Garry Bolland Information Security Officer / Data Protection Office x3671 Security is a Culture


Post on 15-Apr-2017


TRANSCRIPT

Page 1: Security is a Culture GB v 9

Garry Bolland

Information Security Officer / Data Protection Office x3671

Security is a Culture

Page 2

Protection of Personal Data

Page 3

Security starts at Home

• Have an updated Virus (& Malware) checker
• Use Strong Passwords
• Don’t download from unknown sites
• Don’t open emails from unknown sources
• Keep your security software patches up to date
• Back-up copies of important/precious files, etc.
• Shop online Safely
• Beware of Bogus calls for Computer help

Page 4

Gameover (Zeus)

• http://www.getsafeonline.org/
• https://www.getsafeonline.org/themes/site_themes/getsafeonline/pdf/GetSafeOnline_RoughGuide.pdf
• https://www.cyberstreetwise.com/
• http://ceop.police.uk/safety-centre/
• http://www.bbc.co.uk/webwise/0/22717886
• Victim of Malware – http://www.actionfraud.police.uk/scam-emails
• Or call 0300 123 2040

Page 5

Email – Phishing Scams

Don’t get hooked by a bogus eMail

Stop & Think

DON’T CLICK

Page 6

What is a Phishing Attack?

• Phishing is the act of attempting to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

• Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Page 7

Example – Phishing 1

Page 8

Guidance from Tax Office

• HM Revenue & Customs (HMRC) will never send notifications of a tax rebate / refund by email, or ask you to disclose personal or payment information by email.

• Do not visit the website contained within the email or disclose any personal or payment information.

• http://www.hmrc.gov.uk/security/examples.htm

Page 9

Guidance from RLBUHT

• Don’t click on any links within the email
• Do NOT respond
• Save the email (Save As)
• Forward to Server Team
• They will get N3 network to BLOCK that email address
• Brightmail should remove any Virus Component
• Delete Email

Page 10

Example – Phishing 2

Page 11

Barclays - 2

Page 12

Example - 1a

Page 13

Example - 1b

Page 14

Example – 2a

Page 15

Example – 2b

Page 16

Example 3a

Page 17

Example 3b

Page 18

What are Data Flows?

• Data Flows are a requirement that must be completed every 2 years

• They are done per Department, covering every item of Personal Identifiable Data (PID) that flows into / out of the Trust

• They take the form of a spreadsheet that asks for every process by which data flows, i.e. by letter, fax, email, File Transfer Protocol (FTP), etc.

• Phase out Fax & send encrypted email (PGP).

Page 19

What are Data Flows - Spreadsheet?

Page 20

Email Usage

Email is a business tool and the language used in all correspondence should reflect this

Staff should not use abusive language or profanity in any correspondence regardless of who it’s being sent to

Email filtering software is currently in place that monitors all incoming and outgoing Email for abusive language and profanity

Staff must also not send any Personal Identifiable Data (PID) or commercially sensitive data insecurely. Here are some do’s and don'ts:

• RLBUHT Trust to RLBUHT Trust – Secure
• NHS Mail to NHS Mail – Secure
• NHS Mail to the following domains – Secure: x.gsi.gov.uk; .gsi.gov.uk; gse.gov.uk; gsx.gov.uk; pnn.police.uk; csjm.net; scn.gov.uk; gcsx.gov.uk; mod.uk
• RLBUHT Trust to another Trust – not secure
• RLBUHT Trust to NHS Mail – not secure
• NHS Mail to RLBUHT Trust – not secure

Page 21

PGP – Email Encryption (sending)

• Within Outlook select Tags
• Select Sensitivity Drop-down
• Change Normal to Confidential
• Select Close
• Send as normal
• Recipient gets re-directed to RLBUHT portal
• Recipient enters passphrase
• No Patient No., DOB or names in the Header (the header is not encrypted).

Page 22

PGP – Email Encryption (receiving)

Page 23

Certificate Error

Page 24

Initial Setup

Page 25

PGP – Email Encryption (receiving)

Page 26

PGP – Email Encryption (receiving)

Page 27

PGP – Email Encryption (receiving)

Page 28

Facebook & Twitter

• Facebook is an online (internet) social networking service
• It enables people & groups to chat, share ideas & photographs
• The Trust allows the use of this facility during allocated lunch breaks for personal use
• It does not allow ‘posting’ of Trust related information
• Do not post anything that may bring the Trust into disrepute – Don’t be a Twit be a careful Tweeter
• Warning - Facebook has a license to use your content in any way it sees fit.

Page 29

Blogs

• A blog (a truncation of the expression web log) is a personal website or web page on which an individual records opinions, links to other sites, etc. on a regular basis
• As for Facebook don’t bring the Trust into disrepute
• And certainly don’t start to record medical information even if anonymised.
• You will be asked to remove and delete it

Page 30

Why shouldn’t ‘we’ be using XP?

• Microsoft no longer supporting XP since July 8th 2014
• Anti-Virus Vendors may stop supporting XP (MSE to July 2015)
• A greater risk from vulnerabilities
• Patch Tuesday fixed latest IE Flaw
• Migrate to Windows 7 (or Windows 8)
• But not all processes run on Win7/8 (Risk)
• Residual Risk or Accept

Page 31

Why are some Sites Blocked?

• Both large and small companies block sites to cut down on security breaches and boost productivity (Facebook etc. now OK)
• To prevent downloading viruses and malicious code
• To prevent unauthorised software
• To prevent breaches of licensing and copyright laws

Page 32

Why can’t I just download any software?

• Control of Software
• Trust Process
– IT Asset Management Policy - Section 9
– Design Board – Meets every 3rd Tuesday of the Month
– Project Mandate Form

Page 33

Software Request Form

Page 34

Why do I need an NDA?

• Non-Disclosure Agreement (NDA)
– Is required when dealing with outside contractors dealing with patient, staff or financial Trust data
– Is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another

• Information Sharing Agreement (ISA)

Page 35

Why do I need an ISA?

• Information Sharing Agreement (ISA)
– Is required when dealing with outside contractors dealing with patient, staff or financial Trust data, when data is shared, copied, moved off site (or viewed by external Contractors)
– Is a legal contract between at least two parties
– Data Controller
– Data Processor

Page 36

What is the IG Toolkit?

• It is a requirement placed on all NHS organisations (or partners)
• The Information Governance Toolkit (IGT) is an online tool that enables organisations to measure their performance against the information governance requirements
• To provide NHS organisations with a means of self assessing performance against key aspects of information governance

Page 37

Who are the ICO?

• The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
• And they have the ability to fine the Trust up to £500,000 per incident if a breach is caused

Page 38

Why do I need a Clear Desk Policy?

• Information needs to be Protected (especially outside normal working hours)
• Need to Know Principle
• Lock unused documents in desks or lock whole office
• Lock PCs when not in use
• File documents so that they can easily be referenced or located
• A Tidy Ship is a Happy Ship

Page 39

What is an IAO/IAA?

• Trust systems that store information (patient, staff or financial) are information Assets
• If you are a Manager of a Department or a System then it is likely you are an Information Asset Owner (IAO) or if you administer it you are an Information Asset Administrator (IAA)
• As an IAO/IAA you have to manage this asset and any risks associated with it and defined by Policy

Page 40

What is DATIX?

• Software for Patient Safety
– A tool to register clinical incidents within the Trust
• Software for IT Risks
– A tool to register IT incidents/risks within the Trust
– Additional access over & above clinical risks for IT Project Risks (TB)

Page 41

I am being Monitored?

• Data Loss Prevention (DLP) is an automated tool that monitors all outgoing email for patient, staff or financial information (Outlook or Web Mail)
• Websense is an automated tool that monitors all web traffic and blocks certain web sites
• All Clinical Systems have account log in details & monitor who logs in and when
• Note Tablets/Laptops & Desktops have tracking
• You have been Warned.
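The secure/not-secure route table on the Email Usage slide (Page 20) and the DLP check described here, as an added example that is not part of the presentation or the Trust's own tooling: an outgoing-mail check that applies the route rules and refuses PID on a non-secure route or in the unencrypted header. The domains rlbuht.example (standing in for the Trust) and nhs.net (NHS Mail), the suffix matching of the listed government domains and the PID markers are all assumptions.

```python
import re

# Assumed for the example: the deck names "RLBUHT Trust" and "NHS Mail" but gives
# no Trust domain; rlbuht.example stands in for it and nhs.net for NHS Mail.
TRUST_DOMAIN = "rlbuht.example"
NHSMAIL_DOMAIN = "nhs.net"
# Government domains the Email Usage slide lists as secure destinations from NHS Mail.
SECURE_GOV_DOMAINS = (
    "x.gsi.gov.uk", ".gsi.gov.uk", "gse.gov.uk", "gsx.gov.uk",
    "pnn.police.uk", "csjm.net", "scn.gov.uk", "gcsx.gov.uk", "mod.uk",
)
# Constructed PID markers: the kind of patient detail the deck says must not go insecurely.
PID_PATTERNS = [
    re.compile(r"\bNHS\s*(?:No\.?|Number)\b", re.I),
    re.compile(r"\bDOB\b|\bdate of birth\b", re.I),
    re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),  # a UK-format date, as in a DOB
]

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def _is_listed_gov(domain: str) -> bool:
    # Suffix match, so sub-domains of a listed domain also count (an assumption).
    for entry in SECURE_GOV_DOMAINS:
        base = entry.lstrip(".")
        if domain == base or domain.endswith("." + base):
            return True
    return False

def route_is_secure(sender: str, recipient: str) -> bool:
    """Apply the slide's route table; routes it does not list are treated as not secure."""
    src, dst = _domain(sender), _domain(recipient)
    if src == TRUST_DOMAIN:
        return dst == TRUST_DOMAIN  # Trust -> another Trust or NHS Mail: not secure
    if src == NHSMAIL_DOMAIN:
        return dst == NHSMAIL_DOMAIN or _is_listed_gov(dst)  # NHS Mail -> Trust: not secure
    return False

def contains_pid(text: str) -> bool:
    return any(p.search(text) for p in PID_PATTERNS)

def dlp_decision(sender: str, recipient: str, subject: str, body: str):
    """Return (allowed, reason). The subject is checked on every route because the
    PGP slide warns that the header is never encrypted."""
    if contains_pid(subject):
        return False, "PID in subject/header, which is never encrypted"
    if contains_pid(body) and not route_is_secure(sender, recipient):
        return False, f"PID on non-secure route {_domain(sender)} -> {_domain(recipient)}"
    return True, "ok"
```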

Page 42

Programme Managers

• Need to know how IG relates to programmes
• IG Checklist
– Privacy Impact Assessment
– NDA/ISA & Data Flows
– Does it contain PID
– Is it being transferred Securely
– Asset Register and Risk Assessments (IAO/IAA)
– Design Board
– Requirements to satisfy IG Toolkit

Page 43

On Line IG Training - ESR

• Use Your Smart Card and sign into ESR

Page 44

They are Watching

Page 45

Any Questions?

Page 46

Questions?