- Introduction
- What digital systems and devices does the organisation currently have in place?
- Digital systems
- Devices
- Critical systems and devices
- Business continuity: scenarios
- Scenario 1 – Office unavailability
- Scenario 2 - Phoneline / broadband failure
- Scenario 3 - What would happen in the event of a power outage?
- Scenario 4 - What would happen if a device failed? What would happen if a device became lost or stolen?
- Scenario 5 - What would you do if you were hacked?
- Scenario 6 - What would happen if a supplier had a fault? i.e. the care planning system won’t work and it’s the supplier’s fault?
- Business continuity plan for other scenarios
Introduction
This document sets out:
- What digital systems and devices the organisation currently has in place. This includes identification of ‘critical’ systems and devices
- Business continuity scenarios. The organisation considers 6 different scenarios in terms of threats and for each a continuity plan is provided:
- Office unavailability – e.g. through fire/flood
- Phoneline / broadband failure
- Power cut
- Broken computer
- If you were hacked
- If your supplier’s system failed e.g. care planning system
- Business continuity plan testing. How we test our plans, and record what tests have we carried out and when, and any remedial action taken.
This plan is reviewed and updated on an annual basis, and when any critical systems are changed or new systems introduced. Reviews are part of the annual tasks around data and cyber security as set out in our Data security policy/plan.
What digital systems and devices does the organisation currently have in place?
Digital systems
Complete one row below for each of the organisation’s digital systems.
| Digital systems | Rate the impact of these systems failing in terms of severity (1 – 10) 1 being low, 10 being high | Can you use an alternative method e.g. paper – based alternative? If so where is this stored? | Date Completed |
|---|---|---|---|
3 | Internally, we use slack. For those getting in contact we have non-typical communication channels such as our company twitter and linked in pages, or private messaging with employees on social networks. | February 4, 2023 | |
5 | This is all of our company documentation, planning and knowledge. We could move to paper within the office. | February 4, 2023 | |
5 | Would be an incumbrance because we can't access previous messages but we could very easily use other messaging platforms such as teams, google chat or discord. | February 4, 2023 | |
2 | We'll store things locally, or use an alternative provider temporarily until this is back online. | February 4, 2023 | |
2 | We'll use local software, such as Word or Pages and continue our business activities there. Collaboration will be slower. | February 4, 2023 | |
8 | We could migrate quickly to another provider like AWS, may take a day. | February 4, 2023 | |
3 | Our devices and data are regularly synced and securely encrypted in the background. This gives us the ability to recover and access data over the internet. | February 4, 2023 |
Devices
| Rate the impact of these systems becoming broken/lost/stolen in terms of severity (1 – 10) 1 being low, 10 being high | Date Completed | Work / Personal |
|---|---|---|
5 | February 4, 2023 | Work |
4 | February 4, 2023 | Personal |
2 | February 4, 2023 |
Critical systems and devices
| Provider / contact details | Does the supplier have their own business continuity plan in place? Where can this be found? | Date Completed | Column 4 |
|---|---|---|---|
Azure | October 20, 2021 |
Business continuity: scenarios
Scenario 1 – Office unavailability
General back up
We operate within 1 site of 4 GP practices where we can move our infrastructure, resources and team. These GP practices are within 30 minutes travel of our current HQ. We have a redundancy backup with several smartcards and spare desktops at another F4HG location.
Systems and data access
Luckily our communications, documentation and productivity suite all live in the cloud, so in the event of office unavailability the goal is to get access to any secure laptop. We would be able to use personal laptops or purchase new ones.
Typically we are working on the site of a GP practice, but can always relocate to the trading office in Dalston, which is a secured business building with concierge and WIFI. Alternatively, employees can work from home from their own workstations.
If needed, we could get backups from online (more up to date) or from the external hard drive, which will be stored separate from the office. We also back up our device data on a continual basis meaning as long as we have secure internet access, we can recover our data.
First actions and Leadership
An assessment by the directors need to be made as soon as possible. After assessment and if alternate actions need to be taken, the team will be led by the two directors, Pete Huang and Raj Kohli. Pete as the IT admin will lead on getting our digital systems and devices back in use and Raj will work on office availability.
Communication
All employees to be notified of the situation as soon as possible. Further updates on next steps and actions by directors to come as progress / new information is found.
Ensuring Success
All employees need to have an understand of possible measures during an office availability event, within a week of when employees are onboarded. Peter Huang to ensure onboarding includes such information and is completed.
Scenario 2 - Phoneline / broadband failure
General
- Raj to work on how to get phone lines back online, communicate with stakeholders
- Failing that we move to home or the Dalston office
- Similar to Scenario 1
- If Ht1 network down then we would hotspot from our phones with a VPN work from another practice using a VPN
- If the HSCN line is down, we’d have to fall back to another practice with a HSCN line to do all NHS network related work
What external telephone numbers are critical to running the business and how will we know what numbers these are?
Phone numbers are stored in the intranet, within emails. Emergency contacts are stored in hardcopy at the Dalston trading office.
What will we use to make phone calls?
Personal
How will we connect to the internet (e.g. for email, and any other online critical systems)
We will use internet dongles as a first preference, a personal hotspot next, and never unsecured public internet. The Dalston office has secured high speed internet.
If this happens, who needs to do what, and by when
Who needs to be told and how will we tell them
What needs to be put in place so that our plan will work, who will do this and by when
Please see answers to Scenario 1
Scenario 3 - What would happen in the event of a power outage?
How will we access our systems and data
Our equipment is not wired so we can work from battery power. We expect to have at least 4 hours of battery power per laptop (we monitor battery health using device management software). We also carry chargers with us so we can solve the battery problem as long as we find a standard UK plug (Dalston office / coffee shop / neighbour). Alternatively we could use personal laptops (if secured) and access our files and work online.
Where will we work from
If we are working on non-sensitive items, we can work from public locations (libraries, coffee shops, hotels). But if sensitive we can move to another F4HG practice site with access to HSCN, the Dalston office or work from home with a VPN.
If this happens, who needs to do what, and by when
Who needs to be told and how will we tell them
What needs to be put in place so that our plan will work, who will do this and by when
Please see answers to Scenario 1 above.
Scenario 4 - What would happen if a device failed? What would happen if a device became lost or stolen?
Is your service reliant on one main computer or laptop or do you have other devices that you could use if the computer/laptop stopped working?
We don't have a main 'key risk' laptop as our work is on the cloud and highly available. We have spare laptops ready to be used if our work laptops fail.
Laptops, tablets and smartphones are particularly vulnerable to becoming lost or stolen. Do you protect them to prevent unauthorised access? E.g. is there a pin, fingerprint or facial scan? Is there an app set up to track the location of a lost/ stolen smartphone, and ‘wipe’ its contents remotely?
All laptops and personal smartphones have strong and secure passwords, are locatable and remote lockable and wipeable. Our laptops use biometric fingerprint access.
To make laptops and tablets especially difficult to get into, they can be encrypted (this protects information by converting it into unreadable code that cannot be deciphered easily by unauthorised people) – you then need a ‘pin’ or password to start up the device. Or, you can use ‘two factor authentication’ – a security process which requires more than a single password, for example a fingerprint or facial scan, or a security token (e.g. a smart card or key fob which displays a number which you then put into the device to access it). You must also have an operating system password (something different to the original password the device came with) to access the software e.g. email/Word.
Our laptops (and backups) are all encrypted. Logging into device doesn't 2FA, but core cloud services do upon login (Slack, Notion, Google, Azure). Knowing that a device was lost or stolen we could force logout sessions, and also contact their IT support team to invalidate sessions.
If this happens, who needs to do what, and by when
Who needs to be told and how will we tell them
What needs to be put in place so that our plan will work, who will do this and by when
Please see answers to Scenario 1 above
More generally,
- employee devices will be replaced on failure
- employee devices will also be wiped using MDM software if stolen
- operational machines will be replaced with spare machines we already own
Scenario 5 - What would you do if you were hacked?
Resources:
‣
‣
Contact Action Fraud Action Fraud is the UK’s national reporting centre for fraud and cybercrime where you should report fraud if you have been scammed, defrauded or experienced cyber crime. You can report fraud or cyber crime using their online reporting service any time of the day or night; the service enables you to both report a fraud and find help and support. You can talk to their fraud and cybercrime specialists by calling 0300 123 2040
Do you protect your devices from malware? Malware is malicious software (such as viruses) designed to cause damage – for example deleting all your data or blocking access to it until a sum of money is paid.
Yes we use anti-virus and anti-malware software that actively protects and regularly scans laptops for issues.
Out of date operating systems (e.g. versions of Windows or MacOS that are no longer supported by the manufacturer, or supported versions of Windows or MacOS which are not subject to regular updates) are vulnerable to this type of attack. Do you keep operating systems for your computers and smartphones updated or ‘patched’?
Yes, we keep updated all the time. We also use Microsoft Intune (MDM) to remote force operating system and software updates so that our software isn't vulnerable.
Antivirus software helps protect your computers/laptops – is this in place? A firewall (which can be software) blocks unauthorised access from outside of your organisation – do you have one of these? Do you avoid unsecure or public wifi?
Yes we have a firewall, we avoid public wifi, and we use a VPN whenever we are accessing the internet from a non-office location.
What prevention measures do we have in place in terms of our technical approaches?
We follow Cyber Security Essentials best practice for preventative measures. Examples include:
- configuring user accounts and devices properly
- encrypting all data, in transit, in rest, but not during view
- using secure internet and using VPNs where not in office environment
- active antivirus actively running
- MDM to ability to remote lock and wipe devices if compromised
- Annual pen test (proactively seeking vulns)
- general software engineer best practice
- Separation of network between employee and bot machines
- MFA all on user accounts
What prevention measures do we have in place in terms of staff training?
- documentation (policy and procedure) at the point of induction
- general training
Scenario 6 - What would happen if a supplier had a fault? i.e. the care planning system won’t work and it’s the supplier’s fault?
For us our critical systems are EMIS, RPA or retool.
What if the system was down for an extended period? What paper or alternative systems (identified in 3.1 above) would you be able to put into place?
All of the services we use have alternatives that are secure and easy to setup. We can continue progress by using these.
- Notify our direct GP partners to use their EMIS/SystmOne to do registrations them selves
- Store our data in our own forms, ready for the next availability moment.
What critical aspects of our business will be affected?
In most areas we would experience a productivity slowdown.
In registrations we would have a back log of forms to complete so we would have to organise a temporary workforce behind these tasks.
How will we access the information that we need?
If we can't access our cloud data, we can restore our past files from backups, and use temporary and alternative methods for productivity to continue services and progress.
If this happens, who needs to do what, and by when
Who needs to be told and how will we tell them
What needs to be put in place so that our plan will work, who will do this and by when
Please see answers to Scenario 1 above.
Business continuity plan for other scenarios