Please read the following Code of Connection then sign and return the declaration form to the following email.
CODE AND PRACTICE FOR CONNECTION OF COMMUNITY OPTOMETRY PRACTICES TO SCOTTISH WIDE AREA NETWORK (SWAN)
Source: DaS, NSS
Date Released: 22 May 2020
This Code and Practice for connection of Community Optometry Practices to SWAN has been written to facilitate and ensure acceptable use of SWAN by these practices in Scotland.
Aims of SWAN
SWAN aims to provide the best possible network services to its customers in terms of quality, access, security, reliability and value for money to support patient care and administration in the NHS.
Background and Definitions
"SWAN" is the name given to the networking services and facilities that support the communication requirements of the National Health Service (NHS).
National Services Scotland (NSS) is the common name for the Common Services Agency (CSA). Acting through its Digital and Security department (DaS), NSS is responsible for the provision of SWAN in Scotland. DaS will resolve any dispute over the interpretation of this Policy. DaS oversees SWAN and researches, develops and provides advanced electronic communication facilities for use within the NHS Scotland community.
This Policy applies to any person or legal entity lawfully running a practice (hereafter referred to as a “Community Optometry Practice”) which:
a) provides General Ophthalmic Services on behalf of a territorial NHS Board under the National Health Service (Scotland) Act 1978, as amended, and in accordance with the National Health Service (General Ophthalmic Services) (Scotland) Regulations 2006, as amended; and/or
b) dispenses optical appliances (spectacles and contact lenses) and redeems an optical voucher in accordance with the National Health Service (Optical Charges and Payments) (Scotland) Regulations 1998, as amended;
and who is a User Organisation for the purposes of SWAN and this Code and Practice, as defined below.
- Such a User Organisation may only permit the use of SWAN within its organisation:
a) under sub-paragraph 3a), by an individual who is providing services and is included in the General Optical Council register of optometrists, or an individual who is working under that person’s direct supervision and for whom that person takes full responsibility for ensuring compliance with the obligations contained herein;
b) under sub-paragraph 3b), by an individual who is redeeming optical vouchers, or an individual who is working under that person’s direct management and for whom that person takes full responsibility for ensuring compliance with the obligations contained herein.
- It is the responsibility of the User Organisation to ensure that members of their own user community use SWAN services in accordance with the current Acceptable Use Policy (AUP) outlined below in this Code and Practice and in accordance with current legislation, technical and security requirements.
- For the purpose of this Code and Practice a User Organisation is defined as a Community Optometry Practice to which a connection to SWAN is provided under the terms of this Code and Practice.
Policy Documents making up the Code of Connection
Acceptable Use Policy
Disclaimer
Neither NSS nor DaS accept any liability for loss or damage resulting from the use of the material contained herein or for any interruption to the service provided in facilitating access to SWAN. The information provided herein is believed to be correct, but no liability can be accepted for any inaccuracies, or for the consequences of any interruption, suspension or termination of the service as described below.
SWAN - Acceptable Use Policy
- Why an Acceptable Use Policy?
- Acceptable Use
- Unacceptable Use
- Practice Specific Policy
- Remote Support
Why an Acceptable Use Policy?
The purpose of this Acceptable Use Policy (AUP) is to guide users to use SWAN connected facilities responsibly. That will assist SWAN to protect the integrity of the network so that at all times it will be available to serve your needs, those of patients, and of other users.
SWAN is to be used exclusively to enhance the quality of patient care, or to facilitate administration in the Health Service and the professional work of those providing the care.
The consequences of failing to observe this AUP are potentially very serious, and the Compliance section below sets out the range of measures that exist to enforce this AUP.
While the AUP can contribute to an enhanced level of security, as compared to that found in an unregulated network, this is dependent on all users observing the basic rules. Users should remember that SWAN cannot protect their systems from the actions, legitimate or otherwise, of other users. Therefore, an additional written and enforceable Security Policy is essential. A thorough understanding of the Security Policy document and of professional guidance on protecting the privacy and security of clinical data is essential. You should also check that you meet the requirements of the Data Protection Act 2018, which includes GDPR, and that you are compliant with the law as it applies to the relevant part of the UK, at all times.
If you do have any questions, contact details are provided in Annex A.
Acceptable Use
A User Organisation may use SWAN for the purpose of interworking with other User Organisations, and with organisations attached to networks that can be contacted via interworking by agreement with DaS. All use of SWAN is subject to payment of the appropriate charges in force during the period of service.
SWAN connectivity may be used for any normal NHS business activity that is in furtherance of the aims and policies of the NHS.
SWAN connectivity may not be used for any purpose inconsistent with normal NHS business activity that is in furtherance of the aims and policies of the NHS, including those uses outlined in the Unacceptable Use section below.
User Organisations must have documented arrangements in place to ensure that measures outlined in the Security Policy below are adhered to.
Unacceptable Use
SWAN infrastructure and connectivity may NOT be used for any of the following:
The creation or transmission (other than for properly supervised and lawful clinical purposes) of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material;
The creation or transmission of material which is designed or likely to cause annoyance, inconvenience or needless anxiety;
The creation or transmission of defamatory material;
The transmission or obtaining of material such that this infringes the copyright of another person;
The transmission of unsolicited commercial or advertising material either to other User Organisations, or to organisations connected to other networks;
Non-Healthcare activity which may grossly abuse the service;
Other activities that do not benefit patient care or that do not support the professional concerns of those providing that care;
Gross abuse of the service by the unsolicited sending of inappropriate material;
Unauthorised access to facilities or services accessible via SWAN;
Activities with any of the following characteristics:
• flagrant wasting of staff effort or networked resources, including time on end systems accessible via SWAN and the effort of staff involved in the support of those systems;
• altering, corrupting or destroying other users' data;
• violating the privacy of other users;
• disrupting the work of other users;
• using SWAN in a way that denies service to other users (for example, deliberate or reckless overloading of access links or of switching equipment);
• continuing to use an item of networking software or hardware after DaS has requested that such use cease because it is causing disruption to the correct functioning of SWAN;
• other misuse of SWAN or networked resources, such as the introduction of "viruses".
Where SWAN is being used to access another network, any abuse of the acceptable use policy of that network will be regarded as unacceptable use of SWAN.
The carrying out of security testing in a manner that would negatively impact the NHS SWAN network or services.
If you are in doubt about whether you may use SWAN for a particular purpose, you should seek advice from DaS (See Annex A).
It is not permitted to provide access to SWAN to third parties.
Note that this list is not exhaustive and will be updated in the light of experience.
Compliance
It is the responsibility of the User Organisation to take all reasonable steps to ensure compliance with the conditions set out in this AUP by all persons accessing the service via the User Organisation and to ensure that unacceptable use of SWAN does not occur. The discharge of this responsibility must include informing those at the User Organisation with access to SWAN of their obligations in this respect, and exercising logging and monitoring of user behaviour in accordance with the guidance set down by the Information Commissioner (further guidance is available on the Information Commissioner’s website).
Connection may be subject to a satisfactory site visit by DaS to verify compliance with the SWAN Security Policy outlined below. A site visit would involve a network audit to ensure that:
a. a supported Windows operating system with up-to-date security updates and patches is in place;
b. anti-virus software is installed, active and up to date on all networked devices;
c. no unauthorised wireless networks are connected.
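The three audit points above can be self-checked on each practice PC ahead of a DaS site visit. The following script is an added example, not part of the NSS/DaS Code of Connection or any DaS audit tooling. It assumes an elevated PowerShell session on a Windows 10/11 workstation, treats Windows version 10.0 or later as "supported", uses a 35-day patch-age threshold, and relies on the widely used but not formally documented convention for decoding the Security Center `productState` value; the authorised SSID list is a constructed placeholder for the practice's own approved network names.

```powershell
# Added example (not from the NSS/DaS Code of Connection): a local pre-audit self-check
# covering (a) supported and patched Windows, (b) anti-virus active and up to date, and
# (c) no unauthorised wireless network connected. Run in an elevated PowerShell session.

$AuthorisedSsids = @('PRACTICE-OFFICE-WIFI')   # placeholder: replace with the practice's approved SSID(s)
$MaxPatchAgeDays = 35                          # assumption: newest patch older than this is flagged

# (a) Supported Windows operating system with recent security updates
$os = Get-CimInstance -ClassName Win32_OperatingSystem
# Assumption: Windows 10/11 (kernel version 10.x) is treated as supported; older builds are flagged
$osSupported = [version]$os.Version -ge [version]'10.0'
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAgeDays = if ($lastPatch) {
    (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
} else { [int]::MaxValue }
$patchOk = $patchAgeDays -le $MaxPatchAgeDays

# (b) Anti-virus installed, active and up to date (Security Center is present on workstation editions)
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$avFindings = foreach ($av in $avProducts) {
    # productState is a 24-bit value. Convention used here (not formally documented by Microsoft):
    # middle byte 0x10 or 0x11 = real-time protection enabled; low byte 0x00 = signatures up to date.
    $hex = '{0:X6}' -f [int]$av.productState
    [pscustomobject]@{
        Name     = $av.displayName
        Enabled  = $hex.Substring(2, 2) -in @('10', '11')
        UpToDate = $hex.Substring(4, 2) -eq '00'
    }
}
$avOk = ($avFindings | Where-Object { $_.Enabled -and $_.UpToDate } | Measure-Object).Count -gt 0

# (c) No unauthorised wireless network connected: read the SSID of any connected WLAN interface
$wifiConnected = @()
foreach ($line in (netsh wlan show interfaces 2>$null)) {
    # Matches "    SSID : name" but not the "BSSID" line, which starts with B
    if ($line -match '^\s*SSID\s*:\s*(.+)$') { $wifiConnected += $Matches[1].Trim() }
}
$unauthorisedWifi = @($wifiConnected | Where-Object { $_ -notin $AuthorisedSsids })
$wifiOk = $unauthorisedWifi.Count -eq 0

# Report one line per audit point, then an overall verdict (non-zero exit code on any failure)
"(a) OS: $($os.Caption) $($os.Version); supported=$osSupported; newest patch age=$patchAgeDays days; ok=$patchOk"
if ($avFindings) {
    $avFindings | ForEach-Object { "(b) AV: $($_.Name); enabled=$($_.Enabled); upToDate=$($_.UpToDate)" }
} else { "(b) AV: no product registered with Security Center" }
"(b) AV ok=$avOk"
"(c) Wi-Fi connected: $($wifiConnected -join ', '); unauthorised: $($unauthorisedWifi -join ', '); ok=$wifiOk"
$allOk = $osSupported -and $patchOk -and $avOk -and $wifiOk
"OVERALL: $(if ($allOk) { 'PASS' } else { 'FAIL - remediate before the DaS site visit' })"
exit $(if ($allOk) { 0 } else { 1 })
```

The script reports, it does not remediate: a failing line is a prompt to install updates, re-enable or update the anti-virus product, or disconnect from the unlisted wireless network and record the change for DaS as the Code requires. Because `root/SecurityCenter2` does not exist on Windows Server editions, point (b) on a server-based practice system needs a vendor-specific check instead.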
All changes to the connected environment must be communicated to DaS prior to implementation.
Approval of DaS to access SWAN will be subject to annual review.
DaS reserve the right to monitor the sites accessed by User Organisations via SWAN, and to retain such records of monitoring as are necessary in assessing compliance with this Code and Practice by any User Organisation. If DaS have reason to believe that a User Organisation's use of resources may contravene any principle described in the Code and Practice and AUP then DaS reserve the right to instruct its service provider or any other relevant service provider to terminate or suspend the connection. When the issue has been remedied to the satisfaction of DaS the connection will be restored.
By signing the Declaration of Compliance below, User Organisations, including all employees or agents, waive any right to take any action against NSS or DaS or the NHS for losses suffered, whether directly or indirectly, as a result of any interruption, suspension or termination of access to SWAN.
Where an action by a User Organisation, or anyone for whom it accepts responsibility under this Code and Practice, in violation of these conditions constitutes a breach of the terms of this Code and Practice or an illegal or unlawful act, or results in loss or damage to SWAN resources or the resources of third parties accessible via SWAN, the NSS on behalf of the NHS reserve the right to instigate an investigation and retain forensic evidence.
If you are given notice of any investigation into a security matter relating to a contravention of this AUP, you may appeal to DaS giving the notice within 28 days of such notice being given. The parties shall take all reasonable steps in the circumstances to resolve any dispute amicably.
It is preferable for misuse to be prevented by a combination of responsible attitudes to the use of SWAN resources on the part of individual users and appropriate disciplinary measures taken by User Organisations.
If you should become aware that your staff or colleagues are breaching the terms of this Code and Practice or the AUP then you should report this to DaS at once and address it within your own User Organisation, where appropriate.
This Code of Connection document may be reviewed and updated from time to time to keep up with changing security and cyber threats.
SWAN - Security Policy for Community Optometry Practices
User Organisations should be aware that SWAN cannot protect the data on their systems from the actions, legitimate or otherwise, of other network users. It is therefore your responsibility to protect data held within your organisation from unauthorised access, whether from within your organisation, or via the SWAN, or any other network. Likewise the safety and privacy of clinical data being transmitted from one clinical domain to another needs to be protected to very high standards during transit. SWAN services are authorised for your organisation's use; only registered users (or individuals directly supervised by them) authorised by you should be allowed access to SWAN.
- Data held within an organisation needs to be protected from any unauthorised access, and this is the responsibility of User Organisations, not NSS or DaS or the NHS. User Organisations should ensure protection in the following ways:
a. An organisation’s system must have adequate staff identification and authentication controls, logging and monitoring to detect actual or attempted misuse.
b. A User Organisation must ensure that there is readily accessible and well-publicised documentation to support these identification and authentication controls. This documentation should clearly state that members of staff who fail to comply with their terms will be denied access and liable to disciplinary action.
- Personal Identifiable clinical data that is transmitted over the SWAN must be protected by cryptographic services conforming to current NHS standards at all times. It is ultimately the User Organisation who is responsible for any data transmitted.
- User Organisations have a duty to protect the security and privacy of other organisations attached to the SWAN by the following means:
a. An organisation must have a malicious software prevention policy in place, and it must be implemented to accept scheduled updates from the vendor.
b. All data/files which an organisation sends or receives over the SWAN, or by any other means, must be scanned by an up to date virus scanner on the User Organisation’s system, and the software for this will need to be updated periodically by mechanisms appropriate to the relevant software.
c. User Organisations must ensure they have clear and accessible documented policies and procedures which set out for staff their responsibilities and obligations with regards to the processing of personal and business data. Training should be provided to all staff to ensure that their knowledge is kept up to date. Where users are registered with their professional body, they are required to follow their professional codes of practice.
Where unauthorised access has occurred, this may constitute grounds for disciplinary action against the member(s) of staff involved in accordance with the documentation provided by a User Organisation to its staff.
All incidents that constitute a threat to SWAN security must be reported to DaS immediately. Notification of security alerts shall be submitted to firstname.lastname@example.org.
You must ensure that physical access to the SWAN router and ancillary equipment is restricted to only authorised personnel for whom you are responsible under the terms of this Code and Practice.
Remote Support
Contents
- Risk Assessment
- Code of Practice Exception
Introduction
Community Optometry Practices may wish to engage with system suppliers to provide remote support. This type of support is generally provided by organisations using the accredited third party SWAN connection process; however some organisations choose to connect through the Internet.
This is not a recommendation by NHS, NSS or DaS, but a request from Community Optometry Practices and System Suppliers to allow this support using the SWAN infrastructure.
Risk Assessment
The use of remote access technology to provide remote support entails additional risks above previous normal operation that must be appropriately managed.
It is the responsibility of the Community Optometry Practice as the data controller to manage these risks to protect the sensitive information that is held on the Community Optometry Practice’s systems.
Examples of heightened risks include the following:
• remote support engineer accesses personally identifiable, financial or other sensitive information for which they are not authorised (for example, browses through practice system or databases);
• remote support engineer damages practice systems or information stored on the systems (for example, by accidentally deleting data or reconfiguring aspects of the system incorrectly);
• vulnerabilities in the fourth party remote support application are exploited by malicious code on the internet which spreads onto practice systems, potentially accessing/harvesting financial or other sensitive information, causing damage to practice systems and/or data and system downtime with associated subsequent cost to clean;
• member of staff in the fourth party remote access application company (e.g. WebEx) ‘overlooks’ personal or sensitive information on a restricted remote desktop session or otherwise abuses privileges gained through administrative access to the remote access server;
• internet user intercepts a remote session and accesses information for which they are not authorised.
The risks associated with the architecture are caused in particular by the use of a number of third-party support organisations that have administrative access to practice machines. Community Optometry Practices have limited and varying levels of control over the personnel and procedural controls within the support organisation.
It is anticipated that larger organisations will produce an appropriate risk management document detailing the impact and likelihood of each of these risks as part of a formal risk management process.
Smaller organisations that do not have the resources to devote to developing a full risk management document should undertake to implement the following controls:
• ensure that the remote support session is initiated by an individual at the console in the practice and by no other means;
• establish a tight support contract for third party support organisations with clearly set out personnel and procedural controls, e.g. record the names of all support engineers within their organisation that have access, and obtain a signed acknowledgement from such employees that they acknowledge the importance of security of data and patient confidentiality and that breach of the rules will constitute a serious disciplinary matter;
• whenever possible ensure engineers providing remote support have undergone a Disclosure Scotland basic check or other equivalent personnel screening process;
• limit the number of remote engineers to the minimum necessary, ideally named and identified individuals;
• select a single remote access technology, and establish an appropriate agreement with the fourth party regarding use and configuration of this technology;
• limit the number of third party support organisations to those that have agreed to the minimum set of controls;
• ensure all practice staff have appropriate security awareness training, e.g. to be able to identify suspicious activity;
• ensure system backup procedures are in place to recover from damage to practice data;
• separate data on the practice system, and store personally identifiable information in encrypted form that is not accessible by remote users.
Code of Practice Exception
Part 2 of the attached Code of Practice document should be signed by a responsible site representative. The signatory will accept all risks (accidental or intentional) associated with this type of support. Some vulnerabilities have been identified above, but this is not a definitive list and will not identify all risks associated with this support arrangement.
It is strongly recommended that the practice has a contract which is made or evidenced in writing, with the System Supplier for the remote support services. This should require the System Supplier to comply with obligations equivalent to those imposed on the practice by the Seventh Data Protection Principle of the Data Protection Act 2018. This states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
This agreement should clearly outline:
• that the supplier should act only on instructions from the practice;
• the guarantees in respect of the technical and organisational security measures they take;
• how the supplier takes all reasonable steps to ensure compliance with those measures;
• any liability associated with the agreement.
It is important to note that the Seventh Principle relates to the security of the processing as a whole and the measures to be taken by data controllers to provide security against any breaches of the Act rather than just breaches of security.
Community Optometry Practice Declaration of Compliance with this Code and Practice and the SWAN Policies described within it.
A named optometrist has to take responsibility for signing this document. The document shall be signed by the optometrist if the Community Optometry Practice is run by an individual, by the partners if it is a partnership, and by the director or company secretary if it represents a body corporate.
Authorised signatories, in the case of companies, are permissible but evidence of authority must be provided e.g. board minute.
The document should be countersigned by the person responsible for security if different to named signatory.
Should the person signing not understand any part of this agreement, then please consult DaS by email to email@example.com
This declaration will normally remain valid for a period of five years subject to satisfactory annual review. After that time, a fresh declaration should be signed. If the person signing this declaration ceases to remain as representative, DaS must be informed at least one month in advance and a new representative should sign a fresh declaration. The representative signing this document has responsibility for making all members of staff in the practice(s) aware of the terms of this declaration, and for ensuring and monitoring their compliance.
Please complete the declaration form and return it to the following email: