UNIVERSITY OF SURREY

Risk assessment of the physical security of the premises of the Clinical Informatics and Health Outcomes Research Group

Section of Clinical Medicine and Ageing
Department of Clinical and Experimental Medicine
Faculty of Health and Medical Sciences
University of Surrey

Reviewed in November 2017

John Briggs
IT Services Manager
Faculty of Health and Medical Sciences

Dr Tom Chan
Department of Clinical and Experimental Medicine
Faculty of Health and Medical Sciences

Clinical Informatics and Health Outcomes Research Group
Department of Clinical and Experimental Medicine

Risk assessment of the Physical security of the premises of the Research Group

Version Number: 3.2
Date Reviewed: 07/11/2017
Date of Next Review: 01/01/2020

Authors
Name: Dr Tom Chan
Title: Senior Research Fellow
Name: John Briggs
Title: IT Services Manager

Authorised by
Name: Prof Simon de Lusignan
Title: Professor of Primary Care and Clinical Informatics, Chair in Health Care Management

DOCUMENT HISTORY

Document no.: Risk assessment of the Physical security of the premises of the Research Group V2.0
Significant changes:
* V1.0 of the report was reviewed against listed Secondary Use Team Version 12 sang exe
* Up-dated the diagram of the Research Group's secure network
* The up-dated report noted that a clear desk policy was documented, and that the University's Central IT now maintains an asset register for all faculties.
Previous document no.: Risk assessment of the Physical security of the premises of the Research Group V1.0

Document no.: Risk assessment of the Physical security of the premises of the Research Group
Effective date: 7-04-16
Significant changes: No changes other than extending the review date. We are waiting for the publication of data security standards recommended by Dame Fiona Caldicott's expected report. The publication of the report has been delayed and is likely to be published after the EU referendum on 23rd June. As there have not been any significant changes to the Fee ee eee ein ne sectedto. monies conrmertandthatthetam wespeceto emesat he inv oa ne estan nth ee ih necssatean immediate reve Pa de Ug ado op nd kn es, racy ences Manager who ashe inovdte raping denier poten teal fhe acy, ares we woul ester the reve ate ul 31/12/2016.

Document no.: Risk assessment of the Physical security of the premises of the Research Group V3.0
Effective date: 28.07.16
Significant changes: On the 7th July 2016, the section of cal niece st rae anes fais tee rain’ Building in the Manor Park, which triggered a review of the risk assessment of the physical security of the new team base.
Previous document no.: Risk assessment of the Physical security of the premises of the Research Group V2.1

Document no.: Risk assessment of the Physical security of the premises of the Research Group V3.2
Effective date: 39.13.2017
Significant changes:
* No changes were noted to the security arrangements for the team base or to the two on-site data centres where the Research Group's servers are housed.
* Crime statistics for Surrey was up-dated.
* The development and implementation of a system of information governance compliance monitoring was documented.
Previous document no.: Risk assessment of the Physical security of the premises of the Research Group V3.0

PREAMBLE

The Clinical Informatics and Health Outcomes Research Group, Department of Clinical and Experimental Medicine at the University of Surrey works with routinely collected healthcare data in a number of research and evaluation projects. Our research interests focus on evaluating health outcomes from routine data, quality improvement and technology trials to inform healthcare decisions, and supporting the application of information technologies in clinical practices.
The management of the Clinical Informatics and Health Outcomes Research Group (referred to as the Research Group from this point) was transferred to the Faculty of Health and Medical Sciences on 1/8/2015. Prof Simon de Lusignan remains as the Head of the Research Group, and was later appointed as Head of the wider Department of Clinical and Experimental Medicine, of which the Research Group is a part.

The Clinical Informatics and Health Outcomes Research Group has continuously worked to adapt to the changing research environment to reflect innovations in technologies and developments in Information Governance standards. The Research Group reviews its security arrangements in the use and protection of patient level clinical information against the standards of the NHS Information Governance Toolkit (IGTK). The purpose is to meet the requirements of the NHS IGTK for Hosted Secondary Use Team/Project in order that the Research Group can continue to process and analyse patient level data in a secure environment. The IGTK for Hosted Secondary Use Team/Project Version 14.1 has 14 criteria (Appendix 1), one of which is to provide assurance that 'unauthorised access to the premises, equipment, records and other assets is prevented' (Requirement 14.1-332, https://www.igt.hscic.gov.uk/home.aspx).

PURPOSE OF THIS PAPER

On the 7th July 2016, the Research Group moved out of the main University Stag Hill Campus to the Leggett Building in the Manor Park Campus of the University, which triggered the need for a review of the risk assessment of the physical security of the new team base. In November this year, a routine review of the physical security of the premises of the Research Group in the Leggett Building was conducted.

The purpose of this paper is to report the outcome of the review, to note if there had been any significant changes to the risk profile since the last review, and to make recommendations as needed on how the security arrangements could be improved.
METHOD OF WORKING

Patient level databases are held in the database server within the Research Group's secure network. All staff members of the Research Group working within the team base work from secure workstations or secure laptops with encrypted drives within the Research Group's secure network. The secure network is located behind a firewall within the University's network; all inbound connections are blocked, but outbound connections are allowed. The Research Group's secure network is diagrammatically represented in Diagram 1 (Appendix 2).

Risk assessment of the physical security of the premises of the Research Group therefore needs to consider the physical security of (1) the offices where the workstations are located and (2) the rooms where the database and analysis servers are located.

In conducting this assessment, the authors consulted with the University's Central Security Services and the local Gatekeeper, Mr James Taylor (gatekeepers are approved members of the faculty, school or department who authorise all access rights for their relevant buildings).

Separate risk assessments for the team's office and for the server room are conducted using an IGTK recommended exemplar: the Cheshire Adapted Risk Assessment Form for General Practice (hi jat.hscic.gov.uk/RequirementQuestionNew.aspx?tk=4157347683541458nv=2&cb=3bbeb20 6-36fe-4fa-87d4-d14afBa9ecfc&sViewOrgType=228.reqid=2439).
The rationale for adopting the risk assessment tool for GP practices is that the Research Group's team base shares common security issues with GP practices in terms of:

* Physical environment: broadly office environment
* Information assets: paper-based records, and healthcare data held within computers and servers
* Exposure to risks: office premises with broadly office opening hours and controlled accessibility by students and invited colleagues and visiting researchers by appointment

The scoring system for this risk assessment exercise is modelled on the National Patient Safety risk matrix for managers (niu nsa.ohsshl

* Implication of incident (i.e. consequences): 1: negligible; 2: minor; 3: moderate; 4: major; 5: catastrophic
* Likelihood of occurrence: 1: rare; 2: unlikely; 3: possible; 4: likely; 5: almost certain

The risk score is the product of consequences and likelihood of occurrence (i.e. consequences x likelihood). It is generally accepted that risk scores of:

* 1-2 = minimal risk
* 3-9 = low risk
* 10-15 = moderate risk
* 16-25 = high risk

RESULTS

The University of Surrey, Guildford is located in one of the safest counties in the UK. According to the Complete University Guide's statistics for crimes in student cities and towns, England and Wales (robbery, burglary, violence and sexual offences), Surrey has an incident rate of 26.4/1000 residents in 2016, and ranked 22nd lowest in a list of 129 student cities and towns.

The university campus has a dedicated Security Department with 24/7 cover support system to deal with emergencies. Outside office hours, patrols of the campus are made by security personnel, which includes patrols of the Leggett Building.

The Clinical Informatics and Health Outcomes Research Group's Offices

The Research Group's Offices are located in the third floor (Floor 02) of the Leggett Building. There is an alarm system covering entrances to the building.
Entrance to all departments within the Leggett Pearce Building is controlled by individualised role-based swipe card access. The local gatekeeper authorises access rights for their relevant buildings, issues swipe cards appropriate to the level of access for staff members, and notifies Central Security of the removal of any access rights.

All offices are individually locked and keys to these offices are issued by the gatekeeper to the individual occupants (academic, administrative and support staff and research students on placements) of these offices. Master keys are held by a small number of authorised staff such as the local Gatekeeper and the receptionist; master keys are locked out of sight or carried on their person during working hours.

An impromptu penetration test was conducted by a visiting colleague, Information Governance Manager of a local Clinical Commissioning Group. He found that whilst he could access the reception areas and the stairwell of the Leggett Building, access to the departments and offices of the building was not possible without the swipe card or an escort by the receptionist or legitimate staff with swipe cards. Our visiting colleague also commented that the security in the ground floor offices could be improved by the use of frosted or one-way mirror windows. This comment will be conveyed to the local gatekeeper.

As recommended in Version 1.0 of this report, the Research Group has approved a Departmental Security Desk Clear Screen and Printing (https://clininf.eu/index.php/information-governance/). Since 2015, all printing, photocopying, and scanning of documents are conducted using a secure printer/copier. Access to this printer/copier and collection of printed documents is swipe card controlled using the same individualised access swipe card for entrance to the building, further reducing the risk of accidental disclosure of confidential information.
It is also noted that the University's Central IT now maintains an asset register for all faculties.

As part of the Research Group's information governance improvement plan for 2017, the Research Group has also developed and implemented a system of spot-checks in October to ensure system and staff compliance with recommended security standards. The Information Governance Compliance Monitoring Procedure can be downloaded from https://clininf.eu/index.php/information-governance/.

The overall risk score for the Research Group's Offices is minimal at 2. The actual risk scores using the Cheshire Adapted Risk Assessment Form for General Practice are shown in Appendix 3.

The Server Room

There are two main data centres used in the University, Manor Park data centres (MPDC) and Austin Pearce data centres (APDC). Both data centres have a high degree of physical security, with 24x7 monitoring, and are alarmed to the University Security Team. Each data centre is protected against power loss through UPS and generator technologies and is further protected against fire through the use of fire suppressant.

Access to the data centres is controlled by the central IT Operations team, with access in and out of each data centre monitored and recorded. Only authorised IT staff are able to enter the data centres, and they must be accompanied by a member of the operations team. Emergency access can be achieved via the on-call team and the University Security team.

The actual risk scores are shown in Appendix 4. The overall risk score is low at 4.

CONCLUSION AND RECOMMENDATIONS

The University of Surrey, Guildford is located in one of the safest counties in the UK with the latest published crime incidents (robbery, burglary, violence and sexual offences) rate of 26.4/1000 residents in 2016, and ranked 22nd lowest in a list of 129 student cities and towns. The university campus has a dedicated Security Department with 24/7 cover support system to deal with emergencies.
Outside office hours, patrols of the campus are made by security personnel, which includes patrols of the Leggett Building.

Staff members of the Research Group working within the team base work from secure workstations or secure laptops with encrypted drive within the Research Group's secure network. The secure network is located behind a firewall within the University's network.

The risk assessment for the physical security of the offices and the Server Room where the computer and servers (and therefore healthcare data) are located shows that the risk of unauthorised access to the premises, equipment, records and other assets is low. This overall finding is reinforced by an impromptu penetration test conducted by a visiting colleague, Information Governance Manager of a local Clinical Commissioning Group, who found that the team's offices were inaccessible to people without the security swipe card. Our visiting colleague also commented that the security in the ground floor offices could be improved by the use of frosted or one-way mirror windows. This comment will be conveyed to the local gatekeeper.

It is recommended that a risk assessment of physical security of the premises of the Research Group will be conducted two yearly, and as needed (e.g. when there are significant changes to the risk profile of the physical security of the Research Group's team base, or to reflect any significant changes in national guidance for best practice in information security).

Appendix 1

Requirement list

14.1-120 | Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff
14.1-121 | There is an information governance policy that addresses the overall requirements of information governance
14.1-122 | All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities.
All staff members are provided with appropriate training on information governance requirements.
14.1-220 | Personal information is only used in ways that do not directly contribute to the delivery of care services where there is a lawful basis to do so and objections to the disclosure of confidential personal information are appropriately respected
There are appropriate confidentiality audit procedures to monitor access to confidential personal information
All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines
All transfers of personal and sensitive information are conducted in a secure and confidential manner
Policy and procedures ensure that mobile computing and teleworking are secure
There is an information asset register that includes all key information, software, hardware and services
Unauthorised access to the premises, equipment, records and other assets is prevented
There are documented incident management and reporting procedures
The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate
There are adequate safeguards in place to ensure that all patient/client information is collected and used within a secure data processing environment (safe haven) distinct from other areas of organisational activity.

Physical security of premises

1. Are there window locks on downstairs windows?
Yes ...... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: N/A as the Offices are in the second floor

2. Do the downstairs windows have security bars?
Yes ...... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: N/A as the Offices are in the second floor

3. Is there a burglar alarm with intruder monitors at all appropriate points?
Yes ...✓... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: An alarm system in the Leggett Building

4. Are there appropriate locks or Keypad access on all doors?
Yes ...✓... No ......
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: Entrance to the Leggett Building and to individual departments are controlled by swipe cards issued to staff members. All offices have individual locks and are locked when not in use.

5. (*) Are you able to seal off separate areas of the building e.g. in reception are there shutters and lockable doors?
Yes ...✓... No ...... Not Applicable ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: Different departments/areas of the Leggett Building are separately protected by access swipe card system.

6. (*) Do all consulting rooms have separate door locks?
Yes ...... No ...... Not Applicable ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: All offices have individual locks and are locked when not in use.

7. (*) When the building is not fully occupied e.g. out of hours clinic, are unused areas such as administrative offices secured?
Yes ...✓... No ...... Not Applicable ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: All offices have individual locks and are locked when not in use. Ground floor entrance to the Leggett Building is closed outside office hours; entrance outside office hours is possible to legitimate staff members with appropriate role-based swipe card.

8. Are you able to ensure all keys stored on site are not obvious and any instructions regarding key locations or keypad codes are not easily accessible?
Yes ...... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment:

9. Is there a procedure for dealing with unauthorised access during open hours?
Yes ...... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: The University has established Health and Safety procedures that address personal and building security. Full-time security team provides 24/7 support in the University; emergency number (Ext 3333) is prominently displayed in all departments.

10. Are you able to ensure keypad and alarm codes are changed regularly?
Yes ...... No ......
If response is No complete the following section
A (Implications of Incident): 2 | B (Likelihood of Occurrence): 1 | Total Risk Score = A x B: 2
Action / Comment: N/A as there is a centrally managed swipe card system through the Security office which up-dates all access rights. Permissions are granted by local gatekeepers who are approved members of the faculty, school or department who authorise all access rights for their relevant buildings

Total score for Physical Security Risk of Research Group's Offices 7

If the risk is HIGH scoring what are the consequences to the patients?
Answer: The risk score is minimal at 2.
If the risk is HIGH scoring what are the consequences to the Practice?
Answer: N/A

Physical security of premises: Server Room

1. Are there window locks on downstairs windows?
Yes ...... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: N/A Both data centres have no windows.

2. Do the downstairs windows have security bars?
Yes ...... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: N/A Both data centres have no windows.

3. Is there a burglar alarm with intruder monitors at all appropriate points?
Yes ...✓... No ......
If response is No complete the following section
A (Implications of Incident): 2 | B (Likelihood of Occurrence): 1 | Total Risk Score = A x B: 2
Action / Comment: Access to the data centres is controlled by access reader system with additional access reader to the Server Room within. Only members of the University IT Services Operations Team have swipe access, all other access is via the Operations team.

4. Are there appropriate locks or Keypad access on all doors?
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: Access to the data centres is controlled by access reader system with additional access reader to the Server Room within. Only members of the University IT Services Operations Team have swipe access, all other access is via the Operations team.

5. (*) Are you able to seal off separate areas of the building e.g. in reception are there shutters and lockable doors?
Yes ...... No ...... Not Applicable ...✓...
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: We can seal off separate areas, but not needed because of the set-up of the swipe card system to the departments within the building

6. (*) Do all consulting rooms have separate door locks?
Yes ...... No ...... Not Applicable ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: Yes

7. (*) When the building is not fully occupied e.g. out of hours clinic, are unused areas such as administrative offices secured?
Yes ...... No ...... Not Applicable ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: Yes

8. Are you able to ensure all keys stored on site are not obvious and any instructions regarding key locations or keypad codes are not easily accessible?
Yes ...✓... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: Yes

9. Is there a procedure for dealing with unauthorised access during open hours?
Yes ...... No ......
If response is No complete the following section
A (Implications of Incident) | B (Likelihood of Occurrence) | Total Risk Score = A x B
Action / Comment: Full-time security team providing 24/7 support. Emergency number Ext 3333

10. Are you able to ensure keypad and alarm codes are changed regularly?
Yes ...... No ...✓...
If response is No complete the following section
A (Implications of Incident): 2 | B (Likelihood of Occurrence): 1 | Total Risk Score = A x B: 2
Action / Comment: There is a system to ensure that cards are returned and destroyed when the staff members leave the employment of the university

Total score for Physical Security of Premises of server room = 4

If the risk is HIGH scoring what are the consequences to the patients?
Answer: The risk score is low at 6.
If the risk is HIGH scoring what are the consequences to the Practice?
Answer: N/A
