
Post audit review: Dr Foster

This report provides the formal closure of the data sharing audit at Dr Foster in October 2019.

Audit summary

This report provides the formal closure of the data sharing audit of Dr Foster on 30 and 31 October 2019 against the requirements of both: 

  • the data sharing framework contract (DSFC) CON-321664-Q8L0R 
  • the data sharing agreement (DSA) NIC-368020-R5L2K-v6.11 

This DSA covers the provision of the following datasets:

Dataset: Summary Hospital level Mortality Indicator (SHMI)
Classification of data: Anonymised/Pseudonymised
Dataset period: April 2016 – January 2020

The Controller is Dr Foster.

Further guidance on the terms used in this post audit review report can be found in version 3 of the NHS Digital Data Sharing Audit Guide.

Post audit review

This post audit review comprised a desk-based assessment of the action plan and supporting evidence supplied by Dr Foster between August 2020 and March 2021.

Post audit review outcome

Based on the evidence provided by Dr Foster, the Audit Team has closed all the findings. Therefore, no further action is required by the Audit Team and Dr Foster.

Updated risk statement

Based on the results of the post audit review the risk statement has been reassessed against the options of Critical - High - Medium - Low.

Original risk statement: Low

Current risk statement: Low


Data recipient’s acceptance statement

Dr Foster has reviewed this report and confirmed that it is accurate.


Status

The following table identifies 3 agreement nonconformities and 3 organisation nonconformities raised as part of the original audit. 

Ref: 1
Finding: The antivirus database file on one of the sampled laptops was out of date and had not been identified through the management console. It was reported by Dr Foster that an initial investigation had shown this issue was limited to a small number of machines that were not used to process data provided by NHS Digital.
Link to area: Access control
Update: Dr Foster stated that the issue identified in the audit was related to a new antivirus (AV) server which was in testing and was managing only those laptops identified as having an out-of-date definition. The AV vendor has restored protection to the AV server and to the 3 affected laptops.
A screenshot of the current AV dashboard, provided to the Audit Team, showed 8 non-compliant workstations. However, Dr Foster reported that these workstations are currently turned off as users are either on leave or off sick, and these workstations will auto-update when next turned on.
Dr Foster reported that it is migrating to a new AV provider. Screenshots for the new AV management dashboard were also provided to the Audit Team.
Dr Foster stated that twice-weekly checks are in place for both AV solutions, in addition to ad-hoc alerting and monitoring.
Designation: Agreement nonconformity
Status: Closed

Ref: 2
Finding: The SEFT access credentials are being shared across a small number of staff members who have approval to access the data supplied by NHS Digital. Currently SEFT only allows an organisation to have a single set of credentials, which are not to be shared.
Link to area: Access control
Update: Following the audit, the SEFT credentials were re-issued by NHS Digital to the named contact. Dr Foster confirmed that these credentials are now held only by the named contact.
Designation: Agreement nonconformity
Status: Closed

Ref: 3
Finding: Processed SHMI data transferred between two Dr Foster datacentres is not being encrypted, as the organisation has a dedicated secure private connection. Clause 4.6 of the DSFC states that data transferred electronically is encrypted using the Advanced Encryption Standard (AES) 256-bit specification.
Link to area: Information transfer
Update: Dr Foster has installed an encrypted link between its two datacentres which conforms to the requirements of the DSFC. A copy of the high-level design and screenshots showing the encryption settings of the endpoints were provided to the Audit Team.
Designation: Agreement nonconformity
Status: Closed

Ref: 4
Finding: An old version of the Information Security Policy was on the SharePoint site.
Link to area: Operational management
Update: The latest version of the Information Security Policy, v5.0, was published on 28 May 2020. Dr Foster supplied a screenshot of its SharePoint site which showed that this new version was available to staff.
Designation: Organisation nonconformity
Status: Closed

Ref: 5
Finding: The patching of critical updates as referenced in the Network Operations Policy does not reflect current practice. The same statement is reproduced in the current draft of the policy.
Link to area: Operational management
Update: The requirements around patching have been amended in the latest version of the Network and System Security Policy, v4.0, which was published on 10 July 2020. This new policy is consistent with the organisation's approach to patching cycles and states that patches which are not applied in accordance with the patching policy will trigger a security incident.
Designation: Organisation nonconformity
Status: Closed

Ref: 6
Finding: A small number of policies are beyond their review date. This is a known issue and is being tracked through the reporting system, and updated policies are in draft.
Link to area: Operational management
Update: Dr Foster provided an extract from its Information Security Management System Document Control record to the Audit Team. This extract showed all the policies were currently within their review date.
Designation: Organisation nonconformity
Status: Closed

Disclaimer

NHS Digital takes all reasonable care to ensure that this audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. NHS Digital cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.

Last edited: 25 June 2021 3:14 pm