Information Assurance Strategy. NHS Lanarkshire

Transcription

1 Information Assurance Strategy NHS Lanarkshire Issue 4 Issue 4 Page 1 of 15

2 Document History Date Author Change Version No. 2/1/13 James Cardwell- Initial draft 0.1 5/1/13 James Cardwell- Incorporating some comments from Dave 0.2 Philpott. Further detail added into section 8. 7/1/13 James Cardwell- Further detail added into section 9. Further comments from Dave Philpott. Then distributed to Dr Harpreet Kohli, Dr Philip McMenemy, Craig Tannahill and John Duncan on 8 th January /1/13 James Cardwell- 25/1/13 James Cardwell- 30/1/13 James Cardwell- 19/2/13 James Cardwell- for review and comment. Document updated following input and comments from Dr Harpreet Kohli, Dr Philip McMenemy, Craig Tannahill and John Duncan. Distributed to IG Committee members on 18 th January. Document updated following further input from John Duncan, Craig Tannahill and members of the IG Committee. This version to be presented to IG Committee on 29 th January for approval. Inclusion of comment from Gavin Cox. IG Committee final review and endorsement at IG meeting on 29 th January. Issue 1 document prepared ready to go to CMT on 14 th February. Inclusion of comments from CMT. Issue 2 document prepared to go to NHSL Board 27 th February. 27/2/13 James Cardwell- Endorsed and approved by the NHS Lanarkshire Board. 14/5/13 Craig Tannahill Review date added, comment received from Internal Audit 25/02/2013 Craig Tannahill Reviewed Sections 3, 8.4, 9, 10 and new section 11 addded Issue 1 Issue 2 Issue 2 Issue 3 Issue 4 Contributing Author / Authors CONSULTATION AND DISTRIBUTION RECORD Information Assurance Project Team Consultation Process / Approval: Information Governance Committee CMT Issue 4 Page 2 of 15

3 NHSL Board Distribution: DMT s Issue 4 Page 3 of 15

4 Table of Contents 1. Introduction Purpose Context and Background Threats and Vulnerabilities Aims and Scope Aims of Strategy Scope of Strategy Vision and Strategic Principles Benefits Strategic Focus and Action Leadership and Governance Information Risk Management Policy and Operations Monitoring and Compliance Implementation Next Steps Issue 4 Page 4 of 15

5 1. Introduction NHS Lanarkshire (hereafter NHSL) believes that the effective collection, storage, security, dissemination and use of information are fundamental to the safe treatment and care of patients. NHSL recognises its duty of care, at both an individual and corporate level, to ensure that personal and business information is used wisely and well as well as responsibly and with care. NHSL has, under its ehealth Strategy and Delivery Plan, made significant investment and progress in recent years to transform and improve the availability, integrity and confidentiality of information. NHSL s current structures and processes enable considerable sharing of information. However the information sharing landscape is changing quickly. The Scottish Government and the general public are demanding greater openness and transparency all at a time when the public are more anxious about the ubiquitous use of their data. The Board understands this changing environment and the need to provide confidence that information is held securely, appropriately, maintained accurately and is available when necessary. Therefore NHSL will now build on this position and fully develop and implement an Information Assurance Strategy. In essence, the term information assurance is used to describe confidence in the processes, systems and management to ensure the appropriate levels of availability, integrity and confidentiality of information assets. This is further defined as; Availability - to ensure that the right information is available to the right people at the right time; Integrity - to ensure that the data held is correct, current, and can only be modified by authorised users with clear audit trails; Confidentiality - the protection of information from unauthorised disclosure and ensuring that information is adequate, relevant and not excessive in relation to the purpose for which it is required and not kept longer than is necessary than the period that it is required. This also reflects the sensitivity of much of the information that NHSL requires to deliver its services safely, efficiently and diligently. 2. Purpose The purpose of this strategy is to formally set out the strategic direction and guiding principles for establishing and embedding an information assurance capability and culture across NHSL. This document includes an outline of the key areas of strategic focus and action. These areas are expressed at a high level however they will be supported in due course by an implementation plan and measurement framework. Together these documents set out NHSL s intent and plans around leadership, governance, risk management, policy, operations, monitoring and compliance of effective information assurance. Issue 4 Page 5 of 15

6 3. Context and Background In November 2011, the Scottish Government communicated to all NHS Board Chief Executives, its strategic direction for the development and embedding of an Information Assurance culture across NHS Scotland. This national strategy and approach supports the Scottish Government s ehealth Strategy and is pivotal in enabling NHS Scotland s Quality Strategy and its desired outcomes. NHS Board s are required to deliver against the principles and commitments set out in the national strategy and approach. This policy agenda has been determined against a background of transformational change across government departments, agencies and the voluntary sector. Advances in technology and the requirement that public services are designed and delivered around citizens are driving greater joining up of systems and the information they hold. This context means that on an unprecedented scale highly sensitive information must be shared and used with trust and confidence whilst ensuring its confidentiality and accuracy. Whilst ensuring safeguards and security, NHSL wishes to exploit the information assurance opportunities that integrated and more collaborative public (and private sector) services should provide. Such opportunities will notably avail themselves through the planned Scottish Government policy of much greater integration of health and social care adult services. NHSL information assurance strategy builds upon and aligns with; NHS Scotland Information Assurance Strategy; NHS Scotland ehealth Strategy ( ); NHS Scotland Quality Strategy; Records Management Code of Practice; Health Rights Information Scotland; Public Records Scotland Act 2011; NHSL Healthier Future Strategy ( ) NHSL ehealth Delivery Plan ( ) (part of NHSL LDP) The local NHSL IA strategy also aligns with relevant notable guidance and legislation including; 4. Threats and Vulnerabilities Data Protection Act 1998; Freedom of Information Act (Scotland) 2002; Caldicott Guidance; Information Commissioners Office. The pace of change in the ICT environment over the last twenty years has been phenomenal. This unprecedented development in ICT has opened up new frontiers and opportunities in healthcare but also it has brought significant threats and vulnerabilities to NHS organisations. New approaches to the sharing of information, including the increasing use of wireless devices and equipment combining different types of media, presents significant new threats to information and information systems. Issue 4 Page 6 of 15

7 The ability to invade (i.e. obtain access to data without changing it) attack and disrupt from distance coupled with malicious activity and intent is a serious concern. NHS organisations information and systems have become more vulnerable as increasing sharing of information across organisational and physical boundaries takes place. Any such incidents of attack or misuse of information quickly harm public confidence. It s for these reasons that a new approach to information governance and assurance is required that will be sufficiently flexible to anticipate changes to the way in which organisations and people use ICT to deliver patient and administrative benefits. The NHSL strategy places information assurance at the very centre of the organisation and its day to day operations. 5. Aims and Scope 5.1 Aims of Strategy This strategy aims to; Guide improvement in three broad areas: availability, integrity and confidentiality of information so that the management of information is an integral and effective part of normal robust business processes and day-to day operations; Build and develop an information assurance framework across the organisation; Ensure the trust and confidence of the public, patients and NHSL employees; Ensure that NHSL gets the best out if its information and develops its use, confident that the risks associated with collecting, holding, using and sharing information are well managed; Strike a balance between principles of corporate governance and public accountability, placing importance on confidentiality and security arrangements to safeguard both personal and business information. This Information Assurance strategy reflects the increasing value and importance of information to NHSL and the collaborative way in which it is now and will in the future be used and shared. 5.2 Scope of Strategy The strategy covers a wide range of different parties, functions and bodies including; All staff that collect, use and handle person identifiable or commercially sensitive information in the course of their day to day duties. NHSL Staff groups include clinical, non clinical, property and support services (including PFI staff); Electronic and paper records held by NHSL; Involvement with other partner agencies, independent contractors and external agencies. Issue 4 Page 7 of 15

8 6. Vision and Strategic Principles NHSL aligns to and shares the same vision of information assurance as the wider NHS Scotland. Its vision is stated; That NHS Lanarkshire gets the best out of its information; moves forward and develops its use, confident that the risks associated with collecting, holding, using and sharing information are well managed. NHSL s arrangements carry the trust and confidence of both patients and employees. NHSL will continue to move towards an Electronic Patient Record across all care settings. The EPR will be a virtual record and will be delivered through a clinical portal as the means of viewing agreed clinical summaries from a variety of systems. The guiding strategic principles for information assurance by NHSL are; That it believes that accurate, timely and relevant information is essential to deliver the highest quality healthcare. As such, it is the responsibility of all NHS Lanarkshire s employees to ensure and promote the quality of information and to actively use information in decision making processes; That it recognises the need to share patient information internally, with other NHS Boards and with key partners, in a controlled manner consistent with the interests of the individual and, in some circumstances, the public interest; That data will be shared based on the Data Protection and Caldicott principles; To work with other Boards as required to ensure consistency and best practice across all NHS Boards and to ensure joint working with partner organisations locally and nationally; Work collaboratively locally and nationally to ensure that systems are in place to make information more accessible at the point of delivery i.e. single sign on, whilst recognising the importance the person s rights to privacy. The vision and its principles map with the wider NHS Scotland, the strategic actions and implementation plan will reflect the local Lanarkshire status and situation. 7. Benefits A number of benefits will flow from the implementation of this strategy including; Quick easy access to information, enabling front line staff to spend more time focused on patient care; An increased level of trust, confidence and comfort in sharing information across care settings, with multi agency partners and third party contractors; Reduced security breaches and the costs of investigation; Improvements in data quality; Standardisation of health records; Improved protection against clinical, reputational, legal and financial risks; Issue 4 Page 8 of 15

9 Greater public and staff confidence in NHSL handing and storing their personal data; Building a greater level of knowledge and awareness of information security across NHSL; Improved risk assessment of threats and the vulnerability of critical assets which will allow a more informed and discriminating approach to risk migration and control. 8. Strategic Focus and Action Section 8 outlines the key areas of strategic action that NHSL intends to focus on in order to deliver its vision and strategic aims for information assurance. In order to achieve the strategic aims and remain consistent with best practice, the development of Information Assurance at NHSL will be focused around four core areas; leadership and governance, information risk management, policy and operations and monitoring and compliance. This section highlights some of the critical activities and actions within each of the areas of best practice. This does not represent an exhaustive list but signposts to the key areas of attention required to improve the availability, integrity and confidentiality of information so that the management of information becomes an integral part of normal business processes and operations. In some cases, a number of the actions or initiatives have been initiated through the ehealth Delivery Plan (e.g. single sign on, privacy breach detection). The table included on page 12 together with the supporting implementation plan provide further detail and a timetable for delivery. 8.1 Leadership and Governance Board and CMT Objectives - information assurance will become a component part of the NHS board s score card objectives. Whilst Information Governance and ehealth are already an integral part of the NHSL Local Delivery Plan, each member of the executive and corporate management team will now have information assurance included within their personal performance objectives. Clinical Leadership - the need for strong clinical engagement and leadership will be a key component of the change management process for embedding information assurance across the organisation. The Caldicott Guardian, Chair of the Information Governance Committee, Director of Nursing and Medical Director will work together with the NHSL ehealth Clinical Leads to establish an engagement programme to cover all clinical staff groups across all care settings (including independent contractors). The associated governance process will be strengthened and include increased clinical membership. The effective integration of information assurance and clinical governance will enable improvements in the use of information to support clinical decision making and enhance performance. Human Resources Contractual Documentation whilst employee contracts currently include data protection /confidentiality / information governance statements, this will Issue 4 Page 9 of 15

10 be broadened to include information assurance. Job descriptions will be amended to reflect the individual s responsibility to comply with information assurance. Staff engagement and communications meaningful engagement of staff at an operational level will be crucial to embedding of information assurance across NHSL and with its partners. This communication and messaging to promote a culture that values and protects information will come actively from the Executive team and other clinical leaders. Part of the activities of influencing behaviour will come through much clearer messaging, training, deterrents and sanctions that may be applied where appropriate. 8.2 Information Risk Management Board Governance this strategy affirms the importance and intent that for information assurance to become a reality across NHSL then strong visible leadership at board level is essential. It is also recognised that responsibility goes far beyond the Board and includes the Caldicott Guardian and Information Asset Owners (IAO). The role of the IAO is vital in supporting the IA framework and providing expertise to NHSL staff on information assurance issues. IAO s will be required to provide input to, and support the ongoing maintenance of the information asset register. Whilst the implementation planning will look in detail at the necessary structures and responsibilities to deliver and govern information assurance this strategy proposes that a Non Executive Director takes a leading role for this critical area. Risk Management Framework this framework and supporting process will be aligned to the Board s corporate risk management framework and link to local clinical service plans. This will allow NHSL to identify, manage, action and learn from the risk experiences and have mechanisms in place for highlighting areas of risk and actions to be taken. The approach to risk management will be proportionate but ensure structured and clear understanding of risks, threats, vulnerabilities, probabilities and impacts. The profile of such key risks will be visible at CEO, CMT and Audit Committee level. Information Asset Register A full information asset register will be developed and linked to the Disaster Recovery and Business Continuity plans. The information asset register will record all information assets, identify ownership for each information asset, document associated risks to assets and provide details of risk mitigation. Information Breach Reporting and Risk Assessment Potential and actual breaches will be identified and reported in a structured manner and information governance breaches recorded through the Datix system. The reporting of IT faults will continue to be triaged through the IT helpdesk, potential security breaches will be recorded on Datix. Quarterly risk assessments will be held with the Senior Information Risk Owner supported by the network of Information Asset Owners. This process is designed to drive behaviour change and ensure greater collective and active responsibility for the management of risks. Whilst technical risks and vulnerabilities in areas such as IT infrastructure continue to be current, NHSL recognises the need and intend to place Issue 4 Page 10 of 15

11 further focus around behavioural and culture change (management of information, its storage, its risk and importantly greater use to benefit patient care delivery). 8.3 Policy and Operations Policies and Procedures - the strategy will ensure that there are proportionate policies, procedures and protocols established with the required acceptable standards. These will be articulated to employees and partners, ensuring that roles and responsibilities are clearly understood. Policies will be readily available on First Port and where appropriate issued via Net Consent. IA standards and procedures will continue to evolve and will remain current and relevant with NHS Scotland national directives and local NHSL objectives and priorities. Education, Awareness and Training the education and training of staff will be fundamental to ensuring effective information assurance. Such a programme will be developed and delivered to ensure that staff are informed, kept up to date, have access to and are given the appropriate advice and support when required. Through the training and awareness programme front line staff will understand how IA will have a positive impact on how they work, enabling improvements in areas such as consistency in record keeping, reduction in record duplication, easier sharing of information, and building on existing good working practices. It will be important that key personnel have the necessary knowledge, experience and resources to support staff to design and implement information assurance at a local level. Current initiatives such as DOTS and Flying Start and information assurance awareness elearning for delivery of training will be built upon. NHSL will share the IA strategy with key partners with responsibility for education of professional staff including University of the West of Scotland. Data Quality There is a strong recognition that improvements in data quality bring significant healthcare benefits, these benefits will drive better clinical decision making, patient outcomes and greater public confidence in their interactions with the NHS as well as financial efficiency. Both clinical and administrative staff groups require greater confidence in the quality of data coming into and out NHSL. Information Assurance Capability NHSL currently has limited resources, capacity or capabilities to meaningfully embrace and embed information assurance. A broad range of capabilities will be designed and developed to cover the IA elements that need to be embedded within all parts of NHSL everyday business processes. These IA Capabilities will including knowledge, expert advice, performance benchmarking, systems, processes, structure, training and cultural change. At the heart of the strategy and its implementation would be the intent to create a network of Information Asset Owners to undertake an IA champion role and become a central liaison point for advice and communications across care setting and different departments. Patient Record Chronology whilst NHSL wishes to provide greater electronic access for patients into their records, this is seen as a longer term opportunity. The short to medium priority will be clinician-to-clinician interaction in improving the accuracy and quality of the patient record. The first step in this process is to build a chronological Issue 4 Page 11 of 15

12 history of the patient with data from different sources. This would provide significant immediate clinical treatment and care benefits. Technologies and Systems new technologies will bring opportunities to modernise working practices. They will provide staff with new ways of working i.e. the community nurse working remotely in patient s homes using smart phones and tablets to capture information, record diagnostics, update records in a timely fashion, having patient information instantly accessible and stored in a secure manner. Such opportunities also bring threats and so it s critical that staff, patients and the public are assured of security and confidentiality of the data that is held on their behalf. A key feature of IA is confidentiality and security together with the need for access; the full implementation of a system of single sign on replacing the current proliferation of usernames and passwords that are used by staff that access multiple systems will be a major strategic objective. Third Party Involvement all parties acting on behalf of or working with NHSL will adhere to the Information Assurance strategy. They will be required to sign Information Sharing Protocols and/or Non Disclosure Agreements therefore ensuring adherence to this strategy and to the Data Protection Act In association with NHSL Partner agencies, Information Assurance will either be a component part of Service Level Agreements (SLA s), non-disclosure agreements and / or Information Sharing Protocols. 8.4 Monitoring and Compliance The Information Assurance Strategy will require that there are sufficient systems and organisational infrastructure and resources in place to ensure that monitoring, review and compliance are achieved. These systems will be required to ensure effective compliance and provide positive assurance that NHSL Board policy is being governed and implemented in accordance with the vision, strategic aims and benefits. These systems include: Monitoring and Audit regular internal and external monitoring and audit will be undertaken against the IG toolkit, Public Records Scotland Act 2011 and Information Commissioner requirements and standards. Standards will need to be reviewed to ensure alignment with Board level information assurance expectations and compliance. Privacy Breach Detection - additional audit and monitoring functionality will be enabled with the introduction of a Privacy Breach Detection System. This will allow a centralised approach and oversight of the monitoring, audit and detection of potential privacy breaches. Privacy Impact Assessments (PIA s) - PIA s will continue to be utilised but mandated directly into the process of process change. Information Asset Owners will be central in the management and completion of PIA s. Information Governance Walk Rounds regular walk rounds by Executive and CMT individuals involving the support from a network information governance champions (to be developed). Issue 4 Page 12 of 15

13 Table 1 Development of Information Assurance; Key Areas of Activity and Action Leadership & Governance Information Risk Management Policy & Operations Monitoring & Compliance People & Culture Board and CMT IA objective Clinical engagement Staff engagement & comms Clear lines of accountability and oversight Local Data Sharing Partnership Board governance for IA Education, awareness and training Data quality Clear structure, roles and responsibilities Information Assurance capability Internal and external audit Processes & Procedures Human resources documentation Disaster recovery Patient history chronology IG walk rounds and audits Job descriptions Asset register Data sharing protocols IG, PRA and ICO standards Business continuity Third parties controls Breach detection and reporting Corporate records management Patient access to records Risk management framework Whistle Blowing Systems & Technology ehealth and IA strategy incorporated into LDP Fair warning - Privacy Impact Assessment Risk reporting through Datix system Single sign on software Remote & mobile working Security software IG toolkit compliance Systems audit and monitoring Explanatory context and narrative is provided in Sections 8.1 to 8.4 for the items in bold. Issue 4 Page 13 of 15

14 9. Implementation The scope of the Strategy and the scale of delivery required are significant and it will be practical to implement in stages. Therefore sitting alongside this strategy will be a transition and implementation plan. Transition will reflect activities and actions that can be considered in some cases as quick wins, some that require swift partial completion or require early set up. Many of these transition activates could be progressed as part of business as usual. Implementation will reflect activities that require development and completion over a longer period (i.e. 12 to 18 months). In many cases this work should be progressed will an appropriate level of project management and oversight. This plan will cover the following areas; Description of the action and its associated standard required Action owner Completion dates A review of future governance arrangements will be included as part of the strategic actions. Subject to the outcome of those discussions, the IA Committee will continue to take overall responsibility for the Information Assurance Strategy and oversight of its implementation. It is planned that the Information Assurance Strategy will be reviewed, consulted upon and formally approved by the IA Committee, Corporate Management Team and then the NHSL Board. The ultimate sign off would reside with the NHSL Chairman, Chief Executive, Medical Director and Caldicott Guardian. Subject to the necessary approvals, a full programme of staff engagement would be developed and launched. It is anticipated that to fully implement the requirements of information assurance, that there will be a resource impact. This will be quantified as part of implementation planning. Roles and responsibilities for further design, planning and early transition activities will primarily be managed and co-ordinated in the short term by the Information Assurance Project Team and any successor organisation. A tracking and monitoring and will be established as part of the implementation plan to support the implementation of the IA strategy. This will help highlight issues and demonstrate progress. 10. Next Steps The next steps planned are as follows; IG Committee review and approval of the IA Strategy 29 th January CMT review and approval of the IA Strategy 14 th February NHSL Board review and approval of the IA Strategy 27 th February Review date February 2014 Reviewed February 2014 Next Review Date February 2016 Issue 4 Page 14 of 15

15 11. Guidance Review Author Author s Job Title Division Department Craig Tannahill Information Governance Manager Corporate ehealth/ict Version number Issue 4 Ratifying Committee Information Assurance Committee Ratified Date 4 th March 2014 Review Date March 2016 Manager responsible for review Manager Job Title Key words General Manager ehealth General Manager ehealth IA Strategy Issue 4 Page 15 of 15