General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy is past its review date then the content will remain extant until such time as the policy review is complete and the new version published, or until national policy or legislative changes are made.
1. FUNCTION
1.1 NHS Fife and the Health and Social Care Partnership relies upon Information Technology and Digital Services to deliver patient care and support business operations. Incident management is essential for maintaining adequate and sustainable levels of availability of these services.
1.2 Incident management restores normal operation as quickly as possible and minimises the negative impact on healthcare and business operations, thus ensuring that the best possible levels of service quality and availability are maintained. Normal service operation is typically defined within the agreed service-level agreements (SLAs) of each service.
1.3 This policy ensures a consistent and effective approach to the management of incidents and that any regulatory requirements in relation to incident reporting are fulfilled. Incidents include unplanned disruptions, a reduction in the quality of service or the compromise of any Information Technology and Digital Service, which covers security breaches or unauthorised access or attempted access to a system.
2. LOCATION & SCOPE
2.1 This policy is applicable to all staff, contractors and volunteers working within NHS Fife or accessing NHS Fife digital related infrastructure, systems or digital information, including those within the Health and Social Care Partnership.
2.2 This policy includes all digital related infrastructure or systems upon which any department or service within NHS Fife relies in order to perform their normal duties.
3. RESPONSIBILITIES
3.1 This section addresses the responsibilities for preventing, detecting, reporting and then investigating Digital Incidents. Based upon the reported incident/s, corrective and future preventative measures shall be implemented.
3.2 Implementing the D&I Incident Management Policy ensures the mitigation of associated risks and minimises disruption to business-critical services.
3.3 Refer to GP/D3 Data Protection & Confidentiality Policy, Appendix 2 NHS Fife Information Governance structure, roles & responsibilities, for detailed information on the type, distribution and roles responsible for information security within NHS Fife.
3.4 All Users
3.4.1 All users of NHS Fife digital systems or infrastructure are required to exercise responsibility in the reporting of incidents and events to the IT Service Desk as they are encountered. The IT Service Desk can be contacted through either of the following channels: the IT Service Desk Portal or phone.
3.4.2 The Incident Identification Guide (Appendix 1) has been produced to provide staff with assistance in recognising when an incident has occurred and needs to be reported.
3.5 IT Service Desk
3.5.1 The IT Service Desk is responsible for recording incidents on the IT Service Management System and each incident is assigned a unique reference number, which is provided to the reporter.
3.5.2 The IT Service Desk is also responsible for managing the overarching incident life cycle from recording to closure and to coordinate communications and work between all relevant parties.
3.5.3 Depending on severity and impact, the management of the incident lifecycle to closure will be monitored by the IT Service Desk, as well as by senior members of the IT Service Desk including the Service Delivery Manager.
3.5.4 The incidents will be treated as per the Incident Management Procedure (Appendix 2), which involves escalation as appropriate (e.g. to the Head of Digital Operations Manager when applicable).
3.5.5 During out of hours, a limited IT Service Desk will provide a password reset service, incident logging as well as escalating significant incidents for critical systems to our on-call IT Incident Response Team. For critical systems, please refer to BCDR framework policy (full name TBC).
3.6 Incident Response Teams
3.6.1 Incident Response Teams may include a combination of D&I staff (e.g. engineers, analysts and specialists), departmental system administrators outwith D&I (e.g. Laboratory, Radiology, Intranet services), external contractors and others.
3.6.2 Incident Response Teams have a responsibility to ensure all detected incidents are registered in the IT service management system.
3.6.3 System administrators and staff involved in digital operations are responsible for monitoring systems and infrastructure e.g., log file reviews, network scanning, systems testing and reporting any incident detected.
3.6.4 Systems managed externally are also subject to this policy, hence external system managers are also required to communicate any known or suspected incidents to the NHS Fife IT Service Desk as soon as detected.
3.6.5 Incident Response Teams (internal or external) are also responsible for incident investigation, diagnosis, mitigation, and resolution to ensure the return to normal operations. The team will maintain active and effective communications and will update on status and impact on the IT service management system.
3.6.6 Where Computer Misuse is suspected the Computer Misuse Procedure (see Appendix 3) will be implemented by staff with the appropriate skills to carry out this work.
3.7 Service Delivery Manager
3.7.1 Measure and report monthly incident statistics to analyse for trends and SLA compliance.
3.7.2 Ensure that the channels through which users can report incidents are available at all times and put contingencies in place for incident recording if and when required.
3.7.3 Manage the IT Service Desk to make sure it is complying with the Digital Incident Management Policy, monitoring the lifecycle of the incidents being triaged and resolved by the team.
3.7.4 Control the approved communications channels for incidents. These channels are email, the IT Service Desk Portal and the phone system.
3.7.5 Continuously improve knowledge of ongoing incidents, to make sure the IT Service Desk is aware of potential temporary and permanent solutions.
3.8 Digital Resilience Manager
3.8.1 On receipt of a Significant Incident Report with a potentially reportable classification (see Appendix 1), the Digital Resilience Manager will conduct a Post Incident Review with the Incident Response Team to review the report and incident handling.
3.8.2 The Digital Resilience Manager will record mitigating actions from the report and manage until they are implemented.
3.8.3 Responsible for implementing improvement initiatives to the Significant Incident Process and supporting Playbooks.
3.9 Information Security Manager
3.9.1 On receipt of an incident report, with a potentially reportable classification (see appendix) the Information Security Manager will review, classify and report the incident to the Competent Authority or ICO as required using the NIS Reporting Form.
3.9.2 Security incidents relating to data breaches shall be passed to the Information Governance and Security department for investigation and action.
3.9.3 The Information Security Manager should work with the Digital Resilience Manager to ensure that all reports of incidents are recorded for audit review and for the Information Governance and Security group (IG&S).
3.9.4 The Information Security Manager will follow the procedure for reporting security incidents as described in the Detailed Incident Management & Reporting Procedure.
3.10 Cyber Security Manager
3.10.1 On receipt of an incident, which can come from any of the sources in the diagram attached as appendix 6, it will be triaged and responded to in accordance with the cyber action card as shown below in appendix 7. If the incident is a false positive, then it will be returned to the Service Delivery Manager with detailed information on the analysis of the findings.
3.10.2 A Service Now ticket, if not already raised, will be created to aid in the management of the incident and to provide a timeline for audit and forensic purposes.
3.10.3 The communication procedure for notifying affected parties will be utilised and the escalation of Major and Extreme incidents will invoke the Cyber Incident Response Process. The Information Security Manager will be alerted in the case of a data breach for their action.
3.10.4 Steps for containing and mitigating security breaches will follow the incident process corresponding to the incident's severity rating, as set out in the incident playbook.
3.10.5 Once the incident is secured and normal service is resumed, a lessons-learned review will be drawn up with the appropriate teams, and any changes to the playbooks will be passed on to the Digital Resilience Manager.
3.11 Head of Digital Operations
3.11.1 Take an overall leadership role in the management of the incident and make key decisions on who, how and where resources need to be placed and utilised effectively.
3.11.2 Translate the technical updates from the responders involved and communicate to SLT and other non-technical parties holding a vested interest.
3.11.3 Communicate with third party agencies as appropriate based on the nature of the incident.
3.11.4 Ensure that the incident is being appropriately documented as the response progresses and make decisions on whether any evidence can be preserved without impeding the recovery timeline.
3.11.5 Establish the organisation’s position regarding sensitivity of the incident and appetite to communicate within a comms strategy. Share intelligence / information on mutual exposure with other Health Boards / Public Sector Agencies in accordance with the agreement.
3.11.6 Where clear actions or improvement lessons have been identified, the Head of Digital Operations will ensure continued progress to complete actions and implement the learning associated with the incidents. This may include the transfer of actions to other areas within the organisation.
4. OPERATIONAL SYSTEM
4.1 Incident Management
NHS Fife Digital & Information must respond to digital incidents in a timely and effective manner and keep the affected users informed of progress made. The Incident Handling Procedure (see Appendix 2) details the actions required to successfully manage digital incidents. It must include details of the activities outlined in this section.
4.1.1 Incident Identification and Reporting:
NHS Fife Digital & Information must account for incidents that can be detected and identified using multiple methods. This includes, but is not limited to, system monitoring platforms, intrusion detection systems, 3rd party/vendor alerts and user reports.
Incidents must be recorded on the IT Service Management System as a single source of all digital incident records. The system must be designed in compliance with best practices and international standards, e.g. ITIL and Network & Information Security Regulations (NIS).
4.1.2 Incident Assessment and Severity
Incidents must be classified by priority and categorised by type or service in accordance with the NIS Regulations Threshold criteria outlined in appendix 1. The priority of an Incident is determined by assessing its urgency and the impact to clinical and business operations.
4.1.3 Incident Diagnosis
The Incident Response Teams must investigate and diagnose the incident. This may involve escalation of the incident between teams or jointly working to determine the cause.
4.1.4 Incident Mitigation/Resolution
The Incident Response Teams must apply relevant solutions to resolve, or appropriate remediation work to mitigate, the incident and restore normal business operation. This may require that a change be applied to the Digital System. Refer to the GP/I6 IT Change Management Policy.
4.1.5 Incident Closure
The Incident Response Team must update the incident record with the resolution steps. Confirmation of incident resolution must be communicated to the user.
4.3 Service Level Agreement
Incidents are to be resolved within the agreed resolution times detailed in our Service Level Agreement (SLA).
4.4 Significant Incidents Management
Digital Incidents that are, or have the potential to be, assessed as high-impacting and/or of high urgency must be managed with a well-co-ordinated response effort; this requires a dedicated separate procedure, responsibilities and review. See Appendix 4 Significant Incident Process Flow. In the event that a significant incident results in the sustained loss of a system defined within the NHSF Digital Critical Services/Systems list for a considerable period of time, such that clinical and/or non-clinical activities would be adversely affected, a disaster shall be declared and Disaster Recovery procedures invoked. Refer to the BCDR Framework Plan for the Critical Systems List and Disaster Recovery policy.
4.5 Cyber Incidents
Cyber incident response processes and procedures must be established to detect and respond to cyber security vulnerabilities and incidents. They shall outline the activities that NHS Fife D&I will take to discover potential attacks and to triage, analyse, contain/mitigate, remediate, recover and review incidents of a cyber security nature.
4.5.1 Unmanaged incidents that can affect NHS Fife's Digital & Information systems and its supporting Infrastructure present a significant risk to NHS Fife’s ability to perform its core business functions.
4.5.2 NHS Fife Digital & Information Systems utilise a combination of technical and procedural controls to provide protection against threats that have the potential to result in the compromise, modification or unavailability of data, or damage to the reputation of NHS Fife. It should be noted that not all incidents, whether accidental or deliberate, can be prevented.
5. RISK MANAGEMENT
5.1 The incident management process is a key component of the overall Digital & Information risk management approach, involving the collection, classification and use of incident data to protect people and systems from harm.
5.2 The current Digital & Information incident management process is compliant with best practice and recommended standards, and provides a cost-effective way to minimise risks by:
• Standardising the process and ensuring it is followed by all parties involved (Digital & Information, decentralised IT services, external parties, and all users).
• Aggregating all relevant information such as investigations, solutions/fixes and preventative measures.
• Coordinating the management of incidents from beginning to end, across all relevant parties involved: users, managers, technical teams, communications, 3rd parties, decentralised IT services, etc.
• Standardising the understanding of impact and seriousness and applying this classification consistently across the organisation, involving all relevant expertise in the creation and review of incident categories.
• Bringing incident data together with risk and mitigation information, enabling management to see the overall picture, identify where controls need tightening and provide a growing knowledge base of successful controls, fallbacks, and actions.
• Linking the standard incident management process to the significant incident management protocol, the information security management system and the disaster recovery plans and procedures.
5.3 With regard to the Health & Social Care Partnership (H&SCP), the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.
6. RELATED DOCUMENTS
GP/D3 Information Governance & Data Protection Policy
GP/I5 Information Security Policy
GP/I6 IT Change Management Policy
BCDR Framework
All other supplementary NHS Fife Information Security Policies
7. REFERENCES
Appendix 1: Incident Classification Guide
Appendix 2: Incident Identification Guide
Appendix 3: Incident Management Procedure
Appendix 4: Computer Misuse Procedure
Appendix 5: Significant Incident Process Flow
Computer Misuse Act (1990)
Data Protection Act (1998)
Human Rights Act (1998)
The Regulation of Investigatory Powers Act (2000)
Freedom of Information (Scotland) Act (2002)
NHSS Information Security Policy Framework July 2015
ITIL (IT Infrastructure Library)
COBIT (Control Objectives for Information and Related Technology)