DATA SECURITY, PROTECTION AND RECOVERY POLICIES

(last updated 11/12/2019, reviewed 14/08/2020)

Confidential data

In this context, confidential data means any information or matter which is not in the public domain and which relates to the business, products, affairs or finances of the Company or any of its business contacts and includes:

Personal data is stored in locked cabinets in a secure location (paper) or in a secure area on the Company Server. Access to confidential data is only authorised to specific staff who need it for their current role (typically the Office Manager) and authorisation is removed as soon as it is no longer required. Staff may request access to their personal data at any time. No external supplier has access to personal data.

Employees are required to comply with the Company’s regulations to keep such records safe, and at no time either during or after their employment with the Company use or disclose to any person, cause or facilitate the unauthorised disclosure of confidential information, or make use of any confidential information about the business or affairs of the Company or any of its business contacts, or about any other matters which may come to their knowledge in the course of their employment.

Employees cannot remove from the Company premises, without prior authority, any document, computer media or other tangible item which contains any confidential information or which belongs to the Company or their clients/customers, suppliers or agents.

Employees cannot without the prior written authorisation of the Company publish literature, deliver any lecture or make any recording, broadcast or demonstration relating in any way to the Company’s activities or in which the name of the Company is mentioned, except with the prior consent of the Company or as required by law.

Although no information relating to patients is held by the Company, employees will process computer records relating to patients on Trust sites. This will include (but is not limited to) personal details and medical examination records including images. In dealing with such data, employees are required to comply with the principles of the Data Protection Act 2018.

No requests for access to personal data have been made in the last 12 months.

Information security

The Data Protection Officer (currently Prof. T. Ritchings) is responsible for Information Security in the Company. All employees are made aware of the impact their actions can have on privacy and security through their Job Contract and annual data security training and testing.

The Company’s information security policies include the technologies used by the Company to protect the confidential information, and define the processes and action plans in place to recover from a computer security incident. A security incident is the violation or imminent threat of violation of confidential information, such as unauthorised employee activity, an infected computer, or a Cyber-attack (DDoS). Depending on the severity of the incident, it may be necessary to implement the Business Continuity plan to keep the Company operating, and if this fails, to implement the Disaster Recovery plan. The Incident Recovery plan is defined below after describing the technologies currently used by the Company to protect the confidential information.

Technologies

The Company computer infrastructure, internet access, and administration are managed by an external professional IT support and technology services company, ManchesterIT. The Company has achieved Cyber Essentials certification (19/8/2020).

The infrastructure consists of an internal network with 8 PC Workstations (Windows 10), 2 Servers (Windows 2016) and a DrayTek router which provides access to the Internet. ManchesterIT ensure that all high-risk or critical security updates for Operating Systems and firmware are installed and tested promptly (within 14 days). They are also responsible for backing up the Servers and the recovery process, and documenting and reviewing this annually.

They are responsible for managing the system firewalls and anti-virus software (currently SolarWinds Managed Anti-virus but moving to Bitdefender). There is an embedded firewall in the DrayTek routers, and all PCs have Windows firewalls enabled. The only services enabled are VPN remote access, to allow ManchesterIT access into the system, and a ManchesterIT FTP server. Users cannot access the system remotely (see note in Business Continuity section), or use tablets or smartphones to access the network.

ManchesterIT also manage user accounts on written notification (email) from the Company including:

The SPAM filters are currently blocking approximately 100 threats per day. No phishing emails have been reported in the last 12 months.

Incident Response plan

The incident response plan has the following stages:

Preparation
Identification
Containment
Eradication
Recovery
Lessons learnt

No Security Incidents have been reported in the last 12 months.

Business continuity/Disaster Recovery plans

The Business Continuity and Disaster Recovery plans define the actions and arrangements that take place following a security or other incident that could prevent the Company from operating normally. The most critical risk relates to the Company’s Help Desk, which provides real-time support and maintenance for the Hospitals' clinics using the Company’s clinical applications. Plans that are in place to ensure continuity of the Help Desk and software development are as follows:

Staffing

An inventory of staff expertise is maintained and updated regularly to ensure that all software development staff, especially new employees, are able to use the development tools effectively, and understand the details of the applications and the computer interfaces to the hospitals in sufficient depth to perform updates and testing. Any software modifications are tested by a second developer before release. Succession planning is in place.

Information security

All software sources and Company documentation are saved on the main server, which is backed up by ManchesterIT weekly and stored in a data warehouse off-site. Only ManchesterIT have Administrative rights to the backup/recovery process. Depending on the severity of an incident, information can be partially or fully restored from the backup. No patient information is held by the Company at any time, and so is not affected by any information security breaches in the Company.

Premises

The Company PCs and Servers are situated in locked rooms in a building that is fully alarmed and monitored 24 hours by a professional Security firm. The alarm is enabled/disabled by key-fob and all alarm status changes are logged. In the event of a break-in and damage or theft of the computers, the affected computers are replaced and the appropriate software downloaded by ManchesterIT, and in the case of the Server the backup is restored. In the case of serious damage to the premises such as fire, or electrical power-out, staff can be relocated to work at home on a temporary basis, with access to new or relocated machines being managed by ManchesterIT and the main telephone switchboard diverted to the Office Manager’s home.

Since the outbreak of Covid-19, Business Continuity has been maintained by staff working from home, and secure access to the Office network via VPN has been enabled by ManchesterIT on a temporary basis. The Help Desk and software development have been operating normally.