NHS Fife. Your Risk - Information Governance and Security Survey

Transcription

1 NHS Fife Your Risk - Information Governance and Security Survey Prepared for NHS Fife September 2014

2 Audit Scotland is a statutory body set up in April 2000 under the Public Finance and Accountability (Scotland) Act We help the Auditor General for Scotland and the Accounts Commission check that organisations spending public money use it properly, efficiently and effectively.

3 Contents Background... 4 Findings - Survey Results... 5 Survey Response... 5 Awareness of good practice... 5 Areas for improving knowledge and awareness... 5 Conclusion... 6 Management Action... 7 Acknowledgement... 7 Appendix A - Action Plan... 8 Appendix B - Questionnaire... 9 NHS Fife Page 3

4 Background Background 1. Your Risk (YB@R) is a web-based survey that helps bodies quickly assess procedural, cultural and ethical compliance risks that have the potential to undermine the effectiveness of their information governance policies. 2. The Graham Committee report on the Standards of Conduct in Public Life and the Standards Commission for Scotland endorsed this type of tool and recommended that a survey of this type be used throughout the whole of the public sector. 3. Effective information governance always comes down to people and behaviours. Security policies have to be understood, accepted and integrated with, rather than bolted on to the business processes used in an organisation. 4. YB@R provides a snapshot of whether an organisation s information governance policies are achieving their objectives and can help minimise the likelihood of data loss and the consequent corrective work that would ensue. 5. Participating in YB@R will help your organisation to be able to: assess awareness of the risks associated with the use of technology gauge how well policies and standards have been understood assess the levels of Information Communications and Technology (ICT) security awareness among staff highlight areas where you may need to improve governance and reduce risk. 6. A copy of the survey questionnaire has been included at appendix B to provide context for the readers of this report. Page 4 NHS Fife

5 Findings - Survey Results Findings - Survey Results Survey Response 7. All ICT users were invited by and advertisement on the board's intranet to participate in the web based survey to assess their awareness of security issues and their role in reducing risk to the organisation. The survey was launched on Monday 19 May and officially closed on Friday 6 June The survey was advertised on the board's intranet and staff were reminded of the survey in an on 26 May. 8. A total of 528 surveys were completed, equating to 6% of the potential survey population. Although the rate of responses was the lowest that we have received from similar organisations, they were from all the directorates, which allowed us to conclude that the summary analysis below provides representation from across the organisation. Awareness of good practice 9. The survey identified a number of areas where NHS Fife staff demonstrated an adequate level of awareness of good practice, while appreciating that there is always room for improvement: 98% of those who responded would report their concerns about security at their place of work 87% would either change their computer password immediately or seek advice if they suspected that someone knew their password more than 91% appreciate the medium to high risk nature of the information they handle and the potentially serious consequences incorrect disclosure would have 86% understand that everyone within NHS Fife is responsible for information security. However, 3% stated that they did not know where responsibility lay. Areas for improving knowledge and awareness 10. The survey also identified an apparent lack of knowledge and awareness among staff in many areas, representing potential risks to the organisation. These issues merit further consideration by management as on-going information security awareness training is developed, and should inform development of future information security policies and procedures: 72% of those who responded find they need to write some or all of their passwords down, with the majority storing them in paper format, for example in a diary or organiser 63% use the same password across all of the systems that they use; while this approach offers ease of use when interacting with several systems, it is important that staff are reminded that such passwords should be complex (use a mixture of letters, numbers and special characters) and be updated on a regular basis. 11% who reported using the same password across multiple systems also use this password for private use of ICT NHS Fife Page 5

6 Findings - Survey Results 71% indicated that they lock their computer when leaving it unattended. However, 24% only lock their computers sometimes with the remaining 5% never locking them Although 96% indicated being aware of the board's policies and procedures on the use of ICT resources, 46% are not familiar with the procedure to go through if they lost a work's laptop, PDA or mobile telephone Many members of respondents incorrectly identified pieces of information which are covered by the Data Protection Act, e.g. 18% were not aware that an from an individual is covered by the Act while 14% believed that a recording of wildlife is covered 49% indicated that they have not had any security awareness training 28% have accessed a computer that was logged on with another user s access credentials. We are concerned to note that 2% stated that this was without the other user s permission Only 77% would inform management if they found a way to over-ride security features, a significant number (22%) would do nothing. The remaining 2% stated they would use this knowledge Although responses indicated that a significant number of respondents share personal information using higher security practices, such as sending information by courier mail, recorded and special delivery, 38% indicated they share personal information by insecure means, e.g. standard post or electronically without any encryption. 34% do not know whether information shared with external organisations is given a higher level of security or not 9% advised that they used personal accounts to access confidential information when out of the office, while 31% indicated that they use removable storage such as memory sticks or CDs, including 24% who refer to paper copies of confidential information when out of the office. Conclusion 11. Overall, the low response rate was disappointing. However, on the basis of the survey, although the profile of results demonstrates that there is some information security awareness within NHS Fife, a number of areas have been highlighted that should be addressed to improve overall staff awareness of information security. 12. A high level of information security awareness is the first step to changing behaviours and establishing effective information governance within an organisation. The full results from the survey have been submitted to management for detailed review to assist with the improvement of information governance through increased information security awareness within the board. Page 6 NHS Fife

7 Findings - Survey Results Management Action 13. The overall finding from our survey has been included in the accompanying Appendix A. Planned action, responsibilities and timescales for action in response to the identified risk exposure have been provided by management. Acknowledgement 14. The contents of this report have been discussed with relevant officers to confirm factual accuracy. The co-operation and assistance we received from board officers is gratefully acknowledged, in particular the assistance afforded to us by Elena Beratarbide (ehealth Quality & Performance Manager) during the course of our survey. NHS Fife Page 7

8 Appendix A - Action Plan Appendix A - Action Plan No. Audit Finding Risk Proposed Management Response & Action Responsible Officer and Date 1 Our survey of ICT There is a The response rate was low, Elena users identified an risk of loss therefore a balanced Beratarbide apparent lack of of approach should be taken knowledge and awareness of information security among staff in many areas, representing potential risks to the board. The results of our survey can assist management in their drive to improve knowledge and awareness. information which could have serious legal and reputational implications for the board. around the validity of the assumptions on a Board wide basis. A newsletter will be produced which outlines staff responsibilities in relation to password security, reporting of breach procedure and offering departmental training session by the Board IG / IT Security Officers. The IG & IT security officers will continue - Newsletter issued via corporate communication by 31st October Corporate induction (Ongoing) to deliver awareness sessions at the Board Corporate Induction events. Page 8 NHS Fife

9 Appendix B - Questionnaire Appendix B - Questionnaire Q1 Q2 Q3 Q4 Q5 Q6 Do you feel it is necessary to write some or all of your passwords down? Yes because they are too complex Yes because I have too many to remember Yes, because the passwords to different systems expire at different times No If yes, how do you store them? Locked away (for example in a locked desk drawer) Stored electronically - on a network Stored electronically - on portable media (for example memory stick) Written down (for example in a diary or organiser) Stored electronically in a encrypted password protected file, document or database What would you do first if you suspect that someone knows your password (for example someone watched you type your password in)? Change it immediately Ask someone for advice Contact your help desk and report them Contact your help desk and ask them to change all your passwords Do nothing How often do you voluntarily change your passwords (that is before the system prompts you)? Never Weekly Monthly Every two months Between 3-6 Months More than 6 months Other Do you use the same password for more than one system that you use at work? Yes - where possible No Do you use the same password for the systems you use at work as you do for your personal systems (e.g. personal , banking, Facebook)? Yes No NHS Fife Page 9

10 Appendix B - Questionnaire Q7 Have you ever used or accessed a computer that has been logged in under someone else s password Yes - with their express permission Yes - without their express permission No Q8 Do you lock your computer when leaving it unattended? (for example CTRL+ALT+DEL, screensavers or smartcards) Always Sometimes Never Q9 You receive a call from an IT help desk operator about a problem you ve been having with your PC, what information would you give them if asked? (please tick all that apply) Your name Your staff number Your password/s Your logon id / username Asset Number / sticker (located on pc or laptop) Refuse or obtain their telephone number and call them back Q10 You receive an telling you of a new corporate system and asks you to open a web page and log on using your network user name and password. This is the first you have heard of this system - what would you do next? Open the site and log on to the system Check with your colleagues/manager to see if they are aware of the new system Check with your IT help desk Ignore it Q11 If you find a way to over-ride security features on your computer, would you? Use this knowledge Report it to the IT help desk Do nothing Q12 Have you seen someone viewing inappropriate material on their work computer? Yes No Page 10 NHS Fife

11 Appendix B - Questionnaire Q13 Q14 If you answered Yes to the previous question, what did you do? (Please tick all that apply) Reported it to IT help desk Reported it to your manager Reported it to their manager Spoke to them personally Nothing If you saw one of the following individuals accessing inappropriate material on their work computer, what would you do? Report it Speak to them personally Do nothing Someone in the office you don't know A good friend Your manager Q15 Q16 Q17 Are you aware of your organisations policy and procedures about the use of IT resources such as: internet, and telephones? Yes No Which of the following are covered by the Data Protection Act? (please tick all that apply) from an individual from HM Government Photo of a building Audio recording of wildlife Handwritten notes made during a job interview Audio recording of an individual Photo ID / passport Handwritten notes taken during a lecture If your job requires you to share personally identifiable information (internally or externally), how is this shared? (please tick all that apply) Electronically transmitted Electronically transmitted - Encrypted Electronically transmitted via secure system (for example GSI) By courier mail By Recorded delivery By Special delivery By standard post Collect or deliver in person NHS Fife Page 11

12 Appendix B - Questionnaire Q18 Q19 Q20 Q21 Q22 Which of the following items do you consider to be personal data? (please tick all that apply) An address written on a post-it note Your surname Your address Your pay number A photo of you and your colleagues taken on a work night out Your opinion published anonymously in a departmental survey or report Your anonymous notes from a performance review meeting that you conducted A tweet or blog-post with anonymised comments about a rare clinical case within your town Hand-written notes/actions taken during a departmental meeting Is shared information given a higher level of security if it is sent externally as opposed to internally? Yes Sometimes No Don t know If the information you use every day was incorrectly disclosed, do you think this would be? Low risk - little or no consequence Medium risk - limited consequence High risk - serious consequence If you access work related confidential information when out of the office, how is the information accessed? (Please tick all that apply) On your corporate network (for example Virtual Private Network (VPN)) Work Laptop / PDA Own equipment (for example via web based corporate site) Internet cafe Via personal (for example mailing documents to a private account) USB Pen Drive Other removable storage (for example CDs, media cards) Paper copy Other If you use a USB Pen Drive to access sensitive or confidential workplace information when out of the office, or to transfer it between computers, is the information on the Pen Drive encrypted? Yes - always Usually Never Page 12 NHS Fife

13 Appendix B - Questionnaire Q23 Q24 You receive a free promotional CD at your work address - what would you do first? Take a look at the contents on your work PC/laptop Contact your IT help desk for advice Pass it to your line manager/management Throw it away Take a look at the contents on your home PC/laptop For the following 4 scenarios - What would you do first if you found a CD on your work desk? (please tick one box per scenario): Put it in Contact Pass it to Put it in Look at it your PC your IT your line the bin at home help desk manager/ managem ent With your organisation's name/logo? Draft Restructuring Plan? Department Salary Report? Un-labelled Q25 Q26 Your desktop or laptop is destroyed and you are sent a replacement - how will the data be restored? It wouldn t as I hadn t backed it up From my own local back-ups From the network From attachments A mixture of the above My data is not critical (doesn t need to be backed up) Don t know You find a memory stick (USB flash/pen drive) - What would you do first? Refer to policy and procedures held on the Intranet Try to find the owner by checking the files on the drive Delete the files keep and use for personal use Contact your IT help desk Ask everyone in the office if they have lost a pen drive Leave it at reception Pin a notice on your notice board Other NHS Fife Page 13

14 Appendix B - Questionnaire Q27 If you found a memory stick, would you place it in your computer if you Yes No Found it in the car park? Found it in a communal area inside your building? Found it on your desk? It had your organisations logo on it? It was labelled [Your Department Head] Personal files? Q28 Q29 Q30 Q31 Q32 What would you do if you lost or mis-placed a removable media device (for example USB / CD) which contained information? - Do nothing Refer to policy and procedures on the Intranet Report it to the helpdesk Report it to your manager Are you aware of the procedures to be carried out if you lose your laptop, PDA or work s mobile? Yes No How would you describe your organisation s IT security policy / procedures?? Very good Good Adequate Poor Very poor Don t know Who is responsible for IT security in your organisation? Everyone Central IT Dedicated IT security department/personnel The board Don t know Have you had any security awareness training? Yes No Page 14 NHS Fife

15 Appendix B - Questionnaire Q33 Q34 What would you do if you are concerned about security (at your place of work) - would you report it? Yes No If yes, who would you report the security breach to? Line manager Help desk IT Manager Other NHS Fife Page 15