SyOps for myrecovery

Introduction

  1. This document will provide users with clear guidance on the secure operation of the myrecovery platform, which consists of the myrecovery application and myrecovery web portal/dashboard.

Scope of SyOps

  1. These SyOps relate to the myrecovery clinician accessible web portal/dashboard, herein known as 'myrecovery dashboard' and myrecovery patient accessible mobile device application, herein known as 'myrecovery app'.

  2. The myrecovery app may be installed on:

a. An entitled user's personal device (herein known as BYOD) if the following criteria are met:

(1) They are entitled to access Defence Medical Rehab services and have an active problem. As access to the platform is controlled at point of appointment booking, only entitled personnel will be invited to use the application.

(2) The owner of the BYOD is willing and content to do so. There is no obligation for a user to commit their personal device for MOD use, and Commanders at all levels should not pressurise personnel to do so. Should the owner of the BYOD be unwilling to have the application installed and use their device for MOD purposes, alternative arrangements must be sought.

(3) The device must meet the minimum performance specification to effectively run the application, as advised by MSK.AI (the distributors and owners of the myrecovery application).

(4) The use of the BYOD does not break Chief Joint Operations (CJO) Personal Electronic Device (PED) policy for the location of use.

(5) The use of the BYOD does not break any local zoning policy restricting the use of PEDs.

(6) The owner of the BYOD signs and acknowledges full acceptance of these SyOps.

  1. The myrecovery dashboard MUST only be accessed through an accredited system such as MODNET or DII(F).

Compliance

  1. All users of myrecovery, regardless of device, must acknowledge acceptance that they will only operate as detailed in this document, by agreeing to the MOD SyOps User acceptance on first registration of the application or on first access to the dashboard.

  2. These SyOps are to be adhered to when using myrecovery and may not be deviated from without explicit permission from the system Accreditor, Security Assurance Coordinator or Information Asset Owner (IAO).

  3. Unauthorised deviation from these SyOps may result in disciplinary action being taken against the user.

Classification

  1. Classification of data. The myrecovery platform is accredited and authorised to store, process and generate information classified at OFFICIAL (including SENSITIVE) in accordance with the Government Security Classifications.

  2. While the myrecovery platform is permitted to process this classification of data, the host BYOD device may not be. Accessible information via the myrecovery app pertains only to the individual who owns the device; however, it is strongly recommended that users do not transfer information onto the host device. The myrecvovery dashboard is only to be accessed through MODNET Chrome.

  3. The highest classification to be processed on the system is OFFICIAL-SENSITIVE PERSONAL.

  4. Information with the classification of SECRET (including variations of Mission SECRET and NATO SECRET) or higher is not permitted to be processed and/or stored on myrecovery or host devices. If information classified as such is found on the system, a security incident must be raised by the fastest secure means.

  5. JSP 440 remains the authority for guidance on security markings for the MOD. Where doubt resides, JSP 440 should be consulted and the information contained within will supersede these SyOps.

  6. Clinical users are to ensure that they are not overlooked when accessing classified information on a display screen and especially when entering any password associated with myrecovery.

Physical Security

  1. Access to the myrecovery app via BYOD, the personal security of which is down to individual users.

  2. Access to the myrecovery dashboard is through MODNET enabled computers/laptops. Physical security surrounding the use and operation these devices is covered in MODNET SyOps.

  3. Patient users should ensure there is adequate physical security for the environment the host device is in. Users are accountable and responsible for the physical protection and care of the device being used to access myrecovery. Users should take appropriate action to minimise the risks of the device becoming lost, stolen or tampered with. Therefore, users should take reasonable and appropriate precautions to secure their device when in use or if left unattended.

  4. As personal property, users are free to control access to their BOYD as they see fit. As myrecovery contains personal health information, users are advised not allow the host device used to access myrecovery, to be accessed by an anyone they do not wish to see their personal information.

  5. Users are advised to remove the myrecovery app prior to disposal of the BOYD. They should carry out a full factory reset of the device – ensuring that all applications and user accounts are un-associated from the device.

  6. Operation. Users must comply with local security zoning policy, which will dictate where the transmitting devices (including smartphones and tablets) are permitted to be used within a MOD establishment, ship, boat or aircraft. Users must comply with any notices prohibiting emitting devices such as host devices for myrecovery.

  7. When using myrecovery outside a secured location, users must consider the security of the environment where they are working, ensuring that operational, patient or sensitive information is not subject to oversight or shoulder surfing. Clinical/admin users of the myrecovery dashboard must also remain cognisant of their surroundings when accessing the platform through their MODNET enabled devices.

Acceptable Use

  1. Users must comply with JSP 740 the Acceptable Use Policy (AUP) for Information and Communications Technology (ICT), when using any MOD information technology equipment. This includes the myrecovery platform.

  2. All users must comply with the MOD Acceptable Use Policy specified in JSP 740 and applicable legislation.

  3. Improper use of MOD ICT or telecommunications comprises a range of activities and behaviour, contrary to SyOps, good practice, or common sense, and is defined as "the deliberate, inappropriate or illegal use of any part of the MOD IT or Telecoms", within JSP 740.

  4. The AUP defines what is unacceptable use, any breach of which may result in disciplinary or administrative action. Serious offences may lead to dismissal and possible prosecution, the penalties of which may include a custodial sentence.

  5. The following activities are strictly prohibited when using the myrecovery platform on any host device:

a. User must not use the system to offend, insult, harass, threaten or deceive other people.

b. Users must not use the system to request, create, access, store, or send offensive, pornographic, indecent or illegal material.

c. Users must not breach copyright or licence agreements.

d. Users must not download, use or distribute unauthorised software or applications.

e. Users must not remove, disable or nullify operational components, safety or security measures within the app or dashboard.

f. Users must not try to misuse, gain unauthorised access to, or prevent legitimate access to, any ICT equipment, network, system, service or account.

g. Users must not try to gain unauthorised access to information, or release information without proper authority.

h. Users must not bring the MOD into dis-repute or obstruct its business.

i. Users must not be negligent in protecting the ICT and services, or the information you can access from it.

  1. myrecovery end user licence agreement (EULA) and terms of service (TOS). In addition to complying with JSP740, all users of myrecovery must comply with the myrecovery EULA and TOS, which can be found at the following links.

https://appsupport.team/terms-uk-en/

https://appsupport.team/eula-uk-en/

  1. By using the myrecovery platform, users are accepting that they have read and will abide by the myrecovery EULA and TOS.

  2. Data Protection. Users of the myrecovery platform must ensure that their use remains compliant with all applicable legislation, namely DPA 18, GDPR and the Caldicott Principles. Data Protection Act 2018 (DPA 18) which can also be referred to as General Data Protection Regulations. DPA 18 is UK legislation. All MoD personnel, contractors or others who process personal data are bound by its provisions, which confer certain rights and responsibilities. As users of the system you are responsible for ensuring that any personal information generated or accessible to you is handled in accordance with the provisions of the Act.

myrecovery account management

  1. Access to myrecovery for clinicians will be managed by the Project WIRA Project Officer. Access myrecovery for patients will be controlled by rehab admin and clinical staff. 30. All patient users are free to download the myrecovery application, however access to its functionality will only be granted if the patient user has been sent an invitation code by their primary care rehabilitation facility admin or clinical staff. The invitation is generated through the myrecovery dashboard.

  2. Access require 2FA and invitation details are sent to personal emails and via SMS to personal mobile devices. These details ensure that the correct patient is accessing the correct pathway within the platform for their problem.

  3. Clinician/admin user accounts MUST be registered to a mod.gov.uk email account. 33. The Project WIRA Project Officer has responsibility for:

a. Initiating clinician/admin user accounts.

b. Removing obsolete clinician/admin accounts and account

housekeeping.

myrecovery user accounts

  1. Clinical and admin staff must not attempt to generate a patient user with a MODNET email address. Personal email addresses and mobile telephones should be used.

  2. Users are to be aware that system logging is enabled within myrecovery and that user activity can be tracked and identified through timestamped system and event logs.

  3. Users must not share user accounts.

  4. In the unfortunate event that a registered user becomes deceased or terminated from the MOD, the parent unit is to contact the Project WIRA Project Officer who will ensure the account is archived appropriately. Under no circumstances is the parent unit to engage with the service provider.

myrecovery passwords

  1. When a myrecovery account is first created, you will be required to use a PIN and to create a password. This password will be used to open the myrecovery application. The following rules apply to all future passwords associated with the system:

a. Do not use the same password for any part of myrecovery as for any other system.

b. Do not use the same password for myrecovery as any personal accounts, social media or applications.

c. Never, for any reason, disclose your or password to anyone (including administrators and commanders) who you no not consent to share your personal information

d. Under no circumstances should a written copy of the password be carried with the host device.

e. If you have any reason to believe that the password has been compromised, you should report it immediately. An immediate password reset is to be implemented.

myrecovery software security

  1. The myrecovery platform is MOD approved and has been configured in accordance with an agreed contract. Users must not attempt to alter or change security configurations, failure to comply could result in disciplinary action.

  2. Application updates. Where required, Future Health Works (the providers of myrecovery) will issue software updates for the application. Users must update the

application at the earliest opportunity. If the user is required to restart the myrecovery app due to an update being deployed, they should do so at the earliest opportunity.

  1. Operating system updates (host device). Every effort should be made to ensure the device is updated as soon as is practicably possible. Software updates are often critical to managing and negating vulnerabilities, hence the time sensitive nature of applying them.

myrecovery data import and export

  1. the myrecovery platform is designed to allow the passage of data and is therefore the myrecovery dashboard is open to data export. Users must however only export the necessary information to allow them to effectively undertake their medical roles. Patient exercise summaries and goals can be exported as CSV files or can be copied for direct entry into medical records.

  2. The following rules regarding data export will be adhered to by users of myrecovery:

a. Exported data must be handled, stored, processed, managed and archived in accordance with JSP440 and JSP441.

b. Data may only be exported onto an accredited system approved for the storage and processing of information at OFFICIAL – SENSITIVE.

  1. myrecovery users are reminded of the Caldicott Principles regarding limiting the transfer of medical information to only that which is necessary:

"Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian."

  1. DMICP remains the MOD's primary medical record archiving system. Information that would normally form part of a patient record should not be archived in myrecovery. If in doubt, the information should be exported and archived into DMICP.

Prohibited Use

  1. There is to be no personal use of the myrecovery platform. It should only be used for its primary purpose on entitled patients.

myrecovery monitoring

  1. The MOD reserves the rights to carry out monitoring on issued information systems and applications for the purpose of security. All user activity is logged and auditable within myrecovery AWS servers.

  2. Should a user be identified as breaching the rules documented within these SyOps, the IAO and System Owner may authorise that the user account is deleted remotely by Future Heath Works (the providers of myrecovery).

Incident management, reporting and response

  1. General incidents. Security incidents are defined as any event that impacts the confidentiality, integrity or availability of the service/system and may be instigated with or without malicious intent. All incidents must be reported to the SPOC and your ITSO.

  2. If your device shows signs of tampering, you should stop using the device and inform your ITSO immediately, notwithstanding medical necessity.

  3. As a minimum, users must immediately report the following incidents to their ITSO: a. If the host device is lost or stolen.

b. If you believe your device or associated myrecovery account has been hacked or accessed by an unauthorised individual.

c. If you believe the confidentially or integrity of the information, you're working on has been compromised.

d. If you believe patient confidentiality has been comprised.

  1. Should your device become lost or stolen outside MOD establishments, the following urgent actions are to be taken by the user.

a. Take all reasonable steps to affect recovery, for example by reporting the loss to the local security officer, the civil police, transport authority and lost property office as appropriate.

b. When alerting the authorities to the loss of a device, users should emphasise that the device contains / can access classified material up to OFFICIAL – SENSITIVE and may also contain / have access to sensitive medical information.

c. Notify by the quickest secure means your ITSO.

  1. Cyber security incidents. In the first instance of suspecting a cyber security incident; do not turn your machine off, as you may lose valuable forensic evidence, but you must disconnect from any network in line with JSP440 Leaflet 15.

  2. If you believe your device is infected with malware, stop using the device, disconnect from any connected network, do not log off or shut down. Make no attempt to remedy the situation. Await further instructions from your ITSO or MODCERT.

  3. Reporting can be done in several ways:

a. Contact MODCERT directly at:

MODNET: MODCERT (MULTIUSER)

Mil: 94396 7678

Civ: 01225 847678

SSS: 9298 4396 5885

b. Contact the Warning Advisory Reporting Point (WARP) for your TLB. They are the point of contact for any security questions and will report any security incidents to MODCERT. Please see Table 1 for WARP contact details for associated TLBs:

TLB Email Phone Army Army WARP-Mailbox (MULTIUSER) 94393 6804 Navy NAVY-WARP (MULTIUSER) 9380 22588 RAF Air-RAF WARP (MULTIUSER) 95221 7178 JFC JFC-Sy-Warp-Group (Multiuser) 9360 58429 HOCS HOCS Sy-WARP Grp Mailbox (MULTIUSER) 9621 89717

PJHQ PJHQ-WARP (MULTIUSER) 9360 55293 DE&S DES PSyA-WARP (MULTIUSER) 9352 33834 DIO DIO IPO-WARP (MULTIUSER) 07976 846398 DSTL DSTL-Dstl – WARP 01980 955583 UKHO UKHO-icts-tsg 182300 x3368

  1. Following the initial reporting of an incident, a MOD Security Incident Reporting Scheme (MSIRS) must be submitted using the online submission form within 1 hour. This form must be completed with as much detail as possible about the incident.

  2. The MSIRS can be found here: https://blackthorn.ahe.r.mil.uk/msirs/.