NHSNottinghamshireClinical Commissioning Groups
Electronic Remote Working Policy
Document History
Document Reference: / IG12Document Purpose: / This document sets out the responsibilitiesof staff about the confidentiality and security of information when working remotely
Date Approved: / 22nd September 2017
Approving Committee: / Information Governance Management and Technology Committee
Version Number: / 2.3
Status: / Approved
Next Revision Due: / 22nd September 2018
Developed by: / NHIS, CCG Information Governance Leads
Head of Information Governance (NHS Nottingham City CCG providing support to the three South Nottingham CCG’s under an SLA)
Policy Sponsor: / Nottinghamshire Clinical Commissioning Groups– Director of Outcomes and Information
Target Audience: / The procedure applies to all permanent, temporary staff and secondees of the CCG.
Associated Documents: / All Information Governance Policies and the Information Governance Toolkit
Revision History
Version / Revision date / Summary of Changes1.0 / March 2013 / Developed by Nottingham Health Informatics Service and adopted by Nottinghamshire Clinical Commissioning Groups
1.1 / November 2014 / Reviewed in line with version 12 of the IG Toolkit and in consultation with the Information Governance Management and Technology Committee.
2.0 / January 2015 / Approved by the Information Management and Technology Committee
2.1 / September 2016 / Minor updates
2.2 / August 2017 / Reviewed in line with NHS Digital Guidance
2.3 / September 2017 / Approved by the Nottinghamshire CCG Information Governance Management and Technology Committee
Policy Distribution and Implementation
Reference Number / Title / Available fromIG12 / Electronic Remote Working Policy / CCG Internet websites, hard copy from the IG Lead
Contents
1 Introduction
2Policy Statement
3. Definitions
4. Scope of Policy
5. Remote Access Process
6. Accessing Information Remotely
7. Mobile Device Security
8. Appropriate Use of Mobile Devices
9. Responsibilities
10. Monitoring Compliance
11. Access to the Organisation’s Infrastructure
12. Remote Access and Smartcard Access
13. Reporting Security Incidents and Weaknesses
14. Training Requirements
15Equality and Diversity
16Due Regard
Appendix: Remote Access Application Form
1Introduction
1.1This policy applies to Nottinghamshire Clinical Commissioning Groups (CCGs), subsequently referred to in this document as the CCGs. They include:
NHS Mansfield and Ashfield CCG
NHS Newark and Sherwood CCG
NHS Nottingham North and East CCG
NHS Nottingham West CCG
NHS Rushcliffe CCG
CCGs are separate independent statutory organisations.
1.2This policy has been developed to ensure that those with a business requirement to access the organisation’s systems remotely or to use mobile devices in a standalone mode do so securely, and without introducing unacceptable threats to both the processing of information or the networked system. Remote access is a method of accessing files and systems that can only usually be accessed from an NHS site or by using an authorised Virtual Private Network (VPN) token.
1.3Due to changing working practices and the development of technology, remote access to systems by NHS staff is now seen as an important way of working. Remote working can only be undertaken with the use of mobile devices purchased through the Nottinghamshire Health Informatics Service (NHIS). Personal devices are not permitted to be used for work purposes other than expressly permitted by the relevant data controller and in accordance with the CCGs Bring Your Own Device (BYOD) policy.
1.4Critical business processes rely on easy and reliable access to organisational information systems. In practice, the benefits of securing remote access are considerable – business can be conducted remotely with confidence and the confidentiality of sensitive information is assured. This document sets out the policy for, holding, obtaining, recording, using and sharing information by remote access via the use of mobile devices and includes a set of common controls, which can be applied to reduce the risks associated with a remote access function.
2Policy Statement
The purpose of this policy is:
2.1.To ensure the processing of information is operated in accordance with national guidance such as Department of Health Codes of Practice, ISO 27001:2013 – Information Security, the Data Protection Act (1998), Caldicott Principles and local organisational policies.
2.2.To ensure that all staff are aware of their responsibilities and comply with the policy and that the areas covered in this policy are part of information governance and IT training.
2.3.This policy forms part of an overall group of Information Governance Policies, and should be read in conjunction with these.
Failure by any employee of the organisation to adhere to the policy and its guidelines willbeviewed as a serious matter and may result in disciplinary action.
3. Definitions
3.1User - In this policy, the term ‘user’ includes anyone who makes use of the organisation’s network or computing facilities to gain access to systems and applies specifically to: -
All organisation employees.
Any authorised individual using organisational systems such as Governing Body member, trainee, student, contractor, volunteer or otherwise.
3.2The Organisation – Means the listed Clinical Commissioning Groups.
3.3Mobile Devices – This includes but is not limited to portable computers such as laptops, notebooks, tablets, mobile telephones, blackberries and smartphones.
4. Scope of Policy
4.1To identify processes to ensure remote access is agreed and managed in line with the Information Security Policy and with the organisationalbusiness requirements.
4.2To ensure that access toinformation away from the organisation is conducted in a secure and confidential environment.
4.3Ensuring the appropriate use of mobile devices, which includes portable computers such as laptops, notebooks, tablets, mobile telephones, blackberries, and smart phones.
4.4Outlining the principles of accessing, processing and transferring information using home computers and mobile devices, in dispersed locations – whatever the location.
4.5Applicable legislation and Freedom of Information principles shall apply to remote workers operating CCG approved mobile devices to process official or NHS information. This includes information held in personal email accounts and on personal ICT devices.
4.6This policy covers staff including Governing Body membersand those working for and on behalf of the organisation and includes:
- Travelling users (e.g. staff working across sites or are temporarily based at other locations).
- Staff working from home
- Non-NHS staff (e.g. Social Services, contractors and other 3rd party organisations with appropriate authorisation when accessing NHS systems).
5. Remote Access Process
5.1Authorisation and approval for remote access shall be obtained from CCG management before mobile and remote working systems are set up. The Head of Department or Service must be aware that to support remote access, provision of circuits and equipment including in some cases line installations, must be provided from departmental budgets. Furthermore, all recurrent costs of line rental, maintenance etc must be met by departmental budget.
Remote access refers to any technology that enables users to connect in geographically dispersed locations to organisation owned systems. This includes users who use a ‘store and forward’ option to access data securely stored on a mobile device, which is then synchronised with the live system when returning to base for example clinical information systems.Remote access is typically over a wireless/GPRS/3G and broadband connections, although it can include Wide Area Network (WAN) connections.
5.2Applications for remote access should be submitted to theNottinghamshire Health Informatics Service (NHIS) Service Desk for technical approval using the Application for Remote Access form (Appendix A) or via the NHIS Customer Portal on
5.3Each application must include reasonable justification for users to have remote access to administrative and/or clinical systems, outlining the high-level requirement for each request and have management approval.
5.4Remote workers shall ensure they know who to contact for security advice and guidance when working remotely and how to contact them.
6. Accessing Information Remotely
6.1Users shall ensure that NHS, UK Government Security Classified or other sensitive information is not removed from site without prior approval and authorisation from management and in accordance with the organisations Information Security Policies.
6.2Users shall ensure that mobile systems or devices are not used outside of the CCG premises without prior approval and authorisation from management.
6.3No mobile device shall store personal confidential information unless the device is appropriately encrypted to the NHS standard. All remote workers should ensure that they abide by their local organisational policy regarding confidentiality and security of personal confidential data.
6.4Any problems that arise with remote access or mobile devices should be reported to the NHIS Service Desk.
Remote access and encryption queries can only be supported within the NHIS Service Desk opening hours which are: Monday to Friday 8.30am to 5pm.
7. Mobile Device Security
7.1Mobile devices must never be left unattended in cars or easily accessible areas to reduce the risk of opportunistic theft. If possible devices should be kept securely locked away when not in use and precautions taken to protect assets from opportunistic thefts.
7.2Remote locations shall be secure to work in, ie not overlooked by unauthorised persons. Sensitive matter shall not be worked on in public places.
7.3Classified or sensitive information must be appropriately protected at all times eg encrypted and password protected as per organisational policy. Sensitive conversations shall not be carried out in public. Secure email should be used or staff should wait until back on secure premises.
7.4Care should also be taken during transit. Heavy jolts to a mobile device could cause damage to the hard disk and render the system inoperable.
7.5Virus protection software must be installed, active and up to date.Users should routinely connect to the network to ensure the most up to date software and anti-virus programme is installed.
7.6NHS sensitive or personal confidential information should be brought back to CCG premises for secure disposal.
7.7Mobile systems, devices or information shall not be checked in as hold luggage when travelling, but treated as hand or cabin luggage at all times.
7.8 All devices shall be configured and operated in accordance with this policy and the organisation shall determine which types of devices are relevant to this policy and whether staff are allowed to use personal devices connected to the corporate network. All users should abide by the Bring Your Own Devices (BYOD) where this is accepted.
8. Appropriate Use of Mobile Devices
8.1Unauthorised software must not be installed on any organisational equipment, including mobile devices.
8.2Personal confidential information must not be sent via email unless this complies with the Policy on Internet and Electronic Mail.
8.3All removable media shall be virus checked prior to use.
8.4Mobile devices shall have security options enabled, such as PIN numbers or a password. Automatic lock outs shall be enabled when IT equipment is left unattended.
9. Responsibilities
9.1The CCG Accountable Officeris ultimately responsible for ensuring that remote access by staff is managed securely.
9.2The Information Governance Management and Technology Committee will maintain policy, standards and procedures for remote access and use of mobile devices and ensure that risks are identified and appropriate controls implemented to reduce those risks.
9.3Nottingham Health Informatics Service will ensure that organisational end systems are securely maintained.
9.6All staff with remote access and/or use mobile devices are responsible for complying with this policy and associated standards. All staff must safeguard organisational equipment and information resources, and notify the organisation immediately of any security incidents and breaches.
9.7All users of information systems, applications and the networks must ensure they seek the necessary security guidance, awareness and where appropriate training to ensure they are aware of their security responsibilities. Irresponsible or improper actions will result in disciplinary action(s).
9.8Users must return all relevant equipment (including software) to their line managerwhen remote access and/or the mobile device are no longer required.
10. Monitoring Compliance
To ensure the most comprehensive level of protection possible, every network should include security components that address the following five aspects of network security.
10.1User Identity
All remote users must be registered and authorised. Organisations must locally audit remote access and ensure the authorised users still require this. User identity will be confirmed by User ID and password authentication. Nottinghamshire Health Informatics Service is responsible for ensuring a log is kept of all user remote access.
10.2Perimeter Security
Nottinghamshire Health Informatics Service (NHIS)is responsible for ensuring perimeter security devices are in place and operating properly. Perimeter security solutions control access to critical network applications, data, and services so that only legitimate users and information can pass through the network. Routers and switches handle this access control with access control lists and by dedicated firewall appliances.
Remote Access Systems with strong authentication software control remote dial in users to the network. A firewall provides a barrier to traffic crossing a network's ’perimeter’ and permits only authorised traffic to pass, according to a predefined security policy. Complementary tools, including virus scanners and content filters, also help control network perimeters. Firewalls are generally the first security products that organisations deploy to improve their security status.
10.3Security Monitoring
Network vulnerability scanners will be used to identify areas of weakness, and intrusion detection systems to monitor and reactively respond to security events as they occur.
10.4Remote diagnostic services and 3rd parties
Suppliers of central systems/software that require access to their systems in order to investigate/fix faults will be allowed through remote N3 connection and secure 1-time password token.
Each supplier or user requiring remote access will be required to commit to maintaining confidentiality of data and information and only using qualified representatives.
Each request for dial up access will be authorised by the approved NHIS staff, who will only make the connection when satisfied of the need and upon receipt of an appropriate level of assurance from the third party.
10.5Encryption SoftwareAll mobile devices must have appropriate encryption software installed.
11. Access to the organisation’s Infrastructure
Remote access to the organisation’s infrastructure is via secure token.
11.1Definition: A token is an electronic 1-time password generation device, which is used to enable remote access to the organisation’s system. This device works through dedicated software being installed on a device.
11.2Tokens are issued by NHIS. Issue will be subject to completion of the ‘Application for Remote Access’ form in Appendix A, which includes a detailed description of why the access is required, and confirmation that this has been endorsed by the CCG Line Manager
11.3All users of tokens must comply with their organisations Information Security Policy, Internet and Electronic Mail Use Policyand the Confidentiality and Data Protection Policy.
11.4It is the responsibility of the person who holds the token to ensure that this is always held in a safe and secure manner.This is in addition to the responsibilities outlined by the above-named policies, and must always be observed.
11.5Any VPN connection must be correctly terminated once all remote work has been completed to ensure that the applications are closed appropriately.
12. Remote Access and Smartcard Access
12.1Users wishing to gain access to clinical information systems will need to install a Smartcard reader and software onto the remote computer. Remote access to these systems should be instigated by the Head of Department or Service. The NHISService Desk will provide advice on installing the Smartcard reader and software.
12.2Smartcard policies and procedures must be followed.
13. Reporting Security Incidents and Weaknesses
All security incidents and weaknesses must be reported using the Organisation’s Incident Reporting mechanisms and the NHIS Service Desk notified in order to ensure that the connection is removed.
If a token is lost/stolen/misplaced this must be reported to the NHIS Service Desk as an incident as soon as possible.
14. Training Requirements
14.1It is the responsibility of the CCG to ensure that relevant training on security and confidentiality is made readily available, and pro-actively encouragecompliance with the policy.
14.2All new starters to the organisation will undertake Information Governance training as part of the induction process; this could be either face to face or via e-learning, as agreed by the CCG IG training strategy. Extra training will be provided for all staff that process personal confidential information in line with the requirements of their role.
14.3 All Line Managers must ensure that their staff, complete an annual IG training session as part of their mandatory update
15Equality and Diversity
15.1The CCG aims to design and implement policy documents that meet the diverse needs of the services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all.
15.2This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act.
15.3In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation.
16Due Regard
16.1This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations.
Appendix 1
Application for Remote Access
Please complete the following fields in order to obtain remote access to the Nottinghamshire Health Informatics Service network. Once complete please send the form to the NHIS via email or complete the request online at