IT Transformation
An FAQ guide to the new OH Assist referral portal
Prepared for: All clients
Date and Issue number: Issue 4 – 21st March 2017



OH Assist | Application Refresh FAQs 1

Contents

1 Document Overview
  1.1 What is happening and how is it being communicated
  1.2 How to use this document
  1.3 How to submit a question
2 Latest FAQs
    2.1.1 Launch Date
    2.1.2 Access to the New Portal
    2.1.3 User Accounts and Passwords
    2.1.4 Additional Managers
    2.1.5 Communications
    2.1.6 Communications
    2.1.7 Online Booking
    2.1.8 Penetration Testing
    2.1.9 ISO Certification
    2.1.10 IP Addresses
    2.1.11 Security - Passwords
    2.1.12 Timeline of Activity
3 Previous FAQs
  3.1 General Questions
    3.1.1 Reasons for the IT Change (published Issue 1 -11/11/16)
    3.1.2 New IT Partner (published Issue 1 -11/11/16)
    3.1.3 Deployment Timeline (published Issue 1 -11/11/16)
    3.1.4 Contingency (published Issue 1 -11/11/16)
    3.1.5 ISO27001 Accreditation (published Issue 1 -11/11/16)
    3.1.6 Client Feedback (published Issue 2 -15/12/16)
    3.1.7 Launch Date (published Issue 2 -15/12/16)
    3.1.8 System Features (published Issue 2 -15/12/16)
    3.1.9 Launch Date (published Issue 3 -25/01/17)
  3.2 Security
    3.2.1 Data Security (published Issue 1 -11/11/16)
    3.2.2 Security Accreditation Process (published Issue 1 -11/11/16)
    3.2.3 Security of Accounts (published Issue 1 -11/11/16)
    3.2.4 Security of Accounts (published Issue 1 -11/11/16)
    3.2.5 Security of Accounts (published Issue 1 -11/11/16)
    3.2.6 Security of Accounts (published Issue 1 -11/11/16)
    3.2.7 Security of Data (published Issue 1 -11/11/16)
    3.2.8 Security of Data (published Issue 1 -11/11/16)
    3.2.9 Security of Data (published Issue 1 -11/11/16)
    3.2.10 Security of Data (published Issue 1 -11/11/16)
    3.2.11 Security of Data (published Issue 1 -11/11/16)
    3.2.12 Security of Data (published Issue 1 -11/11/16)
    3.2.13 Security of Data (published Issue 1 -11/11/16)
    3.2.14 Security of Data (published Issue 1 -11/11/16)
    3.2.15 Security and Transfer of Data (published Issue 1 -11/11/16)
    3.2.16 Security and Transfer of Data (published Issue 1 -11/11/16)
    3.2.17 Security and Transfer of Data (published Issue 1 -11/11/16)
    3.2.18 Destruction of Data (published Issue 1 -11/11/16)
    3.2.19 Security and 3rd Parties (published Issue 1 -11/11/16)
    3.2.20 Security Incident Process (published Issue 1 -11/11/16)
    3.2.21 Security Training (published Issue 1 -11/11/16)
    3.2.22 Security Testing (published Issue 1 -11/11/16)
    3.2.23 Data Protection (published Issue 2 -15/12/16)
    3.2.24 Technical Specification (published Issue 2 -15/12/16)
    3.2.25 Data Storage (published Issue 2 -15/12/16)
    3.2.26 Local Access Policy (published Issue 2 -15/12/16)
    3.2.27 Security Incidents (published Issue 2 -15/12/16)
    3.2.28 Security of Data (published Issue 3 -25/01/17)
    3.2.29 Security of Data (published Issue 3 -25/01/17)
    3.2.30 Security of Data (published Issue 3 -25/01/17)
    3.2.31 Security of Data (published Issue 3 -25/01/17)
    3.2.32 Security of Data (published Issue 3 -25/01/17)
    3.2.33 Security of Data (published Issue 3 -25/01/17)
    3.2.34 Security of Data (published Issue 3 -25/01/17)
    3.2.35 Security of Data (published Issue 3 -25/01/17)
    3.2.36 Security of Data (published Issue 3 -25/01/17)
    3.2.37 Security of Data (published Issue 3 -25/01/17)
    3.2.38 Security of Data (published Issue 3 -25/01/17)
    3.2.39 Security of Data (published Issue 3 -25/01/17)
    3.2.40 Security of Data (published Issue 3 -25/01/17)
  3.3 Communications
    3.3.1 Client Engagement (published Issue 1 -11/11/16)
  3.4 Training and Testing
    3.4.1 Training (published Issue 1 -11/11/16)
    3.4.2 System Testing (published Issue 1 -11/11/16)
    3.4.3 Training (published Issue 2 -15/12/16)
    3.4.4 User Acceptance Testing (published Issue 2 -15/12/16)
    3.4.5 Client Access (published Issue 2 -15/12/16)
  3.5 System Design
    3.5.1 Additional Managers (published Issue 1 -11/11/16)
    3.5.2 Future System Changes (published Issue 1 -11/11/16)
    3.5.3 Single Sign-on (published Issue 1 -11/11/16)
4 Appendix A
  Updated ISO Certification for psHEALTH


1 Document Overview

1.1 What is happening and how is it being communicated

As a new legal entity OH Assist Limited, with investment partners CBPE Capital, has made the decision to refresh our entire IT platform to place us as market leaders in technology enabled OH solutions. Changes include a new referral portal that will offer the efficiency of complete automation, client-specific workflow configuration and state of the art real-time reporting.

An initial communication has been issued to clients with information about why the change is required, the benefits of the transformation and our proposed deployment plan. Following on from the initial briefing, OH Assist intends to send out a series of communications to support the upgrade activities on a regular basis, which includes this Frequently Asked Questions (FAQ) document.

The purpose of this document is to provide clients with information about the development and implementation of the IT upgrade and to share questions with corresponding answers that have been raised across our entire client base that may be useful to other clients.

1.2 How to use this document

This document is a communication tool. It will be issued regularly to log and communicate any generic questions from clients alongside the corresponding OH Assist responses.

The most recent set of questions, i.e. questions received since the previous issue of this communication document, can be found within Section 2 ‘Latest FAQs’. We will publish all questions even if we are unable to provide an immediate response – this will avoid duplicate questions being asked. We will respond to every question as quickly as we are able to do so.

Section 3 contains an archive record of all questions and responses from previous issues that are logged under the appropriate subject heading.

Subjects are all accessible from the main contents table.

1.3 How to submit a question

You can communicate your questions via your Strategic Relationship Manager, or Service Delivery Manager – as always.

You can also submit your question directly to the project communications team by emailing:

[email protected]


2 Latest FAQs

This is where to find all the latest questions and responses.

2.1.1 Launch Date

Question What date do you intend to launch the upgraded referral portal?

Response

The target date for the deployment of the upgraded referral portal is 2nd May 2017. If there are any changes to the deployment plans, including timescales, we will communicate this at the earliest opportunity.

2.1.2 Access to the New Portal

Question When will we be provided with access details for the upgraded OH portal?

Response

It is anticipated that OH Assist will share the new URL for the portal with our clients in early April 2017. Following receipt of the link, clients may approach their internal IT department to ensure that the site will be accessible to referring managers following the deployment date and not blocked as a result of security concerns. The actual referral portal will still be in development at the point that the URL is shared and will not be accessible via the URL.

2.1.3 User Accounts and Passwords

Question Will user accounts and passwords be migrated to the upgraded portal?

Response

User accounts and passwords will be migrated, so that all referring managers with a current active Vista account will be able to log onto the upgraded referral portal post deployment. Upon accessing the portal, the user will be asked to reset their password as a security measure.

2.1.4 Additional Managers

Question Will the additional manager links be migrated to the upgraded portal, so that additional managers can see the OH referrals currently in progress that they are associated with?

Response

All active user accounts and passwords will be migrated to the new system in preparation for the deployment of the upgrade. In addition, referral data will be migrated. Therefore if an additional manager is currently associated with an open referral in Vista, all information relating to the referral will be visible to the additional manager in the upgraded referral portal.

2.1.5 Communications

Question What specific messages need to be communicated in the run up to go live (i.e. no referrals or new accounts from 6pm on Friday 28 April)?

Response

Specific messages will need to be shared with users of the service in advance of the system deployment.

All actions recommended to support deployment will be communicated via the OH Assist IT Transformation Newsletter. Issue 1 of the Newsletter recommended that clients provide a high level communication to users of the service to inform them about the pending changes. Further communications will be recommended at the appropriate time.

OH Assist is currently designing training material to support account holders to navigate through the portal. A communication will be required to announce and distribute the training materials.

With regards to specific messages about downtime of the referral portal to support data migration activities, specific details will be shared with clients in due course. It is our intention to schedule any downtime required for migration activity over a weekend, to minimise disruption for our clients.

2.1.6 Communications

Question What support will be available to portal users following the launch of the service? How will clients raise any issues?

Response

Following the business as usual processes, it is anticipated that issues relating to the deployment of the upgraded portal will be reported via the OH Service Helpdesk. The Helpdesk will ensure that calls are logged, referring managers are supported with their enquiries and that issues are escalated if it is appropriate to do so. Escalated issues will be addressed as a matter of urgency and remedial action taken. OH Assist will proactively communicate issues that have been raised to our clients and provide details about the actions taken to address them.

2.1.7 Online Booking

Question The new system will support online booking for the majority of referrals. Does this include WSA/WPA?

Response

No. For services such as Workstation Assessments and Workplace Assessments, the referring manager will not be able to book an appointment using online booking. The request for an assessment will be submitted via the portal, but due to the complexities of the service, OH Assist will hand hold these particular assessment types and schedule an appointment that is mutually beneficial for the employee and the practitioner that is due to deliver the assessment. It is not possible to predict when and where a Workstation or Workplace Assessment will be required in advance of a referral being submitted. OH Assist is therefore unable to set up an advanced delivery session so that the manager is able to book the appointment immediately following the registration of the referral.

2.1.8 Penetration Testing

Question Could you please provide an update with regards to penetration testing?

Response

OH Assist will not be able to complete penetration testing until early April, once the production environment has been built. This timescale gives us enough time prior to the launch date to address and fix any critical and high risk vulnerabilities, if any are discovered during the penetration testing. If remedial action needs to be taken, we will re-run the test to confirm that all relevant risks and issues have indeed been removed from the solution prior to the 2nd May launch date.

2.1.9 ISO Certification

Question Would you please issue the updated ISO certification for psHEALTH?

Response

Yes, please see Appendix A.

2.1.10 IP Addresses

Question Do you have the facility to restrict IPs? It would be preferable if that were put in place so that access could be further tightened.

Response

We do have the ability to restrict incoming IPs. However, implementing such IP restrictions can be complex (due to the implications on other clients) and can limit access to the site in scenarios where that is not actually desired (for example, when referring managers are working from home or while travelling on business etc). We would be happy to discuss the relative advantages and disadvantages of this approach, to ensure that a mutually acceptable solution is put in place.


2.1.11 Security - Passwords

Question Please clarify whether passwords that are stored are ‘hashed’ and ‘salted’.

Response

The platform uses industry standard password hashing algorithms with random salts. It uses BouncyCastle's implementation of the OpenPGP cryptography suite for password hashing.

2.1.12 Timeline of Activity

Question Are you able to provide a timeline of migration activity for the deployment of the upgraded portal?

Response

Please note that the target dates detailed below are subject to change.

| Migration Activity | Target Date | Comments |
|---|---|---|
| Product design complete | 10/03/17 | All design modules due to be complete in preparation for testing |
| Commencement of OH Assist internal UAT | 13/03/17 | OH Assist internal UAT will commence, testing that the development of the system mirrors the design requested |
| Data migration activities commence | 27/03/17 | This includes the transfer of historical referral data etc |
| Security accreditation process complete | 31/03/17 | All security questionnaires to be completed for all clients |
| Issue URL for the OH portal to clients | 03/04/17 | To issue to IT departments to ensure that security protocols do not prevent access to the portal for the end user (please note that the actual referral portal will still be in development and not accessible via the URL at this stage) |
| System demonstration and training commences | 10/04/17 | High level demonstrations of the system will be provided and training will begin |
| Issue of training materials | 14/04/17 | Issue of training aids to support system users through the referral process and to navigate through the upgraded portal |
| Penetration testing | 17/04/17 | An executive summary will be shared with clients providing information about the penetration test. Time will be allocated for any remedial action required following on from the test |
| Data migration activities | 01/05/17 | The migration activities will be completed in March and April, with residual data transfer for referrals that are created in the weeks leading up to the launch date |
| Target deployment date | 02/05/17 | Deployment into live operations will commence |


3 Previous FAQs

3.1 General Questions

3.1.1 Reasons for the IT Change (published Issue 1 -11/11/16)

Question Why have OH Assist made the decision to change their current IT platform?

Response

Atos IT Services UK Limited provided a unique purpose built IT referral system for OH Assist to deliver Occupational Health services in 2002.

Our client base and the services we provide have grown over the last 14 years and our IT system requires significant development to meet the expanding requirements for our business and our clients.

As a new legal entity, OH Assist Limited with investment partners CBPE Capital has made the decision to refresh our entire IT platform to place us as market leaders in technology enabled OH solutions.

Changes include a new referral portal used by our clients that will offer the efficiency of complete automation, client-specific configuration and state of the art real-time reporting to support our clients’ business objectives.

After extensive exploration of the market, OH Assist selected healthcare IT experts psHEALTH as our strategic partner for this milestone project.

3.1.2 New IT Partner (published Issue 1 -11/11/16)

Question Why did OH Assist choose psHEALTH as a partner?

Response

Our new IT platform will be provided by our strategic partner, psHEALTH, under a design-build-operate contract model.

We have had an existing relationship with psHEALTH for four years and working in partnership with OH Assist, psHEALTH is in the process of designing a customised IT platform built on an Appian software platform that will be hosted using Rackspace in the UK.

psHEALTH are contracted to OH Assist to provide our end-to-end IT solution and manage their suppliers Rackspace and Appian. We have ensured that service levels and performance targets are aligned throughout the supply chain.

psHEALTH is the leading provider of cloud-based, customised patient management and workflow solutions to independent healthcare providers in the UK. psHEALTH delivers solutions to a range of organisations including the NHS.

For further information about psHEALTH, please refer to www.pshealth.co.uk

3.1.3 Deployment Timeline (published Issue 1 -11/11/16)

Question What is the launch date of the new application?

Response

OH Assist anticipates that the new system will be in operation at the end of Q1, 2017. The anticipated timeline is based on the progress that has been made so far and a projected estimation as to when all of the future activity required for the deployment has been completed. Within the coming months, OH Assist will be able to provide you with a firm launch date and this question response will be updated accordingly.

3.1.4 Contingency (published Issue 1 -11/11/16)

Question What happens if your IT provider is unable to deliver on the launch date or their system goes down? Does OH Assist have a contingency arrangement?

Response

OH Assist has a contractual agreement with Atos IT Services UK Limited for a period of time that extends beyond the anticipated launch date of the new system. Atos IT Services UK Limited are committed to supporting OH Assist through the transition process to ensure that the transfer of data is achieved prior to the launch date and that there is minimal disruption to the services that we provide to our clients. In the unlikely event that an adverse incident prevents the launch of the new system, services will continue to be delivered by Atos IT Services UK Limited until such a time as the issues are resolved.

3.1.5 ISO27001 Accreditation (published Issue 1 -11/11/16)

Question It is noted that one of the ISO27001 certificates expires in Feb 2017; does OH Assist plan to renew it before it expires? Will the new system comply with ISO 27001 Information Security Management standard or equivalent?

Response

OH Assist and our IT providers have achieved ISO27001 accreditation. The issue and expiry dates are as follows:

• OH Assist - The current ISO accreditation certificate was issued 30th September and expires 29th September 2019.

• psHEALTH - The current ISO accreditation certificate was issued 24th February 2016 and is due to require reaccreditation 24th February 2017.

• Rackspace - The current ISO accreditation certificate was issued 21st October 2015 and is due to require reaccreditation 20th October 2018.

The psHEALTH ISO 27001 re-accreditation is due to take place January 2017. OH Assist will track progress of the accreditation and update the OH Assist Application and Security document with a copy of the renewed accreditation certificate.

3.1.6 Client Feedback (published Issue 2 -15/12/16)

Question Do you intend to provide your clients with the opportunity to see the portal and give feedback?

Response

Yes, it is our intention to provide clients with an opportunity to view the portal prior to the launch of the system upgrade. The client referral portal is currently in development as we continue to refine the look and feel of the upgrade to ensure that the functionality supports our client needs.

Following the launch of the IT system upgrade, OH Assist will initiate a continuous improvement plan. Feedback that has been provided by clients will be reviewed and will influence how we improve the service offered going forward.

If you would like for your organisation to be involved in a webinar to provide feedback on the current Vista system and to see an advance demonstration of the new portal, please register your interest (if you haven’t already done so) by sending an email to [email protected]. Further details will be released to interested parties in January 2017.

3.1.7 Launch Date (published Issue 2 -15/12/16)

Question Please provide confirmation of the timescales for go live.

Response

In previous communications, OH Assist advised that the launch date of the new system is likely to be at the end of Q1. OH Assist is currently reviewing the overall project plan and key milestones. The launch date will be announced in January 2017 following the finalisation of the project plan.

3.1.8 System Features (published Issue 2 -15/12/16)

Question Could you clarify the benefits and added features that the upgraded system will provide for clients?

Response

In the initial communication about the IT Transformation, OH Assist outlined the benefits of the upgrade and provided an initial overview of the anticipated enhancements that will support client referrals. Additional information will be provided to clients in the coming months through a series of communications. OH Assist will provide clients with training aids prior to the launch date that will demonstrate new functionality and provide details about how to navigate through the system.

3.1.9 Launch Date (published Issue 3 -25/01/17)

Question Is April 2017 still the Go Live date for the new portal?

Response

The target date for the deployment of the upgrade into live operations will be shared with clients in the near future. Following the announcement, any changes to the deployment plan including timescales will be communicated to clients at the earliest opportunity.


3.2 Security

3.2.1 Data Security (published Issue 1 -11/11/16)

Question Could OH Assist provide information about the security of data held within the new system?

Response

A Security Information document is available for clients, which addresses perceived concerns with regards to data protection. The document has been distributed to all clients as part of the initial communication process. A copy of the document can be requested via an email to [email protected]. Should your organisation require additional information about data security or would like to talk with an OH Assist IT representative, please detail your requirements in your email.

3.2.2 Security Accreditation Process (published Issue 1 -11/11/16)

Question I am advised that my organisation may be required to undertake a security accreditation process prior to the launch of the new IT platform. Please advise on the steps required to commence this process?

Response

Some of our clients will need to complete a security accreditation process prior to the transfer of employee data from the existing IT platform to the new IT platform. A security information document has been prepared by OH Assist to help inform clients about the new system and the security of the data held within it. Client representatives will need to advise their IT department of the anticipated change and enquire as to whether an accreditation process is required. If further information about the IT platform is required, clients are encouraged to send an email to [email protected]. OH Assist will need to be notified at the earliest opportunity if an accreditation process is required. OH Assist will need to understand how long the accreditation process will take to complete and will need to track progress.

3.2.3 Security of Accounts (published Issue 1 -11/11/16)

Question What is the process for joiners, movers and leavers to ensure only those with business need can access the data via the system?

Response

Users of the OH portal will only have access to data that is relevant to them, i.e. information about an employee that is related to a referral where the user is a primary or secondary referring manager and the employee has provided explicit consent for the user to see the information. Unique user accounts are created for each user using a strict role based security model. This determines what data the user can see and the functionality they have access to. On creation of an account, a user is given the lowest privilege level. Higher access can only be granted by a user administrator. If a higher privilege account is requested, access to data can be controlled by the higher privilege account user.

With regard to OH Assist employees, access to client data is restricted to individuals with specific roles where there is a genuine need to access the information. The company’s HR department follow a formal process for handling changes to employment. In addition there is a separate procedure for handling all leavers. This includes the recovery of assets and the removal of access rights.


3.2.4 Security of Accounts (published Issue 1 -11/11/16)

Question The HR Advisors have higher privilege admin accounts than line managers. Please advise who controls the admin accounts?

Response

Unique user accounts are created for each user using a strict role based security model. This determines what data the user can see and the functionality they have access to. On creation of an account, a user is given the lowest privilege level. Higher access can only be granted by a user administrator.

For some client organisations, HR Advisors have higher privilege accounts and can activate or deactivate user accounts on behalf of their organisation. To enable higher privilege accounts, the client will need to enlist the support of an OH Assist System Administrator. Higher privilege accounts will be created in line with protocols agreed between the Client OH Contract team and OH Assist.

Administrator Account creation and change activities are stored in an audit log.

3.2.5 Security of Accounts (published Issue 1 -11/11/16)

Question How will users of the system be authenticated?

Response

All client users will have their own individual, unique username and password based accounts. All authentication and identity management will be done using industry-standard secure access management procedures. Extensive access permission features are built into the new application and will ensure that access to features will be implemented on a 'least privilege' basis.

3.2.6 Security of Accounts (published Issue 1 -11/11/16)

Question Could OH Assist provide clients with an access control policy which should cover what users can view, amend and what the different levels of access are?

Response

This is comprehensively addressed by the new application's security framework and the application of OH Assist's logical access management policy. This is implemented, as is the industry standard, on the basis of the 'least privilege' principle. Please note that this also includes fully auditable logs of all system and data changes that can be used as part of an audit or indeed forensic investigations. OH Assist would be pleased to provide clients with access to policy documentation as part of an on site visit.

3.2.7 Security of Data (published Issue 1 -11/11/16)

Question What levels of security are offered by the new IT platform to ensure the protection of Data and compliance with the DPA?

Response

The new application contains comprehensive, industry-leading data security features that would be expected from an ISO27001 certified company such as OH Assist. This is documented in great detail within OH Assist's ISO27001 certified information security policy and procedures framework. While OH Assist, as a matter of policy, cannot share the full details of the relevant security controls, we would be happy to provide clients access to the policy documentation as part of an on site visit. Furthermore, our ISO27001 Statement of Applicability document, which outlines at a high level the security topics and relevant policies and controls, can be made available to clients upon request.

3.2.8 Security of Data (published Issue 1 -11/11/16)

Question Cookies are sent via http. Does this mean they're susceptible to a man in the middle attack and if so, how is this risk mitigated?

Response

Vulnerability to 'man in the middle' attacks can exist due to a variety of system features and configurations. Penetration and vulnerability testing will be conducted ahead of go-live which will explicitly test for this security risk and, if present, corrective actions will be implemented ahead of launch.

3.2.9 Security of Data (published Issue 1 -11/11/16)

Question Have psHEALTH gained Cyber Essentials?

Response

Not at present, though psHEALTH would be willing to consider this upon request.

3.2.10 Security of Data (published Issue 1 -11/11/16)

Question Could OH Assist provide assurance that;

- Services intended for the transmission of protectively marked material or for the protection of systems accredited to store or process protectively marked material shall be protected and delivered to the standards set out in the Manual of Protective Security (MPS) or equivalent.
- Services comply with the Information Age Government Security Framework or equivalent
- A Risk Management Accreditation Document Set (RMADS) (as defined in HMG Infosec Standard 2) is provided covering the scope of the Services in the Catalogue and shall maintain said RMADS throughout the term of this Agreement. The RMADS shall be subject to the approval of the Accreditor?

Response

OH Assist provides assurances that all activities relating to the development, deployment and management of the new application, including those aimed at data transmission, retention and destruction, are fully in line with the highest industry standards, applicable legislation and the ISO27001 standard. Specific evaluation against stated requirements and policies is being carried out and suitable assurances will be formally offered as soon as practically possible and in full cooperation with relevant clients.

3.2.11 Security of Data (published Issue 1 -11/11/16)

Question Will you implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure? These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and shall comply with the specific procedural requirements for the protection and handling of personal data as set out in HMG IA Standard Number 6 (Protecting Personal Data and Managing Information Risk).

Response

This is a wide-ranging topic that spans several physical and technical security policies and procedures that are part of OH Assist's ISO27001 certified information security framework. All industry-standard requirements relating to unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure of sensitive personal data will be addressed by appropriate organisational and application security features and controls, proportional to the outcomes of formal privacy impact assessments that are being conducted as part of OH Assist's secure development policy and risk management framework.

3.2.12 Security of Data (published Issue 1 -11/11/16)

Question Provide clear details on what information is recorded on each system

Response

The new application will require the gathering of the same type and quantity of information as our current system. OH Assist would be happy to share this detailed documentation upon request.

3.2.13 Security of Data (published Issue 1 -11/11/16)

Question What software programmes are being used and what servers/ platforms they would be on?

Response

Full technical specification of this is available in a separate document that can be shared with clients upon request.

3.2.14 Security of Data (published Issue 1 -11/11/16)

Question Could OH Assist provide an audit control policy/ strategy to demonstrate how people access the systems, whether access is monitored or recorded? This ties in with the data protection principles;

Response

This is comprehensively addressed by OH Assist's ISO27001 certified information security framework. Details of all relevant policies, procedures and controls can be provided to clients during an on-site visit.

3.2.15 Security and Transfer of Data (published Issue 1 -11/11/16)

Question Please provide details of plans for moving/migrating live data from the old system to the new system, as this is sensitive data it will need to be risk assessed.

Response

Data Migration is one of the key work streams in OH Assist's application refresh project. The design work relating to this subject is currently underway. OH Assist is compelled to carry this out using the highest security standards, in terms of both secure data transfer to the new platform and secure data destruction in the old platform, as part of its ISO27001 accredited information security policy as well as applicable law. Detailed plans can be shared with clients once the full solution is in place.

3.2.16 Security and Transfer of Data (published Issue 1 -11/11/16)

Question How will existing data held on the ATOS IT systems be transferred to the new IT provider?

Response

Data will be transferred via Secure FTP (SFTP).

3.2.17 Security and Transfer of Data (published Issue 1 -11/11/16)

Question The security document states data in transit is protected by https TLS. Does this apply to all attachments?

Response

Yes, TLS encryption will include all attached files.

3.2.18 Destruction of Data (published Issue 1 -11/11/16)

Question At the end of the contractual agreement, how will staff data be destroyed or cleansed to make data irretrievable and unreadable in line with the Security Policy Framework?

Response

Both OH Assist and Atos IT Services UK are ISO27001 accredited. All data destruction activities will be conducted using industry standard secure data disposal procedures, in line with the relevant policies that cover data erasure techniques and processes, full audit trails and certificates of secure destruction.

3.2.19 Security and 3rd Parties (published Issue 1 -11/11/16)

Question How will OH Assist ensure 3rd party compliance with security requirements?

Response

Subcontractors are required to complete a contract containing relevant confidentiality clauses.

OH Assist quality assure and robustly manage all of our strategic partners to ensure their service, security arrangements and quality reach the same high standards we expect of ourselves.

We carry out monthly performance reviews with subcontractors to ensure that performance is in line with the expectations both we and our customers hold.

Our supplier management approach is based on:

• Clarity of performance, security and quality expectations, with monthly reviews based on robust data;
• Ownership of the Customer-Supplier relationship on both sides with transparent, mature engagement at multiple levels; and
• Joint action planning and forecasting of future needs, including regular innovation sessions where suppliers present the latest trends/opportunities in their area of expertise.

Our relationship with all suppliers is managed in a structured, open and collaborative way. Clear communication to ensure subcontractors understand what is required of them is critical and the objectives set for the provision of services are a key element of the formal governance procedures we have in place.

3.2.20 Security Incident Process (published Issue 1 -11/11/16)

Question Can you outline the security incident process for OHAssist/PSHealth?

Response

Comprehensive security incident management process policy and procedures are in place, as part of OH Assist's ISO27001 certified information security framework. Much of this documentation is considered confidential and sensitive, as it contains information that can potentially be exploited by 3rd parties. Hence, OH Assist cannot openly share such documentation but would be happy to provide access to it as part of an on-site visit.

3.2.21 Security Training (published Issue 1 -11/11/16)

Question Can you provide details of the staff training provided to OH Assist employees to ensure that staff are aware of the confidential nature of the data?

Response

OH Assist fully endorses the principles of the Data Protection Act 1998, and ensures that all of our staff are aware of the company’s and their own responsibilities under the Act.

Data Protection registration: OH Assist is registered with the Information Commissioner’s Office for multiple instances of Data Processor and Data Owner. Our registration number is ZA142562.

OH Assist has an appointed Data Protection Manager and a Data Protection policy that documents how data should be handled and treated by employees within the organisation. Data shall only be held, processed and communicated in accordance with the terms of our entry on the Data Protection Register.

OH Assist users are made aware of the various risks associated with using laptops outside of the office through information security awareness and training. This includes what information should and should not be stored on the laptop, protection of the asset against loss, theft or damage, preventing breaches of confidentiality, and other security risks of which users should be aware.

The company’s UK Information Security Policy contains clear statements about the responsibilities of employees, including those who manage other staff and those with other specific roles.

New, amended and retired policies are communicated to members of staff through the company’s weekly bulletin which all members of staff receive. Policies are also highlighted and discussed at regular scheduled Site Security Forums.

Adherence to company policies is a contractual requirement and is also included in our contracts with our subcontractors. At induction new members of staff are required to sign to say that they have read and understood the company’s security policy.

All reported security breaches are properly investigated and disciplinary action is taken when appropriate. Security policies make it clear that failure to comply may be treated as a disciplinary offence.

The company’s HR department follow a formal process for handling changes to employment. In addition there is a separate procedure for handling all leavers. This includes the recovery of assets and the removal of access rights.

3.2.22 Security Testing (published Issue 1 -11/11/16)

Question Is it possible for OH Assist to provide a copy of the penetration test report for the new system?

Response

The IT Transformation project is still in the development phase and it is therefore not possible to conduct an independent penetration test of the new system at this time. Upon completion of the development phase, a penetration test will be scheduled into the project plan and will take place ahead of the launch date. An Executive Summary with information about the penetration and vulnerability tests will be made available to clients upon request.

3.2.23 Data Protection (published Issue 2 -15/12/16)

Question Please confirm your plans to meet the robust challenges of the new EU – General Data Protection Regulation in May 2018

Response

OH Assist has commissioned an independent Data Protection expert to provide an overview of current levels of adherence with the Data Protection Act (1998). The methodology undertaken to produce the review was based upon the Information Commissioner’s (ICO) Data Privacy toolkit and adherence with the Data Privacy Principles. This review also took into account the current understanding of the GDPR.

The review focussed upon the key areas as stipulated by the ICO Data Privacy Toolkit and enshrined in the Data Privacy Principles, with the exception of marketing requirements as this is not undertaken by OH Assist:

• Data Protection Assurance
• Records Management
• Information Security
• Data Sharing and Subject Access.

The review found that all of the above areas are compliant with the provisions as stipulated within the current Data Protection Act 1998. The Information Commissioner’s Office has stated that organisations that have a high level of compliance with Data Privacy will have an easier transition to meet the requirements of the GDPR.

OH Assist acknowledges that changes will be needed to comply fully with the GDPR in terms of updating ‘fair processing notices’, updating Data Protection policies, changes to the Subject Access Request procedures, the introduction of the Privacy by Design and Default provisions. This is currently the case with many EU organisations.

A detailed plan for implementation is in the pipeline following the undertaking of this initial Data Privacy Review. However, OH Assist already has strong governance and leadership in place overseeing Data Privacy and Security compliance which is a prerequisite of GDPR implementation that is necessary in order to drive the changes that are needed for compliance in this area. OH Assist has confidence that GDPR compliance will be achieved by the time the GDPR regulation comes into force in May 2018.

3.2.24 Technical Specification (published Issue 2 -15/12/16)

Question Please provide the technical specification for the new system


Response

A document providing details of the system upgrade requirements and high level specification is available to clients upon request. Please email [email protected] to obtain a copy of the document.

3.2.25 Data Storage (published Issue 2 -15/12/16)

Question What type of information will be recorded within the IT system?

Response

The information held within the upgraded IT system to support the management of referrals to OH Assist will be the same information that is required to process referrals today.

The following types of data are held within the system:

• Employee personal data;
• Employee medical records;
• Customer data;
• Customer user account data;
• Referral data for active customers;
• Referral history i.e. Timeline tool and key point information;
• File notes for referrals;
• Interventions and associated appointment details;
• Sessions;
• Activities/requests that may relate to a referral.

3.2.26 Local Access Policy (published Issue 2 -15/12/16)

Question Please provide a copy of your Local Access Policy

Response

OH Assist would be pleased to provide clients with access to policy documentation as part of an on site visit.

3.2.27 Security Incidents (published Issue 2 -15/12/16)

Question In the event of a security incident, how would this be reported to Clients by OH Assist?


Response

In the event of a security incident, OH Assist will immediately notify the named information security contact within the client organisation. An assessment will take place to understand the severity of the incident and the actions required. Regular updates will be provided to the client to inform them of the progress made throughout the investigation process and to advise upon the remedial action undertaken.

Alternatively, where a specific process has been stipulated as part of a contractual agreement with OH Assist, the agreed process will commence immediately following the identification of an incident.

3.2.28 Security of Data (published Issue 3 -25/01/17)

Question Please provide details about the content of the new portal website, so that we can be reassured that the content is unlikely to be blocked by our web gateway or we can put any work in place beforehand to get the site added as an exception if needed.

Response

OH Assist will provide clients with information about the new URL as soon as possible. This will be in the near future. The distribution of the information will provide organisations with an opportunity to share details with their IT providers to ensure that the site is white listed and hence not blocked by client firewalls etc. OH Assist will engage in discussions about any concerns clients may have about 'site content' following the distribution and testing of the URL and further information about client requirements.

3.2.29 Security of Data (published Issue 3 -25/01/17)

Question All suppliers for contracts involving ICT, personal and sensitive information handling contracts are required to be Cyber Essentials Certified. Could you please ask psHEALTH to look at the guidance on GOV.UK and consider working towards achieving Cyber Essentials?

Response

OH Assist will discuss Cyber Essentials with psHEALTH and will encourage them to work towards the Cyber Essentials certification. We cannot fully anticipate the outcome of such conversations but a likely scenario is that a plan is put in place to achieve this certificate within a reasonable time period.

3.2.30 Security of Data (published Issue 3 -25/01/17)

Question How long will personal information be retained by OH Assist?


Response

Personal medical information is retained by OH Assist for an appropriate amount of time in accordance with legal requirements and guidance.

| Type of Records | Current Retention Period |
| --- | --- |
| Occupational Health (sick absence etc...) | 10 years |
| Immunisation Records | 40 years |
| Health Surveillance Records | 40 years |
| Fitness For Work | 10 years |
| Ionising Radiation | 50 years |

The medical records retention policy is applied to records that are held by OH Assist for the period of time that OH Assist has a contractual arrangement with an organisation or where there is no forwarding occupational health provider following the exit of a contract.

Personal information such as name, date of birth etc is associated with the medical record and therefore is retained for the period of time that the record is active.

OH Assist retention policies are not affected by the IT Transformation Project, but will remain under review as industry practice and legal requirements evolve.

Question Is there a retention period built into the IT system?

Response

The IT system upgrade has been designed to capture the date that individual medical records are created and updated. This will support OH Assist to apply the current Medical Record Retention Policy at the appropriate time.

3.2.31 Security of Data (published Issue 3 -25/01/17)

Question How will OH Assist review and securely destroy personal information when it is no longer required?


Response

OH Assist will review and securely destroy all personal information when it is no longer required as this forms part of our ISO27001 certified information security framework and practice. The task will be completed using industry-standard, on-site secure data destruction techniques that include auditable destruction logs and formal certificates of secure deletion/destruction.

3.2.32 Security of Data (published Issue 3 -25/01/17)

Question How will the personal information be stored securely? Include details of where the personal information will be stored and how will it be protected against unauthorised or unlawful disclosure, access, use or modification, loss, destruction or damage of data?

Response

Secure storage of client data is a mandatory requirement for the application and the underlying infrastructure. There are many security controls in place that ensure this, for example multi-tier hosting design with IP-restricted firewalls between servers, network perimeter security controls, NIDS / HIDS features, logical access policy management, encryption of data in transit and at the storage level etc.

The system will also be pen tested at least once per year. All parties involved in the provision and operation of the application (OH Assist, psHEALTH and Rackspace) are fully ISO27001 certified.

3.2.33 Security of Data (published Issue 3 -25/01/17)

Question Is any data sent to any non EEA destination?

Response

No data is sent to any non EEA destination. OH Assist and partners provide UK-based support for the system and software used to provide it. There is no hardware supplied to clients. Any hardware that OH Assist uses to provide the system is supported by UK based contractors.

Technical support is provided that covers the provision of the system, its backend systems, processes and databases and all systems that enable the application to be accessible via the internet.

Procedural Support for use of the service will be provided by OH Assist.

Second Line and Third Line support will be provided by psHEALTH and Rackspace in the UK.

psHEALTH will manage the solution remotely from their UK offices using remote support via desktop technologies.

3.2.34 Security of Data (published Issue 3 -25/01/17)

Question Rackspace is the data centre. Where is this based in the UK?


Response

Rackspace is the hosting provider. Customer data will be stored in the UK, in Rackspace Data Centres in London.

3.2.35 Security of Data (published Issue 3 -25/01/17)

Question Are usernames and password accounts used and changed regularly?

Response

The application requires a username which is comprised of the user’s email address. A strong, complex password is required.

Passwords must meet the following minimum complexity requirements:

• Passwords must be a mixture of alpha and numeric characters
• Passwords must have a minimum of 8 characters
• Passwords must make use of upper and lower case characters
• Passwords must make use of non-alphanumeric characters
• The previous 5 passwords cannot be re-used

The user is required to have a 6 digit numeric PIN, of which the application will ask for 2 random digits during the log on process.

Passwords are hashed using an industry standard hashing algorithm and are stored using the hashed values only. When passwords are entered, they are similarly hashed using the same algorithm, and the result is compared against the stored value.

OH Assist network passwords have an enforced change at 60 days. For the referral portal, password change is not enforced as modern best practice suggests that this harms, rather than enhances, security.

Please see CESG password guidance: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

“Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.”
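The password rules listed in 3.2.35, written out as an added example; this is not code from the FAQ or from the portal. PBKDF2-HMAC-SHA256 and its iteration count are assumptions (the FAQ names no algorithm), all function and class names are hypothetical, and because the FAQ does not say how the PIN is stored, the PIN is simply passed in.

```python
import hashlib
import hmac
import os
import secrets

MIN_LENGTH = 8            # from the FAQ
HISTORY_DEPTH = 5         # from the FAQ: previous 5 passwords cannot be re-used
PBKDF2_ROUNDS = 100_000   # assumption: the FAQ gives no algorithm or cost


def policy_violations(password):
    """Return the complexity rules from 3.2.35 that the candidate breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and digits")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs upper and lower case")
    if all(c.isalnum() for c in password):
        problems.append("needs a non-alphanumeric character")
    return problems


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, record):
    """Re-hash the entered password with the stored salt and compare digests."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    """Holds only salted hashes: the current password plus the retained history."""

    def __init__(self):
        self.history = []  # newest last; entries are (salt, digest)

    def set_password(self, password):
        """Apply the policy; return [] on success or the list of violations."""
        problems = policy_violations(password)
        # Salts differ per entry, so reuse is found by re-hashing the candidate
        # against each retained record rather than by comparing digests.
        if any(matches(password, rec) for rec in self.history[-HISTORY_DEPTH:]):
            problems.append("matches one of the last 5 passwords")
        if problems:
            return problems
        self.history.append(hash_password(password))
        del self.history[:-HISTORY_DEPTH]  # keep no more than five records
        return []

    def verify(self, password):
        return bool(self.history) and matches(password, self.history[-1])


def pin_challenge():
    """Pick two distinct 1-based positions of the 6 digit PIN to ask for."""
    return sorted(secrets.SystemRandom().sample(range(1, 7), 2))


def check_pin_challenge(pin, positions, answers):
    """Compare the digits supplied at log on with the digits at those positions."""
    expected = "".join(pin[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), "".join(answers).encode())


if __name__ == "__main__":
    account = Account()
    # Constructed sample passwords, for illustration only.
    for candidate in ["referral", "Referral2017", "Referral#2017", "Referral#2017"]:
        print(repr(candidate), account.set_password(candidate) or "accepted")
    print("challenge positions:", pin_challenge())
```

Because each stored record has its own salt, the history check costs one hash computation per retained password, which is why the history is trimmed to five entries on every change.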

3.2.36 Security of Data (published Issue 3 -25/01/17)

Question Please provide the supplier’s data Protection Registration Number.

Response

The data Protection registration numbers are as follows;

• OH Assist: ZA142562

• Rackspace: Z5176267

• psHEALTH: ZA002514


3.2.37 Security of Data (published Issue 3 -25/01/17)

Question Have any penetration tests been done on the Rackspace data centre?

Response

Yes, each major platform release is independently tested by the NCC Group. An annual Penetration test is performed on the solution. Any risks identified are rectified or mitigated. Test results can be made available to clients on request.

As the solution is not yet live, it has not been subjected to a penetration test. The platform and similar implementations, provided by psHEALTH and hosted at Rackspace, have been subjected to these tests. The platform will be tested prior to implementation and any risks rectified or mitigated.

3.2.38 Security of Data (published Issue 3 -25/01/17)

Question Is data stored within the OH Assist Data centres encrypted?

Response

Data is encrypted at rest to AES-256 standards and can only be accessed with HTTPS using TLS 1.1 or 1.2.

An SMTP server is used to send outgoing email, including system notifications and email messages sent by process instances. SMTP is secured with SSL/TLS and server authentication.

3.2.39 Security of Data (published Issue 3 -25/01/17)

Question Are the OH Assist Data centres shared or only used by OH Assist?

Response

Hosting for the application will be in a shared data centre provided by Rackspace. The physical servers used are dedicated to OH Assist.

Rackspace is the global leader in enterprise-level hosting services to businesses of all sizes and kinds around the world since 1998 and has grown to serve more than 205,000 customers. Data centres for hosting OH Assist data will be on-shore in the UK. For further information, please refer to www.rackspace.co.uk

3.2.40 Security of Data (published Issue 3 -25/01/17)

Question Will the new OH Assist IT system be a multi-tenancy based solution? If so, how is data kept separate for each client?


Response

The solution has a role-based access control security model that allows relevant users to access client data. Each client is set up as a separate logical entity in the system and all records for that client are registered against that entity.

In addition:

• Clients can only access their own data. Each client account is registered against the relevant client in the system;

• A line manager for a client can only see the referrals they have created or where they are the defined line manager of an employee;

• OH Assist users can see client data for the contracts they are assigned to;

• OH Assist super users will have access to the administration console to change settings e.g. add a new service. This role does not have access to client data; and

• Audit logs and reports are available to review user access and changes.
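
The access rules listed above can be expressed as a single deny-by-default check with an audit record for every decision. The following is an added illustration, not code from OH Assist or psHEALTH; the role names, field names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    role: str                           # assumed role names: line_manager, oh_user, super_user
    client_id: Optional[str] = None     # client entity a client account is registered against
    contracts: frozenset = frozenset()  # clients an OH Assist user is assigned to

@dataclass(frozen=True)
class Referral:
    ref_id: str
    client_id: str
    created_by: str
    line_manager: str

AUDIT_LOG = []  # (user, role, referral, allowed) for every decision

def can_view(user: User, referral: Referral) -> bool:
    """Deny by default and record the decision for later review."""
    if user.role == "line_manager":
        # Tenant check first (assumption: usernames are unique only within a client).
        allowed = (user.client_id == referral.client_id and
                   user.name in (referral.created_by, referral.line_manager))
    elif user.role == "oh_user":
        allowed = referral.client_id in user.contracts
    else:
        allowed = False  # super users and unknown roles get no client data
    AUDIT_LOG.append((user.name, user.role, referral.ref_id, allowed))
    return allowed

def visible_referrals(user: User, referrals) -> list:
    return [r.ref_id for r in referrals if can_view(user, r)]

# Constructed sample records: "j.smith" exists at both client A and client B.
REFERRALS = [
    Referral("R1", "A", created_by="j.smith", line_manager="a.jones"),
    Referral("R2", "A", created_by="a.jones", line_manager="a.jones"),
    Referral("R3", "B", created_by="j.smith", line_manager="j.smith"),
]

if __name__ == "__main__":
    for u in (User("j.smith", "line_manager", "A"),
              User("j.smith", "line_manager", "B"),
              User("oh.nurse", "oh_user", contracts=frozenset({"A"})),
              User("oh.admin", "super_user")):
        print(u.name, u.client_id, visible_referrals(u, REFERRALS))
```

The two "j.smith" accounts show why the client check has to come before any name match: without it, a manager at one client would see a referral created by a same-named user at another.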

3.3 Communications

3.3.1 Client Engagement (published Issue 1 -11/11/16)

Question How do you intend to communicate the changes and engage with your clients?

Response

An initial communication regarding the IT transformation has been issued to all clients, providing information about why the change is required, the benefits of the transformation and the proposed deployment plan. In addition to the initial communication, clients have also been provided with a technical brief regarding the security of data.

Following on from the initial communication, OH Assist intend to issue a Frequently Asked Questions document (FAQ) to clients on a monthly basis. OH Assist would like to invite clients to submit any questions that they may have about the new IT platform via the FAQ mailbox [email protected]. Questions that have been raised and the answers provided will be published in the document on a monthly basis.

Communications will increase in frequency as we approach the launch date of the new system. It is our intention to keep all of our clients fully informed of progress as we move through this transition period.

To support the OH Assist continuous improvement programme and to inform future development of the IT platform, OH Assist would like to invite clients to participate in a working group forum. The working group will be established with a cross section of client stakeholders, who will be given an opportunity to provide feedback on the existing IT referral system to help inform future development of the new referral portal, see an advanced demonstration of the new IT referral portal and feed back any initial observations about the new referral portal.

If your organisation would like to participate in the Working Group Forum, please register your interest via an email to [email protected]. A high level demonstration of the new system will be initially delivered to client representatives at a contract level. The new electronic system will be simple and easy to navigate through; however, a range of electronic training aids will be available to share with portal users.


3.4 Training and Testing

3.4.1 Training (published Issue 1 -11/11/16)

Question Could you tell me more about the training that users of the portal will receive prior to go live?

Response

We anticipate that the new system will be intuitive and easy to use and therefore training for users of the portal will not actually be required. We plan to provide clients with a video demonstration about how to navigate through the system, desk aids with prompts about how to make the most of your referral and a user guide. Upon viewing the training aids available, should you feel that you require any additional support, please send your request to [email protected]. You will be contacted to discuss the options available.

3.4.2 System Testing (published Issue 1 -11/11/16)

Question Does OH Assist intend to provide clients with an opportunity to conduct field acceptance testing for the new IT portal?

Response

Detailed user acceptance testing of the new application is subject to a formal plan that is being implemented and managed very closely. This predominantly involves OH Assist staff and users testing the delivered functionality on an ongoing, iterative basis. Formal user acceptance test cycles are also scheduled and these will comprise full end-to-end testing, in at least 2 full cycles, ahead of launch. Selected external users can also be invited to participate in the acceptance testing of the client-facing features. This can be discussed directly with relevant parties.

3.4.3 Training (published Issue 2 -15/12/16)

Question Are you able to provide a time line for the distribution of new guidance and communications?

Response

Yes, the OH Assist training strategy is currently being developed as we refine our project plans and develop the materials to support the upgrade. It is likely that training for clients will be delivered in the weeks leading up to the go live of the upgrade as it is not expected that there will be much training required. However, a number of steps will need to be completed to ensure effective logging onto the new system prior to go live. At the appropriate time, instructions will be circulated, to provide clients with guidance about how to do this.


Confirmation of the timeline for the distribution of guidance and communications will be issued in the near future and there will be a number of tools available to support any additional activities at that time.

3.4.4 User Acceptance Testing (published Issue 2 -15/12/16)

Question Are you able to provide details of the user acceptance testing schedule?

Response

User Acceptance Testing (UAT) has commenced within the OH Assist Design Team to ensure that the new system features are aligned with the requirements specified. Testing is ongoing and will be continuous following the design and build of each of the service modules. We anticipate that testing will continue until 3rd March 2017. Formal user acceptance test cycles are also scheduled and these will comprise full end-to-end testing throughout March and early April.

Selected external users may also be invited to participate in the testing of client-facing features. This will be discussed directly with relevant parties.

3.4.5 Client Access (published Issue 2 -15/12/16)

Question How will I know if the upgraded referral portal will be accessible from my current system?

Response

If you can currently gain access to the World Wide Web, then you will be able to access the upgraded applications.


3.5 System Design

3.5.1 Additional Managers (published Issue 1 -11/11/16)

Question In the new system will there be the facility to add an additional manager to the referral and will the additional manager be able to view the outcome report?

Response

Yes. The new system will ask the referring manager whether they would like to add an alternative manager to support the referral. The system default will assume that an additional manager is required and where this option is declined a reminder will be provided to the referrer of the benefits in selecting this option.

3.5.2 Future System Changes (published Issue 1 -11/11/16)

Question Is there an opportunity to make changes to the system once implemented?

Response

The initial phase of the IT development will focus on ensuring that the new system will support current processes and protocols for the delivery of services for our clients, but will also offer substantial improvements to enhance the client experience.

Continuous improvement is important to OH Assist. We will continue to work in partnership with our IT partners following the launch of the service to enhance and improve the IT platform for our clients.

Clients with specific requirements for change should make contact with their Strategic Relationship Manager or Service Manager in the first instance. Any system changes that are required as the result of the discussions will be analysed, designed and implemented within the agreed timescales for change.

3.5.3 Single Sign-on (published Issue 1 -11/11/16)

Question I would like to ask whether my organisation is able to request use of the single sign on functionality at the end of Q1.

Response

Although the new system will provide us with the functionality for single sign on, it is not intended that this functionality will be available to clients in preparation for the launch date. It is our intention to replicate current sign on functionality in the first instance; however, development of single sign on will commence post launch and will become available in the near future.

Following on from the launch date, clients with specific requirements for change should make contact with their Strategic Relationship Manager or Service Manager in the first instance. Any system changes that are required as the result of the discussions will be analysed, designed and implemented within the agreed timescales for change.


4 Appendix A Updated ISO Certification for psHEALTH