Can I Use Personal Devices for Work and With Patient Information?

 

Since remote working is not the general practices, it will often be the case that there are not enough laptops to support all practice staff to work from home.

NHSX Confirm that you can use your own devices to support video conferencing for consultations, mobile messaging and home working where there is no practical alternative.

What Alternatives Are There to Using Personal Devices?

Some CCGs (Norfolk and Waveney) are supporting practices to take CSU issued desktop PCs home and some guidance on this can be found here.

How Can I Ensure that I Am Using My Personal Laptop or Computer Safely and Securely?

  • By setting a strong password

  • By using secure channels to communicate e.g. tools/apps that use encryption

  • Not storing personal/confidential patient information on the device unless absolutely necessary and appropriate security is in place.

  • Information should be safely transferred to the appropriate health and care record as soon as it is practical to do so.

  • Avoid downloading software or videos / open suspicious links

  • Undertake all system / software updates

  • Ensure that the device has up to date antivirus software: Avast / AVG and malware bytes

  • Do not use a communal laptop 

  • Where provided use software such as Away from my desk / VPN

  • Do not print out documents on home printer, instead store in shared drive

  • Log out of all software and systems, including emails, when not in use

  • Within NHS Mail, only view documents in browser and do not download

  • Where possible create a normal “user” account on the laptop without admin capabilities to undertake the work

  • Additionally, no documents should be downloaded to the laptop unless absolutely necessary, attachments to emails can be viewed in browser but there may other systems or portals accessed that permit the download of documents.

  • If documents can be viewed online staff should only do so

  • If it is necessary to download, staff should delete their download history and empty their recycling bin at the end of each work session.

How Can I Ensure that I Am Using My Personal Mobile Phone Safely and Securely?

Where limiting or prohibiting face to face appointments, it may be necessary for staff to conduct telephone appointments with their patients or for administrative staff to triage patients; both using their personal telephones.

In this example, the only information input into the phone would be the patients’ number with no correlating personal data. Therefore, the risk to the data is relatively low.

Practice should issue the following instructions to support secure working on personal laptops.

  1. Do not store patients’ names against phone numbers

  2. Delete call log daily / weekly (maintain an audit trail of activities within the clinical system or elsewhere)

  3. Do not allow anyone else to use phone (unless cleared of work-related data)

  4. If accessing emails download a free antivirus – Avast / AVG

  5. Check permissions settings on all apps downloaded onto phone and turn off access to phonebook / call log (Facebook / WhatsApp)

  6. Do not undertake phone calls with family in the same room, if possible, use headphones instead of speakerphone.

I Need to Take Paper Files Home - What Do I Need to Do?

It may be necessary for staff to take paper files home with them or have them delivered to undertake tasks. 

Therefore, the following measures should be taken:

  1. Provide staff with lock boxes to keep files in

  2. Make a log of all paper records removed from the practice and track their location / return throughout

  3. Do not make copies of paper records without a legitimate business reason and obtaining permission

  4. Maintain paperless desk protocol and lock away when not in use

  5. Do not scan into PC using own scanner without a legitimate business reason and obtaining permission and ensuring that scanner memory is cleared regularly

What About Issuing Smartcards Remotely?

NHS Digital have confirmed a process for registering new users where face to face meeting is not possible.

https://digital.nhs.uk/services/registration-authorities-and-smartcards/remote-smartcard-registration-emergency-guidance