Picture Archiving and Communication System (PACS) Acceptable Use

Picture Archiving and Communication System (PACS) Acceptable Use Policy

 Policy number:                                     ULH-IM&T-AUP02
 Version:                                           2.4
 New or Replacement:                                Replacement
 Approved by:                                       Executive Board
 Date approved:                                     21 October 2008
 Name of author:                                    Andrew Stocks
 Name of Executive Sponsor:                         Michael Humber
 Name of responsible committee:                     Information Governance Board
 Date issued:                                       21 October 2008
 Review date:                                       21 October 2010
 Referenced Documents:                              Information Security Policy
                                                    Registration Authority Policy
 Relevant Legislation:                              Data Protection Act (1988)
                                                    Computer Misuse Act (1990)
                                                    Human Rights Act (1988)
                                                    Freedom of Information Act (2000)
 Relevant Standards:                                BS ISO 27001
                                                    NHS N3 Statement of Compliance

Policy Number: ULH-IM&T-AUP02 – Draft Version 2.4                                       Page 1 of 12

    Section
         1          Introduction
         2          Threat Statement
         3          User Training
         4          Access to Patient Information & Acceptable use of PACS
         5          Administration and Organisation of Security
         6          Access Policy
         7          Audit of Use & Active Monitoring
         8          Security Measures
         9          Security Arrangements
        10          User Guidance
        11          Accreditation Conditions

PACS Acceptable Use Policy

 1. Introduction

     1.1. Purpose: This Acceptable Use Policy (AUP) provides a framework for securing
          information held on the Picture Archiving and Communication System (PACS).
          Its purpose is to provide direction on the registration, training and use of the
          system throughout the Trust to ensure compliance with acceptable standards.
          This policy is issued by ICT Ops (Security and Access) Department and has
          been approved by The Trust Information Governance Board.

     1.2. All personnel using this system are to comply with this policy and no departure
          from or amendment to it is permitted unless prior authorisation is obtained
          from the Information Governance Board. Breaches of this policy may result in
          formal disciplinary procedures being taken against individuals, or result in
          criminal prosecution, and potentially referral to the individual’s professional body
          if appropriate.

     1.3. Objectives: The objectives of the policy are:

             •   To ensure that the Trust complies with its legal obligations.
             •   To promote the use of PACS to support the clinical and operational work of
                 the Trust.
             •   To ensure that Trust resources provided to staff are not misused.
             •   To ensure that the security of computer systems and the information they
                 contain is not compromised in any way.
             •   To prevent the Trust’s reputation from being damaged by the inappropriate or
                 improper use of its information resources.
             •   To ensure that patient information is appropriately protected.

     1.4. Scope: The policy applies to all full-time and part-time employees of the Trust,
          non-executive directors, contracted third parties (including agency staff),
          students/trainees, secondees and other staff on placement with the Trust, and
          staff of partner organisations with approved access. It applies to all areas in
          support of the Trust’s business objectives, both clinical and corporate.

     1.5. Risk Assessment: This policy is based on the main threats to the security of the
          system and covers the key elements of security: Confidentiality, Availability and
          Integrity. It outlines the base line security measures that will apply to this

     1.6. System Details: The PACS system is a Connecting for Health (CfH) National
          Radiological based system that enables clinical staff to view radiological images
          and reports, save images and forward images for the purpose of clinical
          treatment planning.

     1.7. Users: PACS users are split into two main groups, Radiology users and
          Enterprise users:

             1.7.1. Radiology Users: The system enables radiology staff to capture and
                    store images and develop radiology reports.

             1.7.2. Enterprise Users: The PACS system stores Radiology reports locally and
                    provides the ability for approved users to search, view and forward
                    radiological images and radiological reports.

     1.8. NHS Care Record Service (CRS): The system will eventually be connected to
          the national NHS CfH data ‘Spine’ and will form part of the patient’s electronic
          record provided as part of the NHS CRS. This will allow radiology images and
          reports to be accessed by any approved users nationally.

             The processing of the spine data (both to ULHT records and those generated by
             other organisations) is out of the scope of this version of the policy and will be
             addressed in future versions where deemed appropriate.

     1.9. Access Control: Access to all NHS CRS applications is via the national Role
          Based Access Control (RBAC) model which requires the user to be issued with a
          CfH Smartcard.

     1.10. Data: The system processes and stores a large quantity of data, all of which can
           be classified as CONFIDENTIAL and pertains to patient records. None of the
           data held or processed by this system is deemed to be ‘public domain’ and
           releasable to the public under the requirements of the Freedom of Information
           Act. All 'Personal Data' held on PACS is to be processed in accordance with the
           Data Protection Act 1998 and the Caldicott principles.

 2. Threat Statement

     2.1. General: The origins and nature of the threats to information processed
          electronically are similar to those for information held in other forms. The main
          threat to data held in an electronic format comes from authorised users who may,
          for whatever motive, disrupt the system or gain access to confidential
          information, which they have no ‘need to know’. There is also a threat from
          external individuals who are likely to try to exploit any security weakness of which
          they become aware. This threat includes disaffected members of staff, members
          of the public and includes criminal activity, politically motivated organisations,
          and investigative journalists.

     2.2. Impact: The most serious impacts are in relation to the personal safety of
          patients following either unavailability of the information used in the treatment of
          patients or errors/corruption of similar data. Information about the course of
          treatment being given to patients or diagnoses that have been made lead to the
          highest requirements for confidentiality.

     2.3. Vulnerabilities: This system is available throughout the Trust where security
          standards may vary. Terminals are located in areas open to the public; the
          system is therefore vulnerable to a wide range of threats.

     2.4. Specific Threats: The main threats to this system have been identified as:

                  • Staff using other members of staff’s accounts in order to gain
                    unauthorised access to information or facilities.
                  • Unauthorised modification of data.
                  • Unauthorised access.
                  • Unauthorised disclosure.
     2.5. Accidental Disclosure of Information: The likely impacts of accidental disclosure
          have been identified as:

             2.5.1. External Disclosure: The impact of accidental exposure of information
                    outside the Lincolnshire health community is potentially high and would
                    cause exceptional damage to the Trust and would undermine the
                    principle that the NHS is committed to.

             2.5.2. Internal Disclosure: The impact of accidental disclosure within the
                    community would be more likely to cause embarrassment rather than
                    threaten the interests of the community and could be construed as a
                    breach of the 'need to know' policy rather than a breach of security.

 3. User Training

     Enterprise Users

     3.1. Interactive web-based training will be provided to all users via The Trust intranet.

     Radiology Users

     3.2. Training will be provided by the department and users are not to be allowed to
          use the system until this training has been successfully completed.


     3.3. Training will address Security and Confidentiality issues where appropriate and
          all users will be directed to read this acceptable use policy before they use the

 4. Access to patient information and acceptable use of PACS

     4.1. Legitimate relationships: Access to patient information on the PACS system
          must at all times be based on the user having a legitimate relationship with the
          patient. Legitimate relationships are only created when the health professional is
          involved with the provision of care to a patient or carrying out a legitimate
          function in support of the patient’s care. For example, a Doctor, in determining a
          treatment plan for a person under their direct care, would have such a ‘legitimate
          relationship’ and would be able to legitimately access the patient’s information on

     4.2. Examples of acceptable use:

             •   A Doctor in determining a patient’s treatment plan.
             •   A Nurse in collating diagnostic information for multi-disciplinary purposes.
             •   A Therapist, in delivering treatment.

     4.3. Examples of unacceptable use:

             •   Using the system to check personal demographic information such as a
                 colleague or a friend’s phone number, address or date of birth.
             •   Viewing information of a patient who you are not providing care for.
             •   Using PACS to view the medical information of a friend, relative or colleague.

     4.4. Use of PACS: Any use of the system or the information contained on the
          system, other than in accordance with this policy is expressly prohibited.

 5. Administration and Organisation of Security

     5.1. System Owners: The system is managed on behalf of the Trust and the data
          owners by the Information Communications Technology Operational Department
          (ICT Ops) and a dedicated Systems Manager will be appointed.

     5.2. System Manager (SM): The SM is responsible for:

             • Ensuring that all security measures and configuration control procedures
               outlined in this document are implemented.
             • Ensuring that this system is registered with the data protection officer.

     5.3. System Administrators (SA): SAs are responsible for the day-to-day
          administration of the system in accordance with this security policy.

     5.4. Security Accreditation: In accordance with the Trust Information Security Policy,
          this system will be accredited by the Trust Information Governance Board.

     5.5. Data Owners: The data owners for PACS are the Radiology Service Managers
          (RSMs) who have overall responsibility for the management of the data within
          the system.

     5.6. Registration Authority: The Trust Registration Authority (RA) is responsible for
          the issue of smartcards to all ULHT personnel and the management of access
          rights based on this policy. The RA will at all times comply with national and
          local RA policies.

     5.7. Department Management: All departmental and ward managers are responsible

             •   The day to day security of this system within their area of responsibility
                 including asset management, staff training and the delegation of line
                 management responsibilities.

             •   To act in the capacity of system sponsor.

             •   Ensuring that all users of this system, in accordance with the Caldicott
                 principles, are authorised and that they have a genuine need to gain access
                 in order that they can perform their duties.

             •   Ensuring that the Registration Authority are informed in a timely manner when
                 their staff no longer require access to the system, their access requirements
                 change, and when new staff require access.

             •   Ensuring that data is obtained fairly and lawfully from data subjects and that
                 all data protection principles of good practice contained in the Data Protection
                 Act are complied with.

             •   Ensure that their staff are aware of their security responsibilities and have
                 read this document.

             •   Ensure that any actual or potential breach of security policy within their area
                 of responsibility is reported, either directly to the ICT Ops Department or
                 through the Risk Management Process (IR1).

     5.8. User Security: The term ‘user’ throughout this document refers to an authorised
          User who has been approved for access to the system. Users have the following

             •   To safeguard hardware, software and information in their care.

             •   Ensure that all computer accounts are protected by the safeguarding of their
                 individual smartcard and Passcode (PIN number).

             •   Not to share their smartcard and Passcode with any other individual.

             •   Ensure they comply with the national terms and conditions for the use of
                 their smartcard in accordance with the RA01 registration conditions.

             •   Ensure that no breach of computer security results from their action.

             •   Prevent the introduction of malicious software on the organisation’s IT

             •   Report any suspected or actual breaches in security to their line manager or
                 to the Risk Management Department (IR1).

             •   Accept and follow the terms laid out in The Trust Information Security and
                 Acceptable Use Policies.

             •   Ensure that personal information, including demographic and clinical
                 information, is not shared with anyone who is not involved with the care of the
                 patient (see section 4).

             •   Remote Users: In addition to the requirements of this policy, all remote users
                 are required to comply with the Trust Mobile Computing and Home Working

 6. Access Policy

     6.1. Business requirements: Access to this system is based on the Caldicott
          principles. Only authorised individuals, who have a genuine need to access this
          data to enable them to perform their duties, are to be granted access. Personnel
          are not to be granted access based solely on status or position.

     6.2. Access Control: Access to the system will be granted to all appropriate staff who
          have been approved by their Sponsor in accordance with the Trust Registration
          Authority Policy.

     6.3. Roles: The RA will maintain an up to date role map which will identify all
          approved users and their appropriate role on the system. The role map is
          managed by the RA but is owned by the data owners who will authorise any
          changes to this document.

     6.4. Sponsors: Sponsors (who will normally be line managers) will be identified in all
          areas of the organisation and they will be required to identify their staff members’
          access requirements in accordance with the role map. The sponsor will be
          responsible for:

             •   Ensuring that their staff members have a legitimate need to access the
                 system in accordance with this policy.
             •   Identifying new users and ensuring that their access is appropriately
                 authorised and requested.
             •   Identifying access change requirements for their staff.
             •   Ensuring that the RA is informed when staff members no longer require
                 access or their access level requires changing.
             •   Ensuring that their staff member is appropriately trained for the level of
                 access required before they are given access.

     6.5. Requirements for Access: No one will be given access to PACS until the
          following have been completed:

             •   The user has been issued with an active NHS CRS smartcard.
             •   The user has been Sponsored for access to PACS by an approved sponsor.
             •   The user has a live and appropriate network account.

     6.6. Authentication: Once user access has been configured they will be verified on to
          the system by inputting their smartcard and Passcode.

     6.7. User ID: All users will be using their own smartcard and Passcode to access the
          system and they are responsible for their own actions. The use of generic
          accounts is not permitted for this system.

     6.8. Request for Access by Lincolnshire Health Community Users: All Lincolnshire
          Health Community (partnership trusts) users will be able to access the PACS
          system client via their network account and will be required to obtain a smartcard
          from their own organisation. All requests for PACS access must then be
          submitted to a ULHT Radiology Service Manager (RSM) as a data owner who
          will act as sponsor. RSMs must satisfy themselves that the user has a business
          need to access the system in accordance with this policy and where appropriate
          must request confirmation from the user’s line manager.

     6.9. Request for Access by other External (NHS Users): All requests for access to
          the PACS system by NHS staff not covered by section 6.8 above, i.e. visiting
          consultants, are to be submitted to the local Radiology Department who will be
          responsible for their network sponsorship. All requests for access must then be
          approved by a ULHT Radiology Service Manager (RSM) as a data owner who
          will act as PACS sponsor. RSMs must satisfy themselves that the user has a
          business need to access the system in accordance with this policy. However, it is
          the individual’s responsibility to obtain a live NHS CRS smartcard from their own

             ULHT Network Access

             This category of users will require a ULHT network account to be able to access
             the PACS client and the Trust Network Access Protocol must be followed.
             External clinical staff applying for access to the PACS system will first need to
             read and sign the generic access protocol and return the completed form to the
             Trust’s Information Governance Department (ULHT Generic Protocol for Access
             to ULHT Networks for Non-ULHT Staff).

     6.10. Request for Access by External non NHS Bodies: All requests for access to the
           PACS system by non NHS organisational personnel i.e. third party access are to
           be submitted to the data owners for approval. Should the requirement for access
           be outside the remit of this group or the scope of this policy it is to be passed to
           the Information Governance Board for a decision. The RA and systems owners
           are not to grant access until all the relevant issues have been resolved and
           permission has been granted.

     6.11. Remote Access: All remote access must meet acceptable local and national
           standards of security and be approved by the Network Security Manager.

     6.12. Confidentiality Agreement: Where appropriate all third party organisations are
           required to sign the Trust Confidentiality Agreement before they are allowed

 7. Audit of use and Active Monitoring

     7.1. Activity monitoring: All activity undertaken using the system will be actively
          monitored by the systems management. This is for the following reasons:

             •   Identify system and user problems.
             •   Monitor and investigate acceptable usage.
             •   Investigate clinical and disciplinary incidents.

     7.2. Management Reports: All patient information used for management reports will
          be in an anonymised format. Patient Identifiable Information should only be
          used with the prior approval of the data owners.

 8. Security Measures

     8.1. Physical Security:

             8.1.1. Servers: All system servers reside within the server rooms at Lincoln,
                    Boston and Grantham. The server rooms are all in dedicated,
                    environmentally controlled rooms where access is controlled. They are
                    protected by a series of locks and are alarmed during non-working hours.

             8.1.2. Workstations: Workstations are situated in a number of different areas,
                    most of which are controlled areas. Workstations which are not situated
                    within a controlled environment are not to be left unattended whilst
                    logged on and their screens are to be positioned to minimise the risk of
                    data being exposed to unauthorised personnel. This is particularly
                    pertinent to mobile workstations which are in use on wards.

     8.2. Software security measures:

             8.2.1. All terminals are to be secured when left unattended. Users are to either
                    log off the system or lock the workstation. Additionally, password
                    protected screen savers are to be used on systems which support this

             8.2.2. The system will automatically log off any users where there has been no
                    activity for an agreed period of time (system idle time). The system idle
                    time is to be agreed by the data owners and may vary depending upon
                    operational requirements, e.g. the idle time in an admin location may be
                    set to 30 minutes whereas in an operating theatre set to several hours.
                    However, the minimum time should always be set.

     8.3. Role Based Access: Access to data is managed by the system with the use of a
          combination of user roles and function access rights. All access rights will be
          based on the user’s need to access data and will be strictly based on their role in
          the organisation.

     8.4. Log out: All users are to log out and close the system window before leaving a
          workstation unattended or when they have completed the session.

 9. Security Arrangements

     9.1. Printing Restrictions:

             9.1.1. Radiology reports must NOT be printed from enterprise workstations.
                    Enterprise users are to only view images and their associated reports on
                    the screen in electronic version.

             9.1.2. The radiology report when viewed on the PC screen will be a full and
                    complete report. If this report is printed via the PACS system important
                    lines may be omitted. It is therefore essential that users DO NOT print
                    this report.

             9.1.3. Paper copies of radiology reports will still continue to be distributed from
                    radiology and all requests for paper copy reports should be made via the
                    radiology department.

     9.2. Malicious Software: The system is protected by the host network system, which
          has appropriate, up to date, antivirus software installed. It is a requirement of
          any users who require remote access that their system has the same level of
          protection. Where this is not the case access will not be authorised.

     9.3. Incident Reporting: In accordance with the Trust Information Security Policy, any
          actual or potential breach of security is to be reported, either directly to ICT Ops
          or via the Trust Incident Reporting Procedure managed by the Risk Management

 10. User Guidance

    All users of this system are required, in accordance with the Information Security Policy

             •   Data Protection: Keep all personal/sensitive information/data confidential
                 (Data Protection Act 1998). Never divulge more information than is required.
                 Patient Information must only be given to authorised personnel. Try to use
                 anonymised data using NHS numbers as an identifier whenever possible.

             •   Systems Access: Do not access or help someone else to access this
                 computer system or modify any program or data unless you are authorised to
                 do so with written consent from the relevant system owner and Computer
                 Services. Never allow another individual to use your system account.

             •   Passcode (PIN Number): You are to keep your Passcode secure. You
                 should never give out your Passcode to others.

             •   Data Storage: Do not store systems information/data locally unless it is
                 extracted as part of an approved formal process. Any data used for this
                 purpose should be stored on a secure network server or be held in an
                 encrypted form.

             •   Data Transfer: All patient identifiable data (PID) transferred externally should
                 be encrypted in accordance with national data security standards. However,
                 where this cannot be achieved and where the transfer is essential to patient
                 care, the data should be copied to a CD and sent by special delivery and if
                 sent by courier (including sent by taxi) placed in a sealed tamper proof
                 envelope. These security standards may be relaxed if the data is encrypted.

             •   Physical Security: Observe building security procedures such as locking
                 doors and windows after working hours. Wear your identity badge at all times
                 and challenge strangers that act suspiciously or are in restricted areas. You
                 should take steps to prevent the theft of any assets, especially information

             •   Compliance: You must comply with this Security Policy, all legal
                 requirements and related policies and procedures, including:

                                      Data Protection Act (1998)
                                      Computer Misuse Act (1990)
                                      Copyright Design and Patents Act (1988)
                                      Criminal and Public Orders Act (1994)
                                      Human Rights Act (1998)
                                      Telecommunications Regulations (2000)
                                      Regulation of Investigatory Powers Act (2000)
                                      ISO: 270001 – Information Security
                                      Information Security Policy

 11. Accreditation Conditions

     11.1. Modifications: All requests for modification to the system must first be
           considered by the SM and then submitted to the Data Owners. The group is to
           identify any security sensitive changes and submit them for approval by the
           Information Governance Board. In particular no new connectivity to the system,
           nor any reprocessing of data outside of the scope of this policy, may be made
           without the express approval of the Information Governance Board.

     11.2. There will be no variation from this document without the prior approval of the
           Trust Information Governance Board. In signing up to this document, the Trust
           Information Governance Board assumes that the information supplied is

     11.3. Further Information: For further information, concerns or questions regarding
           this policy please contact the Information Governance Team.
