NY&H CSU Service Specification IMT Service SAMPLE ONLY

Transcription

1 SAMPLE IT SERVICE SPECIFICATION IG, NHS Mail Support, Clinical Safety (ISB160) and R.A. services North Yorkshire & Humber Commissioning Support Unit DATE: 23 September 2014 AUTHOR: STATUS: Doug Scott For Example use only

2 IMT Service Customer organisation: NHS England North Yorkshire & Humber Area Team Services Covered IG, NHS Mail Support, Clinical Safety (ISB160) and R.A. services In Scope: NHS England commissioned IMT support & IG services for GPs and other primary care contractors. Out of Scope: GP IMT core and additional services (CCG Commissioned) Customer Lead Contact: Provider Lead Contact: Version Control Version Date Status Amendments /10/2012 Draft /10/2012 Draft Inclusion of allocated days, Simplify Hosted Applications, C&B support service line option /11/2012 Draft Numerous revisions from customer feedback. Add IGT level 2 to Quality standards. Addition of Information Governance Framework. Modification of telephony support, Tidied up format of schedule A and C. Defined GP IT operating model requirements (GP IT Spec). Added KPI for lessons learned reports for business critical incidents /12/2012 Draft Updated KPIs 1 04/03/2013 Revisions throughout to incorporate detailed customer feedback and service feedback to allow KPIs to be operationalized, Rework calculation of available days. 2 30/04/2014 Revised Revised to cover new GP IT op model. Exclude NHS Mail support and IGT support for GPs

3 2.1 Jul-14 Revision Comments from reviews with CCGs & customers Table 5 includes Assets in Key activity data Enhanced data backup options & priority system tagging (for DR) Expanded IG specifications, Quality standard Custom addition catalogue item capability added Simplify categories for supported device counts 2.2 Jul-14 Revision Revision of OOH oncall catalogue item Modification of NHSMail, N3 and RA service catalogue items - revise impact of cessation of national funding Notice on planned downtime extended for critical systems Table 8: option to pool allocated days by mutual agreement reference third party audit assurance on data backup compliance 3.3 Added vendor access request response times 9. Right of continued use of provider developed applications commissioned by customer on termination of agreement 3.3 Qualified liabilities for application vendors work 2.2 Sep-14 Revision Revision of Telephone response KPI and inclusion of non-telephone response KPI Service Reference Service Name NHS England NYH AREA TEAM (GP)

4 Key Service Outcomes Service Reference # Key Outcomes to be Achieved 1. The customer is able to incorporate IMT solutions into its business strategies in a way which supports business development, innovation, effectiveness and efficiency 2. Customer information is stored and managed in a manner which is safe, secure and legal.

5 Table 1: Detailed Services Descriptions and Outputs Service Line Catalogue Reference Service Description Dependencies Scope, Volume, capacity KPIs, Quality Standards, & Activity IMT IT Service management 1.1 Service Desk and desktop support Provider Responsibilities Provision of a IT service desk accessible via telephone, or web interface Resolve faults by telephone advice, remote technical support or by site visit for all provider supported applications, services and IT infrastructure Provide customer with incident call reference number. Provide core service between 0800 and 1700 hours Monday to Friday excluding English Public Holidays Provide access to service desk database information on customer incidents. Inform Customer of any planned system / infrastructure downtime where this may affect whole sites, or whole services or whole critical or clinical applications service desk activity reports on metrics in table Support for locations and departments/practices specified in table 7 and numbers of staff and devices specified in table Publish to customers minimum dataset required to log incidents with service desk to enable efficient processing of the incident Customer Responsibilities Report all IT incidents and requests for change to the IT service desk by telephone, or web interface Provide service desk with required dataset to allow the correct recording of incident/request for change Allow Provider IMT staff reasonable access to premises and IT equipment to allow incident resolution to take place When escalating logged incidents to provide the incident reference number Ensure staff take appropriate action when advised of IT service downtime D11 D12 D13 D14 D1 K2 K3 K4 K5 K8 S1 A1 A2 A3 A4

6 IMT IT Service management 1.5 NHSMail Services Provider Responsibilities Processing of New account, Amend account, Close account and shared resource account requests and assigning correctly configured user accounts Limit customer staff to one individual NHSMail account per person Provide NHS Mail accounts for organisation functions where reasonably required Maintain limits on NHSMail mailboxes to protect the system performance and data Close and archive NHSmail accounts for staff who have left the customer organisation Provide all staff with access to their NHS account from any desktop PC or laptop connected to the supported IT infrastructure Support for number NHS Mail Accounts above those specified in the table Support customer in the setup and configuration of shared resource and distribution lists Provision of network based archiving solution, subject to available IT infrastructure Advise on national changes to the NHS Mail service and expected impact for customer Provision & configure (but not populate) automated and manual distribution lists on request where technically and operationally feasible services other than NHSMail are not supported Providing reports on live access accounts to assist in customer IT security audit and compliance In the event of central (NHS/DH) funding or eligibility of NHS Mail services for the customer continuity of this service will cease unless an alternative funding and/or an alternative solution is agreed between provider and customer Customer Responsibilities Correct and timely completion and submission of New account, Amend account and Close account requests approved by approved named sponsor Appointment of named sponsors for authorisation of account changes Promptly advise provider when individual holding account leaves the organisation Ensure all staff use NHSmail services in accordance with the providers acceptable use of standards, the customers policies and the NHSMail acceptable use policy Enforce breaches of this policy as a potential breach of employee contractual obligations Maintain content of distribution lists to ensure effective and efficient communications and use of services. D.7 K.1 A.6

7 IMT IT Service management 1.6 NHS LSP service desk interface Provider Responsibilities Provision of a service desk accessible via telephone, or web interface Log incidents and faults relevant to supported clinical system (Table ) and log on customer behalf with HSCIC servcie desk Liaise with customer, HSCIC service desk and clincial system supplier to facillitate resolution of incident or problem Provide customer with unique provider incident call reference number Provide customer with HSCIC NINN incident number Provide core service between 0800 and 1700 hours Monday to Friday excluding English Public Holidays Provide access to service desk database information on recorded customer incidents service desk activity reports on metrics in table Customer Responsibilities Report all relevant clinical system incidents and problems to the IT service desk by telephone, or web interface Provide service desk with required dataset to allow the correct recording of incident/request for change When escalating logged incidents to provide the incident reference number. K.2 K.4

8 IMT Registration Authority 2.1 Registration Authority Provider Responsibilities Processing of New account, Amend account, Close account RA (Smartcard) requests and assigning correctly configured access profiles Produce (current) ID photographs of RA account holder and carry out identity checks to required standard Provision of smartcard, holder and lanyard as needed on issue of new cards Processing of RA electronic requests and issuing of Smartcards with appropriate access rights to staff Advising and training of staff and RA sponsors Correctly functioning smartcard readers on all supported desktop and mobile computers where smartcard enabled applications are accessed Advise customer managers and RA sponsors on appropriate configuration of business functions, completion of RA documentation and use of RA systems eg to reset PINs Agree with customer an annual plan for RA audit In the event of central (NHS/DH) funding or eligibility of R.A. Smartcard services for the customer continuity of this service will cease unless an alternative funding and/or an alternative solution is agreed between provider and customer Customer Responsibilities Correct and timely completion and submission of New account, Amend account, Close account RA (Smartcard) requests Ensure staff understand the correct use of the Smartcard Ensure staff understand the NHS Care Records Guarantee Ensure staff produce the correct original ID documents to sponsors for identity checks to be completed Complete electronic documentation correctly to support the correct usage and configuration of R.A dependant solutions Identify appropriate named individuals as RA sponsors or unlockers to authorise smartcard issue and reset user PINs Ensure requests for replacement smartcards on expiry are made in sufficient time to allow replacements to be issued to the account holder Not to use smartcards for the purpose of organisation staff ID cards including overprinting with organisation identity. To ensure staff are able to take smartcards into other NHS organisations on changing employment. D8 K.1 A.7

9 IMT Information Governance & IT Security 7.1 Information Governance Support Provider Responsibilities Advise the Customer in ensuring compliance with provider's information security standards, Data Protection Act, NHS Care Records Guarantee, Computer Misuse Act and other relevant legislation, requirements and guidance Attendance of Information Governance Manager (or suitably qualified alternative) at customer's Governance Committee meetings as requested Provide IG and IT security investigative and forensic support as part of the provider SUI and IT security incident management service Support customer in the development of relevant customer policies, operating procedures and guidance on information governance and IT security issues Advise Customer on actions required to ensure their legal compliance status with regard to software licencing Provide services up to the allocated IG days in this agreement Completion of Privacy Impact Assessments as part of new project initiation where required Publish and maintain an Information Governance portal for customer staff to utilise as a knowledge resource Customer Responsibilities Advise Provider of any information security breaches or known risks of security breaches. Act on advice given by Provider on measures needed address these breaches/risks Ensure staff are aware of and adhere to their obligations under the Data Protection Act and the organisations obligations under the NHS Patient Care Record Guarantee Not to permit any 3rd party access to any of the managed infrastructure without prior agreement of the provider this will include any supplier or person attending to provide onsite or remote IT maintenance services To be compliant with the current Information Governance Statement of Compliance (IGSOC). Not to allow any wireless technology to be used with or connected to the supported infrastructure without the agreement of the provider To maintain an Information Security policy which complies with the provider's information security standards. Where there are any noncompliance issues to discuss and agree acceptability with provider. Where the customer does not have an Information security policy they will adopt the providers information security standard as their policy. S12

10 IMT Information Governance & Security 7.3 Information Governance Toolkit Support Provider Responsibilities Operate information governance standards within provider organisation to at least IGT level 2 or equivalent Provide evidence of this ( ) as requested to customer Support the Customer with advice and consultancy on the completion of the Information Governance Toolkit for the customer organisation Maintain and provide a comprehensive Information Governance Framework Support customer with formal audit requirements regarding IGT as required Provide customer with regular IGT progress reports Provide services up to the allocated IG days in this agreement Customer Responsibilities To be responsible for the development and management of an IGT action plan required for the completion of IGT Appoint named Caldicott Guardian, Senior Information Risk Owner and Data Protection Officer IMT Information Governance & IT Security 7.4 IT Security Provider Responsibilities Monitoring and assurance of infrastructure supplied to sites and on-site IT infrastructure to ensure appropriate standards of IT security are in place to protect customer s information assets Provide services up to the allocated IG days in this agreement Customer Responsibilities The customer agrees to take reasonable precautions to ensure that provider owned equipment is protected from theft or physical damage Not to allow any wireless technology to be used with or connected to the supported infrastructure without the agreement of the provider Not to allow general public or patients access to the supported infrastructure including internet unless this is through an agreed designated infrastructure network. S12

11 IMT Clinical & Other Application Support 8.7 Clinical (system) Safety Officer (ISB0160) Provider responsibilities To oversee adherence for clinical safety and assurance requirements of ISB0160 (DSCN 18/2009) Management of Clinical Risk relating to the deployment and use of health software To ensure the requirements for ISB0160 (DSCN 18/2009) are embedded into provider managed projects for the deployment, configuration and optimisation of electronic clinical systems To provide the customer with a change control process which will assist in identifying clinical safety risks in the deployment, configuration and use of their clinical systems To develop approve and follow a Clinical Safety Policy To use agreed incident management system to managed reported clinical safety issues Carry out Clinical Safety Assessments as part of new project initiation where necessary Customer Responsibilities To fully support and engage with the provider's arrangements for the services being supplied to support ISB0160(DSCN18/2009) To provide access to specialist clinical expertise relevant to the clinical system To advise provider when new clinical systems are to be deployed IMT General Services 10.3 Complaints Provider Responsibilities Record complaints from customer. Ensure designated customer account manager is aware or dealing with the complaint. Manage complaints in accordance with CSU IMT complaints procedure Customer Responsibilities Provide all requested details to support effective resolution of a reported complaint. Log complaints with Provider within 3 working days of being aware of the problem. S.10 IMT General Services 10.4 Core Hours Provider Responsibilities Unless specifically stated above the core manned hours for all services will be 0900 to 1700 Monday to Friday excluding English Public Holidays.

12 IMT General Services 10.5 Policies & Operating procedures Provider Responsibilities The provider will make available the following National Policies - NHS Patient Care Record Guarantee - NHS Information Governance Toolkit and Statement of Compliance The provider will maintain and make available the following local provider standards & policies - Information Security Standard - Acceptable use of Internet Standard - Acceptable use of Standard - Data backup policy - Disposal & Reuse of computer equipment Standard - Warranted Desktop Inventory for hardware and software - Business Continuity Policy and Plan - Disaster Recovery Plan (IT Infrastructure) - Information Governance Framework (provider) - IMT Service Management Complaints Procedure Customer Responsibilities The customer will maintain and ensure compliance with the following: - Information Security Policy - Acceptable use of Internet Policy - Acceptable use of Policy - Disposal and reuse of Computer Equipment Policy - Mobile and home working Policy (if required) - Information Governance Framework NB where the customer develops its own policies to support it s internal contracts they will ensure there is sufficient alignment with the above National and Provider policies and standards to avoid any ambiguities for the customer and its employees.

13 Table 2. Service dependencies Dependency Ref Category Item Qualifier Number Tolerance (%) D.1 Supported Organisation Staff Supported Number of individuals (headcount) customer is responsible for in receipt of service (incl employed, contractors, agency /- 10% D.2 Organisational units Number supported organisational units 1 0% D.7 NHS Mail Accounts Active NHSMail accounts registered to customer organisation /- 10% D.8 NHS Smartcards Active NHS Smartcards registered to customer organisation /- 10% D.11 Desktop Hardware (Customer Owned) Devices - PC Desktops Supported PC Desktops 0 +/- 10% D.12 Devices - PC notebooks, laptops and tablets Supported PC notebooks, laptops and tablets 0 +/- 10% D.13 Devices - ipads Supported ipads 0 +/- 10% D.14 Printers and scanners 0 +/- 10% D.17 Software Licences (provider Owned) Anti-virus desktop software 0 +/- 10% D.18 Laptop encryption software 0 +/- 10% D.19 Remote Support software Client 0 +/- 10% D.20 Asset Management and support software Client(s) 0 +/- 10%

14 Table 3: Key Performance Indicators NY&H CSU Service Specification IMT Service SAMPLE ONLY Indicator Description Calculation Method Target (RAG Thresholds) Reporting Frequency K.1 Access Account Management Hornbill supportworks & UIM reporting Service Wide reporting 90% of correctly completed & received requests will be processed within 3 working days of receipt K.2(a) IT Service Management telephone response Telephone System statistics reporting Service Wide Reporting 90% telephone calls to service desk will be answered within 2 minutes K.2(b) IT Service Management non-telephone response Hornbill Supportworks reporting Service Wide Reporting 90% , voic or web portal incidents/request logged to service desk will be responded to within 3 hours K.3 IT Service Management first fix Hornbill Supportworks reporting Contract Specific Reporting 40% of calls to be resolved within 1 working hour of logging K.4 IT Service Management incident response Hornbill Supportworks reporting Contract Specific Reporting 90% of logged incidents will be responded to in the target response time shown in Table 10 K.5 IT Service Management incident fix Hornbill Supportworks reporting Contract Specific Reporting 85% of logged incidents will be resolved in the target fix time shown in Table 10. K.6 Critical systems availability Solarwinds reporting Contract Specific Reporting Not less than 98% planned time availability of business critical services directly delivered by provider 24/7 K.8 IT Service Management incidents over 30 days Hornbill Supportworks Reporting Contract Specific Reporting <5% of incidents & requests logged and not placed on hold are open after 30 days.

15 Table 4: Quality Standards NY&H CSU Service Specification IMT Service SAMPLE ONLY Standard Description Calculation Method Target (RAG Thresholds) S.1 IT Service management By exception Service wide 100% of requests will be logged in the service desk database and will receive a unique call reference number S.5 Business Continuity Evidence By Customer For business critical incidents (priority level 1) a Lessons Learned Report (with relevant action plan as appropriate) to be provided to customer within 2 weeks of the recorded resolution of the incident on the service desk S.9 Complaints Complaints log By customer S.10 External Accreditation Evidence Service Wide S.11 Information Governance Toolkit Evidence Service Wide 100% of complaints will be managed in accordance with the IMT Service Management complaints management procedure. Maintain accreditation for informatics standards to NHS required levels Provide services to NHS Information Governance Toolkit level 2 standards

16 Table 5: Key Activity Data NY&H CSU Service Specification IMT Service SAMPLE ONLY Activity Description Calculation Method Reporting Frequency A.1 Incidents and requests logged this period Contract specific Grouped by Incident Category (Priority) A.2 Incidents and requests closed this period Contract specific Grouped by Incident Category (Priority) A.3 Incidents and requests open at period end Contract specific Grouped by Incident Category (Priority) A.4 Incidents and requests over 30 days old open at period end A.6 Assets: Count and List of staff with open NHS Mail Accounts A.7 Assets: Count and List of staff with open Smartcard Accounts Contract specific Grouped by Incident Category (Priority) Contract specific Contract specific On Request On Request

17 Table 6: Hosted & Supported Applications Applicati on Suppli er Instanc es Practice/Departm ent Provid er Hostin g NHS Mail HSCIC 250 All No - Access Only Hosted database requireme nt Data storage allocatio n (GB) Provider Maintain ed Applicatio n Provider Supporte d Applicati on Third Party Contract manageme nt Backu ps per 24hour D.R. Restor e Priorit y OOH Suppo rt Provider hosting Costs (included in this agreemen t) Provider Application License & Manageme nt Costs None N/A No Yes No n/a n/a No 0 0

18 Table 7: Supported Locations & connectivity N/A

19 Table 8: Allocated Resources (days) NY&H CSU Service Specification IMT Service SAMPLE ONLY Outline Service Description Restrictions Days Information Governance & IT Security As required for BAU support and project support 157

20 Table 9: Third Party Service recharges and Contract Management The following recurring direct (at cost pass through) recharges are based on the known costs for services and equipment which may be incurred by the provider on behalf of the customer in delivering this agreement. Where these services are only provided for part of the year they will be charged pro-rata at cost. Where the supplier of these services alters the costs for the same service or where the customer requests amended services these will be reflected at direct cost. Where the provider enters a contract for these services on behalf of the customer, the customer agrees to be liable for the full contractual value over contract term in the event the customer ceases to require these, or this agreement ends and the provider is unable to reassign or reallocate the services or otherwise recover the outstanding costs. These costs do not include VAT where this is chargeable to the provider this will be added to the recharge costs shown Contract Supplier Shared Contract Contract Management Cost (included in this agreement) Rechargeable Costs - estimates based on known supplier charges. Per Annum. (excl VAT).

21 Table 10: Incident and Request prioritisation and target times Priority Level Incident Category Target Response Time (1) Target Fix Time (2) Typical Examples 1 High Impact (Business Critical) <1 working hours <4 working hours Where it is not possible to meet the target, apply an agreed temporary solution with an agreed timescale for a permanent solution to be implemented Total loss of access to key systems for all staff on a single site Total loss of access to a critical system for all staff Security incident involving patient records Currently active unauthorised access to clinical system Virus attack which is compromising the integrity of the application and/or database 2 Medium Impact Serious fault <4 working hours <16 working hours Where it is not possible to meet the target, apply an agreed temporary solution with an agreed timescale for a permanent solution to be implemented Partial loss of service (i.e. loss of access to clinical systems, server or network) For any clinical user loss of clinical functions e.g. prescriptions, data entry, referrals, appointments including by: - Loss of access to clinical server or network - Total loss of desktop customer access Total loss of service for single users Loss of access to clinical system printing facilities (i.e. prescriptions) Lack of access to clinical messaging Back up device failure Network degradation on LAN where performance of business essential systems is significantly degraded 3 Access Requests <1 working day <3 days From receipt of completed and authorised documentation Issuing, amending and revoking smartcards, network accounts, NHSMail accounts, group permissions, supported application access accounts (for project requests see 5)

22 4 Low impact (other Faults of Issues) <1 working day <5 working days Where it is not possible to meet the target, apply an agreed temporary solution with an agreed timescale for a permanent solution to be implemented Loss of access to support system printing facilities PC and / or printer faults resulting in impaired usage Logon / Password incidents 5 Service Requests, Queries & Advice <5 working days As agreed with Customer for individual incident/request PC application incidents, nuisance value General advice and guidance Equipment and service requests New project request, training requests, office moves Quotations etc. 1. Target Response Time: is the elapsed period between the user reporting the incident to the service desk and the commencement of investigative activity. 2. Target Fix Time: is the elapsed period between the user reporting the incident and restoration of the service. All Target Response Times and Target Fix Times exclude travel time and delays arising from any inability to access Customer s premises. Where an activity is required to be completed by the User in order to rectify the fault, the time taken to complete this task is excluded from the measurement of the Service Level. 3. Where an out of hours on-call service incident is included in this agreement see Cat. Ref. 1.3 for details on expected response and fix times.

23 Table 11: Regular Meetings with or in support of customer Meeting Name Frequency Shared Meeting NY&Y EPS Project Review Meetings (Lessons Learned) Ad-Hoc As required EPS Kick-off Meetings As required Pharmacy Engagement Events Ad-Hoc As required (about 4 per year) NYY EPS Project Board Meeting Bi-