3. Security starts at Home
• Have an up-to-date virus (and malware) scanner
• Use strong passwords
• Don’t download from unknown sites
• Don’t open emails from unknown sources
• Keep your operating system and security software patched and up to date
• Keep backup copies of important or precious files
• Shop online safely
• Beware of bogus phone calls offering computer help
5. Email – Phishing Scams
Don’t get hooked by a bogus email
Stop & Think
DON’T CLICK
6. What is a Phishing Attack?
• Phishing is the act of attempting to acquire sensitive
information such as usernames, passwords, and credit
card details (and sometimes, indirectly, money) by
masquerading as a trustworthy entity in an electronic
communication.
• Phishing is typically carried out by email spoofing or
instant messaging, and it often directs users to enter
details at a fake website whose look and feel are
almost identical to the legitimate one.
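The definition above names the three things a reader can actually check on a suspicious message: who the mail really comes from, where a reply would go, and whether a link's visible text names the same site as its destination. The script below is an added example (editor's code, not part of the original slides) that applies those heuristics to a constructed "tax rebate" lure of the kind HMRC says it never sends, and to a constructed genuine-looking control message. The domains hmrc-refunds.example, mail-drop.example and rlbuht.example are made up; hmrc.gov.uk is the brand the lure impersonates.

```python
"""Heuristic phishing indicators: spoofed sender domain, Reply-To pointing
elsewhere, and links whose visible text names one host while the href goes to
another.  Example code added by the editor, not from the original slides.
Domains hmrc-refunds.example, mail-drop.example and rlbuht.example are made up."""
import re
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the kind of "tax rebate" lure HMRC says it never sends.
PHISH_EMAIL = """\
From: "HM Revenue & Customs" <refunds@hmrc-refunds.example>
Reply-To: claims@mail-drop.example
To: staff@rlbuht.example
Subject: You are eligible for a tax refund of 268.32 GBP
Content-Type: text/html; charset=utf-8

<html><body><p>Click <a href="http://hmrc-refunds.example/claim">www.hmrc.gov.uk/refund</a>
to receive your rebate.</p></body></html>
"""

# Constructed control: same brand, but every domain is where it claims to be.
GENUINE_EMAIL = """\
From: "HM Revenue & Customs" <noreply@hmrc.gov.uk>
To: staff@rlbuht.example
Subject: Examples of phishing emails
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="http://www.hmrc.gov.uk/security/examples.htm">www.hmrc.gov.uk/security/examples.htm</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def host_named_in_text(text):
    """Host that a link's visible text names (e.g. 'www.hmrc.gov.uk/refund'), else ''."""
    t = text.strip()
    if not re.fullmatch(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?", t):
        return ""
    return (urlparse(t if "://" in t else "http://" + t).hostname or "").lower()


def phishing_indicators(raw_message, brand_domain):
    """Return human-readable indicators for one message; [] means none fired.

    brand_domain is the domain the message *claims* to come from, e.g.
    hmrc.gov.uk for anything presenting itself as HMRC.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    if not under(from_domain, brand_domain):
        findings.append(f"display name {sender.display_name!r} but From domain "
                        f"{from_domain!r} is not under {brand_domain!r}")

    reply_to = msg.get("Reply-To")
    if reply_to is not None:
        rt_domain = reply_to.addresses[0].domain.lower()
        if rt_domain != from_domain:
            findings.append(f"Reply-To goes to {rt_domain!r}, not the From domain {from_domain!r}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = (urlparse(href).hostname or "").lower()
            shown = host_named_in_text(text)
            if shown and not (under(shown, href_host) or under(href_host, shown)):
                findings.append(f"link text shows {shown!r} but points to {href_host!r}")
            if href_host and not under(href_host, brand_domain):
                findings.append(f"link destination {href_host!r} is not under {brand_domain!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(name, phishing_indicators(raw, "hmrc.gov.uk") or ["no indicators"])
```

Against the lure all four heuristics fire; against the control none do. None of these checks is proof on its own (a genuine mailshot may legitimately use a third-party Reply-To), which is why the slides' advice remains "stop, think, don't click" rather than "let a script decide".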
8. Guidance from Tax Office
• HM Revenue & Customs (HMRC) will never send
notifications of a tax rebate / refund by email, or ask
you to disclose personal or payment information by
email.
• Do not visit the website contained within the email or
disclose any personal or payment information.
• http://www.hmrc.gov.uk/security/examples.htm
9. Guidance from RLBUHT
• Don’t click on any links within the email
• Do NOT respond
• Save the email (Save As)
• Forward it to the Server Team
• They will ask the N3 network team to BLOCK that sender address
• Brightmail should remove any virus component
• Delete the email
18. What are Data Flows?
• Data flow mapping is a requirement that must be
completed every 2 years
• Each department maps every item of personal
identifiable data (PID) that flows into or out of the Trust
• The mapping takes the form of a spreadsheet that
records how each item flows, e.g. by letter, fax, email,
File Transfer Protocol (FTP), etc.
• Phase out fax and send encrypted email (PGP) instead.
20. Email Usage
Email is a business tool and the language used in all correspondence should reflect this.
Staff should not use abusive language or profanity in any correspondence, regardless of who it is being sent to.
Email filtering software is currently in place that monitors all incoming and outgoing email for abusive language
and profanity.
Staff must also not send any Personal Identifiable Data (PID) or commercially sensitive data insecurely. Here
are some do’s and don’ts:
RLBUHT Trust to RLBUHT Trust – secure
NHS Mail to NHS Mail – secure
NHS Mail to the following domains – secure: x.gsi.gov.uk; gsi.gov.uk; gse.gov.uk; gsx.gov.uk;
pnn.police.uk; cjsm.net; scn.gov.uk; gcsx.gov.uk; mod.uk
RLBUHT Trust to another Trust – not secure
RLBUHT Trust to NHS Mail – not secure
NHS Mail to RLBUHT Trust – not secure
21. PGP – Email Encryption (sending)
• Within Outlook select Tags
• Select Sensitivity Drop-down
• Change Normal to Confidential
• Select Close
• Send as normal
• Recipient gets re-directed to
RLBUHT portal
• Recipient enters passphrase
• Do not put patient names, NHS numbers or dates of
birth in the Subject line: the header is NOT encrypted.
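The two slides above together define a small policy: PID may leave the Trust only over a route the table lists as secure, or inside a message marked Confidential so that it goes via the PGP portal, and never in the header, which the portal does not encrypt. The script below is an added example (editor's code, not the Trust's DLP product or any vendor's) that encodes those rules and runs them over constructed messages. It assumes NHS Mail addresses end in nhs.net, uses rlbuht.example as a stand-in for the Trust's own mail domain, and detects "PID" only as a valid NHS number (10 digits with the modulus-11 check digit); a real filter would also look for names, dates of birth and attachments.

```python
"""Outbound e-mail check modelled on the secure-route table and the PGP
header caveat above.  Example code added by the editor, not the Trust's DLP
tool.  Assumptions: NHS Mail addresses end in nhs.net, rlbuht.example stands
in for the Trust's domain, and PID is detected as a valid NHS number."""
import re

NHSMAIL = "nhs.net"            # assumption: NHS Mail domain
TRUST = "rlbuht.example"       # assumption: stand-in for the Trust's mail domain
# Destinations the table lists as secure *from NHS Mail*; suffix matching
# covers x.gsi.gov.uk.  cjsm.net is Criminal Justice Secure Mail.
SECURE_FROM_NHSMAIL = {
    "nhs.net", "gsi.gov.uk", "gse.gov.uk", "gsx.gov.uk", "pnn.police.uk",
    "cjsm.net", "scn.gov.uk", "gcsx.gov.uk", "mod.uk",
}

# 10 digits, optionally written as 3-3-4 with spaces or hyphens.
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def under(host, dom):
    return host == dom or host.endswith("." + dom)


def valid_nhs_number(digits):
    """Modulus-11 check digit used by NHS numbers: weight the first nine
    digits 10..2, take 11 - (sum mod 11); 11 counts as 0, and 10 means no
    valid number starts with those nine digits."""
    if not (len(digits) == 10 and digits.isdigit()):
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def find_nhs_numbers(text):
    """Return the valid NHS numbers (normalised to 10 digits) found in text."""
    found = ["".join(m.groups()) for m in NHS_NUMBER_RE.finditer(text)]
    return [n for n in found if valid_nhs_number(n)]


def route_is_secure(sender, recipient):
    """The secure / not secure table from the e-mail usage slide."""
    s, r = domain(sender), domain(recipient)
    if s == TRUST and r == TRUST:
        return True                                           # Trust to Trust
    if s == NHSMAIL:
        return any(under(r, d) for d in SECURE_FROM_NHSMAIL)  # NHS Mail to NHS Mail / listed gov domains
    return False   # Trust to another Trust, Trust to NHS Mail, NHS Mail to Trust


def check_outbound(sender, recipient, subject, body, sensitivity="Normal"):
    """Return policy findings for one outbound message; [] means it may be sent."""
    findings = []
    if find_nhs_numbers(subject):
        findings.append("NHS number in Subject: the header is sent unencrypted "
                        "even when Confidential is set")
    body_pid = find_nhs_numbers(body)
    encrypted = sensitivity == "Confidential"   # Confidential routes via the PGP portal
    if body_pid and not (route_is_secure(sender, recipient) or encrypted):
        findings.append(f"{len(body_pid)} NHS number(s) in body over insecure route "
                        f"{domain(sender)} -> {domain(recipient)} without Confidential sensitivity")
    return findings


if __name__ == "__main__":
    # Constructed messages; 943 476 5919 is a syntactically valid test number.
    print(check_outbound("a@rlbuht.example", "b@othertrust.example",
                         "Referral", "NHS No 943 476 5919"))
    print(check_outbound("a@rlbuht.example", "b@othertrust.example",
                         "Referral", "NHS No 943 476 5919", sensitivity="Confidential"))
    print(check_outbound("a@nhs.net", "b@nhs.net", "Re: 943 476 5919", "see attached"))
```

The check digit matters: a plain ten-digit regex would flag every invoice or phone number, while the modulus-11 test rejects about nine in ten random ten-digit strings, which is what keeps a filter like this from training staff to ignore its warnings.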
28. Facebook & Twitter
• Facebook is an online (internet) social networking
service
• It enables people & groups to chat, share ideas &
photographs
• The Trust allows the use of this facility during allocated
lunch breaks for personal use
• It does not allow ‘posting’ of Trust related information
• Do not post anything that may bring the Trust into
disrepute – Don’t be a Twit be a careful Tweeter
• Warning: Facebook’s terms grant it a broad licence to
use the content you post.
29. Blogs
• A blog (short for “web log”) is a personal website or
web page on which an individual regularly records
opinions, links to other sites, etc.
• As with Facebook, don’t bring the Trust into disrepute
• And certainly don’t start recording medical
information, even if anonymised.
• You will be asked to remove and delete it
30. Why shouldn’t ‘we’ be using XP?
• Microsoft no longer supports XP (since April 8th 2014)
• Anti-virus vendors may stop supporting XP
(MSE until July 2015)
• Unpatched vulnerabilities are a growing risk
• Patch Tuesday fixed the latest IE flaw
• Migrate to Windows 7 (or Windows 8)
• But not all processes run on Win 7/8 (risk)
• Residual risk: mitigate or accept
31. Why are some Sites Blocked?
• Both large and small companies block sites to
cut down on security breaches
• and to boost productivity (Facebook etc. now OK)
• To prevent downloading viruses and malicious
code
• To prevent unauthorised software
• To prevent breaches of licensing and copyright law
32. Why can’t I just download any software?
• Control of Software
• Trust Process
– IT Asset Management Policy - Section 9
– Design Board – meets every 3rd Tuesday of the month
– Project Mandate Form
34. Why do I need an NDA?
• Non–Disclosure Agreement (NDA)
– Is required when outside contractors handle
patient, staff or financial Trust data
– is a legal contract between at least two parties that
outlines confidential material, knowledge, or
information that the parties wish to share with one
another
• Information Sharing Agreement (ISA)
35. Why do I need an ISA?
• Information Sharing Agreement (ISA)
– Is required when outside contractors handle
patient, staff or financial Trust data, and the data
is shared, copied, moved off site or viewed by
external contractors
– Is a legal contract between at least two parties,
naming the:
– Data Controller
– Data Processor
36. What is the IG Toolkit?
• It is a requirement placed on all NHS
organisations (or partners)
• The Information Governance Toolkit (IGT) is an
online tool that enables organisations to
measure their performance against the
information governance requirements
• To provide NHS organisations with a means of
self assessing performance against key aspects
of information governance
37. Who are the ICO?
• The Information Commissioner’s Office is the
UK’s independent authority set up to uphold
information rights in the public interest,
• promoting openness by public bodies
• and data privacy for individuals
• And they have the ability to fine the Trust up to
£500,000 per incident if a breach is caused
38. Why do I need a Clear Desk Policy?
• Information needs to be Protected (especially
outside normal working hours)
• Need-to-Know Principle
• Lock unused documents in desks or lock whole
office
• Lock PC’s when not in use
• File documents so that can easily be referenced
or located
• A Tidy Ship is a Happy Ship
39. What is an IAO/IAA?
• Trust systems that store information (patient,
staff or financial) are information Assets
• If you are a Manager of a Department or a
System then it is likely you are an Information
Asset Owner (IAO) or if you administer it you
are an Information Asset Administrator (IAA)
• As an IAO/IAA you have to manage this asset
and any risks associated with it, as defined by
Policy
40. What is DATIX?
• Software for Patient Safety
– A tool to register clinical incidents within the Trust
• Software for IT Risks
– A tool to register IT incidents/risks within the Trust
– Additional access over & above clinical risks for IT
Project Risks (TB)
41. I am being Monitored?
• Data Loss Prevention (DLP) is an automated tool
that monitors all outgoing email for patient, staff
or financial information (Outlook or Web Mail)
• Websense is an automated tool that monitors all
web traffic and blocks certain web sites
• All clinical systems require account log-in details
and record who logs in and when
• Note: tablets, laptops and desktops have tracking
• You have been warned.
42. Programme Managers
• Need to know how IG relates to programmes
• IG Checklist
– Privacy Impact Assessment
– NDA/ISA & Data Flows
– Does it contain PID
– Is it being transferred Securely
– Asset Register and Risk Assessments (IAO/IAA)
– Design Board
– Requirements to satisfy IG Toolkit
43. On Line IG Training - ESR
•Use Your Smart Card and sign into ESR
Email is a business tool and the language used in all correspondence should reflect this.
There are filtering tools that block emails containing any profanity, so please don’t put inappropriate language in your emails. Remember, your emails belong to the Trust and can be requested under FOI.
And never put anything into an email that you are not prepared to say face to face.
Please follow these basic rules around sending personal identifiable data securely – NHS Mail to NHS Mail is the only secure emailing method for this Trust.
And remember that we can supply your manager with a report on your internet access.
Do not send any identifiable information via a Google Mail (Gmail) account, a Hotmail account or any other personal account: firstly this is not secure, and secondly it can be freely distributed.
Anything sent via Gmail is held on Google’s systems under Google’s terms of service and is subject to US law (the Patriot Act), so the Trust has no control over it.
For consultants: do you email information to patients? What does it contain? Does it include demographics or clinical information?
Please make sure that you read a copy of the Email and Internet Policy, as this presentation only covers a very small part of the guidance relating to email and internet usage.
In relation to sending any emails containing personal identifiable information, from now on: 1st offence – PW; 2nd offence – meeting with PW & JN; 3rd offence – disciplinary.