Information Security Policy
Statement of Intent
Patients Know Best (PKB) prides itself on being a leader in the provision of an online Personal Health Record where patients can manage their healthcare needs. As part of this, we recognise that we have a responsibility to protect all of the information that we process, whether it belongs to our employees, patients, customers, partners, or suppliers. By protecting this information we can ensure that we maintain our reputation as a trusted organisation, employer and partner, enabling us to grow as an organisation and deliver exceptional service to our customers.
To demonstrate our commitment to information security, PKB has implemented industry best practice security controls and assures their effectiveness through an Information Security Management System (ISMS) that complies with ISO 27001:2013, the global standard for managing information security.
It is the responsibility of all PKB staff to become familiar with our information security and data privacy management processes and to comply with all information security and data privacy policies together with the procedures and standards that underpin them. In turn, we commit to ensuring that our information security and data privacy management systems and processes are efficient, effective and continuously improving to protect our information assets while avoiding the reputational, legal and financial harm that would result from a data breach.
The Executive Board fully supports the information security management system and requires all our staff, whether permanent or temporary, together with partner organisations, suppliers and contractors, to do the same.
Approval and review
PKB-ISDPP v1.2 was approved by the Executive Board on the 1st of October 2022.
Summary
Patients Know Best is committed to safeguarding its information assets by ensuring the confidentiality, integrity, and availability of all data it processes. This policy outlines measures to protect systems and data from threats, unauthorised access, and disruption, ensuring compliance with legal, regulatory, and contractual obligations. All employees, contractors, and third parties must follow this policy to maintain a secure environment. Key principles include secure access control, data classification, encryption, and incident response. Regular training, audits, and monitoring ensure continuous improvement and adherence to security standards, supporting PKB’s mission to deliver reliable, secure healthcare solutions.
1. Purpose
Patients Know Best is committed to protecting its information assets by ensuring the confidentiality, integrity, and availability of all data it processes. As a provider of healthcare solutions, Patients Know Best understands the importance of securing the information entrusted to us by patients, customers, employees, and partners. This Information Security Policy outlines the principles and measures that safeguard our systems, data, and infrastructure against threats and unauthorised access.
Patients Know Best ensures compliance with legal, regulatory, and contractual obligations by implementing effective security controls and regularly reviewing its information security practices. This policy provides the framework for secure operations, supports the delivery of reliable services, and minimises risks to data and systems.
All staff, contractors, and third parties are required to comply with this policy and support Patients Know Best’s efforts to maintain a secure and resilient information environment.
2. Scope
This policy applies to all information processed, stored, or transmitted by Patients Know Best. It encompasses all systems, networks, and infrastructure used to support Patients Know Best’s operations, as well as any third-party services or platforms integrated into our organisational workflows.
The policy is applicable to:
All employees, contractors, temporary staff, and third-party providers with access to Patients Know Best systems or data.
All information resources created, managed, or entrusted to Patients Know Best by customers, patients, employees, or partners.
All activities involving Patients Know Best’s systems or data, regardless of the user’s location.
This policy covers information security practices for the lifecycle of data within Patients Know Best, ensuring compliance with legal, regulatory, and contractual obligations.
3. Information Security Principles and Objectives
Patients Know Best is committed to safeguarding its information assets by applying key principles of information security: confidentiality, integrity, and availability. These principles guide the company’s approach to protecting information and supporting secure operations.
Principles
Confidentiality: Ensure that data is accessible only to authorised individuals and is protected from unauthorised access or disclosure.
Integrity: Maintain the accuracy and completeness of data by protecting it from unauthorised modification or corruption.
Availability: Ensure that data, systems, and services are available to authorised users when needed, supporting uninterrupted operations.
Objectives
Patients Know Best’s information security objectives reflect its commitment to protecting data and systems while ensuring that its information security practices remain effective, aligned with industry standards, and responsive to evolving risks.
Protect Information Assets: Safeguard information from internal and external threats, whether accidental or deliberate.
Enable Secure Information Sharing: Facilitate the secure exchange of information between authorised parties while minimising risks.
Ensure Compliance: Adhere to all relevant legal, regulatory, and contractual requirements.
Promote Accountability: Define clear roles and responsibilities for information security across the organisation.
Support Business Continuity: Implement measures to minimise disruptions and ensure the continued availability of critical systems.
Mitigate Risks: Identify, assess, and manage security risks to protect the company’s reputation and prevent harm to stakeholders.
4. Roles and Responsibilities
Effective information security at Patients Know Best relies on the clear delegation of roles and responsibilities across all levels of the organisation. Each individual and team plays a vital role in ensuring that information assets are protected and that security measures are consistently applied.
The Executive Team holds ultimate accountability for the security of information systems and assets. They are responsible for setting the strategic direction for information security, allocating necessary resources, and ensuring compliance with legal, regulatory, and contractual obligations.
The Chief Information Security Officer oversees the design, implementation, and maintenance of Patients Know Best’s information security framework. Responsibilities include:
Developing and enforcing security policies, procedures, and standards.
Monitoring compliance with the Information Security Policy.
Identifying and addressing information security risks.
Leading investigations into security incidents and ensuring appropriate remediation actions.
Managers are responsible for ensuring that their teams understand and comply with the Information Security Policy, which includes:
Promoting awareness of information security responsibilities.
Ensuring team members complete required training.
Reporting security incidents or potential risks to the Chief Information Security Officer promptly.
The Information Security Team implements and maintains the technical and procedural controls necessary to protect Patients Know Best’s information assets. Key responsibilities include:
Managing access controls, encryption, and monitoring systems.
Conducting regular risk assessments and audits.
Responding to and resolving security incidents.
Continuously improving security measures to address emerging threats.
Every individual with access to Patients Know Best’s systems and information has a responsibility to:
Follow the principles outlined in this policy and all related procedures.
Protect information assets from unauthorised access, alteration, or loss.
Report any suspected or actual security incidents to the Security Officer or Information Security Team without delay.
Third-party vendors and service providers who process or access information on behalf of Patients Know Best are required to comply with the company’s security standards. Vendors must:
Enter into agreements that specify security and confidentiality requirements.
Implement appropriate security measures to protect Patients Know Best’s data.
Notify the company of any incidents or breaches involving its information.
Failure to comply with the Information Security Policy may result in disciplinary action for employees, up to and including termination. For contractors and third parties, non-compliance may lead to contract termination or legal action. Serious breaches may also be reported to regulatory authorities or law enforcement.
Key Security Controls
Patients Know Best has implemented a comprehensive framework of security controls to protect its information assets and systems. These controls address critical areas of information security, ensuring compliance with legal, regulatory, and contractual obligations.
Key areas of focus include:
Access Control: Access to information systems is restricted to authorised personnel based on defined roles and responsibilities. Detailed requirements for system access are outlined in the System Access Control Policy.
Data Classification and Protection: All information is classified according to its sensitivity and is protected in line with its classification level. The Data Classification Policy and Data Protection Policy provide further guidance.
Incident Management: A robust incident response process ensures that security incidents are promptly identified, reported, and resolved. For more information, refer to the Incident Response Plan.
Data Retention and Disposal: Information is retained only as long as necessary and securely disposed of in accordance with the Data Retention Policy.
Encryption and Network Security: Data is encrypted during storage and transmission, and network security measures are in place to prevent unauthorised access. Details are available in the Encryption Policy and Network Security Policy.
Physical and Environmental Security: Physical facilities housing critical systems are protected against unauthorised access and environmental risks. See the Physical Security Policy for further details.
Risk Management and Continuous Improvement: Regular risk assessments are conducted to identify and mitigate potential threats. The Risk Assessment Policy outlines the process for evaluating and addressing risks.
Vendor and Third-Party Management
Patients Know Best recognises the importance of maintaining strong security standards when working with third-party vendors and service providers. All external entities that process, store, or transmit data on behalf of the organisation must comply with Patients Know Best’s security and confidentiality requirements, as outlined in its Vendor Management Policy.
Patients Know Best ensures that third parties meet these obligations through rigorous assessments, formal contractual agreements, and ongoing oversight. Vendors are required to report security incidents promptly and to take appropriate action to mitigate risks and prevent recurrence. At the conclusion of a vendor relationship, Patients Know Best ensures that all data shared with the vendor is securely returned or destroyed.
Training and Awareness
Management will ensure that employees, contractors and third-party users:
Are properly briefed on their information security roles and responsibilities prior to being granted access to covered information or information systems;
Are provided with guidelines which state security expectations of their role within the organisation;
Are regularly notified of security changes and updates, as well as reminded of security responsibilities to be undertaken, via annual security awareness training and annual policy acknowledgements;
Are motivated to comply with the security policies of the organisation;
Achieve a level of awareness on security relevant to their roles and responsibilities within the organisation;
Conform to the terms and conditions of employment, which includes the organisation's information security policy and appropriate methods of working.
All new hires are required to complete information security awareness training as part of their new employee onboarding process and annually thereafter. Ongoing training will include security and privacy requirements as well as training in the correct use of information assets and facilities. Records to evidence completion of training for all personnel will be retained. The periodic security awareness training will be supplemented with multiple methods of communicating awareness and educating personnel as deemed necessary by management, such as newsletters, web-based training, in-person training, periodic phishing simulations, etc.
The organisation will properly communicate to its workforce and, if appropriate, contractors:
Security updates, changes, and incidents, as needed, via email or appropriate Slack channels.
Reminders for security responsibilities as part of the annual security awareness training.
In addition, consistent with assigned roles and responsibilities, incident response and contingency training to personnel will be provided annually.
5. Monitoring and Review
Patients Know Best is committed to ensuring that its Information Security Policy remains effective and aligned with evolving risks, regulatory requirements, and operational needs. To achieve this, the organisation has implemented a structured process for monitoring compliance and regularly reviewing the policy and its associated practices.
Monitoring Activities
Patients Know Best conducts ongoing monitoring of its systems, processes, and controls to identify potential vulnerabilities and ensure compliance with the Information Security Policy. Key monitoring activities include:
Reviewing system logs to detect unauthorised access or anomalous activities.
Performing regular vulnerability assessments and penetration tests to evaluate the resilience of information systems.
Tracking incidents and breaches to identify patterns and areas for improvement.
Monitoring the implementation and effectiveness of security controls across the organisation.
Policy Review and Updates
The Information Security Policy is reviewed on an annual basis, or sooner if significant changes in technology, operations, or regulations occur. The Chief Information Security Officer, in collaboration with key stakeholders, is responsible for:
Evaluating the policy’s effectiveness in addressing current and emerging security risks.
Incorporating findings from audits, risk assessments, and incident investigations.
Updating the policy to reflect changes in legal or regulatory requirements, such as updates to GDPR or other applicable standards.
Any updates to the policy are approved by senior management and communicated to all employees, contractors, and third-party providers to ensure continued compliance and understanding.
Audits and Assessments
Patients Know Best conducts regular internal and external audits to verify adherence to its security policies and identify opportunities for improvement. These audits include:
Assessing compliance with contractual, legal, and regulatory obligations.
Evaluating the effectiveness of implemented security measures.
Identifying gaps or weaknesses that require corrective action.
The results of these reviews and assessments are documented, and appropriate measures are taken to address any identified risks or deficiencies.
Revision History
| Version | Date | Editor | Reviewer | Approver | Description |
|---|---|---|---|---|---|
| 1.0 | 19.11.25 | Sarah Roberts | Selina Davis-Edwards | David Grange | Reviewed in line with SOC2 requirement. |
Appendix: Reference Materials and Associated Documents
Information Governance and Information Security Policies and Guidance can be found on the internal staff handbook wiki (Internal Intranet).
Data Security & Protection Toolkit: https://www.dsptoolkit.nhs.uk/
Information Commissioners’ Office: https://ico.org.uk/
Legislation and Regulations
General Data Protection Regulation 2016: https://gdpr-info.eu/
Computer Misuse Act 1990: https://www.legislation.gov.uk/ukpga/1990/18/contents
Confidentiality Code of Practice: https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
Article 8 Human Rights Act 1998: http://www.legislation.gov.uk/ukpga/1998/42/contents
Records Management Code of Practice: https://transform.england.nhs.uk/information-governance/guidance/records-management-code/
ISO 27001 (ISO/IEC 27001:2013) is the international standard that provides the specification for an information security management system (ISMS).
ISO/IEC 27002: code of practice for information security controls.
ISO 27799:2016: information security management in health.
NHS Digital Data Security Centre: https://digital.nhs.uk/services/data-security-centre
© Patients Know Best, Ltd. Registered in England and Wales Number: 6517382. VAT Number: GB 944 9739 67.