West London NHS Trust Page 1 of 19
Policy S41 | First issued in November 2018 This is version S41/01 November 2018
Policy: S41 Smartcard Registration Management
Policy relates to: I2 – Information Management and Technology Security Policy, I8 – Incident Reporting and Management Policy & D5 – Data Protection Policy
Version: 1.3
Ratified by: Clinical Design Group
Date ratified: 6th March 2018
Title of Author: RA Manager
Title of responsible Director: Director of Finance
Key Stakeholders: Deputy Director of Bus Tech; RA Manager; RA Agent; Information Governance Manager; Chief Pharmacist; Data Quality Manager
Date issued: 5th November 2018
Review date: November 2020
Target audience: All Staff
Disclosure Status: B (can be disclosed to patients and the public)
EIA / Sustainability: N/A
Equality & Diversity Statement
The Trust strives to ensure its policies are accessible, appropriate and inclusive for all. Therefore all relevant policies will be required to undergo an Equality Impact Assessment and will only be approved once this process has been completed.
Sustainable Development Statement
The Trust aims to ensure its policies consider and minimise the sustainable development impacts of its activities. All relevant policies are therefore required to undergo a Sustainable Development Impact Assessment to ensure that the financial, environmental and social implications have been considered. Policies will only be approved once this process has been completed.
Version Control Sheet
Version: 0.1
Date: November 2018
Reviewed by: Clinical Applications & RA Manager
Status: Ratified and issued
Comment: New policy ratified at Clinical Design Group. Delay in publication due to further amendment in relation to GDPR.
Contents
1. Flowchart
2. Introduction
3. Scope
4. Definitions
5. Duties
6. Systems / Documentation
7. Getting Started
8. Position Based Access Control (PBAC)
9. Work Groups
10. Choose & Book
11. Identity Agent Software
12. External Access to Our Clinical Systems
13. Lost Smartcards and Incident Reporting
14. Leavers
15. Known Smartcard Errors/Tips
16. RA Forms
17. Training and Induction
18. Monitoring
19. Sharing of Smartcards
20. References (external documents)
21. Supporting documents (Trust documents)
22. Glossary of terms / acronyms
23. Appendices
Appendix 1 – Terms & Conditions
Appendix 2 – Known Smartcard Errors/Tips
Appendix 3 – RA Forms
1. Flowchart
[Flowchart: Smartcard Process Map. Recoverable content of the diagram:]
New or Existing Staff (RA01 & RA02): decision points "Have you been issued a Smartcard by another Trust?" and "Do you still have the Smartcard?". Actions shown: follow the process for a new Smartcard request and complete the RA01 form; complete the RA02 form and proceed with role assignment; email [email protected] with the request.
Leavers (RA03): decision point "Will you continue to work in the NHS?". Yes: staff member retains the Smartcard and the manager completes the RA03 form. No: "Manager returns smartcard to" (remainder of the box not recoverable) and completes the RA03 form. The manager is to inform HR and the RA Agent that the staff member has left.
Change of Name by Deed Poll (RA05): staff member to contact the RA Team if they have changed their name by deed poll; complete the RA05 form and email [email protected] with the request. You will be asked to provide evidence if you have changed your name by deed poll.
Template Change / Create (RA07): for internal use only by the RA Agent / Manager re major changes to RBAC roles.
2. Introduction
2.1 The Smartcard Registration Policy covers the safe and secure use of applications in use throughout the Trust that are reliant on Smartcards (i.e. ESR, RiO, SystmOne).
The process guidelines are also utilised to support the Data Security and Protection Toolkit as evidence of compliance. It is therefore important that the policies are reviewed and updated regularly in line with national guidelines set out by Health and Social Care Information Systems (HSCIC). All Trust policies as detailed in section 21 should be reviewed when new national guidance is issued to ensure the documentation is still current and valid.
3. Scope
3.1 This policy describes the processes that the West London Health Trust has implemented to enable the registration of staff within the Trust to gain access to national applications to support their role.
4. Definitions
4.1 The Trust is required to have a Registration Authority with a dedicated RA Manager to manage the registration, distribution and management of Smartcards. The Trust is also required to appoint an RA Agent to ensure appropriate access is given to Trust staff which will enable them to access relevant information from National Programme applications. Adherence to National and Local Guidelines is essential and will require implementation and management by both the RA Manager and Trust Sponsor.
The Trust’s RA team meets the required compliance with the latest published National Policies and Procedure.
The Trust ensures that RA Agents who have been identified and appointed follow the procedures outlined in terms of signing off end user registration authority applications, together with ensuring that the appropriate access has been requested.
5. Duties
5.1 Chief Executive
The Chief Executive is responsible for ensuring that the Trust has policies in place and complies with its legal and regulatory obligations.
5.2 Accountable Director
The Director of Finance represents the Trust's Registration Authority at Board level, and the Director is responsible for the development of relevant policies and for ensuring they comply with standards and criteria where applicable. The policies must also contain all the relevant details and processes as per the P3 policy, and the Director is responsible for Trust-wide implementation.
5.3 Managers
Managers are responsible for ensuring policies are communicated to their teams / staff. They are responsible for ensuring staff attend relevant training and adhere to the policy detail. They are also responsible for ensuring policies applicable to their services are implemented.
5.4 Policy Author
The Policy Author is responsible for the development or review of a policy, as well as ensuring that implementation and monitoring are communicated effectively throughout the Trust via CSU / Directorate leads and that monitoring arrangements are robust.
5.4.1 National or Trust-wide policies need to be reflected within this document. It is imperative that the RA staff ensure the processes are kept updated with those changes, and it is the responsibility of the policy author to ensure this takes place. Where appropriate, these changes should also be disseminated to Trust card users and the RA Groups or those that govern the processes for the Trust to ensure compliance to the national guidelines and Trust policies.
5.4.2 The following designated communication channels within the Trust should be utilised for this purpose:
a. Monday Matters
b. Exchange Pages – RiO or RA designated Intranet page
c. All User Mail distribution for any urgent communications on software etc.
5.5 Local Policy Leads
Local policy leads are responsible for ensuring policies are communicated and implemented within their CSU / Directorate as well as co-ordinating and systematically filing monitoring reports. Areas of poor performance should be raised at the CSU / Directorate SMT meetings.
5.6 Specific Staff for Policy
5.6.1 Registration Authority Manager
On a day-to-day basis, the Clinical Applications Manager has overall responsibility under this title.
This includes:
a. Providing arrangements that will ensure tight control over the issue and maintenance of electronic Smartcards, whilst providing an efficient and responsive service that meets the needs of the users;
b. Ensuring that there is a sufficient supply of Smartcards and Smartcard hardware for the organisation and communicating technical requirements to CGI or HITS ICT Team (Information Communication & Technology);
c. Being the central point of contact for RA related security incidents and arranging for replacement cards to be produced as necessary.
5.6.2 Registration Authority Agents
At any one time the Trust shall have a sufficient number of RA Agents to ensure RA operations can be fulfilled. RA Agents are responsible for:
a. Ensuring that the National Registration processes are adhered to as stated in Registration Authorities Operational Process and Guidance and this document;
b. Ensuring that any local processes developed to support the National Registration processes are adhered to in full.
5.7 All Staff
5.7.1 Registration Authority Smartcard Users
Those members of staff issued a Smartcard are responsible for:
a. Maintaining the security of their Smartcard PIN codes
b. Taking appropriate measures to prevent misuse
c. Complying with HSCIC guidance notes provided to them when agreeing to the Terms and Conditions of using a Smartcard
6. Systems / Documentation
6.1 All of the documentation is recorded by either the RA Agent or Clinical Applications Manager
6.2 The documentation is updated as and when required, with various audits taking place throughout the year.
7. Issuing of Smartcards
7.1 If it is determined the role of a staff member requires access to an application, they must be registered as an Authorised User. Appropriate access must be organised through the Line Manager and RA Sponsor
7.2 Access allocated to staff MUST be based on the role they perform and MUST be agreed by their Line Manager and / or RA Sponsor before any Smartcard is issued
7.3 New starters are expected to provide relevant identification
7.4 When a Smartcard is issued and a Personal Identification Number (PIN) is registered, the PIN must not be written down or shared with anybody else. Smartcards must be kept secure at all times. ONCE ISSUED YOUR CARD IS YOUR RESPONSIBILITY
7.5 Access gained through the use of your Smartcard will be viewed as the owner’s access and any inappropriate use will be the owner’s responsibility
7.6 In having a Smartcard the user has undertaken to agree and adhere to all National and Local policies and procedures relating to security and confidentiality
8. Position Based Access Control (PBAC)
Positions or PBACS are designed to add a group of staff who require the same access to a position. When a position needs to be changed, all users with that particular PBAC will automatically be updated.
All positions should be tested by the Clinical Application Team for the relevant system and signed off by the RA Manager prior to being added to the CIS, using the RA06 form.
PBACs are created using the ‘Manage’ button from the dashboard, followed by ‘Positions’. From here you can view all available Positions and create new ones.
Click the Create Position button and add the Position name and description. Click Create Access Profile; the organisation is pre-populated with WLMHT. Click on the Role tab and type the role into the filter box; when you find the correct one, select it using the radio button. Click on the Activity tab and again use the filter box to search for the activities required. Continue adding Work Groups and Areas of Work where required. When complete, click on Create Access Profile.
To add a group of staff to the position, use the Batch tab from the dashboard. Click Create User Batch and enter the name and description for the batch. Search for users using the search criteria boxes. Please note that the filters add all users ever linked to a profile at WLMHT, even if their profile is now closed, so it is necessary to sort the lists and remove any unnecessary profiles. When all user profiles are added, click Create Request.
To add the batch of users to a position, select the Batch tab from the dashboard and click on the batch that you want to use. Click on Create Request, select Bulk Position Assignment, click Continue, then select the position that you want to add the batch of users to.
Batches and Positions can be modified using the Modify buttons and change as necessary.
9. Work Groups
Workgroups are the vehicle that will be used to establish whether the individual has a relationship with a particular patient and should therefore have access to their records (subject to the correct RBAC codes). Because healthcare is delivered by teams rather than individuals, workgroups allow team members to access the records without needing to set up an explicit legitimate relationship with each team member, which would be prohibitive in time, cost and effort.
Work Groups are required by some systems to enable the grouping of users for access to those systems. At WLMHT we currently only use one Work Group for users at Hounslow sites to access SystmOne.
The RA actions are to create, edit and remove the Work Groups. Once they have been set up they are administered by a Work Group Membership Administrator, who is responsible for providing the access to the local system.
Work Group Membership Administration
The membership of Work Groups will require maintenance when new starters join the organisation, when people change their responsibilities within the organisation and when they leave the organisation. The Work Group Membership Administrator (WGMA) is responsible for adding and removing users to and from Work Groups. This guide will provide details on how to View, Add and Remove users from a work group.
10. Choose & Book
RA actions for Choose & Book (CAB) are limited to adding the required activity codes, as outlined in the generic matrix and signed off on an RA02 by the User’s Sponsor.
11. Identity Agent Software
The trust is currently on version “BT Identity Agent 11.02.00a” and will be upgrading to version “V2 Identity Agent”. The update will be rolled out to the trust in the beginning of the New Year 2017.
HSCIC have issued the following advice to trusts around the upgrade of the IA:
Only RA Managers and RA Agents are required to install the new middleware to enable them to perform card management operations. The GemAlto middleware should be installed in parallel to continue supporting existing series Smartcards until they are phased out.
Sponsors, Local Smartcard Administrators and Normal smartcard holders should not install the new middleware.
12. External Access to Our Clinical Systems
There will be scenarios where other trusts will need to access our Clinical Systems, for example Junior Doctors who are on a two-year management programme and are rotating across different trusts.
In this scenario the RA Manager and the other trust agree a process for managing access and issuing Smartcards, and for ensuring that the other trust informs the RA team when those users have left.
13. Lost Smartcards and Incident Reporting
13.1 Lost Smartcards
When a user reports that they have lost their smartcard, please advise them to follow the attached instructions.
Lost Smartcard Guidance
Once you receive the IR1 reference through the Service Desk, go to the CIS and find the user’s profile, select destroy card and enter the reason for destroying the card, for example “Lost” with the IR1 reference number.
13.2 Replacing a damaged Smartcard
The User needs either to complete an RA03 form with their manager’s signature, or to present the damaged card to the RA Agent.
Go to the CIS and find the user’s profile, select destroy card and enter the reason for destroying the card, for example “Damaged Card or Card Not Recognised”.
13.3 Renewing Smartcard Certificates
Users will be prompted to reset the certificates on their smartcard about 60 days before it expires. They can follow the prompts into CIS, select the Renew Certificates radio button and confirm. The certificates will then start to reset themselves; this can take about 5 minutes.
It has been known for the NHS Spine Portal not to be installed on every PC in the trust; in this case the RA Agent will remote into the computer and install the software for the user.
If the user’s card has already expired, an RA Agent will need to reset it for them.
14. Leavers
A user’s access should be removed as soon as possible after their last working day, by using the Modify Position function and deleting the position.
Users who are moving to another NHS Trust may take the Smartcard with them.
For users who are leaving the NHS, their manager should retain the card and send it to the RA staff to cancel and destroy.
15. Known Smartcard Errors/Tips
See Appendix 2
16. RA Forms
See Appendix 3
17. Training and Induction
17.1 Sponsor Training: Unlocking Smartcard/Changing PIN
The RA Agent trains Sponsors on Unlocking cards and Changing passcodes.
17.2 Induction
Induction is held in the first week of each month; currently the RiO Training is split between Ealing and Broadmoor. Previously RA staff attended the induction to introduce smartcards, hand out applications and check ID. However, as of 1 June 2015, Recruitment and RA have got together to try to reduce the number of times new starters are required to show their identity documents.
Recruitment scan all ID documents shown by the new starter at their DBS check and these are then entered onto TRAC. They will also be taking a photo of each new starter and saving it in a shared folder on the G: Drive. This has not always been the case and Recruitment are working on ensuring photos and identity documents are available on the G: Drive.
When RA receive the induction list from Ealing and Broadmoor, they will be able to view the new starters’ information on TRAC; using this and the photo they will be able to create a smartcard in advance. If there is no information available on TRAC, then the smartcards will not be created in advance; these will be done on the actual training day.
The only requirement from the new user will be to get their manager’s authorisation to access the relevant system.
As of Feb 2017, RA and the Training Team will attend the first day of induction to introduce smartcards, hand out applications, and determine whether new starters require RiO Training or have been previously trained at another trust. This will help eliminate unnecessary wastage of cards.
18. Monitoring
All new registrations and amendments to users and Smartcards need to be recorded in the locally stored Smartcard Registration & Amendment spreadsheet (G:\St Bernards\ Shared\Application Support\RA management\Smartcards).
All details regarding smartcards are recorded in the spreadsheet and provide an audit.
A tab is available to look at all new users (RA01 forms) and a tab for amendments (RA02, 3 & 5 forms).
18.1 Auditing / Reports
Audits are run quarterly to ensure that the RA processes are being followed and all card issuing is supporting the functionality of the RA processes nationally and at a Trust wide level. These include:
a. Verification that users with access profiles for this organisation still require the access.
b. Assessment that access profiles held within an organisation continue to be appropriate
c. Verification that all users registered have been issued with a Smartcard
18.2 Stock Control
Periodically there is a need to review the stock of cards and peripheral equipment, such as Omnikey readers. Monthly figures of card issuance are disseminated to the Clinical Applications Manager. Ensure that stock levels are monitored and ensure any order requests are made to the Clinical Applications Manager in a timely manner.
19. Sharing of Smartcards
19.1 Under NO circumstances should Smartcards and PINs be shared
19.2 Monitoring and review of the use of Smartcards and PIN will be conducted. Inappropriate access through the use of Smartcards will be investigated and both the registered holder and person using the card will be subject to disciplinary proceedings
20. References (external documents)
This policy should be read in conjunction with the following:
HSCIC National Policy
National Guidelines - http://systems.hscic.gov.uk/rasmartcards
21. Supporting documents (Trust documents)
Health Records Policy H8 (Last updated on 25 May 2016)
Information Management & Technology Security Policy I2 (Last updated on 20 July 2015)
I8 Incident Reporting & Management Policy
RA Best Practice Guidelines
22. Glossary of terms / acronyms
RA: Registration Authority
HSCIC: Health & Social Care Information Centre
23. Appendices
Appendix 1 – Terms & Conditions
Appendix 2 – Known Smartcard Errors/Tips
Appendix 3 – RA Forms
Appendix 4 – Other Related Procedures or Documents related to the RA Policy
Appendix 1 – Terms & Conditions
Smart Card Terms and Conditions
Appendix 2 - Known Smartcard Errors/Tips
Connection to the server or http request to the server failed
When logging on to Rio or ESR you may encounter the “Connection to the server or http request to the server failed” error message. This error indicates the software on your workstation is unable to communicate with the server; this could be caused by a general network problem.
No Role Specified
This error appears when a user has already inserted their smart card and entered the pass code. When they click on the Rio or ESR icon this error indicates that either there is no role on the smart card or the smart card has not been synchronized with Rio or ESR. Contact the RA Agent.
Checking for card
This error occurs when a user has already inserted their smart card and entered the pass code. When they click on the Rio or ESR icon, the message ‘Checking for card’ appears and will not allow the user to go any further. This is usually a profile error and resetting the user’s profile will resolve this.
Invalid Smart card
This message indicates that the user has tried to open Rio or ESR before they have inserted their Smart card and entered their pass code. Re-starting the computer will usually resolve this; however, in extreme cases the Smart card may become locked and may need to be replaced.
Your smart card is about to expire
This message indicates that the certificates on the card are about to expire. The user should start to see this message about 60 days prior to the certificates expiring. The user can renew the certificates themselves. Instructions are available on the exchange.
Your smart card has expired
This message indicates that the certificates have already expired in which case the user will need to take their card to the RA Agent to be reset. The smart card certificates expire every two years.
Appendix 3 - RA Forms
RA01 – New application
This form is used for a first-time smart card application. The staff member is to complete all the details on the first page; their sponsor or manager signs on the second page. The staff member should then make an appointment with the RA Agent (Tel: 020 8354 8323).
The staff member needs to bring the completed application to the appointment, in addition to a valid passport or photo driver’s licence and two documents to confirm their address, for example utility bills, council tax or bank statements. These need to be dated within the past three months. Note: mobile phone bills and P45/P60 forms are not acceptable.
RA01
RA02 – Role change or access to WLMHT
This form is used when a member of staff changes their job role, for example from a student to nurse.
OR
A new staff member, who already has a smart card from another Trust, joins WLMHT; this form is used to give them access
The staff member completes the form and once their sponsor or manager has signed it, it can be faxed/scanned to the RA Agent
RA02
RA03 – Replacement smart card or removing access
This form is used whenever a smart card needs to be replaced due to damage
OR
When a staff member is leaving WLMHT this form should be completed, in order for their access to be removed
The staff member completes the form and once their sponsor or manager has signed it, it can be faxed/scanned to the RA Agent
NB. If a member of staff is moving to another NHS Trust they should take their smart card with them. Only if the person is leaving the NHS altogether, should the smart card be returned to the RA Agent.
RA03
RA05 – Name change
When a staff member changes their name, they should complete this form and make an appointment with the RA Agent (Tel: 020 8354 8323) to have a new card issued.
They should bring the completed form and the original name change certificate with them to the appointment.
RA05
RA07 - Template change / create
This form is used when an RBAC template needs to be changed. At WLMHT this form needs to be signed by the RA Manager/Clinical Applications Manager
Terms and Conditions
All smart card users should be aware of the terms and conditions regarding the use of a smart card. This document includes guidance on use, the collection of personal data, the declaration that the applicant agrees to when they sign an RA form and a glossary of terms
Smart Card Terms and Conditions
These are updated annually or as changes occur within the organisation.
CRB Checks – CRB Clinics are no longer conducted by WLMHT, as the core Human Resource functions are completed by Capita
New Starter Process - The New Starter process is now covered by Induction as CRB Clinics are no longer conducted by WLMHT, as the core Human Resource functions are completed by Capita
Induction Process – This will be reviewed whenever there is a change to the Trust Induction Training Programme
Leavers Process – Currently the leavers process is highlighted in the word document below. This will be revisited and reviewed with HR processes in 2017
LeaversProcessDocument.DOC
Name Change Process – When a person requires a Name Change on their Smartcard, the process highlighted in the word document below will need to be followed. This has previously been communicated to users; however, as the Exchange Page is updated, this information will be easily accessible to the users
NameChangeProcessDocument.DOC
Smartcard Security Issues – Currently the security process is highlighted in the word document below. This should be revisited with the Information Governance Manager
SecurityIssuesProcessDocument.DOC
Third Party Access – Currently the process for Third Party access to Our Clinical Applications is highlighted in the word document below however this will be reviewed in 2017
ThirdPartyProcessDocument.doc