Mobile Devices and Removable Media Security Policy
CONSULTATION CHECKLIST Name of Policy / Procedure / Guideline / Protocol Mobile Devices and Removable Media Security Policy Named person developing Policy Mr Khaja Hussain Assistant Director Information Governance & Security Timescale for completion 31/03/2009 Consultation
Date Agreed
Information Governance Steering Group (IGSG)
10/02/2009
Risk Management Committee
18/02/2009
Approval Yes/No Assurance Risk Committee
YES
Date Assessed 09/03/2009
Approved Yes/No Signed____________________________________________ Designation________________________________________
IGP0005
2
MOBILE DEVICES AND REMOVABLE MEDIA SECURITY POLICY
APPROVAL/ADOPTED
Information Governance Steering Group Risk Management Committee Assurance Risk Committee
DATE OF APPROVL / ADOPTION
Draft Issued January 2008 (Version 1.0) Final Approval 09/03/2009 (Version 1.1)
REVIEW
April 2010
DISTRIBUTION
All Trust Staff
RELATED POLICIES / DOCUMENTS
IT Acceptable Use Policy Information Governance Policy Information Security Policy Data Protection Policy Confidentiality Policy Freedom of Information Policy Records Management Policy Safe Haven and Information Sharing Policy
AUTHOR/FURTHER INFORMATION
Khaja Hussain Assistant Director (Information Governance & Security) Ext 5295
THIS DOCUMENT REPLACES
N/A
IGP0005
3
1.
Introduction
This policy must be read in conjunction with the Trust’s IT Acceptable Use Policy and all other Information governance and security policies and guidance which are available on the Trust’s Intranet site. All NHS organisations have a legal duty to maintain the privacy and confidentiality of the personal information held and, caution must be exercised where that information is being transferred electronically. A number of Acts and guidance dictates the need for security arrangements to be set in place, they include: Data Protection Act 1998 (Principle 7): “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Confidentiality: NHS Code of Practice 2003: Annex A1 Protect Patient Information: “Care must be taken, particularly with confidential clinical information, to ensure that the means of transferring from one location to another are secure as they can be” This policy aims to prevent unauthorised disclosure, modification, removal or destruction of the Trust’s information assets and disruption to business activities. This policy applies to all individuals that access or process Information held by the Trust, whether directly employed by the Trust or contractors, third party IT/Information service providers and private sector care providers. 2.
Scope of Policy
All mobile devices and removable media for use on information systems owned or operated by the Trust are covered by the policy. Removable media can be classified as any portable device that can store and/or move data. These include and are not limited to:-
Floppy Disks Optical discs, i.e. CD or DVD ROM External hard drives and ZIP drives Magnetic tapes Solid state memory devices including USB memory sticks/pen drives, memory cards, MP3 players, etc. Mobile phones Digital cameras Personal Digital Assistant’s (PDA’s), e.g. Palms, Blackberrys
Other mobile devices include Laptops and Tablet PC’s. Only the NHS approved standard encryption algorithm, which is currently 256 bit AES, will be used to encrypt and protect NHS data.
IGP0005
4
3.
Responsibilities
Staff and contractors are not permitted to introduce or use any removable media other than those provided, or explicitly approved for use, by the Trust. Any bulk extracts of confidential or sensitive data must be authorised by the responsible Associate Director/Director for the work area. The Assistant Director of IT Services is responsible for ensuring an adequate supply of removable media that has been approved for use and, the implementation of any device configuration requirements that the Trust may require in order to comply with Information Governance security policy and standards, particularly data encryption capabilities. Line managers in collaboration with the IT services are responsible for the day to day management and oversight of removable media used within their work areas to ensure this policy is followed. Line managers are responsible for the secure storage of all unallocated removable media and its related control documentation as required by this procedure. Staff who have been authorised to use removable media for the purposes of their job roles are responsible for the secure use of those removable media as required by this policy. Staff involved in data extraction and data file creation must receive appropriate Information Governance and security training. Staff must be aware of policy and procedure governing the work area including consequences of breach of policy. Failure to comply with this policy may result in disciplinary or criminal action.
4. Security Procedures The Trust currently deploys the NHS approved encryption software (“McAfee Safeboot”) for device encryption and end point security for its IT infrastructure. Device encryption, e.g. of laptop hard drives, ensures that all data is stored in encrypted form and it can only be decrypted when it is accessed by an authorised user who has logged on to the machine. Stolen devices are therefore protected. Port control of USB ports on computers will be deployed on all Trust computers to restrict the use of removable media to only those that are approved for use by the Trust. The Trust will only allow the use of Trust approved hardware encrypted USB memory sticks for full read/write access of NHS data. All other non-approved USB memory sticks will only be accessible on a read only basis on all Trust owned computers. 4.1 Use of Mobile Devices and Removable Media All Trust laptops and tablet PC’s will be fully hard disk encrypted. Trust owned portable devices such as PDA’s will be only be encrypted if they are used to hold NHS applications and personal data, with the exception Blackberry’s as they are already encrypted by the manufacturer.
IGP0005
5
Each business area shall identify its need for removable media and the devices on which removable media are to be used by completing the authorisation request form in Appendix A. Mobile devices and removable media should not be taken or sent off-site unless a prior agreement or instruction exists. A record is to be maintained of all mobile devices sent off-site, or brought into or received by the Trust. This record should also identify the data files involved. Mobile devices and removable media must be physically protected against loss, damage, abuse or misuse when in use, storage and transit. Mobile devices and removable media shall only be used by staff and contractors who have an identified and agreed business need for them. The use of removable media by sub-contractors or temporary workers must be risk assessed and be specifically authorized. Removable media drives, including USB ports, are restricted as specified in the appropriate device management configuration in section 4.2 below. Any person identifiable information transferred to a USB memory stick must remain encrypted and not be transferred to any other external system in an unencrypted form. The user must note and accept that should their encryption password be forgotten, the memory stick allows for a new password to be created, but this will involve a reformatting of the device and thus a total loss of the data. The USB data stick must therefore not be used to keep data that is not backed-up securely somewhere else on the Trust network. Removable media may only be used to store and share NHS information that is required for a specific business purpose. When the business purpose has been satisfied, the contents of removable media, e.g. CD’s, must be removed from that media through a secure deletion method that makes recovery of the data impossible. Alternatively, the removable media and its data should be destroyed and disposed of beyond its potential reuse through IT services. In the case of Trust approved hardware encrypted memory sticks, it can be reset to reformat the device ensuring total loss of data so that it can be re-used.. In all cases, a record of the action to remove data from or to destroy data should be recorded in an auditable log file. If the user leaves the Trust or department then they should return their mobile or removable media device to IT services for secure destruction and/or redistribution. All incidents involving the use of removable media must be reported to the Information Governance department and logged on the on-line Datix incident form. Any such incidents will be fully investigated and may result in disciplinary action being taken.
4.2 Device Management The Trusts new end point security management software will affect all mobile devices and removable media access connections to all Trust networked PC’s and laptops as follows:-
IGP0005
6
CD/DVD Drives – enabled for read, but not write, access (unless authorised to be manually encrypted by IT services). Exception for creation of PACS CD’s on PACS workstation by Radiology staff. Floppy Disc Drives – enabled for read, but not write, access USB Memory Devices – enabled for read, but not write, access (unless Trust approved hardware encrypted memory sticks) Digital Dictation – enabled for 2 way data transmission, where authorised Digital Cameras – enabled for 1 way data transmission (from camera to the network) where authorised External Hard Disk Drives – disabled Memory cards – disabled Mobile Phones – disabled MP3 Players – disabled PDAs – enabled for authorised devices Modem devices (e.g. mobile broadband, etc) – blocked unless specifically authorised for remote access or IT support.
5. Monitoring and Audit The Trust will regularly monitor and audit its use of mobile devices and removable media for compliance with this policy. The use of technology will be regularly reviewed to ensure that latest up-to-date hardware and software is used to maintain the highest standard of security. The audit will: Identify areas of operation that are covered by the Trust’s policies and identify which procedures and/or guidance should comply to the policy; Follow a mechanism for adapting the policy to cover missing areas if these are critical to processes, and use a subsidiary development plan if there are major changes to be made; Set and maintain standards by implementing new procedures, including obtaining feedback where the procedures do not match the desired levels of performance; and Highlight where non-conformance to the procedures is occurring and suggest a tightening of controls and adjustment to related procedures. The results of audits will be reported to the Assurance Risk Committee. Failure to follow the requirements of the policy may result in investigation and management action being taken as considered appropriate. This may include formal action in line with the Trust’s disciplinary procedure.
IGP0005
7
Appendix A : Authorisation Form for Request to Use Mobile Devices and Removable Media ICT Ref No:
Requester Details Name: Job Title: Department:
Tel Extension No. PC ID No. Location/Site
Removable Media Device requested (Tick Box)
□ □ □ □
USB Memory Stick Memory Card CD/DVD PDA/Blackberry
□ Floppy Disk □ External Hard Drive □ ZIP/DAT Drive □ Laptop/Tablet PC
□
Other (Specify) …………………………………………..
Purpose:
Declaration: I have read and agree to abide by the Mobile devices and Removable Media Security Policy Requestors Signature: ………………………………………….. Date:
……………………………………………
Authorisation: I authorise the purchase of the above removable media device for the purpose specified. I confirm that I understand my responsibility for the management and oversight of this device accordance with the Mobile Devices and Removable Media Security Policy. Name : ………………………………………………………………. Title : …………………………………………………………………. Signature : ……………………………………………………………. Budget Code : ………………………………………………………… Date : ………………………………………………………………….. IT Services Use: Device Make/Model: Device Serial Number: Issued by : Date:: Approved by Information Governance Yes/No
IGP0005
8
