Policy on ‘ICT Security’ Guidance

Aim
To increase awareness of the Trust’s IT Security Policy.

Introduction
Proliferation of computerised systems, the Internet (www), e-mail, e-commerce etc. E-Health?
Legislative drivers:
– Data Protection Act 1998;
– Regulation of Investigatory Powers Act (RIP) 2000;
– Human Rights Act 1998 (in force from October 2000).

Reflective Questions
What do you think are the current strengths of the Trust’s ICT infrastructure?
What do you think are the weaknesses?

What is eHealth?
“Using the internet and other electronic channels to access and deliver health and lifestyle information and services”

Current state of eHealth
– First online cancer support group (alt.support.cancer) founded 1992
– There are > 100k medical websites, growing exponentially
– Over a third of UK homes claimed an internet link in 2001
– 85% of UK doctors report some patients who benefited from the internet (Potts et al ’02)
– 44% of UK doctors report some patients who experienced problems from the internet

Commercial eHealth example: e-med (its own advertising copy)
“...fast, professional medical services ...worldwide consultation with your doctor by e-mail & phone ...and if you need to be seen, we offer convenient affordable appointments on the day you want. e-med offers all the services of a GP Surgery but with: longer appointments, on the day you want; a relaxed uncrowded waiting room; a fast results service after tests.”

The patient/client view
What do people want?
Web sites:
– Reliable medical information
– Answers to medical questions
– Interactive services: data capture & charting, risk scoring, chronic disease management…
Virtual communities:
– Discussion forums, email lists, etc.
– Provide online social support and sympathy; social support generates more traffic than information exchange (Valaitis 2000)
– 1147 cancer-related mailing lists on Yahoo, 308 active (Potts 2002)

Why do people want it?
Information:
– Free, easy to search
– Convenient to access for a sick person: in your home, 24x7, or in the local library
– Huge coverage, including rare diseases (the five common cancers account for only 52% of all cases)
Support groups, advice:
– As anonymous as you want
– Can choose a group you fit into
– No commitment to participate (lurkers)

Do people use it?
[Chart: demand for email contact versus phone contact with Diabetes UK, as a percentage, in 1997, 1999 and 2001. Source: Debbie Hammond, Diabetes UK]

Do people use it?
NHSDirect Online content: 10k users per day.
NHSDirect Online Enquiry Service, 2002 figures:
[Chart: average number of calls per day, by month, January to December]

Who / where do people use it?
Cancer patients:
– 10% of cancer patients in NI, 23% in London had used the net
– Higher usage in the younger, educated sector
– No difference with gender or diagnosis (Mills ’02, Wilkins ‘02)
UK population:
– ONS survey Jan ’01: overall, 14% would go to the net for cancer info.
– Gender / age figures varied: 25% of males aged 25-44, <1% of females aged 75+

The Freestyle Tracker
“A Comprehensive Diabetes Management System in the Palm of Your Hand” (manufacturer’s description)
• Combines blood glucose meter, diabetes manager, and PDA all in one compact device
• World's smallest sample blood glucose testing for nearly painless monitoring
• Tracks and stores diabetes information for on-the-go review
• Displays data in various formats to enable easier understanding and management
• Sleek PDA appearance makes glucose testing and diabetes data management more discreet
• Provides easy access to a 2,500 item Food List …

The professional view
Potential benefits for Professionals
– Virtual electronic patient records: data from multiple sites on one screen
– Instant access to knowledge: guidelines, other reference material
– Professional knowledge services
– Globalisation of services
– Your own web site
– Electronic directory & booking of hospital tests, procedures
– Care pathways linking organisations

Professional dept. / GP practice web sites
Audience: patients, carers, GPs, Trust staff
Contents:
– Local practice information and patient advice
– Links to good external sites (eg. patient support, leaflets)
– Secure personal page for each patient: drug list, test results, letters, discharge summaries, asthma / DM data…
Potential benefits:
– Better information for patients, carers, others
– Fewer telephone calls, appointments
– Improved adherence to appointments, treatments…

Potential harms
– Internet printout syndrome: more information to discuss
– “Cyber-chondria”, prescription drug abuse, other harms?
– Loss of direct contact with patients: fewer consults, commercial eHealth sites?
– Competition from alternative practitioners, cyberproviders
– Privacy issues

So, The ICT Security Policy
What does IT Security mean?
IT Security provides improvements in:
– Confidentiality
– Integrity
– Availability

All IT systems are subject to threats
– Incorrect input
– Theft
– Wilful damage
– Unauthorised access
– Software viruses

The Impact of the Threats
– Personal privacy
– Legal damages and penalties
– Personal health and safety
– Disruption of services
– Political embarrassment
– Financial
– Commercial confidentiality

The IT Security Policy
– Illustrates management commitment
– Relates to IM&T strategies
– Relates to business plans
– Defines security
– Shows intention to comply with legislation
– Defines responsibilities
– Covers everyone
– Acts as the basis for procedures

Why do we need a Security Policy?
We need to preserve:
– Confidentiality of data access;
– Integrity of the Trust systems;
– Availability of information to the right staff.
A security policy is needed to defend against threats and to comply with prevailing legislation.

Current Legislation
– Computer Misuse Act 1990
– Data Protection Act 1998
– Regulation of Investigatory Powers (RIP) 2000
– Human Rights Act 1998 (in force from October 2000)
– HPSS IS Security Policy
– Freedom of Information Act

The Computer Misuse Act 1990
Introduced three new offences:
– Unauthorised access to computers
– Unauthorised access with intent to commit or facilitate further offences
– Unauthorised modification of computer material

Regulation of Investigatory Powers (RIP) 2000
– General presumption that communications (email & internet) traffic should not be intercepted; see Article 8 of the European Convention on Human Rights (respect for private life and correspondence), given effect in UK law by the Human Rights Act 1998.
– But the ‘Lawful Business Practice’ Regulations 2000 permit monitoring of communications without employees’ specific consent under clearly defined circumstances.

Main Provisions of the DPA 1998
– Covers all HPSS records, including electronic records
– Defines ‘processing’ broadly, including obtaining, holding and disclosing data
– Permits subject access to all records
– Imposes considerable penalties

Data Protection ’98: The Principles
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes
3.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed

Data Protection ’98: The Principles continued...
4. Personal data shall be accurate and, where necessary, kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes
6. Personal data shall be processed in accordance with the rights of the data subject under the Act

Data Protection ’98: The Principles continued...
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to personal data
8. Personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection for the data subject

General Security Measures
Virus Control:
– Do not load files onto a PC unless they have been virus checked.
– Do not install unlicensed or unauthorised software.
– Report any virus detection to the ITSO.
– Remote access & laptop users should ensure their anti-virus software is up to date.

General Security Measures
Protection of Hardware from theft:
– Do not remove equipment from Trust sites without relevant authority (except for laptops).
– Laptops and PDAs must use a hard disk password or encryption to secure against loss of personal data. Encryption is the stronger of the two: a power-on or BIOS password does not protect data on a disk that has been removed and read in another machine.
– Lock offices and drawers, and close blinds/curtains after hours.

General Security Measures
Accidental Damage:
– Avoid eating/drinking near hardware.
– Location of hardware should comply with Health & Safety standards.
– Switch off all IT hardware when not in use.
– Avoid obstructing cooling fans on computers and printers.

General Security Measures
Protection of data storage media:
– Data on diskettes can be corrupted by being kept near electronic/magnetic devices, in direct sunlight, near radiators etc.
– All media (diskettes, CD-ROMs) should be locked away when not in use.
– All storage media should be clearly marked.
– Backup media must be replaced within the recommended time frames.

General Security Measures
Unauthorised access to data:
– Use power-on passwords where available.
– Passwords should be changed regularly.
– Use password-protected screen savers.
– VDUs should be tilted away from the public.
– All sensitive printouts should be shredded.

Staff using Email
– Trust email traffic is monitored and quarantined if necessary
– Avoid inappropriate use of email
– Restrict recipients to those who need the message
– Check email regularly
– Delete unwanted messages

Staff using Email
– Inform the IT dept when sending attachments > 1MB
– Don’t email attachments containing sensitive information outside the HPSS
– Report any virus incidents to the ITSO; do not forward virus alerts to anyone other than the ITSO

Passwords
– An important line of defence
– Need to be implemented to be effective
– Staff carry responsibility for any impersonation carried out with their credentials
– Staff should use password protection for:
  • Power-on
  • Network login
  • System login (eg HRMS, SOSCARE etc.)
  • Screensavers
– Do not reuse a password across the items in the above list

Passwords
Choose a password with care. Poor examples are:
• Your own name
• Spouse’s name
• Pet’s name!
• Car number
• Favourite football team
Use a phrase and compose the password from its initial letters and numbers:
• ILIA2BH (I live in a 2 bedroom house)
• IGOHO28J (I go on holiday on 28 June)

Passwords
Follow these simple rules:
– Choose one that cannot be easily guessed;
– Do not write it down;
– Keep it secret (except for contingency reasons);
– Change it on a regular basis;
– Change it immediately if you think it has been compromised.
Create a new account for temporary access by ‘outsiders’.
The use of password ‘cracking’ software without prior approval of the CE is a disciplinary offence.

Internet Policy
Access permitted only through the Trust Wide Area Network.
Unacceptable use: anything
– Illegal
– Offensive
– Unethical

Internet Policy
Business use only.
– Personal use blocks other business users
– DIS/Trust can block inappropriate sites
Do not transmit sensitive information; remember obligations under the Data Protection Act 1998.
Internet use is monitored.
Users need to accept the terms of the Internet policy.

Internet Policy
HPSS data posted by staff on the Internet must carry a message indicating ‘Crown Copyright’.
Any document created & posted onto the Internet by staff must identify the author and include ‘North and West Belfast HSS Trust’ (to distinguish it from non-Trust documents).

Internet Policy
– User/News group involvement requires director level authority.
– Never use ‘Trust’ based passwords on the internet.
– Avoid downloading files unless it is expressly permitted by the Web site.

Internet Policy
– Do not enter into any agreements on behalf of the Trust unless authorised to do so.
– Avoid downloading malicious software.
– Make best use of Internet time by being search specific and keeping downloading time to a minimum.
– Do not expect too much of the internet.

Exercise
Can you describe a breach of IT security that occurred within your work area? Describe:
– What happened?
– Why it happened?
– What the impact was?
– How you recovered (if you did)
– Steps taken to prevent a repetition

Trust Example: Office Fire
What happened?
– A recent fire destroyed 8 PCs, a printer and PC-based data.
Why it happened?
– Accidental fire.
What was the impact?
– Minimal, as there was a central backup of the files. It would have been catastrophic otherwise.
How we recovered?
– Data reloaded onto contingency PCs in another office.

Conclusions
Measures will:
– reduce threats
– reduce vulnerability
– reduce impact
If you are concerned about security, ask the IT department for help and advice.
Security is everyone's responsibility.

Staff declaration

A Poem for Computer Users over 40!!

Thank-you for attending
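As an added worked example, not part of the original slides: the rules from the Passwords slides above (derive a password from the initial letters and numbers of a phrase, avoid the ‘poor examples’ such as your own or a pet’s name or car number, and do not reuse one password across power-on, network login, system login and screensaver) expressed as Python checks. The personal details and passwords in it are constructed test data; the minimum length of 7 and the letters-plus-digits requirement are assumptions taken from the slide’s two examples rather than rules the slide states.

```python
"""Added example (not from the training deck): checks for the Passwords slides.

Implements the slides' advice:
  * build a password from the initial letters (and numbers) of a phrase;
  * reject passwords built from the 'poor examples' (own name, spouse, pet,
    car number, football team);
  * refuse to reuse one password across power-on, network login, system
    login and screensaver.
All names, passwords and car numbers below are constructed test data.
"""
from __future__ import annotations

import re
from typing import Iterable


def phrase_to_password(phrase: str) -> str:
    """Turn 'I live in a 2 bedroom house' into 'ILIA2BH' as the slide does:
    first character of each word, upper-cased, with whole numbers kept."""
    parts = []
    for word in phrase.split():
        if word.isdigit():
            parts.append(word)            # keep a number whole, e.g. "28"
        else:
            parts.append(word[0].upper())
    return "".join(parts)


def _compact(text: str) -> str:
    """Lower-case and strip everything but letters and digits, so that
    'ABC 123' and 'abc123' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def easily_guessed(password: str, personal_details: Iterable[str]) -> list[str]:
    """Return the reasons a password fails the slide's guidance ([] if it passes).

    personal_details are the things the slide says not to use: own name,
    spouse's name, pet's name, car number, favourite football team.
    Minimum length 7 and the letters-plus-digits rule are assumptions drawn
    from the slide's examples (ILIA2BH, IGOHO28J), not stated policy.
    """
    reasons = []
    compact_pw = _compact(password)
    for detail in personal_details:
        d = _compact(detail)
        if len(d) >= 3 and d in compact_pw:
            reasons.append(f"contains personal detail {detail!r}")
    if len(password) < 7:
        reasons.append("shorter than 7 characters")
    if not re.search(r"\d", password) or not re.search(r"[A-Za-z]", password):
        reasons.append("does not mix letters and digits")
    return reasons


SYSTEMS = ("power-on", "network login", "system login", "screensaver")


def reused_passwords(passwords_by_system: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of systems from the slide's list that share a password.
    The slide's rule is that none of them should."""
    first_seen: dict[str, str] = {}
    clashes = []
    for system, pw in passwords_by_system.items():
        if pw in first_seen:
            clashes.append((first_seen[pw], system))
        else:
            first_seen[pw] = system
    return clashes


if __name__ == "__main__":
    # Constructed details for a fictitious member of staff.
    details = ["Jane Smith", "Tom", "Rover", "ABC 123", "Linfield"]
    candidates = ["rover", "abc123", phrase_to_password("I live in a 2 bedroom house"),
                  phrase_to_password("I go on holiday on 28 June")]
    for candidate in candidates:
        print(f"{candidate:10} {easily_guessed(candidate, details) or 'ok'}")
    # Same password on power-on and system login: the slide says not to.
    print(reused_passwords({"power-on": "ILIA2BH", "network login": "IGOHO28J",
                            "system login": "ILIA2BH", "screensaver": "MBIAT2U"}))
```

The phrase method is the useful part of the slide: it produces something memorable that is not in a dictionary and not tied to personal facts an attacker can look up. Note that its examples are only 7 or 8 upper-case characters with digits, which is short by today’s standards; the same technique with a longer phrase, mixed case and punctuation kept from the words gives a far larger search space, and the checks above are written so the length threshold can be raised without other changes.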