General Note
NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of first issue.
Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.
If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.
1. FUNCTION
The purpose of this document is to define the framework within which NHS Fife provides and manages the Remote Connectivity which allows staff to securely access file storage and information systems from external locations using mobile devices, i.e. laptops and iPads. By default, all corporate laptops and iPads have the remote access software installed. This document forms part of NHS Fife’s Information Security Management System (ISMS).
1.1 Definition
For the purpose of this document, Remote Access is defined as digital connectivity that uses a corporate device, over an internet connection, to access NHS Fife’s network via a Virtual Private Network (VPN).
2. LOCATION
This policy is applicable to all staff and contractors working within NHS Fife.
3. RESPONSIBILITY
3.1 Responsibilities of the User
In accordance with GP/I5 Information Security Policy, it is the responsibility of all staff to ensure that information systems and the data accessed remain safe and secure. Staff who are authorised to have remote access have additional responsibilities relating to information security, confidentiality, and appropriate use.
At no time will any NHS Fife Remote Access User provide their login credentials to anyone, not even family members; the GP/P2 Password Policy applies.
Only NHS Fife issued Information Technology (IT) Equipment can be used to connect to NHS Fife resources (i.e. network, file storage, digital systems) using the VPN.
Technology is in place to help prevent concurrent connections; however, NHS Fife users with remote access privileges will ensure that their computer, which is remotely connected to the NHS Fife Network, or another NHS or SWAN connected LAN, is not concurrently connected to any other business network, for example through an unauthorised connection of a corporate laptop to a home LAN that allows access to other networks.
Users must ensure that their remote work environment is secure and private. Remote work should not be conducted in public spaces where unauthorised persons may view or overhear sensitive information.
Incident Reporting: Any security incidents, such as unauthorised access or a suspected data breach, must be reported immediately to the NHS Fife Service Desk.
3.2 Responsibility of the Line Manager
Where a member of staff requires remote access to perform their duties, the Line Manager shall ensure that they have access to a corporate laptop or an iPad.
3.3 Responsibility of the eHealth Department
It is the responsibility of the Digital & Information (D&I) Department to ensure that the correct remote access configuration of the laptop or iPad is implemented.
4. OPERATIONAL SYSTEM
4.1 Remote Access Solution
NHS Fife has adopted a Remote Access solution as the means of connection to the NHS Fife and through to SWAN IT networks.
4.2 Remote Access to NHS Fife Network
Secure Remote Access to the NHS Fife network will be strictly controlled by the D&I department. Control will be enforced using preconfigured mobile devices and authorised staff using their domain login accounts.
Services available via Remote Access are limited to those that have been security assessed. No file transfers will be available via remote access if the endpoint device is not encrypted.
Remote access to networks and directly to host systems is in widespread use throughout the NHS. It is used in support of:
• Home working for staff.
• Access for remote offices.
• Mobile access to enable Consultants, GPs, Community Nurses, etc., to gain access to clinical information systems.
4.3 Home Broadband Specification for Remote Access
For the VPN client to work successfully, the home broadband router must support IPSec and/or “VPN passthrough”. The user’s ISP account must also support home working/VPN access. The Broadband Remote Access is only available for users with existing broadband routers which provide Ethernet or Wi-Fi connections and is not available to users who have a broadband connection via a USB modem or similar. It is important that the user has the router equipment successfully installed and working before setting up their device to use remote access. The responsibility for the ongoing support of the home broadband connection will remain with the user and their chosen Internet Service Provider.
The Remote Access solution will require the user to perform a level of basic configuration at home, as D&I staff do not support home broadband.
5. RISK MANAGEMENT
5.1 NHS Fife Staff shall respect the confidentiality and privacy of individuals whose records they access, observe any restrictions that apply to sensitive data, and abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
5.2 The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.
5.3 It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.
5.4 Regarding the Health & Social Care Partnership (H&SCP), the Partnership Management Group will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.
6. RELATED DOCUMENTS
GP/I5 Information Security Policy
GP/D3 Data Protection and Confidentiality Policy
GP/E6 Email Policy
GP/I3 Internet Policy
GP/I6 IT Change Management Policy
GP/M5 Mobile Device Management Policy
GP/O2 Corporate Communications Policy
GP/P2 Secure Use of Passwords Policy
7. REFERENCES
Data Protection Act (2018)
General Data Protection Regulations (GDPR)
Network and Information Systems (NIS) Regulations
Civil Contingencies Act (2004)
Computer Misuse Act (1990)
Freedom of Information (Scotland) Act (2002)
Human Rights Act (1998)
NHSS Information Security Policy Framework July 2015