1. FUNCTION
NHS Fife and the Health and Social Care Partnership relies increasingly upon Information Technology services in order to deliver patient care. The interdependencies between the elements of the IT infrastructure are complex and the results of changes made to one element may have serious consequences for the others.
The uncontrolled implementation of changes to NHS Fife's ICT systems and Infrastructure utilised to perform its core business functions presents a significant risk to NHS Fife. Changing system requirements, resolution of known issues, implementation of new services and routine maintenance all require appropriate Change Management.
Change Management ensures the stability of systems and IT infrastructure by; the identification and mitigation of associated implementation risks and the minimisation of disruption to NHS Fife's operations, consequently improving the services and service levels provided to the organisation.
Change management also acts as an enabler by supporting and facilitating the implementation and delivery of projects with IT dependencies driven by any NHS Fife Delivery rogramme.
NHS Fife has adopted a change management policy following the industry best-practice standards of ITIL – the IT Infrastructure Library, with a risk based approach.
This policy outlines the IT Change Management process, including its roles and accountabilities. The policy covers all IT based systems or services regardless of department. Breaches of policy will be recorded as a Datix Incident and reported to the IG&S Group.
2. LOCATION
This policy includes all IT related infrastructure, applications or systems upon which any department or service within NHS Fife relies upon in order to perform their normal duties, including the Health and Social Care Partnership. The eHealth department is the custodian of IT Change Management, but Information Technology is a function which spans the entire organisation and any area could introduce IT related change.
All changes to any of NHS Fife's IT related systems are required to follow the established “IT Change Management Process”, to ensure the mitigation of associated risks and minimise disruption to business critical services.
3. RESPONSIBILITY
3.1 SIRO (Senior Information Risk Owner)
The SIRO takes ownership of the organisation risks associated to Information Assets and acts as and advocate for information risks to the Board, providing advice to the Accounting Officer. The SIRO is the ultimate responsible to the Board for Information Asset Risk and the corresponding information asset policies, management and governance. Information Asset changes, which in the context of this policy may be subject to SIRO interest are as follows:
- Changes to the availability of information outside of the organisation.
- Changes which pose significant risk to the availability of information within the organisation.
- Fundamental changes to the logical or physical security of information assets.
- Fundamental changes to the business continuity capability, or changes which pose significant risk to the organisation’s ability to invoke the disaster recovery of information assets.
3.2 eHealth & IMT General Manager
The eHealth & IMT General Manager is responsible for the provision of formal assurance concerning the Information Assets managed by the eHealth department, directly or via subcontractors.
3.3 Change Owner (Project Manager or Senior Stakeholder)
The change owner, normally the change requester; is accountable for the request for change (RFC) and managing the delivery of the change as a project, while minimizing associated risks.
The change owner may also be the senior stakeholder involved in purchasing the system or solution who must fully engage with the Change Management Procedure before placing any order for IT equipment, or equipment which requires IT infrastructure or services to function.
The change owner must ensure projects under the IT delivery programme follows this policy in relation to any changes associated with its implementation. They must follow the eHealth Change Management Procedure and related best practices.
The change owner must arrange the resources required for the change to happen and ensure successful delivery of the project by covering; planning, scheduling, risk analysis, implementing, communicating, testing, training, and user acceptance, amongst other project management duties.
From the Business Management perspective the change owner is responsible for ensuring adequate allocation and management of the budget required to deliver a particular change or series of changes, and to provide visibility of financial risks associated with particular changes.
It is the responsibility of the change owner to ensure the information asset is not in use, including any new processing of information, until the legal basis for such processing is identified by the Data Protection Office as part of the initial asset registration process or any following updates as needed according to the RFC.
3.4 eHealth Head of IT Operations
The eHealth Head of IT Operations is responsible for the management of the actual implementation of changes in the IT Infrastructure and any subsequent incidents and problems associated with the IT infrastructure, particularly in the production environment. The Head of IT Operations is also responsible for ensuring that all NHS Fife staff are aware of the Change Management Policy and Procedures and that Change Management Process is followed.
The eHealth Head of IT Operations must ensure changes are implemented according to this policy considering the NHSS Information Security Policy Framework where applicable.
3.5 eHealth Information Security & Governance Manager
The eHealth Information Security and Governance Manager acts on behalf of the SIRO in, providing advice, monitoring and auditing the security and governance of information assets.
The eHealth Information Security & Governance Manager is the Data Protection Officer; who is by law in a position to perform their duties and tasks in an independent manner, including:
- Monitors completion of information risk assessments and the registration of information assets, ensuring they are documented.
- Informs and advises the organisation on how to carry out the change in compliance the regulations and legislation, in particular with regards to information assets.
- Cooperates with supervisory authorities in the event information assets are not compliant or breach current legislation (e.g. implemented changes breach data protection act in terms or privacy or insufficient security controls).
- Ensures that compliance with NIS and GDPR is achieved and that a Data Protection Impact Assessment can be completed if required.
3.6 IT Change Manager
The Change Manager is accountable for the overall process operation, including monitoring the process to identify and rectify issues and remove bottlenecks. The Change Manager also chairs CAB meetings, manages CAB approvals and performs the tasks related to updating the Request for Change (RFC) records, categorisation and reporting of change metrics.
Where the Change Manager becomes aware of a deviation to this policy a security incident will be logged.
3.6.1 The appointed Change Manager is the Change, Configuration and Release Manager (eCCR Manager). When unavailable, the Head of IT Operations would take responsibility over the role or designate a member of the eHealth team.
3.7 Infrastructure Lead(s) / System Manager(s) / Technical Owners
For each element of the IT infrastructure (e.g. system, network) within the scope of this process, Infrastructure Lead(s) / System Manager(s) are accountable for continued operation in the live environment.
The Infrastructure Lead(s) / System Manager(s) are required to take part in the assessment of all RFC’s affecting any service, and will also be accountable for authorisation of those RFC’s when required.
Where an Infrastructure Lead(s) / System Manager(s) is sponsoring an RFC they may be part of the approval process but not approve without oversight from a peer or the CAB.
Infrastructure Lead(s) / System Managers(s) must contribute to the risk assessment by identifying the technical threats, vulnerabilities and controls associated to the asset(s) affected by the change.
Infrastructure Lead(s) / System Managers(s) are responsible for providing the necessary technical description of the asset required for the registration of the asset.
3.9 Change Advisory Board (CAB)
The Change Advisory Board reviews all significant changes in regards to their planned implementation (as detailed in the IT Change Management Procedure) and provides a rigorous assessment of the proposed change. The CAB considers business and technical risks, the compliance with existing policies and procedures, the impact on the live environment, and the benefits associated with the RFC amongst other criteria. The CAB also provides feedback as per the Forward Schedule of Changes (FSC), ensuring resources are available and allocated, coordinating the change window to minimise disruption to services.
3.9.1 Based on the aforementioned assessment, CAB members advise the IT Change Manager whether the change should be approved or, they will recommend modifications to the proposed plans in order to meet organisational requirements.
3.9.2 The fixed membership of the CAB includes:
• IT Change Manager
• eHealth Head of IT Operations
• Infrastructure Manager (Core)
• Infrastructure Manager (Endpoint)
• Infrastructure Manager (Network & Telephony)
• Application Support Manager
• eHealth Security Manager
3.9.3 The resident membership of the CAB includes the following, dependent on the type of change in question:
• eHealth Programme /Project manager
• eHealth Information Governance & Security Manager
• eHealth Support Team Leader(s).
• Information Asset Owner
• Change Owner
• Infrastructure Lead(s) / System Manager(s)
• Managers / Key users
• Technical Consultants / Engineers (internal or external)
3.9.4 To conduct and complete a CAB meeting or consultation; and in the event of fixed members being unavailable, their respective line managers can make a decision on their behalf. The members required to make a CAB decision are subject to the discretion of the eHealth Change Manager, and there is a minimum quorum that should be contemplated of at least three members.
3.10 Emergency Change Advisory Board (ECAB)
When urgent significant changes arise (as per the eHealth Change Procedure) there may not be time to convene the full CAB. In these cases an Emergency Change Advisory Board (ECAB) can be assembled by the eHealth Change Manager or the CAB deputy chair.
Members of the ECAB should be identified, with the authority to make emergency decisions; and these may vary depending upon the different criteria related to the change in question.
3.10.1The members required to make an ECAB decision are subject to the discretion of the eHealth Change Manager where possible. During normal working hours a minimum quorum should be contemplated of at least three members. Out of hours, the duty eHealth Manager will authorise emergency changes.
3.10.2If the risks associated to the proposed emergency change are high, or the impact of its implementation is deemed to be of magnitude, the NHS Fife eHealth & IMT General Manager or appointed deputy should be engaged in the ECAB process.
3.11 Service Stakeholders
For each service within the scope of this process, the key stakeholders should be identified with help from the Change owner. This allows those stakeholders the opportunity to provide an assessment of any risks or impact from their perspective, and any other relevant feedback. The process should ensure these stakeholders are notified of any changes which may affect key services NHS Fife provides (e.g. system outage, service disruptions, hardware/software upgrades, etc.).
3.12 Urgent approvals
In the event that a CAB/eCAB cannot be assembled within reasonable notice or the change is urgent, the eHealth Head of IT Operations in consultation with any appropriate peers can deal with urgent change approvals, or delegate that responsibility as explained in the CAB section. The General Manager eHealth & IMT can also deal with urgent requests. The ultimate responsibility for Information Assets lies on the SIRO, who should be advised of urgent approvals if risk and impact on Information Assets is considered high.
4. OPERATIONAL SYSTEM
4.1 The operational system and application of this policy is detailed in the eHealth Change Management Procedure (Appendix 1) for normal non-emergency changes and is formalised in a separate document. The latest version of which can be located on the eHealth document repository and available on NHS Fife’s Intranet.
4.2 In turn, the operational system for urgent/emergency changes is formalised in the eHealth Emergency Change Procedure(Appendix 2).
4.3The IT Change Management Process provides assurance that standardised methods and procedures are used for efficient and prompt handling of all Changes. A formal process of recording, assessment, authorisation, scheduling, and comprehensive communications is in place for all changes. This is done to minimise the impact of Change-related Incidents upon service quality, and consequently to improve the day-to-day operations of the IT services that NHS Fife provides.
4.
4.4Change Management also aims to provide NHS Fife with the ability to rapidly adapt to NHS Fife's requirements as they change, increasing its ability to ensure a customer focused operation is maintained at all times, while minimising disruption to key eHealth systems and services.
5. RISK MANAGEMENT
5.1 The NHS Fife approach to Change Management relies on a Risk and Impact Management based approach. To comply with that, all changes must:
• Be properly documented as per the IT Change Management Procedure
• Be submitted for approval following the IT Change Management Procedure.
• Meet an agreed business need or fulfill a business case
• Be assessed for impact, risk and priority.
• Risks associated with Information Assets should be considered in line with the NHSS Information Security Policy Framework for risk assessments. Advice should be sought from the SIRO or the Information Security & Governance Manager where appropriate.
• A back out plan should be produced, in case the change implementation has unforeseen consequences
• Where possible and proportionate be tested in advance
• Require approval in advance of implementation in to the live environment
• Follow a communications protocol as per the IT Change Management Procedure.
• Have the supporting documentation updated to reflect the change (this includes end-user guidelines, technical documentation, service desk scripts and escalation protocols, service level agreements, and any other relevant service support documentation)
• Once implementation is complete, a review must be carried out
5.2 Only in exceptional circumstances may urgent/emergency changes be fully recorded and documented in retrospect as per the IT Emergency Change Procedure.
With regard to the relationship between NHS Fife and the Health & Social Care Partnership(H&SCP). The Integrated Joint Board (IJB) will continue to monitor the effectiveness of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with:
- Legislation that affects NHS Fife;
- Implements its policies, procedures and guidelines with respect to access, use or disclosure of its information.
6. RELATED DOCUMENTS
• GP/I6 Appendix 1 - IT Change Management Procedure
• GP/I6 Appendix 2 - IT Emergency Change Procedure
• GP/I6 Appendix 3 - RFC Form (Request for Change Form)
• NHSS Information Security Policy Framework
• GP/I5 Information Security Policy
7. REFERENCES & GLOSARY
IT: is an abbreviation for Information Technology and is used as a collective term to describe all systems and services associated with computers and data networks.
ICT: is an abbreviation for Information and Communications Technology, an umbrella term that includes any communication device or application, encompassing; phones, computer and network hardware and software, as well as the various services and applications associated with them, such as videoconferencing and distance learning.
ITIL: The IT Infrastructure Library is a collection of internationally recognised best-practices for delivering IT Services, covering all aspects of service provision, quality assurance, and providing a framework which allows customisation of internal processes
Change Management: One discipline within the ITIL process framework which has the aim of ensuring appropriate controls are placed around changes to IT Systems and Services to mitigate risks, ensure stability, provide responsiveness to changing organisational requirements and minimise service disruption.
CAB: The Change Advisory Board. As can be inferred from the name, this body has no governance role, but is tasked with advising the IT Change Manager and Service Stakeholder of the perceived impact of a requested change. This body is made up of fixed and resident members representing all major core ICT Services and teams. The CAB incorporates other required stakeholders depending on the nature of the RFC being assessed.
ECAB: When urgent/emergency significant changes arise there may not be time to convene the full CAB. For these cases an Emergency Change Advisory Board (ECAB) should be assembled, and provided with the authority to make emergency decisions. Membership of the ECAB may vary, depending upon the different criteria relating to changes.
RFC: Request for Change – is a paper or electronic form which contains all the required information for the process to be started, initiating the Change Management process.
GDPR: The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
NIS: Network Information System (NIS) is a network naming and administration system for smaller networks that was developed by Sun Microsystems. NIS+ is a later version that provides additional security and other facilities. Using NIS, each host client or server computer in the system has knowledge about the entire system.
Civil Contingencies Act 2004: Is an Act of the Parliament of the United Kingdom that establishes a coherent framework for emergency planning and response ranging from local to national level. It also replaces former Civil Defence and Emergency Powers legislation of the 20th century.