HSCIC Audit of Data Sharing Activities:



Similar documents
HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities:

HSCIC Post Audit Review of Data Sharing Activities:

ISO 14001:2004 EMS Internal Audit Checklist & Gap Analysis

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Security Overview. A guide to data security at AIMES Data Centres. TEL: enquiries@aimes.

Guidance for audit committees. The internal audit function

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Information Governance Management Framework

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

AUDITOR GUIDELINES. Responsibilities Supporting Inputs. Receive AAA, Sign and return to IMS with audit report. Document Review required?

CCG: IG06: Records Management Policy and Strategy

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.

Third Party Security Requirements Policy

Preparation for ISO OH&S Management Systems

ISO 9001:2015 Overview of the Revised International Standard

Information Security Policies. Version 6.1

Data Quality Policy. Appendix A. 1. Why do we need a Data Quality Policy? Scope of this Policy Principles of data quality...

INFORMATION TECHNOLOGY SECURITY STANDARDS

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy

Hertsmere Borough Council. Data Quality Strategy. December

Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF)

IS INFORMATION SECURITY POLICY

Data Access Request Service

CloudDesk - Security in the Cloud INFORMATION

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

Web Site Download Carol Johnston

Information Security: Business Assurance Guidelines

ISO 14001:2004 EMS Internal Audit Guidance

ISO27001 Controls and Objectives

Corporate Affairs Overview and Scrutiny Committee

Governance. Information. Bulletin. Welcome to the nineteenth edition of the information governance bulletin

University of Brighton School and Departmental Information Security Policy

ISMS Implementation Guide

Data Protection Act Guidance on the use of cloud computing

ISO :2005 Requirements Summary

ISO 9001:2008 Internal Audit Guidance

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

A Question of Balance

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Information Governance

CHECKLIST OF COMPLIANCE WITH THE CIPFA CODE OF PRACTICE FOR INTERNAL AUDIT

Records Management and Security Procedure. Approved by: Executive Management Team Version: 1.2 Date:

Corporate Information Security Policy

University of Sunderland Business Assurance Information Security Policy

State of Oregon. State of Oregon 1

ISO Controls and Objectives

Data Protection Breach Reporting Procedure

Mike Casey Director of IT

Information Governance Policy (incorporating IM&T Security)

Information Governance Strategy

Information security controls. Briefing for clients on Experian information security controls

Version: 2.0. Effective From: 28/11/2014

Information Governance Strategy :

JOB DESCRIPTION CONTRACTUAL POSITION

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

Network Certification Body

Information Management Policy London Borough of Barnet

Network Security Policy

Preparing yourself for ISO/IEC

An Approach to Records Management Audit

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

University of Liverpool

/ BROCHURE / CHECKLIST: PCI/ISO COMPLIANCE. By Melbourne IT Enterprise Services

Dataguard Advantage. cyber liability. Company information. Company name(s) Postal address. Postcode. Website address

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Data Security Policy. 1. Document Status. Version 1.0. Approval. Review By June Secure Research Database Analyst. Change History. 1 Version 1.

ISO 9001: 2008 Boosting quality to differentiate yourself from the competition. xxxx November 2008

SERVICE DEFINITION G-CLOUD 7 CLOUD BACKUP. Classification: Open

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

INFORMATION SECURITY POLICY

The Health Foundation is an independent charity working to improve the quality of healthcare in the UK.

Performance Characteristics of Data Security. Fabasoft Cloud

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February Title: Information Security Policy

ISO 9001:2008 Clause PR018 Internal Audit Procedure

WORKPLACE HEALTH AND SAFETY AUDITING GUIDELINES

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Remote Data Extraction Policy and Procedure

INFORMATION GOVERNANCE POLICY

Information Security Assurance Plan 2015/16

Compliance Management Systems

Mapping the Technical Dependencies of Information Assets

Policy: Remote Working and Mobile Devices Policy

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Data Security Policy

ISO Information Security Management Services (Lot 4)

Access Control Policy

Information Security Policy. Chapter 12. Asset Management

Policy Document Control Page

Spillemyndigheden s change management programme. Version of 1 July 2012

Shropshire Community Health Service NHS Trust Policies, Procedures, Guidelines and Protocols

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

ISO 9001:2008 Quality Management System Requirements (Third Revision)

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

University of Liverpool

Transcription:

Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 20/04/2016 HSCIC Audit of Data Sharing Activities: King s College, London

Contents Executive Summary 3 1 About this Document 5 1.1 Introduction 5 1.2 Background 5 1.3 Purpose 6 1.4 Nonconformities and Observations 6 1.5 Audience 7 1.6 Scope 7 1.7 Audit Team 7 2 Audit Findings 8 2.1 Access Controls 8 2.2 Information Transfer 8 2.3 Disposal of Data 9 2.4 Risk Assessment and Treatments 9 2.5 Operational Planning and Control 10 3 Conclusions 11 3.1 Next Steps 12 Page 2 of 12

Executive Summary This document records the key findings of a Data Sharing Audit 1 at the School of Management Business at King s College, London on 8 th and 9 th December 2015 against the requirements of the Health and Social Care Information Centre (HSCIC) in relation to data sharing agreement NIC-236594-T3Q6Q covering the supply of bespoke Hospital Episode Statistics (HES) data. This audit used an approved and mature methodology based on ISO standard 19011: 2011 (Guidelines for auditing management systems) and follows the same format for all audits of Data Sharing Agreements conducted by HSCIC. In total, two minor nonconformities and seven observations were raised 2 : The College s data loss assessment and reporting procedure does not align with current HSCIC guidance and therefore a class of incidents could be incorrectly reported (Minor); An issue was identified with a particular control could lead to a security vulnerability (Minor); The process to communicate updates to policies/procedures to staff is not formalised (Observation); The IT asset register does not have a unique identifier (for example, asset tag or serial number) for each asset, which would help to identify an asset and allow traceability to any destruction certificate (Observation); Although there is a risk register within the Faculty, it was acknowledged that the risk assessment process needs to be developed further with a clear escalation route (Observation); The standard PC build includes access to a cloud based storage solution (One Drive), which is based outside of the UK. An accidental transfer to this storage would result in a breach of the contract. Whilst this link on the HES PC was removed after the Audit Team raised this risk, controls need to be put in place to ensure that this link is not added in future updates to this PC (Observation); The process for not returning a hard disc that is under warranty is not formally documented (Observation); An Information Asset Register needs to be developed which includes: detail of data owner, link to data sharing agreement and details of the risk assessment and controls in place (Observation); 1 An audit is defined by ISO 9000:2014 as a systematic and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled 2 Definitions found in Section 1.4 Page 3 of 12

The College has an agreement with an IT hardware disposal company. A list of assets provided to the disposal company is maintained by the College and a certificate of destruction is provided by the disposal company. However there is no reconciliation of the internal list and certificate of destruction (Observation). Areas of Good Practice Desktop PC used to access HSCIC data is encrypted. A secure backup storage solution with 256 bit encryption is used with appropriate management controls. There are a number of physical controls in place to prevent unauthorised access to HSCIC data. In summary, it is the Audit Team s opinion that at the current time and based on evidence presented on the day, there is minimal risk of inappropriate exposure and / or access to data provided by HSCIC to King s College, London under the terms and conditions of data sharing agreement NIC-236594-T3Q6Q signed by both parties. Page 4 of 12

1 About this Document 1.1 Introduction The Health and Social Care Act 2012 contains a provision that health and social care bodies and those providing functions related to the provision of public health services or adult social care in England handle confidential information 3 appropriately. The Review of Data Releases by the NHS Information Centre 4 produced by HSCIC Non-Executive Director Sir Nick Partridge recommended that the HSCIC should implement a robust audit function that will enable ongoing scrutiny of how data is being used, stored and deleted by those receiving it. In August 2014, the HSCIC commenced a programme of external audits with organisations with which it holds data sharing agreements. The established audit approach and methodology is using feedback received from the auditees to further improve our own audit function and our internal processes for data dissemination to ensure they remain relevant and well managed. Audit evidence was evaluated against a set of criteria drawn from the HSCIC s Code of Practice on Confidential Information 5, data sharing agreements signed by the relevant contractual parties and the international standard for Information Security, ISO 27001:2013. 1.2 Background London Heathrow airport has reached full capacity since 2011. One implication of this situation is that the UK government has to make a decision over its expansion. Understanding the full impact of airport expansion is critical to any cost-benefit analysis that will be used in decision-making. A significant gap exists in knowledge of the health and economic effects of airports on the local population, mainly from air and noise pollution. The School of Management Business at King s College, London is investigating how both air pollutants and noise correlate with health outcomes. They are comparing the backgrounds situation at Heathrow airport with other major airports to account for potential confounders in the relation between airports activity and health conditions. They receive a pseudonymised extract of HES data to carry out this research. It should be noted, that there had been no outputs at the time of this audit. 3 Confidential information is defined by the Code of Practice on Confidential Information as data which: Identifies any person Allows the identity of anyone to be discovered, including pseudonymised information Is held under a duty of confidence 4 www.hscic.gov.uk/datareview 5 www.hscic.gov.uk/cop Page 5 of 12

1.3 Purpose This report provides an evaluation of how King s College conforms to the requirements of the data sharing agreement NIC-236594-T3Q6Q, covering the supply of pseudonymous and non-sensitive dataset, and the associated data sharing contract framework. It also considers whether King s College conforms to its own and the policies and procedures. This report provides a summary of the key findings. 1.4 Nonconformities and Observations Where a requirement of either the data sharing agreement or the audit criteria was not fulfilled, it is classified as a Major Nonconformity or Minor Nonconformity. Potential deficiencies or areas for improvement are classed as Observations. 1.4.1 Major Nonconformity The finding of any of the following would constitute a major nonconformity: the absence of a required process or a procedure the total breakdown of the implementation of a process or procedure the execution of an activity which could lead to an undesirable situation significant loss of management control a number of Minor Nonconformities against the same requirement or clause which taken together are, in the Audit Team s considered opinion, suggestive of a significant risk. 1.4.2 Minor Nonconformity The finding of any of the following would constitute a minor nonconformity: an activity or practice that is an isolated deviation from a process or procedure and in the Audit Team s considered opinion is without serious risk a weakness in the implemented management system which has neither significantly affected the capability of the management system or put the delivery of products or services at risk an activity or practice that is ineffective but not likely to be associated with a significant risk 1.4.3 Observation An observation is a situation where a requirement is not being breached but a possible improvement or deficiency has been identified by the Audit Team. Page 6 of 12

1.5 Audience This document has been written for the HSCIC Director of Data Dissemination Services. A copy will be made available to the HSCIC Community of Audit Practitioners, Assurance and Risk Committee and the Information Assurance and Cyber Security Committee for governance purposes. The report will be published in a public forum. 1.6 Scope The audit considered the fitness for purpose of the main processes of data handling at King s College along with its associated documentation. Fundamentally, the audit sought to elicit whether: King s College is adhering to the standards and principles of the data sharing agreements and audit criteria data handling activities within the organisation pose any risk to patient confidentiality or HSCIC. 1.7 Audit Team The Audit Team was comprised of senior certified and experienced ISO 9001:2008 (Quality management systems) and ISO 27001:2013 (Information security management systems) auditors. The audit was conducted in accordance with ISO 19011:2011 (Guidelines for auditing management systems). Page 7 of 12

2 Audit Findings This section presents the key findings arising from the audit. 2.1 Access Controls The single desktop PC used to access and process HSCIC data is encrypted and secured with a Kensington lock. The PC is connected to the network and the Audit Team was able to confirm that the PC had the latest Windows operating system and anti-virus signature updates. HSCIC data is stored in a folder and technical controls through active directory restrict access to a specific PC to three named users. Access to the building where the PC is located, requires a King s College ID card and the room is kept locked when not in use. Only a small number of named staff have access to the key for the room. A backup copy of the data is kept on a password controlled encrypted external backup drive and stored in a secure location in another building. Access to the location and locked cabinet is restricted and controlled. IT Services is responsible for procuring, configuring and maintaining the IT infrastructure for the College. There is a process in place for granting access onto the network and revoking access when a person leaves. The Audit Team carried out checks on the desktop PC and found that the build included access to a cloud based storage solution (Microsoft s One Drive), which is based outside of the UK. An accidental transfer to this cloud based storage would result in a breach of the data sharing framework contract. As a result of the Audit Team identifying this possibility, the link on the desktop PC was removed. Controls, however, need to be put in place, to ensure that this link is not added in future updates to this PC or is available on any PC used to store HSCIC data in the future. There are a number of policies and procedures supporting access management including Acceptable Use policy, Network policy and Information Security policy. An issue was identified with a particular control would could lead to a security vulnerability. King s College confirmed that they had recently changed the nature of the control, but in light of the audit would re-consider the change. Conclusion: On the whole, the process used to manage access to secure data seems suitably managed; however there are certain controls that can be strengthen. 2.2 Information Transfer Data is obtained from the secure HSCIC portal as zipped files and saved on the desktop PC. HSCIC data stored on the desktop PC is transferred onto an external encrypted drive for backup purposes. The PC is connected to the Local Area Network (LAN), however it was confirmed by the College that no HSCIC data is transferred on the LAN. The PC is only used for storing and process HSCIC data. Page 8 of 12

At the time of the audit, there were no outputs of realised benefits as the project was still at an early stage. Conclusion: HSCIC data is limited to a single desktop PC and an encrypted backup drive. The PC is connected to the network; however no data is transferred over the LAN. 2.3 Disposal of Data A third party disposal company has been engaged to safely dispose of all computer assets. Prior to forwarding to the disposal company, hard disc drives containing sensitive data are securely erased using University approved deletion software. A list of assets provided to the disposal company is maintained by the College and a certificate of destruction is provided by the disposal company. However there is no reconciliation of the internal list and certificate of destruction. It was clearly stated that hardware used to store and process HSCIC data would not be sent back to the manufacturer, including items under warranty, if it were to fail. Instead, the hardware would be disposed of securely. However, this process has not been documented and there is a risk that other members of staff may not follow the correct process. Conclusion: Data assets appear to be securely disposed through a suitable third party contractor, however, there are areas of the process that need to be documented. Reconciliation should to be carried out between the certificate of destruction and the internal list to account for assets. 2.4 Risk Assessment and Treatments Risk are identified and assessed initially by the project owner and research lead and recorded in the project risk register. The Audit Team reviewed the risk register which included a number of IG and IT risks, and there was evidence of regular reviews. It was acknowledged by management that there are weaknesses in the risk management process which need to be addressed including breakdown of the risk score after controls have been implemented and a clear escalation route. The Audit Team noted that the Information Asset Register needs to be developed further which includes detail of data owner, link to HSCIC data sharing agreements and details of the risk assessment and controls in place. Conclusions: The risks in the risk register did take into account IG and IT risk related to HSCIC data and there was evidence of regular review, however further work is required to address weaknesses in the risk management process. Page 9 of 12

2.5 Operational Planning and Control The College s data loss assessment and reporting procedure sets out the steps to be followed to assess and handle a serious incident and makes reference to Department of Health 2010 guidelines. As the tables in the guidelines have changed in the latest version of the guidance (published 29 th May 2015), a class of incidents could be incorrectly reported. Staff are required to undertake data protection training, which is mandatory and in line with good practice. Adherence on training is monitored and reported. The material was reviewed by the Audit Team and found it covered all the Data Protection Act principles with practical examples. Staffs are required to achieve a minimum score in a test at the end of the training in order to pass. The Faculty has an IT asset register, however, it does not have a unique identifier (for example, asset tag or serial number) for each asset, which would help to identify an asset and allow traceability to any destruction certificate. Policies and procedures are accessible through the College s Internet site. There are a number of policies supporting its Information Governance framework including the Records and Information Management policy, Data Protection policy and Information Security policy. Version control has been implemented, however, the process to communicate updates to these documents has not been formalised. The Audit Team reviewed a local project protocol which outlined checks that would be carried out to ensure HSCIC copyright statement was included in any outputs as stated in the data sharing framework contract. Conclusions: A number of good practices have been implemented however there are number of areas that can be strengthened including updating the guidance on incident reporting, clear communication plan for new and updated policies and procedures and a unique identifier in the IT asset register to allow traceability. Page 10 of 12

3 Conclusions Table 1 identifies the minor nonconformities and observations raised as part of the audit. Ref Comments Section in this Report Designation 1. The College s data loss assessment and reporting procedure does not align with current HSCIC guidance and therefore a class of incidents could be incorrectly reported 2.5 Minor 2. An issue was identified with a particular control could lead to a security vulnerability. 2.1 Minor 3. The process to communicate updates to policies/procedures to staff is not formalised. 2.5 Observation 4. The IT asset register does not have a unique identifier (for example, asset tag or serial number) for each asset, which would help to identify an asset and allow traceability to any destruction certificate. 5. Although there is a risk register within the Faculty, it was acknowledged that the risk assessment process needs to be developed further with a clear escalation route 6. The standard PC build includes access to a cloud based storage solution (One Drive), which is based outside of the UK. An accidental transfer to this storage would result in a breach of the contract. Whilst this link on the HES PC was removed after the Audit Team raised this risk, controls need to be put in place to ensure that this link is not added in future updates to this PC. 2.5 Observation 2.4 Observation 2.1 Observation 7. The process for not returning a hard disc that is under warranty is not formally documented. 2.3 Observation 8. An Information Asset Register needs to be developed which includes: detail of data owner, link to data sharing agreement and details of the risk assessment and controls in place. 9. The College has an agreement with an IT hardware disposal company. A list of assets provided to the disposal company is maintained by the College and a certificate of destruction is provided by the disposal company. However there is no reconciliation of the internal list and certificate of destruction. 2.4 Observation 2.3 Observation Table 1: Nonconformities and Observations Page 11 of 12

3.1 Next Steps King s College is required to review and respond to this report, providing corrective action plans and details of the parties responsible for each action and the timeline (based on priority and practicalities for incorporation into existing workload). As per agreement, review of the management response will be discussed by the Audit Team and validated at a follow-up meeting with King s College. This follow-up will confirm whether the proposed actions will satisfactorily address the nonconformities and observations raised. Page 12 of 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information