Requirement PH 314 - Information Governance Toolkit

Information Governance – Health Care Unit
Guidance
Requirement PH 314
Does the Health Care Unit control, monitor and audit the use of mobile
computing systems to ensure their correct operation and to prevent
unauthorised access?
Objective: To ensure information security when using mobile computing or
teleworking facilities.
The security protection required should be commensurate with the risks these
ways of working cause. When using mobile computing the risks of working in
an unprotected environment should be considered and appropriate protection
applied. In the case of teleworking the organisation should consider and apply
protection to the teleworking site and ensure that acceptable arrangements are
in place for this way of working.
Mobile computing and communications
Mobile computing is now commonplace in many NHS and other organisations, with
users connecting remotely to required information services through laptops, mobile
phones, palmtops, etc. Users are also connecting from a variety of locations – home,
hotels, other NHS premises, and through wireless and dial-in technologies.
Therefore, it is essential that the following are considered within a risk assessment:

Theft, loss or damage of equipment. Equipment in transit is at particular risk of
being damaged, lost or stolen. This is especially the case for equipment used by
mobile workers who are likely to connect from a number and variety of locations.
Training, procedures and written guidance should be put in place for users, to
cover these threats. Staff members should be informed of some basic good
practice steps, to ensure that equipment is not stolen and to ensure that patient
confidentiality is maintained at all times. The good practice should include advice
about:
Locking the machine up overnight, or removal of the hard-drive if the machine cannot be locked away
Not leaving the system unattended, e.g. on the seat of a car
Use of passwords to prevent unauthorised access to information stored on the computer
How to ensure password security
Reporting lost or stolen equipment promptly

Unauthorised access to data. Unauthorised access can be gained in a number of
ways. Users may leave equipment or data unattended in a place where it may be
seen by unauthorised users. The use of a clear screen and desk policy together
with user training can help alleviate this. Second, unauthorised use can be
gained through technical means, e.g. from ‘network sniffing’ or through guessed
passwords on unattended laptops etc. Encrypted data transfer, strong access
controls and user identification and authentication, and secure wireless networks
should all be considered to counter technical hacking/cracking. It is
recommended that ‘two factor’ authentication is used and token-based, biometric,
smartcard, etc. controls are implemented.

Malicious and unauthorised mobile code. Care must be taken to ensure that all
mobile devices have their anti-virus / anti-spyware components regularly updated
to protect against these types of attacks.

Data backups. Mobile devices such as laptops are best configured so that data
processed on them is synchronised to the network at the end of a session. If
data is merely saved to a local drive and the device is lost, so is the data.

Mobile Working policy. There should be a policy (and written procedures) that
covers all aspects of mobile working. If a staff member is able to remotely
access the Health Care Unit system, e.g. by dialling in from home, or external
location, this must only be allowed if there is a process of strong authentication
through token or biometric mechanisms, e.g. fingerprint recognition. The type of
authentication in place should be decided on in conjunction with Quantum, the
PCT or Shared Services Agency if appropriate.
Improvement plans
Level 1
The Health Care Unit has a documented procedure on the use of mobile computing
systems that contains guidelines for staff on appropriate information security and
confidentiality practice. All staff wishing to work in this way must sign up to the
procedure.
The documented procedure for mobile computing should cover authorisation and
approval of staff, authentication procedures to gain access to systems and set out
how and by whom access will be monitored and audited, etc.
Level 2
The Health Care Unit has implemented the procedure on the use of mobile
computing systems. Robust remote access authentication solutions have been
provided and users have received appropriate instruction in their use. All staff
members working in this way have been appropriately approved and authorised to do
so.
Level 3
The Health Care Unit ensures the use of mobile computing systems is controlled via
its staff approval and authorisation processes. Access to its systems is monitored
and audited.
Regular audits of mobile computing arrangements should be undertaken to ensure
that all users are approved, that assets can be accounted for, that secure remote
access is used, and that any sensitive or confidential information is securely
transported or stored in the remote location. Appropriate remedial or improvement
action should be documented and taken where appropriate.
Requirement checklist
IS_PH_314_V7_Checklist_09-01-01.doc
Key Guidance Document(s):
NHS Information Risk Management: Good Practice Guidance
The guidance is aimed at those responsible for managing information risk within NHS
organisations including the Senior Information Asset Owner (SIRO) and the
Information Asset Owners (IAOs). It reflects Government guidelines and is consistent
with the Cabinet Office data handling report.
System Level Security Policy (SLSP)
A template for defining system level security arrangements. This template is relevant
to the Good Practice Guide above. It should be read in conjunction with the section
specifically addressing security policy.
DH: Information Security NHS Code of Practice
The code is a guide to the methods and required standards of practice in the
management of information security for those who work within or under contract to,
or in business partnership with NHS organisations in England. It is based on current
legal requirements, relevant standards and professional best practice and replaces
HSG 1996/15 – NHS Information Management and Technology Security Manual.
BS ISO/IEC 27000 information security standards
Note that only NHS Information Governance Toolkit (IGT) administrators may
download a copy of the standards for their organisation. The administrator must be
logged on to download the standards.
NHSnet Remote Access Guidance
An NHSIA Security Operating Procedure that defines the security requirements for
connecting to NHSnet from a remote host, i.e. strong authentication and access
controls. Please note: Security Operating Procedures are no longer updated. This
will eventually be superseded by an NHS Connecting for Health Good Practice
Guideline: NHS Network users only
Exemplar materials:
The following are not model publications but examples of real documents in
use by organisations that represent elements of good practice. They have been
made available for organisations to adapt, use and improve on as they see fit.
Nottingham: Mobile Computing Guidelines for users
Walton Centre for Neurology and Neurosurgery NHS Trust
Remote Working Standard
Communications Standard (includes remote communications)
This document is part of a BS7799 certified Information Security Management
System. The full ISMS, suitably desensitised, is available here.
Model Remote Access policy
Local User Access Management policy
A policy describing the registration and de-registration process for access to
computer network (not suitable for specific applications).
Useful website:
Teleworking guidance for employers & employees
General guidance issued (August 2003) by the Department of Trade & Industry.