Wallington Trust Hospital: Information Governance and Security Report

Verified

Added on 2023/01/16

AI Summary

This report provides a comprehensive analysis of Information Governance and Cybersecurity for Wallington Trust Hospital, a healthcare provider in London. It begins with an introduction to information security policies and their purpose, which is to ensure the confidentiality, integrity, and availability of patient and hospital data. The report outlines the scope of the policies, applying to all staff and those handling information. It then details the roles and responsibilities of key personnel, including the Chief Executive, Caldicott Guardian, Senior Information Risk Owner (SIRO), Data Protection Officer, Information Asset Owners, and Head of Corporate IT Cyber Security. The core of the report focuses on the Information Governance Policy Framework, encompassing policies on data protection, freedom of information, confidentiality, information security, document management, and information sharing. It also incorporates the NIST Cybersecurity Framework, outlining the functions of Identification, Protection, Detection, Response, and Recovery. The report concludes with an implementation plan, emphasizing executive support, role identification, policy formulation, and performance measurement. The report underscores the importance of a robust information governance framework to protect against security threats and mitigate vulnerabilities within the healthcare setting.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Information Governance and
Cyber Security
(Part 2)

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Table of Contents
Introduction......................................................................................................................................1
Purpose........................................................................................................................................1
Scope...........................................................................................................................................1
Roles & Responsibilities.............................................................................................................2
Information Governance Policy Framework...............................................................................3
Implementation plan as well as monitoring mechanism.............................................................6
Conclusion ......................................................................................................................................8
References........................................................................................................................................9

Introduction
Information security policy refers to policies which are being issued by firm for ensuring
that all IT users in domain of firm's network comply to all rules as well as guidelines that are
associated with security of information which is digitally stored within boundaries of authority
(Bang, 2018). Generally, they are outcomes of risk assessment where vulnerabilities are
determined as well as safeguard them. This report is based on Wallington Trust Hospital which
renders health services across London. They are making use of clinical management system for
maintaining integrity along with rendering privacy and confidentiality for information of patients
as well as hospital. This report comprises of purpose, scope along with roles & responsibilities
and information governance policy framework. Furthermore, it comprises of execution plan and
monitoring mechanism for addressing security threats along with mitigation of security
vulnerabilities.
Purpose
The rationale of information security policy is to communicate employees of Walington
Trust Hospital of information governance responsibilities along with other policies so that they
can comply to them. The central policy within the suite of policy is to inform employees what to
do, this have been specified below:
 To enhance organisational assets by making sure that data of Walington Trust Hospital
is held confidentially & securely, processed lawfully & fairly, record reliably &
accurately.
 To protect information assets of firm from all kind of threats whether they are internal or
external (Clarke, 2016). Along with this, data has to be protected against unauthorised
access by assuring its confidentiality.
 To ensure integrity of information for ensuring highest quality of data by meeting
legislative as well as regulatory requirements. Along with this, information governance
training has to be furnished to all employees.
Scope
The information security policies must be applied to all the staff of Walington Trust
Hospital and all others who are involved within handling of information that is furnished by
them (Inkster, 2018). Policies has to be related with information that is being stored as well as
1

one which is under processing. ISP's must address all the users of technology, programs,
systems and facilities without any exclusion. The policies must be deliberate for rendering
control, protecting and managing other crucial assets of Wallington Trust Hospital. These
policies are responsible to cover entire information which is present on their database,
computers and the one which is transmitted via network.
Along with this, it has to be acknowledged that all the staff member are in scope of the
policies that are being formulated (Jayanthi, 2017). They comprises of: staff working on behalf
of or in Wallington Trust Hospital (includes embedded staff, secondees, permanent employees,
contractors and temporary staff) and commissioning support units of Wallington Trust Hospital.
Roles & Responsibilities
Information security policies have to be clearly formulated so that the rationale behind
them can be understood by professionals. They have have to be created in such a way that all the
security breaches which might occur can be prevented as well as mitigated. The roles as
responsibilities of different individuals within Wallington Trust Hospital have been illustrated
beneath:
Chief Executive: They are liable for all the procedural documentation within
organisation. As a accountable officer, they have entire responsibility for establishment as well
as maintenance of effectual document management system along with their governance,
acknowledging entire statutory needs by complying to guidance which have been furnished in
context of procedural documents and information governance (Lam, 2016).
Caldicott Guardian: The Wallington Trust Hospital may appoint their medical director
as a caldicott guardian who will be responsible for ensuring that highest practical standards for
handling information. Along with this, they will facilitate as well as enable suitable data sharing
for making decisions on the behalf of Wallington Trust Hospital for adhering to ethical and
lawful processing of information. Furthermore, it will lead to make sure that confidentiality
issues are clearly covered within the policies.
Senior Information risk owner (SIRO): They are liable for taking up entire ownership of
firms information risk policies as well as will acknowledge the ways in which strategic business
goals may be affected by information risks along with there management (Laybats and
Tredinnick, 2016). SIRO will also be responsible for signing off and taking accountability for
formulation of risk based decisions along with reviews in context of processing of personal data.
2

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Furthermore, training will be given to them which will enable them be effectual within their roles
and responsibilities they have to carry out.
Data Protection Officer: They are liable to respond to SIRO within Wallington Trust
Hospital and can also act independently as well as report to Board related with data protection
matters. This might comprise of risks, privacy issues, information governance or new initiatives
(Perumal and et. al, 2018). They will render advice to firm as well as their employees for
adhering to obligations related with data protection law, furnish advice for assessment of
impacts, monitoring of data protection laws & policies and while carrying out these
responsibilities risk must be taken into consideration.
Information Asset Owners: IAO are liable for leading as well as fostering culture which
values, secure and makes use of data for facilitating patients. Acknowledge what information
comprises of as well as understand justification and nature of flow of data from & to the assets.
Along with this, provide access to assets as well as monitor them so that they comply with
formulated policies. Moreover, within Wallington Hospital IAO must address risks associated
with assets and also render assurance to SIRO.
Head of Corporate IT Cyber Security and ICT Technology: They are liable for
development, implementation and enforcement of relevant and appropriate information security
protocols as well as procedures for ensuring that Walling Trust Hospital's infrastructure and
systems remain complaint to Data Protection Act, 2018 (Ryan and et. al, 2019). Along with this,
they have to make sure that equipments which are being used within possess relevant security
measures for complying with data security regulations and legislations.
Information Governance Policy Framework
The framework has been formulated by Wallington Trust Hospital for their information
governance policy. The holistic approach that is being used for managing information through
execution of processes, metrics and roles for transforming information within business asset is
referred to as information governance (Smallwood, 2018). The rationale behind this is to set up
organisational approach. It is being supported by different set of policies along with related
procedures for covering all the aspects that are aligned with data security as well as protection
toolkit needs. Information Governance Policies have been specified below:
Policies Description
3

Data protection policy It is liable for setting up roles as well as
responsibilities with adherence to Data
Protection Act.
Freedom of information This policy is liable for setting out roles as well
as responsibilities for adhering with
Environmental information regulations along
with Freedom of Information Act.
Confidentiality This policy will lay out the principles which
needs to be observed by all employees of
Wallington Trust Hospital for having access to
confidential or personal information of
business. All employees needs to be aware
about responsibilities they have to carry out for
preserving as well as safeguarding information
for complying to common law obligations and
Confidentiality Code of Practice (Smallwood,
2019).
Information security This aims at protection of high standards along
with information assets. It is liable for
explicating security measures which have been
applied via technology and comprises of
anticipated behaviour who are responsible for
managing data within Wallington Trust
Hospital.
Document and management This policy aims at promoting effectual
management as well as usage of information
by recognition of their value along with
significance of resources for delivering
corporate as well as service objectives (Trim
4

and Lee, 2016).
Information sharing The policy will make sure that information
which is being processed or held by
Wallington Trust Hospital which is available
for rendering suitable protection for
confidentiality with respect to terms &
conditions in context of data that is being
shared. Basically, it is liable for ensuring that
equal & fair access is provided for supporting
range of procedures.
Along with this, Wallington Trust Hospital can opt for NIST Cybersecurity framework
which will render them with policy framework for computer security as a response for ways to
enhance their ability for prevention, detection and response to cyber attacks (Van Horenbeeck,
2018). The functions that will be furnished by NIST CSF have been illustrated beneath:
 Identification: This comprises of development of understanding of organisation like
Wallington Trust Hospital for managing cybersecurity risks to assets, capabilities, data
and systems. In this, policies of organisation must cover roles as well as responsibilities
for vendors, employees and individuals who have access for sensitive information. Along
with this, different steps are being taken for protecting against attacks as well as limiting
the damage which might occur (von Solms and von Solms, 2018). Its categories
comprises of business environment, risk assessment, asset management, their strategies
and supply chain management.
5

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

(Source: NIST Cybersecurity Framework For Organisations To Follow, 2019)
6
Illustration 1: NIST Framework

 Protection: Development as well as implementation of relevant safeguards for bringing
in complex infrastructure services (NIST Cybersecurity Framework For Organisations To
Follow, 2019). Here, access will be controlled with respect to who is making use of
network, usage of security software, encryption of sensitive data and many others. It
comprises of distinct categories, they are: identity management, awareness and training,
information protection, protective technology and authentication & access control. Detection: It includes developing and implementing relevant activities for identification
of occurrence of security events. With respect to Wallington Trust Hospital, they need to
monitor systems for unauthorised access and check the network for this. Along with this,
technical department needs to identify if any unusual activities are carried out within the
network by insiders or outsiders. Its categories comprises of security continuous
monitoring, anomalies & events and detection of processes. Respond: In this appropriate activities have to be carried out for taking action with
respect to detected cybersecurity event (Watson and Millerick, 2018). Here, a plan is
required by Wallington Trust Hospital which must include notifying employees,
customers and others in case if there data is at risk, attack must be reported to law
enforcement along with other authorities and appropriate investigation must be carried
out for attacks. Its categories comprises of communications, mitigation, analysis,
improvements and response planning.
 Recovering: Developing and executing relevant activities for taking actions with respect
to identified cybersecurity event. In this step, if any kind of attack has occurred then it
has to be repaired as well as restore the parts and equipments which are used within
network and were affected. Along with this, customers and employees must be kept
informed with respect to response as well as recovery activities. Categories of recovering
includes response planning, interactions and improvements (Bang, 2018).
Implementation plan as well as monitoring mechanism
There are certain steps which have to be used by Wallington Trust Hospital, they are
mentioned beneath:
 Accomplishment of executive support for driving in information governance framework
within the organisation.
7

 Identify individuals who are liable for information governance within Wallington Trust
Hospital in steering committee, chief information officer, designated C-Suite and
accountability structure.
 Developing charter in context of ways in which information governance program can be
implemented for conducting within cross-functional groups (Clarke, 2016) .
 Formulation of policies in context of information governance as well as initiation of
information asset such as critical data through which operational needs can be
accomplished.
 Development of baseline along with measuring progress on continual basis. In addition
to this, processes can be formulated for observing performance for compliance along
with information standards, policies and procedures.
Apart from this, there are certain other plans which are specified beneath: Distribution plan: The document must be provided to all employees of Wallington Trust
Hospital through usage of internet site (Inkster, 2018). Along with this, global notice has
to be furnished to employees for notifying them about release of peculiar document so
that each goes through this and adhere to things mentioned on that. A link has to be
provided within from Transformation as well as Corporate Directorate intranet site.
 Training plan: The needs for training have to be analysed which have to be taken up by
employees who are impacted through this document. Depending upon the findings
attained from the analysis that has been carried out, training will be furnished to staff
which is relevant. Apart from this, guidance will be rendered on Transformation as well
as corporate operations information governance site.
The plan is executed but this cannot be successful until this is monitored in an
appropriate manner (Jayanthi, 2017). An instance can be taken into consideration for addressing
this concept, framework or policies that are established as well as implemented in firm. In case,
if this is not monitored then unauthorised activities may occur within the network.
Vulnerability denotes state or quality exposed for possibilities related with getting
harmed or attacked either emotionally or physically. With respect to cyber security, this denotes
bugs which exist within the system through which intruder can enter within the system and can
carry out unauthorised activities. Mitigation implies the activities which has to be obviated
8

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

entirely. It is crucial for Wallington Trust Hospital for identification of significant steps by which
this can be eliminated. They have been illustrated below:
 The hospital must identify and document all the vulnerabilities that are related with assets
of firm. Thus, it is crucial for carrying out risk assessment by which if any vulnerability is
present within the system then it can be identified in an appropriate manner (Lam, 2016).
 It is essential for identification of internal as well external threats and document them so
that in case if same attack occurs again then it can be eliminated through the assistance of
document. Along with this, Wallington Trust Hospital needs to address techniques,
procedures and tactics that can be utilised in adverse conditions.
 Apart from this, probable business impacts needs to be considered for determination of
consequences associated with execution of distinct software versions or entire system.
While monitoring, it is crucial to comply with procedures as well as policies which are
being laid down within the document. They have to be monitored through Corporate Information
Governance team along with independent reviews which are being given by both external as well
as internal audit with respect to periodic basis (Laybats and Tredinnick, 2016). The head of
corporate information governance of Wallington Trust Hospital who is liable for monitoring,
revising along with updating the document on continuous basis or when the need occurs.
Conclusion
From above, it has been observed that information security policies are responsible for
identification of rules and procedures for all users who are making use as well as accessing all
the information technology resources along with liabilities of firm. The rationale behind this is to
make sure that organisation can possess error free environment that will aid them within
elimination of unauthorised risks or bugs that may occur in the working environment of
organisation. Scope illustrates the ways in which policies are being executed in context of
forthcoming aspects. In addition to this, information governance framework must be used that
illustrates adequate steps which can be taken for making sure that cyber security threats must be
mitigated.
9

References
Books & Journals
Bang, K.C., 2018. A Building Method of Designing National Cyber Security Governance Model
Through Diagnosis of Operational Experience. Journal of Digital Convergence, 16(6),
pp.205-212.
Clarke, S., 2016. Reducing the impact of cyberthreats with robust data governance. Computer
Fraud & Security, 2016(7), pp.12-15.
Inkster, N., 2018. China’s Cyber Power. Routledge.
Jayanthi, M.K., 2017, March. Strategic Planning for Information Security-DID Mechanism to
befriend the Cyber Criminals to Assure Cyber Freedom. In 2017 2nd International
Conference on Anti-Cyber Crimes (ICACC) (pp. 142-147). IEEE.
Lam, J., 2016. IIET: Cyber security in modern power systems-Protecting large and complex
networks (pp. 1-12). IET.
Laybats, C. and Tredinnick, L., 2016. Information security.
Perumal, S. and et. al, 2018. Transformative Cyber Security Model for Malaysian Government
Agencies. International Journal of Engineering & Technology, 7(4.15), pp.87-92.
Ryan, N. and et. al, 2019. LGA Cyber Security Stocktake.
Smallwood, R.F., 2018. Information Governance for Healthcare Professionals: A Practical
Approach. Productivity Press.
Smallwood, R.F., 2019. Information governance: Concepts, strategies and best practices. John
Wiley & Sons.
Trim, P. and Lee, Y.I., 2016. Cyber security management: a governance, risk and compliance
framework. Routledge.
Van Horenbeeck, M., 2018. The future of Internet governance and cyber-security. Computer
Fraud & Security, 2018(5), pp.6-8.
von Solms, B. and von Solms, R., 2018. Cybersecurity and information security–what goes
where?. Information & Computer Security, 26(1), pp.2-9.
Watson, D. and Millerick, R., 2018. GDPR and employee data protection: Cyber security data
example. Cyber Security: A Peer-Reviewed Journal, 2(1), pp.23-30.
Online
NIST Cybersecurity Framework For Organisations To Follow. 2019. [Online]. Available
through: <https://hackercombat.com/nist-cybersecurity-framework-for-organizations-to-
follow/>.
10