IT Transformation An FAQ guide to the new OH Assist referral portal
Prepared for: All clients
Date and Issue number: Issue 4 – 21st March 2017
OH Assist | Application Refresh FAQs 1
Contents
1 Document Overview .................................................................................4
1.1 What is happening and how is it being communicated ......................................................... 4
1.2 How to use this document ................................................................................................ 4
1.3 How to submit a question................................................................................................. 4
2 Latest FAQs...............................................................................................5
2.1.1 Launch Date................................................................................................................ 5
2.1.2 Access to the New Portal .............................................................................................. 5
2.1.3 User Accounts and Passwords ....................................................................................... 5
2.1.4 Additional Managers..................................................................................................... 5
2.1.5 Communications .......................................................................................................... 6
2.1.6 Communications .......................................................................................................... 6
2.1.7 Online Booking ............................................................................................................ 6
2.1.8 Penetration Testing...................................................................................................... 7
2.1.9 ISO Certification .......................................................................................................... 7
2.1.10 IP Addresses............................................................................................................ 7
2.1.11 Security - Passwords................................................................................................. 8
2.1.12 Timeline of Activity ................................................................................................... 8
3 Previous FAQs.........................................................................................10
3.1 General Questions ......................................................................................................... 10
3.1.1 Reasons for the IT Change (published Issue 1 -11/11/16) .............................................. 10
3.1.2 New IT Partner (published Issue 1 -11/11/16)............................................................... 10
3.1.3 Deployment Timeline (published Issue 1 -11/11/16) ...................................................... 10
3.1.4 Contingency (published Issue 1 -11/11/16)................................................................... 11
3.1.5 ISO27001 Accreditation (published Issue 1 -11/11/16)................................................... 11
3.1.6 Client Feedback (published Issue 2 -15/12/16).............................................................. 11
3.1.7 Launch Date (published Issue 2 -15/12/16) .................................................................. 12
3.1.8 System Features (published Issue 2 -15/12/16)............................................................. 12
3.1.9 Launch Date (published Issue 3 -25/01/17) .................................................................. 12
3.2 Security........................................................................................................................ 13
3.2.1 Data Security (published Issue 1 -11/11/16) ................................................................. 13
3.2.2 Security Accreditation Process (published Issue 1 -11/11/16).......................................... 13
3.2.3 Security of Accounts (published Issue 1 -11/11/16) ....................................................... 13
3.2.4 Security of Accounts (published Issue 1 -11/11/16) ....................................................... 14
3.2.5 Security of Accounts (published Issue 1 -11/11/16) ....................................................... 14
3.2.6 Security of Accounts (published Issue 1 -11/11/16) ....................................................... 14
3.2.7 Security of Data (published Issue 1 -11/11/16) ............................................................. 14
3.2.8 Security of Data (published Issue 1 -11/11/16) ............................................................. 15
3.2.9 Security of Data (published Issue 1 -11/11/16) ............................................................. 15
3.2.10 Security of Data (published Issue 1 -11/11/16).......................................................... 15
3.2.11 Security of Data (published Issue 1 -11/11/16).......................................................... 16
3.2.12 Security of Data (published Issue 1 -11/11/16).......................................................... 16
3.2.13 Security of Data (published Issue 1 -11/11/16).......................................................... 16
3.2.14 Security of Data (published Issue 1 -11/11/16).......................................................... 17
3.2.15 Security and Transfer of Data (published Issue 1 -11/11/16)....................................... 17
3.2.16 Security and Transfer of Data (published Issue 1 -11/11/16)....................................... 17
3.2.17 Security and Transfer of Data (published Issue 1 -11/11/16)....................................... 17
3.2.18 Destruction of Data (published Issue 1 -11/11/16) ..................................................... 18
3.2.19 Security and 3rd Parties (published Issue 1 -11/11/16)................................................ 18
3.2.20 Security Incident Process (published Issue 1 -11/11/16) ............................................. 18
3.2.21 Security Training (published Issue 1 -11/11/16)......................................................... 19
3.2.22 Security Testing (published Issue 1 -11/11/16).......................................................... 19
3.2.23 Data Protection (published Issue 2 -15/12/16)........................................................... 20
3.2.24 Technical Specification (published Issue 2 -15/12/16)................................................. 20
3.2.25 Data Storage (published Issue 2 -15/12/16) .............................................................. 21
3.2.26 Local Access Policy (published Issue 2 -15/12/16)...................................................... 21
3.2.27 Security Incidents (published Issue 2 -15/12/16) ....................................................... 21
3.2.28 Security of Data (published Issue 3 -25/01/17).......................................................... 22
3.2.29 Security of Data (published Issue 3 -25/01/17).......................................................... 22
3.2.30 Security of Data (published Issue 3 -25/01/17).......................................................... 22
3.2.31 Security of Data (published Issue 3 -25/01/17).......................................................... 23
3.2.32 Security of Data (published Issue 3 -25/01/17).......................................................... 24
3.2.33 Security of Data (published Issue 3 -25/01/17).......................................................... 24
3.2.34 Security of Data (published Issue 3 -25/01/17).......................................................... 24
3.2.35 Security of Data (published Issue 3 -25/01/17).......................................................... 25
3.2.36 Security of Data (published Issue 3 -25/01/17).......................................................... 25
3.2.37 Security of Data (published Issue 3 -25/01/17).......................................................... 26
3.2.38 Security of Data (published Issue 3 -25/01/17).......................................................... 26
3.2.39 Security of Data (published Issue 3 -25/01/17).......................................................... 26
3.2.40 Security of Data (published Issue 3 -25/01/17).......................................................... 26
3.3 Communications............................................................................................................ 27
3.3.1 Client Engagement (published Issue 1 -11/11/16) ......................................................... 27
3.4 Training and Testing...................................................................................................... 28
3.4.1 Training (published Issue 1 -11/11/16)......................................................................... 28
3.4.2 System Testing (published Issue 1 -11/11/16)............................................................... 28
3.4.3 Training (published Issue 2 -15/12/16)......................................................................... 28
3.4.4 User Acceptance Testing (published Issue 2 -15/12/16) ................................................. 29
3.4.5 Client Access (published Issue 2 -15/12/16).................................................................. 29
3.5 System Design .............................................................................................................. 30
3.5.1 Additional Managers (published Issue 1 -11/11/16)........................................................ 30
3.5.2 Future System Changes (published Issue 1 -11/11/16)................................................... 30
3.5.3 Single Sign-on (published Issue 1 -11/11/16)................................................................ 30
4 Appendix A .............................................................................................31
Updated ISO Certification for psHEALTH ..................................................................................... 31
1 Document Overview
1.1 What is happening and how is it being communicated
As a new legal entity, OH Assist Limited, with investment partners CBPE Capital, has made the decision to refresh our entire IT platform to place us as market leaders in technology enabled OH solutions. Changes include a new referral portal that will offer the efficiency of complete automation, client-specific workflow configuration and state of the art real-time reporting.
An initial communication has been issued to clients with information about why the change is required, the benefits of the transformation and our proposed deployment plan. Following on from the initial briefing, OH Assist intends to send out a series of communications to support the upgrade activities on a regular basis, which includes this Frequently Asked Questions (FAQ) document.
The purpose of this document is to provide clients with information about the development and implementation of the IT upgrade and to share questions with corresponding answers that have been raised across our entire client base that may be useful to other clients.
1.2 How to use this document
This document is a communication tool. It will be issued regularly to log and communicate any generic questions from clients alongside the corresponding OH Assist responses.
The most recent set of questions, i.e. questions received since the previous issue of this communication document, can be found within Section 2 ‘Latest FAQs’. We will publish all questions even if we are unable to provide an immediate response – this will avoid duplicate questions being asked. We will respond to every question as quickly as we are able to do so.
Section 3 contains an archive record of all questions and responses from previous issues that are logged under the appropriate subject heading.
Subjects are all accessible from the main contents table.
1.3 How to submit a question
You can communicate your questions via your Strategic Relationship Manager or Service Delivery Manager – as always.
You can also submit your question directly to the project communications team by emailing:
2 Latest FAQs
This is where to find all the latest questions and responses.
2.1.1 Launch Date
Question What date do you intend to launch the upgraded referral portal?
Response
The target date for the deployment of the upgraded referral portal is 2nd May 2017. If there are any changes to the deployment plans, including timescales, we will communicate this at the earliest opportunity.
2.1.2 Access to the New Portal
Question When will we be provided with access details for the upgraded OH portal?
Response
It is anticipated that OH Assist will share the new URL for the portal with our clients in early April 2017. Following receipt of the link, clients may approach their internal IT department to ensure that the site will be accessible to referring managers following the deployment date and not blocked as a result of security concerns. The actual referral portal will still be in development at the point that the URL is shared and will not be accessible via the URL.
2.1.3 User Accounts and Passwords
Question Will user accounts and passwords be migrated to the upgraded portal?
Response
User accounts and passwords will be migrated, so that all referring managers with a current active Vista account will be able to log onto the upgraded referral portal post deployment. Upon accessing the portal, the user will be asked to reset their password as a security measure.
2.1.4 Additional Managers
Question Will the additional manager links be migrated to the upgraded portal, so that additional managers can see the OH referrals currently in progress that they are associated with?
Response
All active user accounts and passwords will be migrated to the new system in preparation for the deployment of the upgrade. In addition, referral data will be migrated. Therefore, if an additional manager is currently associated with an open referral in Vista, all information relating to the referral will be visible to the additional manager in the upgraded referral portal.
2.1.5 Communications
Question What specific messages need to be communicated in the run up to go live (i.e. no referrals or new accounts from 6pm on Friday 28 April)?
Response
Specific messages will need to be shared with users of the service in advance of the system deployment.
All actions recommended to support deployment will be communicated via the OH Assist IT Transformation Newsletter. Issue 1 of the Newsletter recommended that clients provide a high level communication to users of the service to inform them about the pending changes. Further communications will be recommended at the appropriate time.
OH Assist is currently designing training material to support account holders to navigate through the portal. A communication will be required to announce and distribute the training materials.
With regards to specific messages about downtime of the referral portal to support data migration activities, specific details will be shared with clients in due course. It is our intention to schedule any downtime required for migration activity over a weekend, to minimise disruption for our clients.
2.1.6 Communications
Question What support will be available to portal users following the launch of the service? How will clients raise any issues?
Response
Following the business as usual processes, it is anticipated that issues relating to the deployment of the upgraded portal will be reported via the OH Service Helpdesk. The Helpdesk will ensure that calls are logged, referring managers are supported with their enquiries and that issues are escalated if it is appropriate to do so. Escalated issues will be addressed as a matter of urgency and remedial action taken. OH Assist will proactively communicate issues that have been raised to our clients and provide details about the actions taken to address them.
2.1.7 Online Booking
Question The new system will support online booking for the majority of referrals. Does this include WSA/WPA?
Response
No. For services such as Workstation Assessments and Workplace Assessments, the referring manager will not be able to book an appointment using online booking. The request for an assessment will be submitted via the portal, but due to the complexities of the service, OH Assist will hand-hold these particular assessment types and schedule an appointment that is mutually beneficial for the employee and the practitioner that is due to deliver the assessment. It is not possible to predict when and where a Workstation or Workplace Assessment will be required in advance of a referral being submitted. OH Assist is therefore unable to set up an advanced delivery session so that the manager is able to book the appointment immediately following the registration of the referral.
2.1.8 Penetration Testing
Question Could you please provide an update with regards to penetration testing?
Response
OH Assist will not be able to complete penetration testing until early April, once the production environment has been built. This timescale gives us enough time prior to the launch date to address and fix any critical and high risk vulnerabilities, if any are discovered during the penetration testing. If remedial action needs to be taken, we will re-run the test to confirm that all relevant risks and issues have indeed been removed from the solution prior to the 2nd May launch date.
2.1.9 ISO Certification
Question Would you please issue the updated ISO certification for psHEALTH?
Response
Yes, please see Appendix A.
2.1.10 IP Addresses
Question Do you have the facility to restrict IPs? It would be preferable if that were put in place so that access could be further tightened.
Response
We do have the ability to restrict incoming IPs. However, implementing such IP restrictions can be complex (due to the implications on other clients) and can limit access to the site in scenarios where that is not actually desired (for example, when referring managers are working from home or while travelling on business etc). We would be happy to discuss the relative advantages and disadvantages of this approach, to ensure that a mutually acceptable solution is put in place.
2.1.11 Security - Passwords
Question Please clarify whether passwords that are stored are ‘hashed’ and ‘salted’.
Response
The platform uses industry standard password hashing algorithms with random salts. It uses BouncyCastle's implementation of the OpenPGP cryptography suite for password hashing.
2.1.12 Timeline of Activity
Question Are you able to provide a timeline of migration activity for the deployment of the upgraded portal?
Response
Please note that the target dates detailed below are subject to change.
Migration Activity (Target Date): Comments
Product design complete (10/03/17): All design modules due to be complete in preparation for testing.
Commencement of OH Assist internal UAT (13/03/17): OH Assist internal UAT will commence, testing that the development of the system mirrors the design requested.
Data migration activities commence (27/03/17): This includes the transfer of historical referral data etc.
Security accreditation process complete (31/03/17): All security questionnaires to be completed for all clients.
Issue URL for the OH portal to clients (03/04/17): To issue to IT departments to ensure that security protocols do not prevent access to the portal for the end user (please note that the actual referral portal will still be in development and not accessible via the URL at this stage).
System demonstration and training commences (10/04/17): High level demonstrations of the system will be provided and training will begin.
Issue of training materials (14/04/17): Issue of training aids to support system users through the referral process and to navigate through the upgraded portal.
Penetration testing (17/04/17): An executive summary will be shared with clients providing information about the penetration test. Time will be allocated for any remedial action required following on from the test.
Data migration activities (01/05/17): The migration activities will be completed in March and April, with residual data transfer for referrals that are created in the weeks leading up to the launch date.
Target deployment date (02/05/17): Deployment into live operations will commence.
3 Previous FAQs
3.1 General Questions
3.1.1 Reasons for the IT Change (published Issue 1 -11/11/16)
Question Why have OH Assist made the decision to change their current IT platform?
Response
Atos IT Services UK Limited provided a unique purpose built IT referral system for OH Assist to deliver Occupational Health services in 2002.
Our client base and the services we provide have grown over the last 14 years, and our IT system requires significant development to meet the expanding requirements of our business and our clients.
As a new legal entity, OH Assist Limited, with investment partners CBPE Capital, has made the decision to refresh our entire IT platform to place us as market leaders in technology enabled OH solutions.
Changes include a new referral portal used by our clients that will offer the efficiency of complete automation, client-specific configuration and state of the art real-time reporting to support our clients’ business objectives.
After extensive exploration of the market, OH Assist selected healthcare IT experts psHEALTH as our strategic partner for this milestone project.
3.1.2 New IT Partner (published Issue 1 -11/11/16)
Question Why did OH Assist choose psHEALTH as a partner?
Response
Our new IT platform will be provided by our strategic partner, psHEALTH, under a design-build-operate contract model.
We have had an existing relationship with psHEALTH for four years. Working in partnership with OH Assist, psHEALTH is in the process of designing a customised IT platform built on an Appian software platform that will be hosted using Rackspace in the UK.
psHEALTH are contracted to OH Assist to provide our end-to-end IT solution and manage their suppliers Rackspace and Appian. We have ensured that service levels and performance targets are aligned throughout the supply chain.
psHEALTH is the leading provider of cloud-based, customised patient management and workflow solutions to independent healthcare providers in the UK. psHEALTH delivers solutions to a range of organisations including the NHS.
For further information about psHEALTH, please refer to www.pshealth.co.uk
3.1.3 Deployment Timeline (published Issue 1 -11/11/16)
Question What is the launch date of the new application?
Response
OH Assist anticipates that the new system will be in operation at the end of Q1, 2017. The anticipated timeline is based on the progress that has been made so far and a projected estimation as to when all of the future activity required for the deployment has been completed. Within the coming months, OH Assist will be able to provide you with a firm launch date and this question response will be updated accordingly.
3.1.4 Contingency (published Issue 1 -11/11/16)
Question What happens if your IT provider is unable to deliver on the launch date or their system goes down? Does OH Assist have a contingency arrangement?
Response
OH Assist has a contractual agreement with Atos IT Services UK Limited for a period of time that extends beyond the anticipated launch date of the new system. Atos IT Services UK Limited are committed to supporting OH Assist through the transition process to ensure that the transfer of data is achieved prior to the launch date and that there is minimal disruption to the services that we provide to our clients. In the unlikely event that an adverse incident prevents the launch of the new system, services will continue to be delivered by Atos IT Services UK Limited until such a time as the issues are resolved.
3.1.5 ISO27001 Accreditation (published Issue 1 -11/11/16)
Question It is noted that one of the ISO27001 certificates expires in Feb 2017; does OH Assist plan to renew it before it expires? Will the new system comply with the ISO 27001 Information Security Management standard or equivalent?
Response
OH Assist and our IT providers have achieved ISO27001 accreditation. The issue and expiry dates are as follows:
• OH Assist - The current ISO accreditation certificate was issued 30th September and expires 29th September 2019
• psHEALTH - The current ISO accreditation certificate was issued 24th February 2016 and is due to require reaccreditation 24th February 2017.
• Rackspace - The current ISO accreditation certificate was issued 21st October 2015 and is due to require reaccreditation 20th October 2018.
The psHEALTH ISO 27001 re-accreditation is due to take place in January 2017. OH Assist will track progress of the accreditation and update the OH Assist Application and Security document with a copy of the renewed accreditation certificate.
3.1.6 Client Feedback (published Issue 2 -15/12/16)
Question Do you intend to provide your clients with the opportunity to see the portal and give feedback?
Response
Yes, it is our intention to provide clients with an opportunity to view the portal prior to the launch of the system upgrade. The client referral portal is currently in development as we continue to refine the look and feel of the upgrade to ensure that the functionality supports our client needs.
Following the launch of the IT system upgrade, OH Assist will initiate a continuous improvement plan. Feedback that has been provided by clients will be reviewed and will influence how we improve the service offered going forward.
If you would like your organisation to be involved in a webinar to provide feedback on the current Vista system and to see an advance demonstration of the new portal, please register your interest (if you haven’t already done so) by sending an email to [email protected]. Further details will be released to interested parties in January 2017.
3.1.7 Launch Date (published Issue 2 -15/12/16)
Question Please provide confirmation of the timescales for go live.
Response
In previous communications, OH Assist advised that the launch date of the new system is likely to be at the end of Q1. OH Assist is currently reviewing the overall project plan and key milestones. The launch date will be announced in January 2017 following the finalisation of the project plan.
3.1.8 System Features (published Issue 2 -15/12/16)
Question Could you clarify the benefits and added features that the upgraded system will provide for clients?
Response
In the initial communication about the IT Transformation, OH Assist outlined the benefits of the upgrade and provided an initial overview of the anticipated enhancements that will support client referrals. Additional information will be provided to clients in the coming months through a series of communications. OH Assist will provide clients with training aids prior to the launch date that will demonstrate new functionality and provide details about how to navigate through the system.
3.1.9 Launch Date (published Issue 3 -25/01/17)
Question Is April 2017 still the Go Live date for the new portal?
Response
The target date for the deployment of the upgrade into live operations will be shared with clients in the near future. Following the announcement, any changes to the deployment plan including timescales will be communicated to clients at the earliest opportunity.
3.2 Security
3.2.1 Data Security (published Issue 1 -11/11/16)
Question Could OH Assist provide information about the security of data held within the new system?
Response
A Security Information document is available for clients, which addresses perceived concerns with regards to data protection. The document has been distributed to all clients as part of the initial communication process. A copy of the document can be requested via an email to [email protected]. Should your organisation require additional information about data security or would like to talk with an OH Assist IT representative, please detail your requirements in your email.
3.2.2 Security Accreditation Process (published Issue 1 -11/11/16)
Question I am advised that my organisation may be required to undertake a security accreditation process prior to the launch of the new IT platform. Please advise on the steps required to commence this process.
Response
Some of our clients will need to complete a security accreditation process prior to the transfer of employee data from the existing IT platform to the new IT platform. A security information document has been prepared by OH Assist to help inform clients about the new system and the security of the data held within it. Client representatives will need to advise their IT department of the anticipated change and enquire as to whether an accreditation process is required. If further information about the IT platform is required, clients are encouraged to send an email to [email protected]. OH Assist will need to be notified at the earliest opportunity if an accreditation process is required. OH Assist will need to understand how long the accreditation process will take to complete and will need to track progress.
3.2.3 Security of Accounts (published Issue 1 -11/11/16)
Question What is the process for joiners, movers and leavers to ensure only those with business need can access the data via the system?
Response
Users of the OH portal will only have access to data that is relevant to them, i.e. information about an employee that is related to a referral where the user is a primary or secondary referring manager and the employee has provided explicit consent for the user to see the information. Unique user accounts are created for each user using a strict role based security model. This determines what data the user can see and the functionality they have access to. On creation of an account, a user is given the lowest privilege level. Higher access can only be granted by a user administrator. If a higher privilege account is requested, access to data can be controlled by the higher privilege account user.
With regards to OH Assist employees, access to client data is restricted to individuals with specific roles where there is a genuine need to access the information. The company’s HR department follows a formal process for handling changes to employment. In addition, there is a separate procedure for handling all leavers. This includes the recovery of assets and the removal of access rights.
3.2.4 Security of Accounts (published Issue 1 -11/11/16)
Question The HR Advisors have higher privilege admin accounts than line managers. Please advise who controls the admin accounts?
Response
Unique user accounts are created for each user using a strict role based security model. This determines what data the user can see and the functionality they have access to. On creation of an account, a user is given the lowest privilege level. Higher access can only be granted by a user administrator.
For some client organisations, HR Advisors have higher privilege accounts and can activate or deactivate user accounts on behalf of their organisation. To enable higher privilege accounts, the client will need to enlist the support of an OH Assist System Administrator. Higher privilege accounts will be created in line with protocols agreed between the Client OH Contract team and OH Assist.
Administrator Account creation and change activities are stored in an audit log.
3.2.5 Security of Accounts (published Issue 1 -11/11/16)
Question How will users of the system be authenticated?
Response
All client users will have their own individual, unique username and password based accounts. All authentication and identity management will be done using industry-standard secure access management procedures. Extensive access permission features are built into the new application and will ensure that access to features is granted on a 'least privilege' basis.
3.2.6 Security of Accounts (published Issue 1 -11/11/16)
Question Could OH Assist provide clients with an access control policy covering what users can view and amend, and what the different levels of access are?
Response
This is comprehensively addressed by the new application's security framework and the application of OH Assist's logical access management policy, which is implemented, as is industry standard, on the basis of the 'least privilege' principle. This also includes fully auditable logs of all system and data changes that can be used as part of an audit or forensic investigation. OH Assist would be pleased to provide clients with access to policy documentation as part of an on-site visit.
3.2.7 Security of Data (published Issue 1 -11/11/16)
Question What levels of security are offered by the new IT platform to ensure the protection of Data and compliance with the DPA?
Response
The new application contains comprehensive, industry-leading data security features that would be expected from an ISO27001 certified company such as OH Assist. This is documented in great detail within OH Assist's ISO27001 certified information security policy and procedures framework. While OH Assist, as a matter of policy, cannot share the full details of the relevant security controls, we would be happy to provide clients access to the policy documentation as part of an on-site visit. Furthermore, our ISO27001 Statement of Applicability document, which outlines at a high level the security topics and relevant policies and controls, can be made available to clients upon request.
3.2.8 Security of Data (published Issue 1 -11/11/16)
Question Cookies are sent via http. Does this mean they're susceptible to a man in the middle attack and if so, how is this risk mitigated?
Response
Vulnerability to 'man in the middle' attacks can exist due to a variety of system features and configurations. Penetration and vulnerability testing will be conducted ahead of go-live which will explicitly test for this security risk and, if present, corrective actions will be implemented ahead of launch.
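The checks a penetration tester would actually run against the cookie question above are small enough to show. The script below is an added example, not code from OH Assist or psHEALTH: it parses the Set-Cookie headers of a response (the sample headers are constructed) and reports a cookie that can be captured or replaced by a network attacker because it lacks the Secure attribute, is issued over plain http, or the site sends no HSTS header to stop a downgrade.

```python
"""Audit Set-Cookie and transport-security headers of an HTTP response.

Added example, not OH Assist or psHEALTH code. A cookie sent over plain http
can be read and replaced by anyone on the network path; the usual checks a
pentest makes for this are below. The response headers are constructed for
illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: header pairs as an HTTP client library exposes them.
# SESSIONID is hardened; "tracking" is not.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSIONID=0123abcd; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "tracking=xyz; Path=/; Max-Age=31536000"),
]


@dataclass
class Finding:
    subject: str                      # cookie name, or "<transport>"
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, {attribute: value}); attribute
    names are lower-cased, flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(set_cookie: str, served_over_https: bool) -> Finding:
    name, attrs = parse_set_cookie(set_cookie)
    finding = Finding(name)
    if not served_over_https:
        finding.problems.append("issued over plain http: readable and replaceable by a network attacker")
    if "secure" not in attrs:
        finding.problems.append("missing Secure: the browser will also send it over http")
    if "httponly" not in attrs:
        finding.problems.append("missing HttpOnly: readable by page script (XSS)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        finding.problems.append("missing SameSite=Lax/Strict: attached to cross-site requests (CSRF)")
    return finding


def audit_response(headers: List[Tuple[str, str]], served_over_https: bool) -> List[Finding]:
    """Return only the findings that have at least one problem."""
    findings: List[Finding] = []
    names = {k.lower() for k, _ in headers}
    if served_over_https and "strict-transport-security" not in names:
        findings.append(Finding("<transport>", [
            "missing Strict-Transport-Security: a first visit typed as http is still interceptable"]))
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.append(audit_cookie(value, served_over_https))
    return [f for f in findings if f.problems]


if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS, served_over_https=True):
        print(f.subject, "->", "; ".join(f.problems))
```

Run it against the headers your own client records from the portal once the URL is issued; a session cookie that appears in the output with "missing Secure" is the concrete form of the man-in-the-middle exposure the question asks about, independent of whether the page itself was fetched over https.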
3.2.9 Security of Data (published Issue 1 -11/11/16)
Question Have psHEALTH gained Cyber Essentials?
Response
Not at present though psHEALTH would be willing to consider this upon request.
3.2.10 Security of Data (published Issue 1 -11/11/16)
Question Could OH Assist provide assurance that:
- Services intended for the transmission of protectively marked material, or for the protection of systems accredited to store or process protectively marked material, shall be protected and delivered to the standards set out in the Manual of Protective Security (MPS) or equivalent;
- Services comply with the Information Age Government Security Framework or equivalent;
- A Risk Management Accreditation Document Set (RMADS) (as defined in HMG Infosec Standard 2) is provided covering the scope of the Services in the Catalogue, and said RMADS is maintained throughout the term of this Agreement. The RMADS shall be subject to the approval of the Accreditor?
Response
OH Assist provides assurances that all activities relating to the development, deployment and management of the new application, including those aimed at data transmission, retention and destruction, are fully in line with the highest industry standards, applicable legislation and the ISO27001 standard. Specific evaluation against stated requirements and policies is being carried out and suitable assurances will be formally offered as soon as practically possible and in full cooperation with relevant clients.
3.2.11 Security of Data (published Issue 1 -11/11/16)
Question Will you implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure? These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data, having regard to the nature of the Personal Data which is to be protected, and shall comply with the specific procedural requirements for the protection and handling of personal data as set out in HMG IA Standard Number 6 (Protecting Personal Data and Managing Information Risk).
Response
This is a wide-ranging topic that spans several physical and technical security policies and procedures that form part of OH Assist's ISO27001 certified information security framework. All industry-standard requirements for protecting sensitive personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure will be addressed by appropriate organisational and application security features and controls, proportional to the outcomes of the formal privacy impact assessments being conducted as part of OH Assist's secure development policy and risk management framework.
3.2.12 Security of Data (published Issue 1 -11/11/16)
Question Provide clear details on what information is recorded on each system.
Response
The new application will require the gathering of the same type and quantity of information as our current system. OH Assist would be happy to share this detailed documentation upon request.
3.2.13 Security of Data (published Issue 1 -11/11/16)
Question What software programmes are being used and what servers/platforms would they be on?
Response
Full technical specification of this is available in a separate document that can be shared with clients upon request.
3.2.14 Security of Data (published Issue 1 -11/11/16)
Question Could OH Assist provide an audit control policy/strategy to demonstrate how people access the systems, and whether access is monitored or recorded? This ties in with the data protection principles.
Response
This is comprehensively addressed by OH Assist's ISO27001 certified information security framework. Details of all relevant policies, procedures and controls can be provided to clients during an on-site visit.
3.2.15 Security and Transfer of Data (published Issue 1 -11/11/16)
Question Please provide details of plans for moving/migrating live data from the old system to the new system; as this is sensitive data it will need to be risk assessed.
Response
Data Migration is one of the key work streams in OH Assist's application refresh project. The design work relating to this subject is currently underway. OH Assist is compelled to carry this out using the highest security standards, in terms of both secure data transfer to the new platform and secure data destruction in the old platform, as part of its ISO27001 certified information security policy as well as applicable law. Detailed plans can be shared with clients once the full solution is in place.
3.2.16 Security and Transfer of Data (published Issue 1 -11/11/16)
Question How will existing data held on the ATOS IT systems be transferred to the new IT provider?
Response
Data will be transferred via Secure FTP (SFTP).
3.2.17 Security and Transfer of Data (published Issue 1 -11/11/16)
Question The security document states data in transit is protected by https TLS. Does this apply to all attachments?
Response
Yes, TLS encryption will include all attached files.
3.2.18 Destruction of Data (published Issue 1 -11/11/16)
Question At the end of the contractual agreement, how will staff data be destroyed or cleansed to make data irretrievable and unreadable in line with the Security Policy Framework?
Response
Both OH Assist and Atos IT Services UK are ISO27001 certified. All data destruction activities will be conducted using industry standard secure data disposal procedures, in line with the relevant policies that cover data erasure techniques and processes, full audit trails and certificates of secure destruction.
3.2.19 Security and 3rd Parties (published Issue 1 -11/11/16)
Question How will OH Assist ensure 3rd party compliance with security requirements?
Response
Subcontractors are required to complete a contract containing relevant confidentiality clauses.
OH Assist quality assure and robustly manage all of our strategic partners to ensure their service, security arrangements and quality reach the same high standards we expect of ourselves.
We carry out monthly performance reviews with subcontractors to ensure that performance is in line with the expectations both we and our customers hold.
Our supplier management approach is based on:
• Clarity of performance, security and quality expectations, with monthly reviews based on robust data;
• Ownership of the Customer-Supplier relationship on both sides with transparent, mature engagement at multiple levels; and
• Joint action planning and forecasting of future needs, including regular innovation sessions where suppliers present the latest trends/opportunities in their area of expertise.
Our relationship with all suppliers is managed in a structured, open and collaborative way. Clear communication to ensure subcontractors understand what is required of them is critical, and the objectives set for the provision of services are a key element of the formal governance procedures we have in place.
3.2.20 Security Incident Process (published Issue 1 -11/11/16)
Question Can you outline the security incident process for OH Assist/psHEALTH?
Response
Comprehensive security incident management process policy and procedures are in place, as part of OH Assist's ISO27001 certified information security framework. Much of this documentation is considered confidential and sensitive, as it contains information that could potentially be exploited by 3rd parties. Hence, OH Assist cannot openly share such documentation but would be happy to provide access to it as part of an on-site visit.
3.2.21 Security Training (published Issue 1 -11/11/16)
Question Can you provide details of the staff training provided to OH Assist employees to ensure that staff are aware of the confidential nature of the data?
Response
OH Assist fully endorses the principles of the Data Protection Act 1998, and ensures that all of our staff are aware of the company’s and their own responsibilities under the Act.
Data Protection registration: OH Assist is registered with the Information Commissioner's Office for multiple instances of Data Processor and Data Owner. Our registration number is ZA142562.
OH Assist has an appointed Data Protection Manager and a Data Protection policy that documents how data should be handled and treated by employees within the organisation. Data shall only be held, processed and communicated in accordance with the terms of our entry on the Data Protection Register.
OH Assist users are made aware of the various risks associated with using laptops outside of the office through information security awareness and training. This includes what information should and should not be stored on the laptop, protection of the asset against loss, theft or damage, preventing breaches of confidentiality, and other security risks of which users should be aware.
The company’s UK Information Security Policy contains clear statements about the responsibilities of employees, including those who manage other staff and those with other specific roles.
New, amended and retired policies are communicated to members of staff through the company's weekly bulletin, which all members of staff receive. Policies are also highlighted and discussed at regularly scheduled Site Security Forums.
Adherence to company policies is a contractual requirement and is also included in our contracts with our subcontractors. At induction new members of staff are required to sign to say that they have read and understood the company's security policy.
All reported security breaches are properly investigated and disciplinary action is taken when appropriate. Security policies make it clear that failure to comply may be treated as a disciplinary offence.
The company’s HR department follow a formal process for handling changes to employment. In addition there is a separate procedure for handling all leavers. This includes the recovery of assets and the removal of access rights.
3.2.22 Security Testing (published Issue 1 -11/11/16)
Question Is it possible for OH Assist to provide a copy of the penetration test report for the new system?
Response
The IT Transformation project is still in the development phase and it is therefore not possible to conduct an independent penetration test of the new system at this time. Upon completion of the development phase, a penetration test will be scheduled into the project plan and will take place ahead of the launch date. An Executive Summary with information about the penetration and vulnerability tests will be made available to clients upon request.
3.2.23 Data Protection (published Issue 2 -15/12/16)
Question Please confirm your plans to meet the robust challenges of the new EU – General Data Protection Regulation in May 2018
Response
OH Assist has commissioned an independent Data Protection expert to provide an overview of current levels of adherence with the Data Protection Act (1998). The methodology undertaken to produce the review was based upon the Information Commissioner's (ICO) Data Privacy toolkit and adherence with the Data Privacy Principles. This review also took into account the current understanding of the GDPR.
The review focussed upon the key areas stipulated by the ICO Data Privacy Toolkit and enshrined in the Data Privacy Principles, with the exception of marketing requirements, as this is not undertaken by OH Assist:
• Data Protection Assurance
• Records Management
• Information Security
• Data Sharing and Subject Access.
The review found that all of the above areas are compliant with the provisions stipulated within the current Data Protection Act 1998. The Information Commissioner's Office has stated that organisations that have a high level of compliance with Data Privacy will have an easier transition to meet the requirements of the GDPR.
OH Assist acknowledges that changes will be needed to comply fully with the GDPR in terms of updating ‘fair processing notices’, updating Data Protection policies, changes to the Subject Access Request procedures, the introduction of the Privacy by Design and Default provisions. This is currently the case with many EU organisations.
A detailed plan for implementation is in the pipeline following this initial Data Privacy Review. OH Assist already has strong governance and leadership in place overseeing Data Privacy and Security compliance, which is a prerequisite for driving the changes needed for GDPR compliance. OH Assist is confident that GDPR compliance will be achieved by the time the regulation comes into force in May 2018.
3.2.24 Technical Specification (published Issue 2 -15/12/16)
Question Please provide the technical specification for the new system
Response
A document providing details of the system upgrade requirements and high level specification is available to clients upon request. Please email [email protected] to obtain a copy of the document.
3.2.25 Data Storage (published Issue 2 -15/12/16)
Question What type of information will be recorded within the IT system?
Response
The information held within the upgraded IT system to support the management of referrals to OH Assist will be the same information that is required to process referrals today.
The following types of data are held within the system:
• Employee personal data;
• Employee medical records;
• Customer data;
• Customer user account data;
• Referral data for active customers;
• Referral history, i.e. Timeline tool and key point information;
• File notes for referrals;
• Interventions and associated appointment details;
• Sessions;
• Activities/requests that may relate to a referral.
3.2.26 Local Access Policy (published Issue 2 -15/12/16)
Question Please provide a copy of your Local Access Policy
Response
OH Assist would be pleased to provide clients with access to policy documentation as part of an on-site visit.
3.2.27 Security Incidents (published Issue 2 -15/12/16)
Question In the event of a security incident, how would this be reported to Clients by OH Assist?
Response
In the event of a security incident, OH Assist will immediately notify the named information security contact within the client organisation. An assessment will take place to understand the severity of the incident and the actions required. Regular updates will be provided to the client to inform them of the progress made throughout the investigation process and to advise upon the remedial action undertaken.
Alternatively, where a specific process has been stipulated as part of a contractual agreement with OH Assist, the agreed process will commence immediately following the identification of an incident.
3.2.28 Security of Data (published Issue 3 -25/01/17)
Question Please provide details about the content of the new portal website, so that we can be reassured that the content is unlikely to be blocked by our web gateway, or we can put any work in place beforehand to get the site added as an exception if needed.
Response
OH Assist will provide clients with information about the new URL as soon as possible. This will be in the near future. The distribution of the information will provide organisations with an opportunity to share details with their IT providers to ensure that the site is whitelisted and hence not blocked by client firewalls etc. OH Assist will engage in discussions about any concerns clients may have about 'site content' following the distribution and testing of the URL and further information about client requirements.
3.2.29 Security of Data (published Issue 3 -25/01/17)
Question All suppliers for contracts involving ICT, personal and sensitive information handling are required to be Cyber Essentials Certified. Could you please ask psHEALTH to look at the guidance on GOV.UK and consider working towards achieving Cyber Essentials?
Response
OH Assist will discuss Cyber Essentials with psHEALTH and will encourage them to work towards the Cyber Essentials certification. We cannot fully anticipate the outcome of such conversations, but a likely scenario is that a plan is put in place to achieve this certificate within a reasonable time period.
3.2.30 Security of Data (published Issue 3 -25/01/17)
Question How long will personal information be retained by OH Assist?
Response
Personal medical information is retained by OH Assist for an appropriate amount of time in accordance with legal requirements and guidance.

Type of Records                            Current Retention Period
Occupational Health (sick absence etc.)    10 years
Immunisation Records                       40 years
Health Surveillance Records                40 years
Fitness For Work                           10 years
Ionising Radiation                         50 years
The medical records retention policy is applied to records that are held by OH Assist for the period of time that OH Assist has a contractual arrangement with an organisation, or where there is no forwarding occupational health provider following the exit of a contract.
Personal information such as name, date of birth etc. is associated with the medical record and therefore is retained for the period of time that the record is active.
OH Assist retention policies are not affected by the IT Transformation Project, but will remain under review as industry practice and legal requirements evolve.
Question Is there a retention period built into the IT system?
Response
The IT system upgrade has been designed to capture the date that individual medical records are created and updated. This will support OH Assist in applying the current Medical Record Retention Policy at the appropriate time.
3.2.31 Security of Data (published Issue 3 -25/01/17)
Question How will OH Assist review and securely destroy personal information when it is no longer required?
Response
OH Assist will review and securely destroy all personal information when it is no longer required, as this forms part of our ISO27001 certified information security framework and practice. The task will be completed using industry-standard, on-site secure data destruction techniques that include auditable destruction logs and formal certificates of secure deletion/destruction.
3.2.32 Security of Data (published Issue 3 -25/01/17)
Question How will the personal information be stored securely? Include details of where the personal information will be stored and how it will be protected against unauthorised or unlawful disclosure, access, use or modification, loss, destruction or damage of data.
Response
Secure storage of client data is a mandatory requirement for the application and the underlying infrastructure. There are many security controls in place that ensure this, for example multi-tier hosting design with IP-restricted firewalls between servers, network perimeter security controls, NIDS/HIDS features, logical access policy management, encryption of data in transit and at the storage level etc. The system will also be pen tested at least once per year. All parties involved in the provision and operation of the application (OH Assist, psHEALTH and Rackspace) are fully ISO27001 certified.
3.2.33 Security of Data (published Issue 3 -25/01/17)
Question Is any data sent to any non EEA destination?
Response
No data is sent to any non EEA destination. OH Assist and partners provide UK-based support for the system and software used to provide it. There is no hardware supplied to clients. Any hardware that OH Assist uses to provide the system is supported by UK based contractors.
Technical support is provided that covers the provision of the system, its backend systems, processes and databases and all systems that enable the application to be accessible via the internet.
Procedural Support for use of the service will be provided by OH Assist.
Second Line and Third Line support will be provided by psHEALTH and Rackspace in the UK.
psHEALTH will manage the solution remotely from their UK offices using remote support via desktop technologies.
3.2.34 Security of Data (published Issue 3 -25/01/17)
Question Rackspace is the data centre. Where is this based in the UK?
Response
Rackspace is the hosting provider. Customer data will be stored in the UK, in Rackspace Data Centres in London.
3.2.35 Security of Data (published Issue 3 -25/01/17)
Question Are usernames and password accounts used and changed regularly?
Response
The application uses the user's email address as the username. A strong, complex password is required.
Passwords must meet the following minimum complexity requirements:
• Passwords must be a mixture of alphabetic and numeric characters
• Passwords must have a minimum of 8 characters
• Passwords must make use of upper and lower case characters
• Passwords must make use of non-alphanumeric characters
• The last 5 passwords cannot be re-used
The user is also required to have a 6-digit numeric PIN, of which the application will ask for 2 random digits during the log-on process.
Passwords are hashed using an industry standard hashing algorithm and are stored using the hashed values only. When passwords are entered, they are similarly hashed using the same algorithm, and the result is compared against the stored value.
OH Assist network passwords have an enforced change at 60 days. For the referral portal, password change is not enforced as modern best practice suggests that this harms, rather than enhances security.
Please see CESG password guidance: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf
"Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise."
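The policy above (complexity rules, a five-password history, salted hashing, and a two-digit challenge from a six-digit PIN) is concrete enough to be written down as code. The following is an added example, not the portal's own implementation: the hashing uses PBKDF2-HMAC-SHA256 because the FAQ names only "an industry standard hashing algorithm", and the PIN storage scheme (one keyed HMAC per pair of positions) is an assumption, chosen to show how a two-digit challenge can be answered without keeping the PIN in clear. Note the caveat it makes visible: each digit pair has only 100 possible values, so such a table is only as safe as the server-side key, and anyone who watches several logins learns the PIN two digits at a time.

```python
"""Password policy, hashing and partial-PIN challenge for a login flow.

Added example, not the portal's own code. It encodes the rules listed above
(letters and digits, upper and lower case, a non-alphanumeric character, at
least 8 characters, none of the last 5 reused), stores passwords as salted
PBKDF2-HMAC-SHA256 hashes, and verifies two random digits of a 6-digit PIN.
How the real portal stores the PIN is not stated; the per-pair HMAC table is
an assumption that shows one way to answer a two-digit challenge without
keeping the PIN in clear.
"""
import hashlib
import hmac
import os
import random
from itertools import combinations
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 200_000   # kept modest for the example; OWASP currently advises 600,000
PIN_LENGTH = 6
HISTORY_DEPTH = 5


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_policy_violations(password: str, previous_hashes: List[str]) -> List[str]:
    """List every rule the candidate password breaks; an empty list means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must mix alphabetic and numeric characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("must use both upper and lower case")
    if not any(not c.isalnum() for c in password):
        problems.append("must contain a non-alphanumeric character")
    if any(verify_password(password, h) for h in previous_hashes[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def enrol_pin(pin: str, server_key: bytes) -> Dict[Tuple[int, int], str]:
    """Store one keyed HMAC per pair of PIN positions (15 pairs for 6 digits).
    The server-side key matters: each pair has only 100 possible values, so an
    unkeyed hash table would be brute-forced instantly if the database leaked."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be exactly 6 digits")
    table = {}
    for i, j in combinations(range(PIN_LENGTH), 2):
        msg = f"{i},{j}:{pin[i]}{pin[j]}".encode()
        table[(i, j)] = hmac.new(server_key, msg, "sha256").hexdigest()
    return table


def pin_challenge() -> Tuple[int, int]:
    """Pick two distinct positions (0-based) with a CSPRNG; the login page asks for these."""
    i, j = sorted(random.SystemRandom().sample(range(PIN_LENGTH), 2))
    return i, j


def verify_pin_response(table: Dict[Tuple[int, int], str], server_key: bytes,
                        positions: Tuple[int, int], digits: str) -> bool:
    """Check the two digits typed for the challenged positions.
    Inherent limit of partial-PIN schemes: an attacker who observes several
    logins recovers the whole PIN two digits at a time."""
    i, j = positions
    msg = f"{i},{j}:{digits}".encode()
    return hmac.compare_digest(table[(i, j)], hmac.new(server_key, msg, "sha256").hexdigest())


if __name__ == "__main__":
    history = [hash_password("Old-Passw0rd")]
    print(password_policy_violations("Old-Passw0rd", history))   # reused password is rejected
    key = os.urandom(32)
    table = enrol_pin("493017", key)
    pos = pin_challenge()
    print(pos, verify_pin_response(table, key, pos, "".join("493017"[p] for p in pos)))
```

The history check has to run the full hash for each remembered password, which is the cost of not storing anything reversible; keep the server key for the PIN table out of the database that holds the table, or the keyed HMACs buy nothing.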
3.2.36 Security of Data (published Issue 3 -25/01/17)
Question Please provide the supplier’s data Protection Registration Number.
Response
The data Protection registration numbers are as follows;
• OH Assist: ZA142562
• Rackspace: Z5176267
• psHEALTH: ZA002514
3.2.37 Security of Data (published Issue 3 -25/01/17)
Question Have any penetration tests been done on the Rackspace data centre?
Response
Yes, each major platform release is independently tested by the NCC Group. An annual Penetration test is performed on the solution. Any risks identified are rectified or mitigated. Test results can be made available to clients on request.
As the solution is not yet live, it has not been subjected to a penetration test. The platform and similar implementations, provided by psHEALTH and hosted at Rackspace, have been subjected to these tests. The platform will be tested prior to implementation and any risks rectified or mitigated.
3.2.38 Security of Data (published Issue 3 -25/01/17)
Question Is data stored within the OH Assist Data centres encrypted?
Response
Data is encrypted at rest to AES-256 standards and can only be accessed over HTTPS using TLS 1.1 or 1.2.
An SMTP server is used to send outgoing email, including system notifications and email messages sent by process instances. SMTP is secured with SSL/TLS and server authentication.
3.2.39 Security of Data (published Issue 3 -25/01/17)
Question Are the OH Assist Data centres shared or only used by OH Assist?
Response
Hosting for the application will be in a shared data centre provided by Rackspace. The physical servers used are dedicated to OH Assist.
Rackspace is the global leader in enterprise-level hosting services to businesses of all sizes and kinds around the world since 1998 and has grown to serve more than 205,000 customers. Data centres for hosting OH Assist data will be on-shore in the UK. For further information, please refer to www.rackspace.co.uk
3.2.40 Security of Data (published Issue 3 -25/01/17)
Question Will the new OH Assist IT system be a multi-tenancy based solution? If so, how is data kept separate for each client?
Response
The solution has a role-based access control security model that allows relevant users to access client data. Each client is set up as a separate logical entity in the system and all records for that client are registered against that entity.
In addition:
• Clients can only access their own data. Each client account is registered against the relevant client in the system;
• A line manager for a client can only see the referrals they have created or where they are the defined line manager of an employee;
• OH Assist users can see client data for the contracts they are assigned to;
• OH Assist super users will have access to the administration console to change settings, e.g. add a new service. This role does not have access to client data; and
• Audit logs and reports are available to review user access and changes.
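The access model stated here and in 3.2.3/3.2.4 (lowest privilege by default, records registered against one client entity, line managers limited to their own referrals, OH Assist users limited to assigned contracts, super users with no client data, every decision auditable) is the kind of thing worth checking with a handful of test cases rather than trusting from a description. The following is an added example, not the portal's code; the clients, users and referrals in it are constructed, and the one deliberate trap (a user id reused under a second tenant) shows why the tenant check must come before the role rule.

```python
"""Tenant-scoped, role-based access checks with an audit trail.

Added example, not the portal's code. It models the rules stated in 3.2.3,
3.2.4 and 3.2.40: every record is registered against one client entity, a
line manager sees only referrals they created or are the defined line
manager for, OH Assist users see only the clients whose contracts they are
assigned to, super users get the admin console but no client data, and every
access decision is logged. Clients, users and referrals below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

LINE_MANAGER, OH_USER, OH_SUPERUSER = "line_manager", "oh_user", "oh_superuser"


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    client_id: str = ""                        # tenant a client account is registered against
    contracts: FrozenSet[str] = frozenset()    # clients an OH Assist user is assigned to


@dataclass(frozen=True)
class Referral:
    referral_id: str
    client_id: str          # the client entity the record belongs to
    created_by: str
    line_manager_id: str


# (who, what, action, allowed): appended on every decision, including denials
AUDIT_LOG: List[Tuple[str, str, str, bool]] = []


def can_view_referral(user: User, referral: Referral) -> bool:
    """Deny by default; tenant check first, then the role rule."""
    if user.role == LINE_MANAGER:
        allowed = (referral.client_id == user.client_id
                   and user.user_id in (referral.created_by, referral.line_manager_id))
    elif user.role == OH_USER:
        allowed = referral.client_id in user.contracts
    else:
        allowed = False   # super users (and any unknown role) never read client data
    AUDIT_LOG.append((user.user_id, referral.referral_id, "view_referral", allowed))
    return allowed


def can_use_admin_console(user: User) -> bool:
    return user.role == OH_SUPERUSER


def visible_referrals(user: User, referrals: List[Referral]) -> List[str]:
    return [r.referral_id for r in referrals if can_view_referral(user, r)]


# Constructed sample data: two client tenants, "acme" and "globex".
LM_ALICE = User("lm_alice", LINE_MANAGER, client_id="acme")
LM_BOB = User("lm_bob", LINE_MANAGER, client_id="acme")
OH_CAROL = User("oh_carol", OH_USER, contracts=frozenset({"acme"}))
SUPER_DAN = User("super_dan", OH_SUPERUSER)

REFERRALS = [
    Referral("R1", "acme", created_by="lm_alice", line_manager_id="lm_alice"),
    Referral("R2", "acme", created_by="lm_bob", line_manager_id="lm_alice"),
    Referral("R3", "acme", created_by="lm_bob", line_manager_id="lm_bob"),
    Referral("R4", "globex", created_by="lm_eve", line_manager_id="lm_eve"),
    # Same user id as Alice but under another tenant: the client check alone must stop it.
    Referral("R5", "globex", created_by="lm_alice", line_manager_id="lm_alice"),
]

if __name__ == "__main__":
    for u in (LM_ALICE, LM_BOB, OH_CAROL, SUPER_DAN):
        print(u.user_id, visible_referrals(u, REFERRALS), "admin console:", can_use_admin_console(u))
```

When validating a real deployment, the same cases translate directly into acceptance tests: log in as each role, request a referral that belongs to another tenant or another manager by its identifier, and confirm both the refusal and the corresponding audit entry.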
3.3 Communications
3.3.1 Client Engagement (published Issue 1 -11/11/16)
Question How do you intend to communicate the changes and engage with your clients?
Response
An initial communication regarding the IT transformation has been issued to all clients, providing information about why the change is required, the benefits of the transformation and the proposed deployment plan. In addition to the initial communication, clients have also been provided with a technical brief regarding the security of data.
Following on from the initial communication, OH Assist intend to issue a Frequently Asked Questions document (FAQ) to clients on a monthly basis. OH Assist would like to invite clients to submit any questions that they may have about the new IT platform via the FAQ mailbox [email protected]. Questions that have been raised and the answers provided will be published in the document on a monthly basis.
Communications will increase in frequency as we approach the launch date of the new system. It is our intention to keep all of our clients fully informed of progress as we move through this transition period.
To support the OH Assist continuous improvement programme and to inform future development of the IT platform, OH Assist would like to invite clients to participate in a working group forum. The working group will be established with a cross section of client stakeholders and will be given an opportunity to provide feedback on the existing IT referral system to help inform future development of the new referral portal, see an advance demonstration of the new IT referral portal, and feed back any initial observations about it.
If your organisation would like to participate in the Working Group Forum, please register your interest via an email to [email protected]. A high level demonstration of the new system will initially be delivered to client representatives at a contract level. The new electronic system will be simple and easy to navigate; however, a range of electronic training aids will be available to share with portal users.
3.4 Training and Testing
3.4.1 Training (published Issue 1 -11/11/16)
Question Could you tell me more about the training that users of the portal will receive prior to go live?
Response
We anticipate that the new system will be intuitive and easy to use and therefore training for users of the portal will not actually be required. We plan to provide clients with a video demonstration about how to navigate through the system, desk aids with prompts about how to make the most of your referral, and a user guide. Upon viewing the training aids available, should you feel that you require any additional support, please send your request to [email protected]. You will be contacted to discuss the options available.
3.4.2 System Testing (published Issue 1 -11/11/16)
Question Does OH Assist intend to provide clients with an opportunity to conduct field acceptance testing for the new IT portal?
Response
Detailed user acceptance testing of the new application is subject to a formal plan that is being implemented and managed very closely. This predominantly involves OH Assist staff and users testing the delivered functionality on an ongoing, iterative basis. Formal user acceptance test cycles are also scheduled and these will comprise full end-to-end testing, in at least 2 full cycles, ahead of launch. Selected external users can also be invited to participate in the acceptance testing of the client-facing features. This can be discussed directly with relevant parties.
3.4.3 Training (published Issue 2 -15/12/16)
Question Are you able to provide a timeline for the distribution of new guidance and communications?
Response
Yes, the OH Assist training strategy is currently being developed as we refine our project plans and develop the materials to support the upgrade. It is likely that training for clients will be delivered in the weeks leading up to the go live of the upgrade, as it is not expected that much training will be required. However, a number of steps will need to be completed to ensure effective logging on to the new system prior to go live. At the appropriate time, instructions will be circulated to provide clients with guidance about how to do this.
Confirmation of the timeline for the distribution of guidance and communications will be issued in the near future, and a number of tools will be available at that time to support any additional activities.
3.4.4 User Acceptance Testing (published Issue 2 - 15/12/16)
Question
Are you able to provide details of the user acceptance testing schedule?
Response
User Acceptance Testing (UAT) has commenced within the OH Assist Design Team to ensure that the new system features are aligned with the specified requirements. Testing is ongoing and will continue following the design and build of each of the service modules; we anticipate that it will continue until 3rd March 2017. Formal user acceptance test cycles are also scheduled and will comprise full end-to-end testing throughout March and early April.
Selected external users may also be invited to participate in the testing of client-facing features. This will be discussed directly with the relevant parties.
3.4.5 Client Access (published Issue 2 - 15/12/16)
Question
How will I know if the upgraded referral portal will be accessible from my current system?
Response
If you can currently gain access to the World Wide Web from your system, you will be able to access the upgraded applications.
3.5 System Design
3.5.1 Additional Managers (published Issue 1 - 11/11/16)
Question
In the new system, will there be a facility to add an additional manager to the referral, and will the additional manager be able to view the outcome report?
Response
Yes. The new system will ask the referring manager whether they would like to add an additional manager to support the referral. The system default will assume that an additional manager is required; where this option is declined, the referrer will be reminded of the benefits of selecting it.
3.5.2 Future System Changes (published Issue 1 - 11/11/16)
Question
Is there an opportunity to make changes to the system once it is implemented?
Response
The initial phase of the IT development will focus on ensuring that the new system supports current processes and protocols for the delivery of services to our clients, while also offering substantial improvements to enhance the client experience.
Continuous improvement is important to OH Assist. We will continue to work in partnership with our IT partners following the launch of the service to enhance and improve the IT platform for our clients.
Clients with specific requirements for change should contact their Strategic Relationship Manager or Service Manager in the first instance. Any system changes required as a result of those discussions will be analysed, designed and implemented within the agreed timescales for change.
3.5.3 Single Sign-on (published Issue 1 - 11/11/16)
Question
I would like to ask whether my organisation is able to request use of the single sign-on functionality at the end of Q1.
Response
Although the new system will provide the functionality for single sign-on, it is not intended that this functionality will be available to clients at launch. Our intention is to replicate the current sign-on functionality in the first instance; development of single sign-on will commence post launch and it will become available in the near future.
Following the launch date, clients with specific requirements for change should contact their Strategic Relationship Manager or Service Manager in the first instance. Any system changes required as a result of those discussions will be analysed, designed and implemented within the agreed timescales for change.
4 Appendix A Updated ISO Certification for psHEALTH