🌪️

Business Continuity Plan - Data and Cyber Security

ℹ️
Last updated 27th June 2024 by Peter Huang. Date of next review: 4th February 2024

Introduction

ℹ️
Forenote: key points of contact for this area are cofounder and director Peter Huang (07415510288) , and our DPO, Umar Sabat (umar.sabat@ig-health.co.uk)

This document sets out:

  • What digital systems and devices the organisation currently has in place. This includes identification of ‘critical’ systems and devices
  • Business continuity scenarios. The organisation considers 6 different scenarios in terms of threats and for each a continuity plan is provided:
    • Office unavailability – e.g. through fire/flood
    • Phoneline / broadband failure
    • Power cut
    • Broken computer
    • If you were hacked
    • If your supplier’s system failed e.g. care planning system
  • Business continuity plan testing. How we test our plans, and record what tests have we carried out and when, and any remedial action taken.

This plan is reviewed and updated on an annual basis, and when any critical systems are changed or new systems introduced.  Reviews are part of the annual tasks around data and cyber security as set out in our Data security policy/plan.

What digital systems and devices does the organisation currently have in place?

Digital systems

Complete one row below for each of the organisation’s digital systems. 

💡
Examples of systems that you might have are as follows:  Email (e.g. NHSMail, and/or another email system); care planning; HR/Staffing system; payroll; document storage (e.g. Dropbox, Google drive); electronic MAR charts; accounts and finance system; office phone system; CCTV software

Healthtech 1 Digital systems

Digital systemsRate the impact of these systems failing in terms of severity (1 – 10) 1 being low, 10 being highCan you use an alternative method e.g. paper – based alternative? If so where is this stored?Date Completed

3

Internally, we use slack. For those getting in contact we have non-typical communication channels such as our company twitter and linked in pages, or private messaging with employees on social networks.

February 4, 2023

5

This is all of our company documentation, planning and knowledge. We could move to paper within the office.

February 4, 2023

5

Would be an incumbrance because we can't access previous messages but we could very easily use other messaging platforms such as teams, google chat or discord.

February 4, 2023

2

We'll store things locally, or use an alternative provider temporarily until this is back online.

February 4, 2023

2

We'll use local software, such as Word or Pages and continue our business activities there. Collaboration will be slower.

February 4, 2023

8

We could migrate quickly to another provider like AWS, may take a day.

February 4, 2023

3

Our devices and data are regularly synced and securely encrypted in the background. This gives us the ability to recover and access data over the internet.

February 4, 2023

Devices

💡
Complete one row below for each of the organisation’s devices.  Examples of devices that you might have include: servers, desktop computers, laptops, tablets, smartphones, memory sticks. Include any devices that are personal that are used for work purposes, e.g. if the owner uses their personal smartphone to access company emails, then this should be included in this list.

Devices

Rate the impact of these systems becoming broken/lost/stolen in terms of severity (1 – 10) 1 being low, 10 being highDate CompletedWork / Personal

5

February 4, 2023
Work

4

February 4, 2023
Personal

2

February 4, 2023

Critical systems and devices

💡
Complete one row below for any system or device rated over a 5 in severity (in 3.1 and 3.2 above) – these are our ‘critical systems’.

Critical systems and devices

Provider / contact detailsDoes the supplier have their own business continuity plan in place? Where can this be found?Date CompletedColumn 4

Azure

https://servicetrust.microsoft.com/ViewPage/TrustDocumentsV3?command=Download&downloadType=Document&downloadId=64f922a6-d624-40dd-a8ae-6f996b5186f3&tab=7f51cb60-3d6c-11e9-b2af-7bb9f5d2d913&docTab=7f

October 20, 2021

Business continuity: scenarios

Scenario 1 – Office unavailability

💡
Consider how you would access the information and systems that you need to run the business, should one or more offices become unavailable. For example, if there is a fire or flood, and office phones, computers and servers are irretrievably lost/unavailable.

General back up

We operate within 1 site of 4 GP practices where we can move our infrastructure, resources and team. These GP practices are within 30 minutes travel of our current HQ. We have a redundancy backup with several smartcards and spare desktops at another F4HG location.

Systems and data access

Luckily our communications, documentation and productivity suite all live in the cloud, so in the event of office unavailability the goal is to get access to any secure laptop. We would be able to use personal laptops or purchase new ones.

Typically we are working on the site of a GP practice, but can always relocate to the trading office in Dalston, which is a secured business building with concierge and WIFI. Alternatively, employees can work from home from their own workstations.

If needed, we could get backups from online (more up to date) or from the external hard drive, which will be stored separate from the office. We also back up our device data on a continual basis meaning as long as we have secure internet access, we can recover our data.

First actions and Leadership

An assessment by the directors need to be made as soon as possible. After assessment and if alternate actions need to be taken, the team will be led by the two directors, Pete Huang and Raj Kohli. Pete as the IT admin will lead on getting our digital systems and devices back in use and Raj will work on office availability.

Communication

All employees to be notified of the situation as soon as possible. Further updates on next steps and actions by directors to come as progress / new information is found.

Ensuring Success

All employees need to have an understand of possible measures during an office availability event, within a week of when employees are onboarded. Peter Huang to ensure onboarding includes such information and is completed.

Scenario 2 - Phoneline / broadband failure

💡
Consider what would happen if your phone lines and broadband were to fail.  For example, would you be able to access care plans? Would you be able to access the telephone numbers for service user’s families for example? Would you be able to direct staff to where they need to be to provide care to service users?

General

  • Raj to work on how to get phone lines back online, communicate with stakeholders
  • Failing that we move to home or the Dalston office
  • Similar to Scenario 1
  • If Ht1 network down then we would hotspot from our phones with a VPN work from another practice using a VPN
  • If the HSCN line is down, we’d have to fall back to another practice with a HSCN line to do all NHS network related work

What external telephone numbers are critical to running the business and how will we know what numbers these are?

Phone numbers are stored in the intranet, within emails. Emergency contacts are stored in hardcopy at the Dalston trading office.

What will we use to make phone calls?

Personal

How will we connect to the internet (e.g. for email, and any other online critical systems)

We will use internet dongles as a first preference, a personal hotspot next, and never unsecured public internet. The Dalston office has secured high speed internet.

If this happens, who needs to do what, and by when

Who needs to be told and how will we tell them

What needs to be put in place so that our plan will work, who will do this and by when

Please see answers to Scenario 1

Scenario 3 - What would happen in the event of a power outage?

💡
Consider how you would access the information and systems that you need to run the business, should you experience an extended power cut. If you have a laptop this would last for a period of time using its battery power.  You could consider investing in an Uninterruptible Power Supply (UPS) system that will provide power, so your plugged-in devices remain powered (for e.g. a couple of hours) despite a black out.

How will we access our systems and data

Our equipment is not wired so we can work from battery power. We expect to have at least 4 hours of battery power per laptop (we monitor battery health using device management software). We also carry chargers with us so we can solve the battery problem as long as we find a standard UK plug (Dalston office / coffee shop / neighbour). Alternatively we could use personal laptops (if secured) and access our files and work online.

Where will we work from

If we are working on non-sensitive items, we can work from public locations (libraries, coffee shops, hotels). But if sensitive we can move to another F4HG practice site with access to HSCN, the Dalston office or work from home with a VPN.

If this happens, who needs to do what, and by when

Who needs to be told and how will we tell them

What needs to be put in place so that our plan will work, who will do this and by when

Please see answers to Scenario 1 above.

Scenario 4 - What would happen if a device failed? What would happen if a device became lost or stolen?

💡
Consider the devices you identified in 3.2 above; what action would be needed if one of these devices became broken, or was lost or stolen?

Is your service reliant on one main computer or laptop or do you have other devices that you could use if the computer/laptop stopped working?

We don't have a main 'key risk' laptop as our work is on the cloud and highly available. We have spare laptops ready to be used if our work laptops fail.

Laptops, tablets and smartphones are particularly vulnerable to becoming lost or stolen. Do you protect them to prevent unauthorised access?  E.g. is there a pin, fingerprint or facial scan? Is there an app set up to track the location of a lost/ stolen smartphone, and ‘wipe’ its contents remotely?

All laptops and personal smartphones have strong and secure passwords, are locatable and remote lockable and wipeable. Our laptops use biometric fingerprint access.

To make laptops and tablets especially difficult to get into, they can be encrypted (this protects information by converting it into unreadable code that cannot be deciphered easily by unauthorised people) – you then need a ‘pin’ or password to start up the device.  Or, you can use ‘two factor authentication’ – a security process which requires more than a single password, for example a fingerprint or facial scan, or a security token (e.g. a smart card or key fob which displays a number which you then put into the device to access it).  You must also have an operating system password (something different to the original password the device came with) to access the software e.g. email/Word.

Our laptops (and backups) are all encrypted. Logging into device doesn't 2FA, but core cloud services do upon login (Slack, Notion, Google, Azure). Knowing that a device was lost or stolen we could force logout sessions, and also contact their IT support team to invalidate sessions.

If this happens, who needs to do what, and by when

Who needs to be told and how will we tell them

What needs to be put in place so that our plan will work, who will do this and by when

Please see answers to Scenario 1 above

More generally,

  • employee devices will be replaced on failure
  • employee devices will also be wiped using MDM software if stolen
  • operational machines will be replaced with spare machines we already own

Scenario 5 - What would you do if you were hacked?

💡
If you are hacked then you’ll need to act quickly and get the right support – it’s therefore important to have a robust plan in place.  The best way to avoid being hacked is to follow good practice in terms of technical approaches but also importantly by making sure staff have the right training.

Resources:

NHS England Digital Respond to an NHS cyber alert - NHS England DigitalNHS England Digital Respond to an NHS cyber alert - NHS England Digital

Report a breachReport a breach

Contact Action Fraud Action Fraud is the UK’s national reporting centre for fraud and cybercrime where you should report fraud if you have been scammed, defrauded or experienced cyber crime. You can report fraud or cyber crime using their online reporting service any time of the day or night; the service enables you to both report a fraud and find help and support. You can talk to their fraud and cybercrime specialists by calling 0300 123 2040

Do you protect your devices from malware?  Malware is malicious software (such as viruses) designed to cause damage – for example deleting all your data or blocking access to it until a sum of money is paid.

Yes we use anti-virus and anti-malware software that actively protects and regularly scans laptops for issues.

Out of date operating systems (e.g. versions of Windows or MacOS that are no longer supported by the manufacturer, or supported versions of Windows or MacOS which are not subject to regular updates) are vulnerable to this type of attack. Do you keep operating systems for your computers and smartphones updated or ‘patched’?

Yes, we keep updated all the time. We also use Microsoft Intune (MDM) to remote force operating system and software updates so that our software isn't vulnerable.

Antivirus software helps protect your computers/laptops – is this in place?  A firewall (which can be software) blocks unauthorised access from outside of your organisation – do you have one of these?  Do you avoid unsecure or public wifi?

Yes we have a firewall, we avoid public wifi, and we use a VPN whenever we are accessing the internet from a non-office location.

💡
In terms of staff training, all staff should be made aware of what to look out for as part of induction training and then provided with reminders at least annually and/or highlighted in other ways such as on agenda of regular meetings or in supervision. See https://www.digitalsocialcare.co.uk/resource/staff-training-guidance-june-2020/

What prevention measures do we have in place in terms of our technical approaches?

We follow Cyber Security Essentials best practice for preventative measures. Examples include:

  • configuring user accounts and devices properly
  • encrypting all data, in transit, in rest, but not during view
  • using secure internet and using VPNs where not in office environment
  • active antivirus actively running
  • MDM to ability to remote lock and wipe devices if compromised
  • Annual pen test (proactively seeking vulns)
  • general software engineer best practice
  • Separation of network between employee and bot machines
  • MFA all on user accounts

What prevention measures do we have in place in terms of staff training?

  • documentation (policy and procedure) at the point of induction
  • general training

Scenario 6 - What would happen if a supplier had a fault? i.e. the care planning system won’t work and it’s the supplier’s fault?

💡
Consider how you would access the information and systems that you need to run the business, should a critical system provided by an external supplier stops working, where this is the supplier’s fault. Here you will need to consider sector specific software, such as care planning systems, rota systems, electronic MAR sheets etc.  Global systems such as Google, Dropbox or Microsoft fail sufficiently rarely that continuity plans are not typically necessary.

For us our critical systems are EMIS, RPA or retool.

What if the system was down for an extended period? What paper or alternative systems (identified in 3.1 above) would you be able to put into place?

All of the services we use have alternatives that are secure and easy to setup. We can continue progress by using these.

  • Notify our direct GP partners to use their EMIS/SystmOne to do registrations them selves
  • Store our data in our own forms, ready for the next availability moment.

What critical aspects of our business will be affected?

In most areas we would experience a productivity slowdown.

In registrations we would have a back log of forms to complete so we would have to organise a temporary workforce behind these tasks.

How will we access the information that we need?

If we can't access our cloud data, we can restore our past files from backups, and use temporary and alternative methods for productivity to continue services and progress.

If this happens, who needs to do what, and by when

Who needs to be told and how will we tell them

What needs to be put in place so that our plan will work, who will do this and by when

Please see answers to Scenario 1 above.

Business continuity plan for other scenarios

ht1ht^1