NHS IT Security Flashcards
What are the 3 core principles of information assurance?
1) Confidentiality
2) Integrity
3) Availability
What are the 3 main ways to manage information security in the NHS?
- The information governance toolkit
- The data security and protection toolkit
- Local trust policies and procedures
Define information assurance audit
Regularly reviewing performance against standards, codes of practice and/or best practice.
How are risks identified and quantified?
For each risk, the perceived severity of impact and likelihood of occurrence are recorded within a risk register.
How are risks addressed?
Action plans are put in place for each risk, and the risk register/action plans are reviewed regularly.
What are the two purposes of clinical systems?
1) To be a robust IT system
2) To fulfill a clinical function
How can the safety of clinical systems be managed?
By applying an IT security policy
What is NHS Digital?
A department of NHS England that carried out various functions, including:
- Standard setting
- Data collection
- Implementation/management of information systems
- Cybersecurity
- Providing cybersecurity training assured by NCSC
What is NCSC?
The National Cyber Security Centre. An organisation that provides advice and support on how to avoid cyber security threats.
What are the Data Security Standards?
A set of 10 standards to address people, process, and technology issues surrounding data security. They protect sensitive information from unauthorized access, use, disclosure, or destruction.
What are the 3 data security standards for people?
1) All staff ensure that personal confidential data is handled, stored, and transmitted securely, whether in electronic or paper form, and only shared for lawful and appropriate purposes
2) All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches
3) All staff complete appropriate annual data security training and pass a mandatory test
What are the 4 data security standards for processes?
1) Personal confidential data is only accessible to staff who need it for their current role, and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals
2) Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or that force staff to use workarounds which compromise data security
3) Cyber attacks against services are identified and resisted, and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection
4) A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management
What are the 3 data security standards for technology?
1) No unsupported operating systems, software or internet browsers are used within the IT estate.
2) A strategy is in place for protecting IT systems from cyber threats, which is based on a proven cybersecurity framework such as Cyber Essentials. This is reviewed at least annually
3) IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards
What is DTAC?
The digital technology assessment criteria. It gives staff, patients, and citizens confidence that the digital health tools they use meet clinical safety, data protection, technical security, interoperability, usability, and accessibility standards.
Which products should be assessed using the digital technology assessment criteria?
All new health IT systems, even those in piloting or trials.
What is a health IT system?
A product used to provide electronic information for health and social care purposes.
What is DCB0129?
A clinical risk management standard from NHS Digital that applies to manufacturers of health IT systems. It ensures the clinical safety of products by requiring a formal risk assessment and the development of a Clinical Risk Management System (CRMS).
What is DCB0160?
A clinical risk management standard from NHS Digital that applies to the deployment and use of health IT systems. It ensures the clinical safety of products by requiring a formal risk assessment and the development of a Clinical Risk Management System (CRMS).
What is a clinical safety officer?
A Clinical Safety Officer (CSO) is a registered healthcare professional responsible for ensuring the safety of patients and users of health IT systems.
What are the Security of Network and Information Systems Regulations 2018?
Regulations intended to protect the cyber security of key national infrastructure, including all NHS Trusts.
Under NIS 2018, the National Cyber Security Centre has been appointed as the ‘______ _____ __ _____’ (SPOC) for cyber security and as the ‘_______ _______ _______ ________ ____’ (CSIRT) for the NHS
Single point of contact
Computer security incident response team
State 8 ways in which passwords can be cracked.
1) Interception over a network
2) Brute force
3) Searching for electronically stored information
4) Stealing insecurely stored passwords
5) Manual guessing using personal information
6) Shoulder surfing
7) Social engineering
8) Key logging
What are the 10 steps to cyber security?
1) Network security
2) User education and awareness
3) Malware prevention
4) Removable media controls
5) Secure configuration
6) Managing user privileges
7) Incident management
8) Monitoring
9) Home and mobile working policies
10) Set up a risk management regime
What are the 5 technical control requirements for IT infrastructure?
- Firewalls
- Secure configurations
- User access control
- Malware protection
- Patch management