Version history
Version   Owner              Date
1.0       Dr Debashish Das   10/10/2017
1.1       Dr Debashish Das   01/12/2018
1.2       Dr Debashish Das   01/03/2019

Summary
System Name: ManageMyHealth
Company: Ortus iHealth
System Overview / Purpose for processing information:
ManageMyHealth™ is a secure portal used to deliver a virtual clinic. Clinicians and patients use it to interact by video call and to collect and communicate patient clinical information remotely. The system connects clinicians with their patients and is intended to improve wellness and quality of care while substantially reducing the cost of care delivery. It provides a telehealth application in which patients and providers hold video/audio consultations. Patients enter their own vital-sign data, which Trust clinical staff can view immediately.
PRIVACY IMPACT ASSESSMENT
Data Protection Impact Assessment (page 2 of 14)

A secure central system holds the key patient demographics and vitals, e.g. patient demographic and contact information, medication, diagnoses and a schedule of clinic appointments. Clinicians can view these details as part of the consultation and can monitor and track the various activities or indicators.

Data Protection Act 1998 compliance

ICO Notification Number (appropriate registration under the Data Protection Act to process personal data):
Ortus iHealth is registered with the ICO as a data controller. Registration number: A8215168. Organisation name: Ortus Solutions Limited. Ortus iHealth has achieved Level 2 for the IG Toolkit across all requirements relevant to a third-party commercial organisation. Ortus iHealth's ODS code is 8JR73.

What are the agreed purposes the information will be processed for?
Ortus iHealth plans to conduct commercial ventures with NHS Trusts and private clinical providers for the purpose of delivering a virtual clinic service to patients located geographically remote from the hospitals, providing a more efficient and convenient service for patients and avoiding unnecessary travel. The following is an overview of the nature of the information collected. The legal basis and purpose of the processing of patient data is the conduct of a virtual clinical service and support of the clinical teams in providing the remote clinic service safely and effectively. Patients will be on-boarded by NHS staff. As part of the on-boarding process, patient demographic information (e.g. name and contact details) will be entered, and any clinic referral letters will be uploaded to the system for clinicians to view when conducting the virtual clinic appointment.
Patients will have to consent to be referred to the virtual clinic. Ortus will need to discharge its legal responsibilities under data protection regulations and ensure that patients give full and informed consent. Obtaining patient agreement will be a requirement before they access the service. This is an opt-in service; patients not wishing to access the virtual service will receive care under standard clinical protocols. It is anticipated that clinical staff will inform patients about their participation and obtain their consent before they access the electronic clinic service. Patients will be informed of their rights in the initial letter they receive as part of the referral process. Subsequently, downloading the application or accessing the system for the first time will constitute implicit consent, and patients will have to acknowledge and confirm their appointment.

On referral and enrolment to the virtual service, patients will be given a letter with an overview of the service and how to access it. The patient will be provided with a link to download an application or a web address, together with a user name and a temporary password and instructions on how to change the password on first log-in. On first log-in, patients will be prompted to check that their details are correct and will be able to amend them if necessary. They will also be prompted to change their temporary password.

Clinician users will be provided with a username and password that give them user access, and will be assigned the appropriate role within the system (as per the system's role-based access controls). Clinicians will be on-boarded by Ortus system managers and provided with username and password access to the system. They too will be prompted to change their password on first log-in. The functionality that clinicians are able to access will depend on their role and the permissions granted under the system's role-based access controls, as assigned by the system administrator.
There will be no electronic links or interfaces to other sources of patient or clinical data, and the Cerner system will continue to maintain the master patient record. The ManageMyHealth system will contain uploaded medical clinic letters. On completion of a virtual clinic appointment, the clinician will type their notes within ManageMyHealth and a PDF will be created and uploaded to the patient's record in the Cerner system. The patient will be asked to enter their symptoms into the ManageMyHealth phone-based app or web portal, keep a diary, and enter relevant clinical observations, e.g. blood pressure and temperature.

Records Management

Records retention and disposal: Do you have a retention and disposal policy? How long will the information be held for? When the information is no longer required it will be disposed of appropriately, in accordance with the Data Protection Act and other relevant regulations where applicable, e.g. the Waste Electrical and Electronic Equipment (WEEE) Regulations.

Ortus iHealth has an Information Asset Register which lists all sources of sensitive information held on Ortus systems, where each is held, how it is protected and for how long the data will be kept. The company's data retention policy is included within its Information Governance Policy. Ortus iHealth has submitted a self-assessment to the NHS Information Governance Toolkit, has achieved Level 2 compliance against all requirements, and is now submitting for DSP Toolkit compliance.

It is assumed that the clinical sites will maintain a master clinical record of all patients on the service within their existing patient record systems. The information held within the ManageMyHealth database will be a duplicate of this information, required solely for the purpose of carrying out the remote consultation. Upon discharge from the remote service, all patient records will be marked as 'inactive' on the system, which renders them inaccessible. As part of the set-up activities, Ortus iHealth will agree with NHS and private healthcare organisations an acceptable data retention timeframe and policy for this pilot, and will ensure that patient records are held for no longer than necessary. No paper records will be produced as part of this service. All information regarding a patient will be held within an encrypted database; 256-bit encryption (a SQL Server configuration option) is used for data encryption.

Information Security

Information Security Policy: An information security policy must be in place for the processing of person-identifiable information to ensure that appropriate safeguards protect the confidentiality of paper and electronic information. This must cover the following:
• Password-controlled access to the application
• Controls on passwords, including expiry, length, reuse, complexity, hashing etc.
• Role-based security model
• Comprehensive audit trail, including record viewing
• Backup protocols
• Disaster recovery plans
• Firewall

Ortus iHealth has a comprehensive Information Security Policy which sets out its approach to ensuring that safeguards are in place to protect the accuracy, confidentiality and availability of sensitive and personal information held on Ortus systems. In addition, Ortus iHealth has submitted an Information Governance Toolkit assessment and achieved Level 2 on all requirements. The technology design and hosting arrangements ensure that due consideration is given to the sensitive nature of the information held and processed, and that all relevant data protection legislation (including the Data Protection Act 1998), information governance regulations, codes of practice, guidance notes and other requirements of any relevant government or governmental agency have been considered. Storing and transmitting sensitive information such as patient clinical information within a UK-hosted facility requires precautions to ensure the safety and confidentiality of the stored data, and all security mechanisms must be in place to prevent unauthorised access and data breaches. System users will need to be informed about how their data is stored and managed.

The system security features are as follows:
• HTTPS for data transfer (256-bit SSL/TLS encryption)
• One-way password hashing using ASP.NET Membership
• Secure password access
• Role-based access controls
• User access monitoring and audits
• Secure UK cloud-based data centre hosting
• Use of firewall software
• Redundancy, fail-over and backup systems in place to ensure data availability

ManageMyHealth is security tested by an external agency and certified against the OWASP Top 10 categories, covering:
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Broken Access Control
• Security Misconfiguration
• Sensitive Data Exposure
• Insufficient Attack Protection
• Cross-Site Request Forgery (CSRF)

Password-controlled access to the application: The ManageMyHealth system has comprehensive password management functionality controlling password use and system access.
• The system controls access to information held within ManageMyHealth via usernames and passwords.
• Password strength settings for creating or changing a password: a minimum of 6 characters (more than 8 recommended), with upper- and lower-case letters and at least one numeric and/or special character (e.g. &, ?, @).
• Failed login threshold: if a user enters an invalid password 5 times, the account is locked out.
• Users can reset their password using the FORGOT PASSWORD feature.

Role-based security model: The system operates a comprehensive role-based access control system. Each role defines the boundary of what its users may do, reflecting the individual's responsibilities and therefore their access needs. The access required is determined by the system administrator as informed by the individual's line manager. Roles are assigned at the time of user account creation or activation. The system provides different roles, assigned according to user type, and a user can hold one or more roles as needed to perform their job. The roles and system access rights are as follows:
• Practice Administrator: administers the practice details, e.g. adding new locations, creating contact details for the practice and setting up providers (clinicians and support staff).
• Clinical Provider (Clinician): allows the provider to conduct a patient consultation.
• Service Provider (Support Staff): allows staff to maintain appointments and carry out other support-related work.
• Patient: allows the patient to access their health summary, health indicators and appointment information.

Backup and Recovery: UKCloud's business continuity and disaster recovery arrangements are designed to align with the risk levels identified within its Information Security Management System (ISO27001 & ISO27018 certifications) and its HMG IAS1 & 2 documented risk assessments. These assessments address a comprehensive range of external and internal threats, including malicious, accidental, environmental and natural events. Internally, UKCloud has implemented a Business Continuity Management Policy and associated Framework, which direct and control business continuity arrangements and disaster recovery plans to ensure the continued availability of UKCloud services. The UKCloud management domain has its configuration and data automatically backed up daily to the alternative data centre environment, providing a high level of security for the backed-up data set. This ensures that backed-up data is stored securely and remotely from the devices from which it originated, assisting continuity of service in the event of an outage at one data centre. Backed-up data is subject to routine monitoring and testing to ensure that (a) the backup tasks complete successfully as planned, and (b) backed-up data is recoverable and can be restored in an emergency. UKCloud is responsible for the correct operation of the dedicated backup infrastructure used to back up data from customer environments, as applicable.
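The password controls and role model described above can be expressed directly in code. The following is an added illustration written for this page, not Ortus iHealth or ManageMyHealth code: it enforces the stated minimum length (6 characters), the upper/lower-case and digit-or-special-character rules, the lockout after 5 invalid passwords, and one permission set per listed role. The permission names, the Portal and Account classes and the use of PBKDF2-HMAC-SHA256 as the one-way hash are assumptions; the page names ASP.NET Membership without stating its hash settings. Note that NIST SP 800-63B sets a minimum password length of 8, so the 6-character floor is the setting a reviewer would ask to raise.

```python
# Added illustration for this assessment, not Ortus iHealth / ManageMyHealth code.
# Assumptions: PBKDF2-HMAC-SHA256 as the one-way hash (the page names ASP.NET
# Membership without giving its settings); permission names and classes are hypothetical.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 6        # policy floor stated in the assessment
LOCKOUT_THRESHOLD = 5          # invalid passwords before the account locks
DEFAULT_ITERATIONS = 600_000   # PBKDF2 work factor (OWASP 2023 recommendation)

# Hypothetical permission names, one set per role listed in the assessment.
ROLE_PERMISSIONS = {
    "Practice Administrator": {"practice:edit", "location:add", "provider:create"},
    "Clinical Provider": {"consultation:conduct", "record:view", "notes:write"},
    "Service Provider": {"appointment:manage"},
    "Patient": {"own:summary", "own:indicators", "own:appointments"},
}


def password_problems(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password) and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no digit or special character")
    return problems


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated one-way hash; only the digest and salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    roles: set[str]
    failed_attempts: int = 0
    locked: bool = False


class Portal:
    """Username/password access with lockout, plus role-based permission checks."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self.iterations = iterations
        self.accounts: dict[str, Account] = {}
        # Dummy credential so a login for an unknown username costs the same
        # PBKDF2 work as a real one and does not reveal which usernames exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = hash_password(os.urandom(16).hex(), self._dummy_salt, iterations)

    def register(self, username: str, temp_password: str, roles: set[str]) -> Account:
        """On-board a user with a temporary password that meets the policy."""
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        problems = password_problems(temp_password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        account = Account(username, salt, hash_password(temp_password, salt, self.iterations), set(roles))
        self.accounts[username] = account
        return account

    def login(self, username: str, password: str) -> bool:
        account = self.accounts.get(username)
        if account is None:
            hmac.compare_digest(hash_password(password, self._dummy_salt, self.iterations),
                                self._dummy_digest)
            return False
        if account.locked:
            return False   # a locked account rejects even the correct password
        if hmac.compare_digest(hash_password(password, account.salt, self.iterations), account.digest):
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.locked = True
        return False

    def unlock(self, username: str) -> None:
        """Administrator action: clear the lockout and the failure counter."""
        account = self.accounts[username]
        account.locked = False
        account.failed_attempts = 0

    def permissions(self, username: str) -> set[str]:
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.accounts[username].roles))

    def can(self, username: str, permission: str) -> bool:
        return permission in self.permissions(username)
```

A clinician registered with `Portal().register("dr_smith", "Cl1nic!Pass", {"Clinical Provider"})` passes `can("dr_smith", "consultation:conduct")` but not `can("dr_smith", "provider:create")`; five wrong passwords set `locked`, after which the correct password is also refused until an administrator calls `unlock()`. The constant-time comparison and the dummy hash for unknown usernames are the two details that the page's description leaves implicit but a pentester would test for.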
UKCloud's business continuity and disaster recovery capabilities have been evidenced during external assessments of its ISO20000 and ISO27001 certifications, undertaken by LRQA. ISO20000 contains a comprehensive set of requirements for Service Continuity and Availability Management which must be fully met prior to certification. These activities have also been assessed and validated by the National Cyber Security Centre (NCSC) on behalf of specific customers.

Backups are taken every 30 minutes as a virtual machine snapshot, and data can be restored from any one of the snapshots. In the event of a disaster causing data loss, the recovery point is therefore at most 30 minutes before the disaster occurred. UKCloud has automated procedures for backup and recovery. Backup data is retained for 14 days.

Audit: In accordance with the NIST-defined characteristics of cloud computing, UKCloud's on-demand services provide access to the following audit trails:
1. Account logs: reports outlining service consumption, incident and change management tickets, and service requests applicable to a customer's account.
2. Audit logs: reports detailing all authentication requests by username and IP address, with date and time stamps, for each customer's account.
3. Firewall logs: customer firewall log data capturing firewall rule breaches and traffic passing through the customer's virtual firewall (vShield Edge).

Servers

Will information be held on servers? How secure are the server rooms, and what security will be applied to any servers? Where are they situated (e.g. EEA, USA; state the country)?

Ortus iHealth has entered into a contract with UKCloud for the hosting of the ManageMyHealth system. The software will be stored on virtual machines located within UKCloud's UK-based data centres. All data centres used by UKCloud are UK-domained and located within secure former UK military campuses.
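The authentication audit log described in the Audit list above (every authentication request by username and source IP, with date and time) is the feed an analyst would watch for patterns that the application's per-account lockout does not cover, in particular one source trying a few passwords against many usernames. The following is an added illustration, not UKCloud or ManageMyHealth code; the log line format is constructed for it because the page does not give the report layout, so parse_line() is the part to adapt to the real export. It flags an account with 5 failures inside 10 minutes (mirroring the lockout threshold), a source IP that fails against 5 distinct usernames in the window, and any later success from such an IP.

```python
# Added illustration, not UKCloud or ManageMyHealth code. The log format is
# constructed for this example: timestamp, username, source IP, outcome.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-03-01T09:00:05Z dr_smith 203.0.113.10 SUCCESS
2019-03-01T09:01:10Z patient_01 198.51.100.7 FAILURE
2019-03-01T09:01:12Z patient_02 198.51.100.7 FAILURE
2019-03-01T09:01:14Z patient_03 198.51.100.7 FAILURE
2019-03-01T09:01:16Z patient_04 198.51.100.7 FAILURE
2019-03-01T09:01:18Z patient_05 198.51.100.7 FAILURE
2019-03-01T09:01:20Z patient_06 198.51.100.7 FAILURE
2019-03-01T09:01:25Z patient_07 198.51.100.7 SUCCESS
2019-03-01T09:30:00Z nurse_jones 203.0.113.22 FAILURE
2019-03-01T09:30:03Z nurse_jones 203.0.113.22 FAILURE
2019-03-01T09:30:06Z nurse_jones 203.0.113.22 FAILURE
2019-03-01T09:30:09Z nurse_jones 203.0.113.22 FAILURE
2019-03-01T09:30:12Z nurse_jones 203.0.113.22 FAILURE
2019-03-01T10:15:00Z dr_smith 203.0.113.10 FAILURE
2019-03-01T10:15:40Z dr_smith 203.0.113.10 SUCCESS
"""

WINDOW = timedelta(minutes=10)
ACCOUNT_THRESHOLD = 5   # failures on one account; matches the app's lockout setting
SPRAY_THRESHOLD = 5     # distinct usernames failing from one source IP


def parse_line(line: str):
    """Adapt this to the real report layout; returns (timestamp, user, ip, success)."""
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome == "SUCCESS"


def detect(lines):
    """Return (kind, key, timestamp) findings in log order, one alert per subject."""
    findings = []
    per_account = defaultdict(deque)   # username -> recent failure timestamps
    per_ip = defaultdict(deque)        # ip -> recent (timestamp, username) failures
    alerted_accounts, alerted_ips, sprayed_ips = set(), set(), set()
    for line in lines:
        if not line.strip():
            continue
        ts, user, ip, ok = parse_line(line)
        if ok:
            # A success from a source that was just spraying is the event that matters most.
            if ip in sprayed_ips:
                findings.append(("spray_success", f"{user}@{ip}", ts))
            continue
        q = per_account[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= ACCOUNT_THRESHOLD and user not in alerted_accounts:
            alerted_accounts.add(user)
            findings.append(("account_bruteforce", user, ts))
        q2 = per_ip[ip]
        q2.append((ts, user))
        while q2 and ts - q2[0][0] > WINDOW:
            q2.popleft()
        if len({u for _, u in q2}) >= SPRAY_THRESHOLD and ip not in alerted_ips:
            alerted_ips.add(ip)
            sprayed_ips.add(ip)
            findings.append(("password_spray", ip, ts))
    return findings


if __name__ == "__main__":
    for kind, key, ts in detect(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), kind, key)
```

On the constructed sample the per-account rule fires for nurse_jones (the case the application would itself lock out), while the spray rule catches 198.51.100.7 after its fifth distinct username and then flags the success against patient_07, which no per-account counter would notice because each account saw only one failure.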
The physical data centre buildings, provided by UKCloud's partner Ark Data Centres, are in Farnborough (Hampshire) and Corsham (Wiltshire), over 100 km apart. Data centre locations have been visited and assessed during formal accreditation activities undertaken by accreditors and assessors from the National Cyber Security Centre and the Home Office (PASF), and by BSI and LRQA external assessors during routine ISO9001, ISO20000, ISO22301, ISO27001 and ISO27018 certification assessments.

All data centres used by UKCloud are protected by a robust framework of physical, technical and logical security controls, which ensure that data, applications and ICT infrastructure are afforded the highest possible levels of protection and resilience. These controls, which are communicated to customers, include:
1. 24x7x365 dedicated manned guarding, with control rooms and mobile security personnel
2. Military-grade fencing, full-height turnstiles and perimeter protection sensors and beams
3. Solid construction of all walls and floor slabs; no windows
4. Triple-authentication access control, incorporating ID cards, PINs and biometric data
5. Extensive external and internal digital CCTV coverage with on-site and off-site recordings
6. Segregated delivery and loading/unloading areas, incorporating strategic airlocks
7. Formal "white list" access lists, with robust procedures for visitor access and emergency access
8. Highly resilient diverse power feeds, supplied from separate sub-stations
9. Extensive UPS capability

UKCloud's data centres have been subject to external validation by multiple external accreditors and assessors, as described above.

Virtual disks within UKCloud's VMware-powered clouds are provided by VMware vSphere v5 (assured to EAL4+) and vSphere v6 (certification in progress). Physically, the services are underpinned by either EMC VNX storage arrays (assured to EAL3+) or locally installed disks managed and presented by EMC ScaleIO software (assured to EAL2+). Both are configured in accordance with NCSC guidance and best-practice security hardening guides. For all VMware-based virtual machines, UKCloud uses the pre-zeroing functionality of VMFS (the VMware File System). This resets the storage at bit level when a new virtual disk is presented to a virtual machine: regardless of how the previous configuration or data was deleted, the underlying storage is thoroughly cleansed so that no earlier data can be recovered from the new virtual disk. This control is independently validated by periodic IT Security Health Check tests. While the solution does not align with the documented requirements of HMG IA Standard No. 5, it has passed all CHECK/ITSHC activities and has been assessed and validated by the National Cyber Security Centre (NCSC) on behalf of specific customers.
Incident reporting

Incident Reporting Policy: Must clearly stipulate that breaches of security and/or confidentiality of personal information by employees or subcontractors will be reported immediately to the Trust. This may be addressed in the contract; however, it will be useful to have a timeframe within which incidents will be reported to the Trust.

Ortus iHealth has a comprehensive company policy on information security incident reporting and management. It informs all staff of what constitutes a data/security breach or near miss, how to report it, whom to report it to, and the steps to be taken internally to investigate the incident or near miss. Ortus iHealth assures the Trust that it will report any actual or potential data security breach to the Trust's designated contact immediately (within 2 hours) of becoming aware of it, and will comply fully with any investigations or requests for information.

Secure Data Transfer

Will data be transferred outside the NHS/private healthcare providers? How will the data be transferred/uploaded?
o Portable media, e.g. USB stick, removable hard drive
o Across the Internet, web access
Has appropriate encryption been deployed (256-bit, as recommended by NHS CfH)?

The ManageMyHealth system, its database and all patient information will be held in a UK-based cloud-hosted data centre. The hosting service will be provided by UKCloud. UKCloud maintains a comprehensive portfolio of certifications and accreditations, summarised below:
1. National Cyber Security Centre accredited, specifically for the IaaS (Compute & Storage) services supplied by UKCloud to the Department for Work & Pensions
2. Completed GDS audits of specific services on earlier G-Cloud Frameworks
3. PSN accredited services
4. LRQA-certified ISO9001 Quality Management System
5. LRQA-certified ISO20000 IT Service Management System
6. LRQA-certified ISO27001 Information Security Management System
7. LRQA-certified ISO27018 for personal data in cloud environments
8. Cyber Essentials and Cyber Essentials Plus
9. Home Office/PASF assured facilities and data centres
10. HSCIC/NHS Digital N3 aggregator status
11. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Ortus iHealth has engaged UKCloud to host and manage the system within its cloud-based data centre and to put in place the necessary security management and controls. A contract is in place between UKCloud and Ortus iHealth. The ManageMyHealth system is accessed as a web service from a web browser on an internet-connected device. Portable devices and hardware used by Trust staff to access ManageMyHealth are subject to the Trust's local hardware encryption policies and controls. The system security features in place for data transferred outside the Trust are as follows:
• HTTPS for data transfer (256-bit SSL/TLS encryption)
• One-way password hashing using ASP.NET Membership
• Secure UK cloud-based data centre hosting