
Policy on ‘ICT Security’ Guidance

Post on 19-Dec-2015



Aim

To increase awareness of the IT Security Policy.

Introduction

Proliferation of computerised systems, Internet (www), e-mail, e-commerce etc.

E-Health?

Legislative drivers:
– Data Protection Act 1998;
– Regulation of Investigatory Powers Act (RIP) 1998;
– Human Rights Act 2000.

Reflective Questions

What do you think are the current strengths of the Trust’s ICT infrastructure?

What do you think are the weaknesses?

What is eHealth?

“Using the internet and other electronic channels to access and deliver health and lifestyle information and services”

Current state of eHealth

First online cancer support group (alt.support.cancer) founded 1992

There are > 100k medical websites, growing exponentially

Over a third of UK homes claim an internet link in 2001

85% of UK doctors report some patients who benefited from the internet (Potts et al ’02)

44% of UK doctors report some patients who experienced problems from the internet

...fast, professional medical services

...worldwide consultation with your doctor by e-mail & phone

...and if you need to be seen, we offer convenient affordable appointments on the day you want.

e-med offers all the services of a GP Surgery but with:
– longer appointments, on the day you want
– a relaxed uncrowded waiting room
– a fast results service after tests

The patient/client view

What do people want?

Web sites:
– Reliable medical information
– Answers to medical questions
– Interactive services: data capture & charting, risk scoring, chronic disease management…

Virtual communities:
– Discussion forums, email lists, etc.
– Provide online social support, sympathy – social support more traffic than information exchange (Valaitis 2000)
– 1147 cancer-related mailing lists on Yahoo, 308 active (Potts 2002)

Why do people want it?

Information:
– Free, easy to search
– Convenient to access for a sick person – in your home 24x7 / in local library
– Huge coverage, including rare diseases – the five common cancers account for only 52% of all cases

Support groups, advice:
– As anonymous as you want
– Can choose a group you fit into
– No commitment to participate (lurkers)

Do people use it? Demand for email contact with Diabetes UK:

[Chart: proportion of contacts by phone vs. email in 1997, 1999 and 2001; y-axis 0%–100%]

Source: Debbie Hammond, Diabetes UK

Do people use it? NHSDirect Online content: 10k users per day. NHSDirect Online Enquiry Service, 2002 figures:

[Chart: average number of calls per day; y-axis 0–90]

Who / where do people use it ?

Cancer patients: 10% of cancer patients in NI, 23% in London had used the net. Higher usage in younger, educated sector. No difference with gender, diagnosis (Mills ’02, Wilkins ’02).

UK population: ONS survey Jan ’01: overall, 14% would go to the net for cancer info. Gender / age figures varied: 25% males 25-44, <1% females 75+.

The Freestyle Tracker

“A Comprehensive Diabetes Management System in the Palm of Your Hand”

• Combines blood glucose meter, diabetes manager, and (PDA) all in one compact device
• World's smallest sample blood glucose testing for nearly painless monitoring
• Tracks and stores diabetes information for on-the-go review
• Displays data in various formats to enable easier understanding and management
• Sleek PDA appearance makes glucose testing and diabetes data management more discreet
• Provides easy access to a 2,500 item Food List …

The professional view

Potential benefits for Professionals:
– Virtual electronic patient records – data from multiple sites on one screen
– Instant access to knowledge: guidelines, other reference material
– Professional knowledge services
– Globalisation of services
– Your own web site
– Electronic directory & booking of hospital tests, procedures
– Care pathways linking organisations

Professional dept. / GP practice web sites

Audience: patients, carers, GPs, Trust staff

Contents:
– Local practice information and patient advice
– Links to good external sites (eg. patient support, leaflets)
– Secure personal page for each patient – drug list, test results, letters, discharge summaries, asthma / DM data…

Potential benefits:
– Better information for patients, carers, others
– Fewer telephone calls, appointments
– Improved adherence to appointments, treatments…

Potential harms

Internet printout syndrome - more information to discuss

“Cyber-chondria”, prescription drug abuse, other harms?

Loss of direct contact with patients – fewer consults, commercial eHealth sites?

Competition from alternative practitioners, cyber-providers

Privacy Issues

So, The ICT Security Policy

What does IT Security mean?

IT Security provides improvements in:
– Confidentiality
– Integrity
– Availability

All IT systems are subject to threats:
– Incorrect input
– Theft
– Wilful damage
– Unauthorised access
– Software viruses

The Impact of the Threats

– Personal privacy
– Personal health and safety
– Financial
– Commercial confidentiality
– Legal damages and penalties
– Disruption of services
– Political embarrassment

The IT Security Policy:
– Illustrates management commitment
– Relates to IM&T strategies
– Relates to business plans
– Defines security
– Shows intention to comply with legislation
– Defines responsibilities
– Covers everyone
– Acts as basis for procedures

Why do we need a Security Policy? We need to preserve:
– Confidentiality of data access;
– Integrity of the Trust systems;
– Availability of information to the right staff.

A security policy is needed to defend against threats and to comply with prevailing legislation.

Current Legislation

– Computer Misuse Act 1990
– Data Protection Act 1998
– Regulation of Investigatory Powers (RIP) 2000
– Human Rights Act 2000
– HPSS IS Security Policy
– Freedom of Information Act

The Computer Misuse Act 1990

Introduced three new offences

Unauthorised access to computers

Unauthorised access with intent

Unauthorised modification

Regulation of Investigatory Powers (RIP) 2000

General presumption that communications (email & internet) traffic should not be intercepted, see Article 8 – HRA 2000.

But the ‘Lawful Business Practice Rules’ permit monitoring of communications without employees’ specific consent under clearly defined circumstances.

Main Provisions DPA 1998

Covers all HPSS records including electronic records

Defines ‘processing’ as obtaining, holding and disclosing data

Permits subject access to all records

Imposes considerable penalties

Data Protection ’98 – The Principles

1. Personal data shall be processed fairly and lawfully

2. Personal data shall be obtained only for one or more specified and lawful purpose

3. Personal data shall be adequate, necessary and not excessive in relation to the purpose for which it was provided

4. Personal data shall be accurate and up to date

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes

6. Personal data shall be processed in accordance with the rights of the subject under the Act

Data Protection ’98 – The Principles continued...

7. Technical & organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or damage to personal data

8. Personal data shall not be transferred to a country outside the European Economic Area.

General Security Measures

Virus Control:
– Do not load files on PC unless virus checked.
– Do not load illegal software.
– Report any virus detection to ITSO.
– Remote access & laptop users should ensure anti-virus software is up-to-date.

Protection of Hardware from theft:
– Do not remove equipment from Trust sites without relevant authority (except for laptops).
– Laptops, PDAs must use hard disk password or encryption to secure against loss of personal data.
– Lock offices, drawers, close blinds/curtains after hours.

Accidental Damage:
– Avoid eating/drinking near hardware.
– Location of hardware should comply with Health & Safety standards.
– Switch off all IT hardware when not in use.
– Avoid obstructing cooling fans on computers and printers.

Protection of data storage media:
– Data on diskettes can be corrupted by being kept near electronic/magnetic devices or direct sunlight, radiators etc.
– All media (diskettes, CD-ROM) should be locked away when not in use.
– All storage media should be clearly marked.
– Backup storage must be replaced within recommended time frames.

Unauthorised access to data:
– Use power-on passwords where available.
– Passwords should be changed.
– Use password protected screen savers.
– VDUs should be tilted away from the public.
– All sensitive printouts should be shredded.

Staff using Email

– Trust email traffic is monitored and quarantined, if necessary
– Avoid inappropriate use of email
– Restrict access to recipients who are interested in the message
– Check email regularly
– Delete unwanted messages
– Inform IT dept when sending attachments >1MB
– Don’t email attachments with sensitive information outside the HPSS
– Report any virus incidents to ITSO, do not forward virus alerts to any other person except ITSO

Passwords

– An important line of defence
– Need to be implemented to be effective
– Staff carry responsibility for impersonation

Staff should use password protection for:
• Power-on
• Network login
• System login eg HRMS, SOSCARE etc
• Screensavers

Do not duplicate passwords used in the above list.

Choose a password with care. Poor examples are:
• Your own name
• Spouse’s name
• Pet’s name!
• Car number
• Favourite football team

Use a phrase and compose the password from initial letters and numbers:
• ILIA2BH (I live in a 2 bedroom house)
• IGOHO28J (I go on holiday on 28 June)

Follow these simple rules:
– Choose one that cannot be easily guessed;
– Do not write it down;
– Keep it secret (except for contingency reasons);
– Change on a regular basis;
– Change password immediately if you think it has been compromised.

Create a new account for temporary access to ‘outsiders’.

The use of password ‘cracking’ software without prior approval of CE is a disciplinary offence.
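The password rules on these slides (avoid your own name, spouse's or pet's name, car number and football team; build the password from a phrase's initial letters and numbers; never reuse one across power-on, network, system and screensaver) can be checked mechanically. The following is an added example, not part of the original slides or any Trust tool; the names, car number and passwords in it are constructed sample data.

```python
import re

# The four places the slides say must each have their own, non-duplicated password.
SYSTEMS = ["power-on", "network login", "system login", "screensaver"]


def mnemonic_from_phrase(phrase: str) -> str:
    """Build a password the way the slides suggest: the initial letter of each
    word, upper-cased, with numbers kept whole.
    'I live in a 2 bedroom house' -> 'ILIA2BH'."""
    parts = []
    for word in phrase.split():
        parts.append(word if word.isdigit() else word[0].upper())
    return "".join(parts)


def _norm(text: str) -> str:
    """Lower-case and drop punctuation/spaces so 'ABC 1234' matches 'abc1234'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(candidate: str, personal_facts: dict, existing: dict) -> list:
    """Return the slide rules a candidate password breaks (empty list = acceptable).

    personal_facts maps a label to a fact the slides list as a poor choice
    (own name, spouse's name, pet's name, car number, favourite football team).
    existing maps a system name from SYSTEMS to the password already used there.
    """
    reasons = []
    norm = _norm(candidate)
    if not norm:
        return ["empty password"]
    for label, fact in personal_facts.items():
        f = _norm(fact)
        # Flag the fact itself, the fact buried in a longer password, and a
        # password that is merely a fragment of the fact (e.g. a surname).
        if f and (f in norm or norm in f):
            reasons.append(f"contains/equals {label}")
    for system, password in existing.items():
        if password == candidate:
            reasons.append(f"already used for {system}")
    return reasons


if __name__ == "__main__":
    # Constructed sample data, not taken from the slides.
    facts = {"own name": "Mary Smith", "pet's name": "Rex",
             "car number": "ABC 1234", "favourite football team": "Glentoran"}
    in_use = {"network login": mnemonic_from_phrase("I live in a 2 bedroom house")}
    for pw in ["rex", "ILIA2BH", mnemonic_from_phrase("I go on holiday on 28 June")]:
        print(pw, check_password(pw, facts, in_use) or "OK")
```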

Internet Policy

Access permitted only through the Trust Wide Area Network

Unacceptable use: anything
– Illegal
– Offensive
– Unethical

Business use only.
– Personal use blocks other business users
– DIS/Trust can block inappropriate sites

Do not transmit sensitive information. Remember obligations under the Data Protection Act 1998.

Internet use is monitored.

Users need to accept the terms of the Internet policy.


HPSS data posted by staff on the Internet must carry a message indicating ‘Crown Copyright’.

Any document created & posted onto the Internet by staff must identify the author and include ‘North and West Belfast HSS Trust’ (as opposed to non Trust documents).


User/News groups involvement requires director level authority.

Never use ‘Trust’ based passwords on the internet.

Avoid downloading files unless it is expressly permitted by the Web site.

Do not enter into any agreements on behalf of Trust unless authorised to do so.

Avoid downloading malicious software.

Make best use of Internet time by:
– Being search specific
– Keeping downloading time to a minimum

Do not expect too much of the internet

Exercise

Can you describe a breach of IT security that occurred within your work area?

Describe: What happened?

Why it happened?

What the impact was?

How you recovered (if you did)

Steps taken to prevent a repetition.

Trust Example: Office Fire

What happened? – Recent fire destroyed 8 PCs, printer and PC based data.

Why it happened? – Accidental fire.

What was the impact? – Minimal as there was central backup of files. Would have been catastrophic otherwise.

How we recovered? – Data reloaded onto contingency PCs in another Office.

Conclusions

Measures will:

– reduce threats

– reduce vulnerability

– reduce impact

If you are concerned about security, ask the IT department for help and advice.

Security is everyone's responsibility

Staff declaration

A Poem for Computer Users over 40!!

Thank-you for attending