Data Security Standard 7: Continuity Planning
The bigger picture and how the standard fits in
2018

Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.
Contents

Overview
Business continuity and disaster recovery
  Definition and background
  A continuity plan for data security incidents
  Expanding your existing BCP
  Expanding existing IT disaster recovery plan
  Creating a data security incident plan
Testing the plan
  Live testing
  Desktop testing
  Membership of the group
  The type and volume of scenarios
  During the testing
  Post testing
Roles and responsibilities
  Digital contact list
  Press material
Lessons learnt
Appendix 1 - Table of data security level 7 assertions
Appendix 2 - Useful resources
Appendix 3 - Data security scenarios
Appendix 4 - Example of results of a test
Appendix 5 - The National Data Guardian reports
Overview

The National Data Guardian review's data standard 7 states that:

  A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.

A business continuity exercise is run every year as a minimum, with guidance and templates available from the Toolkit. There should be a clear focus on enabling senior management to make good decisions, and this requires genuine understanding of the topic, as well as the good use of plain English.

[Figure: Business Continuity Lifecycle - Analysis, Solution, Implementation, Testing and acceptance, Maintenance]
Business continuity and disaster recovery

Definition and background

The terms business continuity and disaster recovery are often interchanged and sometimes viewed as the same thing. A business continuity plan (BCP) is concerned with how you keep the organisation running, relocating and reshaping services where needed. Disaster recovery is effectively a plan of attack for how you fix the problem and return the organisation to normality.

In the care system, organisation business continuity tends to focus on the following categories: Act of God, Staffing, Major Incident, Site Unavailability and Extreme Demand. Typical examples include:
- Flooding
- High winds
- Medical virus outbreak
- Industrial action
- Terrorist attack
- Major fire
- Power outage
- Road issues
- Winter pressures
- Service closures elsewhere

  "The global WannaCry cyber-attack in May 2017 has reaffirmed the potential for cyber incidents to impact directly on patient care and the need for our health and care system to act decisively to minimise the impact on essential frontline services."
  Your Data: Better Security, Better Choice, Better Care (Government Response)

In addition to this, organisations also need to have a business continuity plan that caters for data security incidents. There are examples of data security incidents and reporting procedures in Big Picture Guide 6.

For small organisations, your data security plan can be an extension of your existing business continuity plan. If you are part of a larger organisation and use IT extensively, it is recommended that you refer to the general guidance for this data standard, as it has more in-depth guidance for more complex IT systems.

A continuity plan for data security incidents

When creating your continuity plan for data security incidents, you can either extend your existing business continuity plan or keep the data security plan as a separate document.
Whichever route you choose, data security should be included in any plan, even those not related to cyber incidents. For example, consider what happens where a restored system comes back with the full set of access rights in place.

Writing your data security incident plan

You are likely to have already considered some aspects of data security in your business continuity plan, for example what you would do if there was a flood or fire and you couldn't access care notes. It is important that you also consider what would happen if your phone line or broadband went down. What workarounds would you use?

The 2017 WannaCry attack has also made it clear that health and care are vulnerable to cyber-attacks, and your organisation should have a plan for what to do if something similar were to happen again. There are examples of business continuity plans in Appendix 2.

  There is a continuity plan in place for data security incidents, and staff understand how to put this into action.
  Data Security Standard 7.1

Business Continuity Plan sign off

Once your organisation has added a data security plan to your business continuity plan, this needs to be signed off by the appropriate person in senior management. This person may be called the Senior Information Risk Owner (SIRO).

  The incident management and business continuity plan has been approved by the SIRO or equivalent senior role.
  Data Security Standard 7.1.2
Testing the plan

Once you have a business continuity plan you should test it at least annually. Testing the plan can generally be done in two ways: through live testing (simulation / active testing) or through desktop-based scenarios.

Live testing

For most small organisations, it may be difficult to live test continuity plans due to the amount of resources this will take. Live testing is also designed for more complicated IT systems and so will often require the assistance of an external support service. If your organisation has the resources and the need to live test your systems, we recommend you read the general guidance on this data security standard.

Desktop testing

This should take the form of a realistic scenario and a frank and honest appraisal of your response. The goal of desktop testing is to identify gaps in your response in terms of people, processes and technology. These gaps should inform improvement actions that help your future response to any data security incidents.
These tests need to occur at least annually and have representation from the highest level in your organisation. How many people should take part in the test will depend on the size of your organisation. In very small organisations, there might only be one appropriate person who can carry out testing. The procedures in Data Security Standard 5 for reviewing processes might be a good way of managing this.

When desktop testing, you should consider a possible scenario and run through how you would deal with it. If changes need to be made to your plan as a result of the test, these should be recorded and the plan should be updated. There are example scenarios in Appendix 3.

  There is an effective annual test of the continuity plan for data security incidents.
  Data Security Standard 7.2
The type and volume of scenarios

The type of scenarios should be related to the most likely data security incidents. Some suggestions for the type of incidents are included in Appendix 3.

During the testing

During the test, the scenario should be explained to the incident team, with replies and queries logged. The chair should probe the answers and develop the scenario. The intention is to identify areas for improvement. An example of a log of a test is shown in Appendix 4. Where you find gaps, you should log them (together with a name to look at them). The primary purpose is to identify a gap and then move on.

Post testing

Post testing you should have an action plan with names and dates for who should complete each item. This should be followed up. An example action plan is contained in Appendix 4.

  Scanned copy of data security business continuity exercise registration sheet with attendee signatures and roles.
  Data Security Standard 7.2.1

  From the business continuity exercise, which issues and actions were documented, with names of actionees listed against each item.
  Data Security Standard 7.2.3
Roles and responsibilities

When there is an incident, it is essential that people within your organisation know who to contact. Therefore, you should keep a hard-copy, up-to-date contact list. It is important that it is also known when it was last updated and printed. Consideration should be given to where the copy contact list is located, especially in a scenario that affects access to the site. You should consider keeping a copy on an appropriate cloud service.

The contact list should be reviewed and updated at intervals. When updated, the contact list should be reprinted.

  MANDATORY: All emergency contacts are kept securely, in hardcopy and are up-to-date.
  Data Security Standard 7.2.4

  MANDATORY: Location of hardcopy of emergency contacts.
  Data Security Standard 7.2.5

  MANDATORY: Date emergency contact last updated.
  Data Security Standard 7.2.6

  Date emergency contact last printed / shared.
  Data Security Standard 7.2.7
Lessons learnt

Lessons learnt should form part of the Plan, Do, Check, Act cycle and feed into any altered or new processes (see Data Security Standard 5, Process Reviews).

  Document any re-defined processes to respond to common forms of cyber-attack in the last twelve months.
  Data Security Standard 7.2.10
Appendix 1 - Table of data security level 7 assertions

Assertion 7.1: There is a continuity plan in place for data security incidents, and staff understand how to put this into action.
Sub-assertions (evidence required):
- 7.1.1 (mandatory: Yes) There is an incident management and business continuity plan in place for data security and protection.
- 7.1.2 (mandatory: No) The incident management and business continuity plan has been approved by the SIRO or equivalent senior role.
- 7.1.3 (mandatory: No) Staff survey - contingency plan (Q17): if a data security incident was to prevent technology from working in my organisation, there is a clear plan for dealing with this and I know how to continue doing the critical parts of my job.

Assertion 7.2: There is an effective annual test of the continuity plan for data security incidents.
Sub-assertions (evidence required):
- 7.2.1 (mandatory: No) Scanned copy of data security business continuity exercise registration sheet with attendee signatures and roles held.
- 7.2.3 (mandatory: No) From the business continuity exercise, which issues and actions were documented, with names of actionees listed against each item.
- 7.2.4 (mandatory: Yes) All emergency contacts are kept securely, in hardcopy and are up-to-date.
- 7.2.5 (mandatory: Yes) Location of hardcopy of emergency contacts.
- 7.2.6 (mandatory: Yes) Date emergency contact last updated.
- 7.2.7 (mandatory: No) Date emergency contact last printed/shared.
- 7.2.10 (mandatory: No) Document any re-defined processes to respond to common forms of cyber-attack in the last twelve months.
Appendix 2 - Useful resources

Business Continuity Plan: Data Security
The Care Provider Alliance has guidance and a template for data security business continuity plans.
https://www.careprovideralliance.org.uk/data-security-and-protection-toolkit.html

Emergency Planning / Business Continuity: Pharmaceutical Services Negotiating Committee (PSNC)
PSNC has produced a business continuity template to meet the requirements of community pharmacy service providers.
https://psnc.org.uk/contract-it/essential-service-clinical-governance/emergency-planning/

Business continuity guidance for health and care organisations: NHS Digital good practice guide
Guidance for health and care organisations on the factors to consider when producing an IT and information security business continuity policy and plan, to maintain business functions at acceptable predefined levels following a disruptive incident. The guidance covers incident management, business continuity and disaster recovery through a business continuity plan, as well as training for staff, management, implementation and testing of the plan and policy.
https://digital.nhs.uk/cyber-security/policy-and-good-practice-in-health-care/business-continuity
Appendix 3 - Data security scenarios

Example A: Stand and deliver!
A member of your staff opens up an email attachment which looks legitimate. Some time after, they notice they are unable to open their work documents. This is true for all people in your organisation. You notice that all documents have been encrypted. The member of staff receives a ransom mail detailing where to transfer money to rectify the issue. How do you proceed?

Example B: Makes you want to cry
Your computer reboots and displays a screen asking for a bitcoin ransom to be paid to unlock it. All your care plans and staff details are stored on this PC. How do you proceed?

Example C: Not so fast, not so furious
The company which makes your rota software has an error which causes your rota system to stop working. How do you proceed?

Example D: Pass me the remote
Your broadband connection is disrupted and you cannot update care plans and send these out to staff working on mobile devices. How do you proceed?
Example E: Not my problem?
Many of your staff share one password to access your computer. It turns out that a malicious former employee has returned to your organisation and used this password to look at records. How do you proceed?

Example F: A modern classic?
A folder containing care records is found in the staff car park and handed in to reception. It contains sensitive care data. How do you proceed?
Appendix 4 - Example of results of a test

Desktop test: Attendance sheet

Scenario: There is a power outage in your area and your computer(s) cannot be turned on.
Review venue: A meeting room
Date / time: dd/mm/yy @ hh:mm

Attendees (role: name, title):
- Board member: Mrs Patricia Personnel, Responsible Person
- Registered Manager: Mr Colin Cloud, Registered Manager
- IG / data security Lead: Miss Susan Septum, IG Lead
- IG / data security: Mr Lee Privilege, IG / IS Manager
- IT networks: Miss Cat Five, Network Manager
- IT servers: Mr Stan Bye, IT Server Manager
- Adjudicator: Mr Aton Detail, External Audit Service
Note that this example scenario only considers the data implications of a power outage; it does not consider the wider ramifications such as loss of power to clinical fridges, loss of call bells and alarm systems, etc. In a real scenario you would probably want to consider the wider ramifications of such a thing happening.

Process review: Log of responses

Scenario: There is a power outage in your area and your computer(s) cannot be turned on.
Review venue: A meeting room
Date / time: dd/mm/yy @ hh:mm

Notes: the scenario is not known to the group beforehand.

PP delivers the scenario.

CC suggests going to the fuse board for the site and, if that doesn't solve the problem, calling the electricity supplier. SS doesn't know who the supplier is or where to find the number.
Action 1: CC to update the emergency contact list and ensure that all staff are trained on where to find it.

CC says that because care plans are stored and updated digitally, emergency laptops will be used to access vital data and that, in the meantime, care records will revert to paper templates.
Action 2: SS to ensure that there are template care records stored in the right location for emergency situations.

There followed a discussion on what the procedure would be once there was power again to retroactively upload the care records which had been handwritten, and what the procedure should be around keeping or destroying the paper records.
Action 3: PP has said she will review who would be best placed to take on this action and will update the continuity plan.
Improvement notes for next meeting

Useful to bring copies of the BCP and a whiteboard for sketching ideas, and to include more role play and time lapse to give a sense of urgency.

Next scenario scheduled dd/mm/yy hh:mm @ 123 Room, followed by a follow-up action meeting.
Process review: Action plan

Scenario: There is a power outage in your area and your computer(s) cannot be turned on.
Review venue: A meeting room
Date / time: dd/mm/yy @ hh:mm

Agenda / actions (agenda item; action; due; allocated; status):

1) Emergency Contact List
   Action: Updated Emergency Contact List and trained staff on where to find it. Action complete.
   Due: dd/mm/yy. Allocated: SS. Status: Resolved.

2) Back up care record templates
   Action: Blank back up records have been printed and stored in agreed location. Action complete.
   Due: dd/mm/yy. Allocated: SS. Status: Resolved.

3) Process for care record upload following power failure
   Action: CC has been working to redevelop this process and train staff on how it works. Actions: ongoing.
   Due: dd/mm/yy. Allocated: CC. Status: Unresolved.
Appendix 5 - The National Data Guardian reports

The NDG report
Review of Data Security, Consent and Opt-Outs: recommendations to improve security of health and care information and ensure people can make informed choices about how their data is used.

The government response
Your Data: Better Security, Better Choice, Better Care is the government's response to:
- the National Data Guardian for Health and Care's Review of Data Security, Consent and Opt-Outs
- the public consultation on that review
- the Care Quality Commission's review Safe Data, Safe Care

It sets out that the government accepts the recommendations in both the National Data Guardian review and the Care Quality Commission review. It also reflects on what we heard through consultation to set out immediate and longer-term action for implementation.