide 6. For small organisations, your data security plan can be an extension of your existing business continuity plan. If you are part of a larger organisation and use IT extensively, it is recommended that you refer to the general guidance for this data standard, as it has more in-depth guidance for more complex IT systems.

A continuity plan for data security incidents

When creating your continuity plan for data security incidents, you can either extend your existing business continuity plan or keep the data security plan as a separate document.

Whichever route you choose, data security should be included in any plan, even those not related to cyber incidents. For example, a system restored after an incident may come back with the full set of access rights in place.

Writing your data security incident plan

You are likely to have already considered some aspects of data security in your business continuity plan, for example what you would do if there was a flood or fire and you couldn't access care notes. It is important that you also consider what would happen if your phone line or broadband went down. What workarounds would you use?

The 2017 WannaCry attack has also made it clear that health and care are vulnerable to cyber-attacks, and your organisation should have considered a plan for if something similar were to happen again. There are examples of business continuity plans in Appendix 2.

    "There is a continuity plan in place for data security incidents, and staff understand how to put this into action." (Data Security Standard 7.1)

Business Continuity Plan sign off

Once your organisation has added a data security plan to your business continuity plan, this needs to be signed off by the appropriate person in senior management. This person may be called the Senior Information Risk Owner (SIRO).

    "The incident management and business continuity plan has been approved by the SIRO or equivalent senior role." (Data Security Standard 7.1.2)

Testing the plan

Once you have a business continuity plan you should test it at least annually. Testing the plan can generally be done in two ways: through live testing (simulation / active testing) or through desktop-based scenarios.

Live testing

For most small organisations, it may be difficult to live test continuity plans because of the amount of resources this takes. Live testing is also designed for more complicated IT systems and so will often require the assistance of an external support service. If your organisation has the resources and the need to live test your systems, we recommend you read the general guidance on this data security standard.

Desktop testing

This should take the form of a realistic scenario and a frank and honest appraisal of your response. The goal of desktop testing is to identify gaps in your response in terms of people, processes and technology. These gaps should inform improvement actions that help your future response to any data security incidents.

These tests need to occur at least annually and have representation from the highest level in your organisation. How many people should take part in the test will depend on the size of your organisation. In very small organisations, there might only be one appropriate person who can carry out testing. The procedures in Data Security Standard 5 for reviewing processes might be a good way of managing this.

When desktop testing, you should consider a possible scenario and run through how you would deal with it. If changes need to be made to your plan as a result of the test, these should be recorded and the plan should be updated. There are example scenarios in Appendix 3.

    "There is an effective annual test of the continuity plan for data security incidents." (Data Security Standard 7.2)

The type and volume of scenarios

The type of scenarios should be related to the most likely data security incidents. Some suggestions for the type of incidents are included in Appendix 3.

During the testing

During the test, the scenario should be explained to the incident team, with replies and queries logged. The chair should probe the answers and develop the scenario. The intention is to identify areas for improvement. An example of a test log is shown in Appendix 4. Where you find gaps, you should log them, together with the name of someone to look at them. The primary purpose is to identify a gap and then move on.

Post testing

After testing you should have an action plan with names and dates for who should complete each item. This should be followed up. An example action plan is contained in Appendix 4.

    "Scanned copy of data security business continuity exercise registration sheet with attendee signatures and roles." (Data Security Standard 7.2.1)

    "From the business continuity exercise which issues and actions were documented, with names of actionees listed against each item." (Data Security Standard 7.2.3)

Roles and responsibilities

When there is an incident, it is essential that people within your organisation know who to contact. Therefore you should keep a hard-copy, up-to-date contact list. It is important that it is also known when it was last updated and printed. Consideration should be given to where the copy of the contact list is located, especially in a scenario that affects access to the site. You should consider keeping a copy on an appropriate cloud service. The contact list should be reviewed and updated at intervals. When updated, the contact list should be reprinted.

    MANDATORY: "All emergency contacts are kept securely, in hardcopy and are up-to-date." (Data Security Standard 7.2.4)

    MANDATORY: "Location of hardcopy of emergency contacts." (Data Security Standard 7.2.5)

    MANDATORY: "Date emergency contact last updated." (Data Security Standard 7.2.6)

    "Date emergency contact last printed / shared." (Data Security Standard 7.2.7)

Lessons learnt

Lessons learnt should form part of the Plan Do Check Act cycle and feed into any altered and new processes (see Data Security Standard 5, Process Reviews).

    "Document any re-defined processes to respond to common forms of cyber-attack in the last twelve months." (Data Security Standard 7.2.10)

Appendix 1 - Table of data security level 7 assertions

(Table columns: Assertion; Sub Assertion; Mandatory; Evidence)

Assertion 7.1: There is a continuity plan in place for data security incidents, and staff understand how to put this into action.
- 7.1.1 (Mandatory: Yes) There is an incident management and business continuity plan in place for data security and protection.
- 7.1.2 (Mandatory: No) The incident management and business continuity plan has been approved by the SIRO or equivalent senior role.
- 7.1.3 (Mandatory: No) Staff survey - contingency plan (Q17): "If a data security incident was to prevent technology from working in my organisation, there is a clear plan for dealing with this and I know how to continue doing the critical parts of my job."

Assertion 7.2: There is an effective annual test of the continuity plan for data security incidents.
- 7.2.1 (Mandatory: No) Scanned copy of data security business continuity exercise registration sheet with attendee signatures and roles held.
- 7.2.3 (Mandatory: No) From the business continuity exercise, which issues and actions were documented, with names of actionees listed against each item.
- 7.2.4 (Mandatory: Yes) All emergency contacts are kept securely, in hardcopy and are up-to-date.
- 7.2.5 (Mandatory: Yes) Location of hardcopy of emergency contacts.
- 7.2.6 (Mandatory: Yes) Date emergency contact last updated.
- 7.2.7 (Mandatory: No) Date emergency contact last printed/shared.
- 7.2.10 (Mandatory: No) Document any re-defined processes to respond to common forms of cyber-attack in the last twelve months.

Appendix 2 - Useful resources

Business Continuity Plan: Data Security
The Care Provider Alliance has guidance and a template for data security business continuity plans.
https://www.careprovideralliance.org.uk/data-security-and-protection-toolkit.html

Emergency Planning / Business Continuity: Pharmaceutical Services Negotiating Committee (PSNC)
PSNC has produced a business continuity template to meet the requirements of community pharmacy service providers.
https://psnc.org.uk/contract-it/essential-service-clinical-governance/emergency-planning/

Business continuity guidance for health and care organisations: NHS Digital good practice guide
Guidance for health and care organisations on the factors to consider when producing an IT and information security business continuity policy and plan, to maintain business functions at acceptable predefined levels following a disruptive incident. The guidance covers incident management, business continuity and disaster recovery through a business continuity plan, as well as training for staff, management, implementation and testing of the plan and policy.
https://digital.nhs.uk/cyber-security/policy-and-good-practice-in-health-care/business-continuity

Appendix 3 - Data security scenarios

Example A: Stand and deliver!
A member of your staff opens up an email attachment which looks legitimate. Some time after, they notice they are unable to open their work documents. This is true for all people in your organisation. You notice that all documents have been encrypted. The member of staff receives a ransom mail detailing where to transfer money to rectify the issue. How do you proceed?

Example B: Makes you want to cry
Your computer reboots and displays a screen asking for a bitcoin ransom to be paid to unlock it. All your care plans and staff details are stored on this PC. How do you proceed?

Example C: Not so fast, not so furious
The company which makes your rota software has an error which causes your rota system to stop working. How do you proceed?

Example D: Pass me the remote
Your broadband connection is disrupted and you cannot update care plans and send these out to staff working on mobile devices. How do you proceed?

Example E: Not my problem?
Many of your staff share one password to access your computer. It turns out that a malicious former employee has returned to your organisation to use this password to look at records. How do you proceed?

Example F: A modern classic?
A folder containing care records is found in the staff car park and handed in to reception. It contains sensitive care data. How do you proceed?

Appendix 4 - Example of results of a test

Desktop test: attendance sheet

Scenario: There is a power outage in your area and your computer(s) cannot be turned on.
Review venue: A meeting room
Date / time: dd/mm/yy @ hh:mm

Attendees (role: name, job title)
- Board member: Mrs Patricia Personnel
- Responsible Person: Mr Colin Cloud, Registered Manager
- IG / data security Lead: Miss Susan Septum, IG Lead
- IG / data security: Mr Lee Privilege, IG / IS Manager
- IT networks: Miss Cat Five, Network Manager
- IT servers: Mr Stan Bye, IT Server Manager
- Adjudicator: Mr Aton Detail, External Audit Service

Note that this example scenario only considers the data implications of a power outage; it does not consider the wider ramifications such as loss of power to clinical fridges, loss of call bells and alarm systems, etc. In a real scenario you would probably want to consider the wider ramifications of such a thing happening.

Process review: log of responses

Scenario: There is a power outage in your area and your computer(s) cannot be turned on.
Review venue: A meeting room
Date / time: dd/mm/yy @ hh:mm
Notes: the scenario is not known to the group beforehand.

- PP delivers the scenario.
- CC suggests going to the fuse board for the site and, if that doesn't solve the problem, calling the electricity supplier. SS doesn't know who the supplier is or where to find the number.
  Action 1: CC to update the emergency contact list and ensure that all staff are trained on where to find it.
- CC says that because care plans are stored and updated digitally, emergency laptops will be used to access vital data and that, in the meantime, care records will revert to paper templates.
  Action 2: SS to ensure that there are template care records stored in the right location for emergency situations.
- There followed a discussion on what the procedure would be, once there was power again, to retroactively upload the care records which had been handwritten, and what the procedure should be around keeping or destroying the paper records.
  Action 3: PP has said she will review who would be best placed to take on this action and would update the continuity plan.

Improvement notes for next meeting
Useful to bring copies of the BCP and a whiteboard for sketching ideas, and to include more role play and time lapses to give a sense of urgency.
Next scenario scheduled dd/mm/yy hh:mm @ 123 Room, followed by a follow-up action meeting.

Process review: action plan

Scenario: There is a power outage in your area and your computer(s) cannot be turned on.
Review venue: A meeting room
Date / time: dd/mm/yy @ hh:mm

Agenda / actions (agenda item; action; due; allocated; status)
1) Emergency Contact List. Action: Updated Emergency Contact List and trained staff on where to find it. Action complete. Due: dd/mm/yy. Allocated: SS. Status: Resolved.
2) Back up care record templates. Action: Blank back up records have been printed and stored in agreed location. Action complete. Due: dd/mm/yy. Allocated: SS. Status: Resolved.
3) Process for care record upload following power failure. Action: CC has been working to redevelop this process and train staff on how it works. Actions: ongoing. Due: dd/mm/yy. Allocated: CC. Status: Unresolved.

Appendix 5 - The National Data Guardian reports

The NDG report
Review of Data Security, Consent and Opt-Outs: recommendations to improve security of health and care information and ensure people can make informed choices about how their data is used.

The government response
"Your Data: Better Security, Better Choice, Better Care" is the government's response to:
- the National Data Guardian for Health and Care's Review of Data Security, Consent and Opt-Outs
- the public consultation on that review
- the Care Quality Commission's review Safe Data, Safe Care

It sets out that the government accepts the recommendations in both the National Data Guardian review and the Care Quality Commission review. It also reflects on what we heard through consultation to set out immediate and longer-term action for implementation.