Information Governance & Cyber Security Incident Reporting Procedure

Document History

Document Reference:
Document Purpose: / To provide guidance in relation to information governance and cyber security breaches
Date Approved: / 22/11/2018
Approving Committee: / Derbyshire CCG Information Governance Committee
Version Number: / V1.7 Final
Status: / Final
Next Revision Due: / November 2019
Developed by: / Information Governance, Arden & Greater East Midlands Commissioning Support Unit (Arden & GEM CSU)
Policy Sponsor: / Information Governance Services Arden & Greater East Midlands CSU
Target Audience: / This policy applies to any person directly employed, contracted, volunteering or otherwise associated with the Derbyshire CCGs
Associated Documents: / All Information Governance Policies and the Information Governance Toolkit

Revision History

Version / Revision date / Summary Changes
0.1 Draft / January 2016
1.0 Final / January 2016
1.1 Draft / May 2017 / Reviewed by AGEM IG Team
1.2 Draft / June 2017 / Reviewed by IGWG
1.3 Draft / July 2017 / Amended forms re Cyber Security
1.4 Draft / August 2017 / Reviewed by IG Leads
1.5 Draft / December 2017 / Process chart added
1.6 Draft / January 2018 / IG Leads review

Policy Dissemination information

Reference Number / Title / Available from
Information Governance & Cyber Security Incident Reporting Procedure

Contents

1. Introduction

2. Aims

3. Roles & Responsibilities

3.1 All CCG Employees

3.2 CCG Managers

3.3 CCG IG Lead

3.4 Arden & GEM CSU

3.5 North of England CSU (NECS)

4. Incident Definitions

4.1 Information Governance Incident

4.2 Cyber Security Incident

5. Incident Management

5.1 Reporting an Information Governance Incident

5.2 Reporting a Cyber Incident

5.3 Assessing an Incident

5.4 Incident Report Plan

5.5 Incident Investigation and Reporting

5.6 Incident Close Down

Appendix A: Information Governance Incident Report Form

Appendix B: Staff Guideline on Identifying and Reporting IG or Cyber Security Incidents

Appendix C – Incident Management and Reporting Flowchart

Appendix D - IG 32- Derbyshire Wide Protocol for Scoring Joint IG Incidents

1. Introduction

This procedure is to be used in conjunction with the Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation.[1] The CCG recognises that on occasions, IG incidents and near misses may occur that result in failure to meet the requirements of the Data Protection Act or the Common Law of Confidentiality. This document sets out the processes and clearly identifies the responsibility between the CCG, Arden & GEM CSU and NECS (North of England Commissioning Support) for managing incidents.

2. Aims

The aims of the procedure are:

• To describe the process for reporting and recording information and cyber incidents;

• To ensure the process conforms to NHS and best practice requirements;

• To encourage the prompt and consistent reporting of all information and cyber incidents, and near misses;

• To ensure investigation of information and cyber incidents and near misses;

• To provide a feedback mechanism and organisational learning from information and cyber incidents and near misses.

3. Roles & Responsibilities

3.1 All CCG Employees

All employees of the CCG are responsible for reporting information and cyber incidents and near misses as soon as possible and for notifying their manager, so that the event can be investigated, immediate steps can be taken to reduce any potential impact of the breach, and measures can be taken to minimise the risk of a recurrence of the situation in the future.

3.2 CCG Managers

Managers are responsible for ensuring that information and cyber incidents and near misses are graded and investigated as soon as possible after the event and that measures are taken to minimise the risk of a recurrence of the situation.

3.3 CCG IG Lead

The CCG Information Governance Lead is responsible for ensuring that information security incidents and data breaches (collectively referred to as information governance) are graded according to the HSCIC: Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation[1] and that the appropriate reporting route is taken depending on the level of incident. For level 1 and below incidents, the IG Lead will also ensure that appropriate investigation is undertaken. For level 2 and above incidents, the IG Lead will ensure the incident is reported via the CCG’s IG Toolkit.

3.4 Derbyshire CCGs IG Team

Provides expert Information Governance advice and will support the CCG IG Lead to assess and report any potential IG incidents, or support onward reporting to the external agencies that are to be informed for the type of event that has occurred.

3.5 North of England CSU (NECS)

NECS provides a managed security service to the Derbyshire CCGs for Information Management and Technology and will provide advice and support to the CCGs' Senior Information Risk Owner.

4. Incident Definitions

4.1 Information Governance Incident

There is no simple definition of an IG incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious and vice versa.

As a guide:

  • Any incident which involves actual or potential failure to meet the requirements of the Data Protection Act 1998[2] and/or the Common Law of Confidentiality;
  • This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people’s privacy;
  • Such personal data breaches which could lead to identity fraud or have other significant impact on individuals;
  • Applies irrespective of the media involved and includes both electronic media and paper records relating to staff, service users and any other business sensitive information.

Incidents may be caused through, for example:

  • Information being lost in transit;
  • Information being lost or stolen;
  • Information being disclosed in error through mis-directed e-mails and letters;
  • Inappropriate access controls allowing unauthorised use of information.

4.2 Cyber Security Incident

There are many possible definitions of a Cyber incident; for the purposes of reporting, a Cyber incident is defined as:

A Cyber-related incident is anything that could compromise (or has compromised) information assets within Cyberspace. “Cyberspace is an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the internet, but also the other information systems that support our businesses, infrastructure and services.”[3]

It is expected that the type of incidents reported would be of a serious enough nature to require investigation by the organisation. These types of incidents could include, but are not limited to:

• Denial of Service attacks – a machine or network resource becomes unavailable by disrupting services to the internet

• Phishing emails – emails from scammers that attempt to persuade the user into clicking onto links or disclosing personal information

• Social Media Disclosures – disclosing key organisational information via social media

• Website defacement – an attack on a website that changes the visual appearance of a webpage

• Malicious Internal damage – a virus or a worm corrupts a system or deletes data and electronic files

• Spoof website – a site that uses dishonest designs to trick users into thinking it is a legitimate website

• Cyber Bullying – the use of electronic communication to send intimidating or threatening messages

5. Incident Management

All organisations processing Health, Public Health and Adult Social Care personal data are required to use the IG Toolkit Incident Reporting Tool to report level 2 IG serious incidents to the Department of Health, Information Commissioner’s Office and other regulators. All Level 2 Cyber Incidents will be notified to the Department of Health and NHS Digital.

5.1 Reporting an Information Governance Incident

All IG incidents and near misses (e.g. sensitive data such as sexual health information being sent to the wrong person) must be reported to the CCG IG Lead using the form in Appendix A or any other recognised local procedures (i.e. reporting icon).

Reporting Timescales for IG incidents

From the 25th May 2018 the CCG will have a legal obligation under the General Data Protection Regulation (GDPR) to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible not later than 72 hours after having become aware of it. Therefore wherever possible the Incident Report form should be completed and submitted within 24 hours of the incident occurring in order to allow the CCG sufficient time to gather information to inform a reporting decision.

5.2 Reporting a Cyber Incident

Report any suspected spam emails to the NHSmail spam reports mailbox and then delete them from your mailbox. It is important that the emails are not forwarded from your mailbox but are sent as an attachment. Please follow the NHS mail guidance notes.

If you click on a link or attachment and you suspect your computer has become infected with a virus, then unplug the network cable, turn off your Wi-Fi or power down your computer and immediately report the suspected infection to the NECS helpdesk. The IG Lead and your Line Manager must be made aware of this incident by completing Appendix A or any other recognised local procedures (i.e. reporting icon).

5.3 Assessing an Incident

The Derbyshire CCGs IG team will support the assessment of the incident in conjunction with the CCG, using the guidance in the Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation, by establishing the scale of the incident and applying the sensitivity characteristics to determine the level of incident.

  • Incidents graded as level 1 or below are to be managed locally.

Suspected incidents and near misses can still be recorded on the IG Toolkit, as lessons can often be learnt from them and they can be closed or withdrawn when all the facts are known.

These incidents can be recorded on the IG Toolkit, but will not generate a report to the Department of Health (DH).

In addition, CCGs may use a local incident reporting system in which case the IG incidents should be logged on this system to ensure they are captured and reported internally as any other incident type (e.g. through the appropriate Committee).

Incidents classed as level 1 should be aggregated and reported in the annual report in the format contained in the Checklist Guidance. Incidents rated as level 0 need not be reflected in annual reports.

  • Incidents graded as level 2 and above must be reported via the IG Toolkit, which will generate reports to the DH and Information Commissioner's Office (ICO) for IG SIRI; for Cyber SIRI, reports will be generated to the DH and NHS Digital (formerly the Health and Social Care Information Centre). The Incident Reporting Tool embedded within the IG Toolkit will also produce reports of closed incidents that will be made publicly available.

Local clinical and corporate incident management and reporting tools (including STEIS) can continue to be used for local purposes, but notifications of IG & Cyber SIRI for the attention of the DH, ICO and NHS Digital (formerly HSCIC) must be communicated using the IG Incident Reporting Tool.

The Derbyshire CCGs IG Team will support assessment, investigation and reporting of IG incidents on behalf of the CCG and will agree the escalation procedure with the CCG to notify relevant Officers and Stakeholders (normally the SIRO).

5.4 Incident Report Plan

The CCG IG Lead will be responsible for leading the incident response plan, adopting the checkpoints outlined in the HSCIC guidance. The Derbyshire CCGs IG Team's responsibility is to support and advise a CCG of the appropriate response to an incident.

Accountability for incident management rests with the CCG, e.g. decisions to write to patients would be taken by the CCG and the final content of communications will require approval by the CCG before the communication is issued.

5.5 Incident Investigation and Reporting

The Derbyshire CCGs IG Team will support the CCG with the investigation into the incident and update the incident reporting tool accordingly. The Derbyshire CCGs will support this process where access to the CCG IG Toolkit has been given in order to report IG incidents.

The IT Service provider will provide information and support the investigation as appropriate.

The incident will be investigated as outlined in section 5.3 of the identified guidance[1]. The scale of the investigation and the degree of reporting will be commensurate with the nature of the incident.

A near miss may have the actions and learned fields on the reporting tool updated whereas a reportable level 2 SIRI would be subject to a root cause analysis exercise and formal report.

Where the incident impacts more than one of the Derbyshire CCGs, the Derbyshire Wide Joint Protocol for Managing IG Incidents will be invoked. See Appendix D.

5.6 Incident Close Down

After the investigation the SIRO within the CCG will close or authorise closure of the incident on the reporting tool once they are satisfied that the incident has been fully investigated, that appropriate actions have been undertaken or a realistic action plan is in place, and a mechanism for disseminating any learning from the incident has been determined.

Appendix A: Information Governance Incident Report Form

(To be completed for all Information Governance (IG) Information Security, Cyber Security Incidents or Near Misses).

General Information
Reported By: / Date/Time Detected:
Department: / Date/Time Reported:
Job Role: / Mobile:
Phone: / Fax:
Email Address: / Additional Information:
Postal Address:
Incident Details
Type of Incident: Confidentiality / Integrity / Availability
Incident/ Near miss
Impacts on the Department (total failure, business as usual etc.): / Type of affected System: Patient information, finance, administration etc.
What is the information? Please list the data fields
(e.g. name; address, clinical data)
What security controls were in place? (Was the information encrypted?)
Scale of Incident: How many individuals is the information about? ______
If the scale of the incident is not known please estimate the maximum potential scale point.
Less than 11 individuals, 11-100, 100+ please estimate
Incident Summary:
Incident Details
Site Details: / Site Point of Contact:
Actions Taken:
Internal use
IG SIRI Level :

Appendix B: Staff Guideline on Identifying and Reporting IG or Cyber Security Incidents

Examples of what you should report:

  • Finding a computer printout of Personal Confidential Data (PCD) details lying around;
  • Identifying that a fax that was thought to have been sent to a recipient had been received by an unknown recipient or organisation;
  • Finding confidential waste in a ‘normal’ waste bin;
  • Losing a mobile computing device with personal information on it;
  • Giving information to someone who should not have access to it – verbally, in writing or electronically;
  • Accessing a computer database using someone else’s authorisation e.g. someone else’s user id and password;
  • Trying to access a secure area using someone else’s swipe card or pin number when not authorised to access that area;
  • Finding your PC and/or programmes aren’t working correctly – potentially because you may have a virus;
  • Sending a sensitive e-mail to an unintended recipient or ‘all staff’ by mistake;
  • Finding a colleague’s password written down on a ‘post-it’ note;
  • Discovering a ‘break in’ to the organisation.

Appendix C – Incident Management and Reporting Flowchart

[Flowchart not reproduced. Surviving labels: CCG IG Lead; Incident]

Appendix D - IG 32- Derbyshire Wide Protocol for Scoring Joint IG Incidents

When an IG incident is reported, CCG IG Leads should make an initial evaluation to determine, based on the information available at the time, whether it is likely that the incident impacts on any other organisation, with particular emphasis on the other Derbyshire CCGs.

At this stage the CCG IG Lead should undertake a preliminary assessment of the severity of the incident using the formula for categorising SIRIs set out at Annex A of the Health & Social Care Information Centre – Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation.

At this early stage there may not be sufficient detail to determine if the incident impacts on another CCG; however, if the incident is not totally contained within the CCG it was initially reported to, it is good practice to share basic details of any IG incident with the other CCGs so they are aware and can make some initial enquiries.

If at the initial stage, or at any time during any subsequent investigation, it is identified that the incident impacts on another CCG or CCGs, then the following process should be followed:

Joint Scoring Exercise

A joint scoring exercise should be carried out as soon as practicable to ensure that the guideline of reporting within 24 hours is adhered to. Due to the timescales, geography and availability of individuals, it may be appropriate to convene a teleconference.

The joint scoring exercise should follow the guidance set out at Annex A of the Health & Social Care Information Centre – Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation.

In order to reach a consensus on the final score the joint scoring exercise must include as a minimum:

  • SIRO / Deputy SIRO and/or Caldicott Guardian representing the CCG to which the incident was initially reported
  • SIRO / Deputy SIRO and/or Caldicott Guardian representing the CCG / CCGs that are jointly affected
  • Representative from Arden & GEM Information Governance team
  • Subject matter expert / senior manager familiar with the circumstances of the incident from the CCG the incident was initially reported to, along with relevant counterpart from other CCG / CCGs
  • IG Leads may participate to further enhance the objectivity of the exercise; however, their lack of availability should not hold up the process.

If the final score results in the IG Incident being reported on the IG Toolkit, i.e. a level 2, then the CCG which the incident impacts on the most should take the lead in reporting. Other CCGs may need to report this separately; however, there may be occasions where it is a level 0 or 1 for one CCG and a 2 or higher for another. This could be due to differing levels of sensitivity or number affected, for example. It is proposed that the Lead Commissioner will normally investigate any incident with support from other CCGs if required. There may be occasions where the Lead Commissioner does not lead on the investigation; however, sound reasons should be documented at the scoring stage regarding why this is the case.