Cyber Awareness (RDaSH) Model Answers

1. You are asked to create a secure and memorable password. Which of the below would make the best password for your everyday use? 

  • joebloggs
  • x92nk$5Aa67@zpw%1?9
  • Red!Summ3rD0g ✔
  • Password123

The strongest password is almost certainly x92nk$5Aa67@zpw%1?9 – but it is so complex that you couldn’t expect to remember it, so you would have to write it down. The best password here is Red!Summ3rD0g. It uses three random words, so it is easier to remember, but because it avoids a common phrase it is unlikely to be ‘cracked’. If you routinely swap certain letters for characters (change e to 3, o to 0 etc.) you can create a really safe password that you will remember quite easily. You should avoid names, and simply adding numbers to a password is not recommended as good practice.


2. You need to do some online banking with your bank, Your Bank Ltd. Which one of these addresses would you use:

  • www.yourbank.co.uk
  • https://www.yourbank.co.uk ✔
  • http://www.yourbank.co.uk
  • any of the above – they are all the same

The key point here is to look for a web address that includes https. This means that the site is secure – depending on your browser you may also see a padlock icon.

This means that all information you type is scrambled before being sent and then unscrambled at the other end of the connection – anyone snooping on your web traffic will only see gibberish. Lots of websites don’t need to be secure if they are just displaying non-confidential information, so don’t worry if you visit a site that just shows http…

But never enter any sensitive, confidential or personal information unless you see the padlock or https – everything you type is being sent in plain text and could be seen by a hacker ‘sniffing website traffic’.

If in doubt, don’t follow links in emails – use a reputable search engine to look for the site you are interested in and follow the link from the search engine.


3. You receive an email asking you to click the link shown (in the survey) – What should you do?

  • Click the link – It looks safe
  • Copy the link and paste it into my browser
  • Do not click the link – It looks unsafe ✔
  • I don’t know

This link is not safe – when you hover over a link, most browsers will display the destination that you will be taken to when you click your mouse. In this case the innocent-looking surveymonkey link is going to take you to a suspicious-looking Russian website (.ru).

You may also receive emails where the true identity of the sender is hidden – for example, if you bank with Barclays, you may receive an email that looks like it is from Barclays, but the full email address is help@barclaysbank.nastyscammers.com. Read the address from right to left – the true sender in this example is nastyscammers.com, not Barclays Bank.

Be careful to read the full link or email address and if you are ever in doubt regarding a link, don’t click it.


4. To help us understand if you have ever had to work around the rules to get your work completed, have you ever done the following? Please tick any that apply – and please be honest. If you are having to find workarounds to get the job done, it is important that the Trust is aware of this – remember this survey is anonymous.

5. Please use this text box to include details of any other activities you wish to disclose, or anything else you’d like to mention – Remember this quiz is anonymous, and will only be used to improve the Trust.

These questions are designed to identify where staff feel that they have no option but to circumvent the rules. It is recognised that staff will focus on doing what they need to do to get the job done – and if there are barriers in their way (including lack of equipment or unwieldy systems and processes) it is human nature to look for workarounds. We are grateful to all staff that completed this question honestly.


6. You are asked to write a clinical report for Mavis and Doris’ diagnosis and treatment. The report is expected by the end of the day, and you have other duties to complete. You don’t have enough time to complete them all – what should you do?

  • Spend the day writing the report and ignore your other duties until you have completed the task
  • Use Artificial Intelligence (AI) such as ChatGPT to write the report for you
  • Complete your other assigned tasks first, before starting the new task of the report for Mavis and Doris’ patient data
  • Speak to your Line Manager about your workload and seek advice on what work to prioritise ✔

The correct answer is to speak to your Line Manager – It may seem tempting to use generative AI (such as ChatGPT) to assist in summarising data and writing reports for you; however, patient data or any commercially sensitive data should not be input into AI software. We have no control over where the data will be stored and who can see and use it. Any information you feed into the AI can be used to teach the AI in the future, increasing the likelihood that it will be used in other users’ answers, causing a data security breach. AI is also unreliable for information, as it does not ‘fact check’ and can give responses which may look reasonable but are factually incorrect.


7. Outside of the Clinical system, which location would be most appropriate to store work related Patient / Person Identifiable Data (PID)?

  • U: Drive
  • Within appropriately protected folders in L: Drive ✔
  • OneDrive

The correct answer is L: Drive, within the appropriately protected folders. PID applicable to you (timesheets, expenses etc.) should be kept within either your personal OneDrive, or U: Drive.


8. Which of the statements below are correct about use of Social Media in the workplace – Please tick any statements below you think are TRUE:

  • I am allowed to take selfies and videos of myself in work, as long as none of my colleagues or patients/customers are included in the media
  • I should use strong privacy settings to prevent any patients from potentially finding me ✔
  • If I accidentally upload patient/customer identifiable data to my Facebook/Instagram/Snapchat account I must quickly delete it. I do NOT need to report it as a Data Security Incident if I act quickly.
  • I should be mindful of the potential impact of my personal Social Media activity on reputation of the Trust ✔

You should not take any media within the workplace for your personal Social Media accounts; dependent on your workplace, patient/customer identifiable data could be included in documents or on your laptop screen and could easily be missed before sharing a video or selfie. This is especially important for staff who work in areas off-limits to the public.

You should regularly review your privacy settings on your social media accounts to check how much of your information is accessible to other users, not only patients/customers who you have interacted with.

You should always report this as a Data Security Incident, even if you think nobody saw the picture or video. In general, once a photo/video is uploaded to a Social Media account, the Social Media company’s terms typically allow it to use, distribute and display your content.

Even on your own personal Social Media account, what you share reflects on your professional reputation and should always be considered.


9. You receive an email from an NHS Account associated with another organisation. The email suggests that your account will be disabled unless you log in. You follow the link and are then presented with a page that appears to be a Microsoft login screen – what do you do?

  • Forward it to colleagues for advice
  • Enter your credentials as you do not want to lose access to your account
  • Reply to the email requesting further advice
  • Report this to the IT Service Desk/ Use the ‘Report Phishing’ button in Outlook ✔

The correct answer is to report this to your IT Service Desk, either by contacting them or using the ‘Report Phishing’ button in Outlook. NHSmail accounts can become compromised by staff entering their details into a phishing link. Once a malicious actor has those details, messages can be sent from a genuine NHSmail account that is now under their control. They will embed links in the email to fake websites attempting to harvest credentials such as email passwords.


Important information: What to do if you think that a cyber-attack or security breach may be underway, or the organisation may be at immediate risk of an attack:

During standard office hours – 8AM – 6PM (Monday to Friday)

  • Contact the IT Service Desk on 01302 798118 / 03000 218118 and select option 2.

Outside of these hours including weekends and bank holidays

  • Contact the bronze on-call manager and advise them of the concern – this will then be escalated to the IT Out of Hours Service

For general enquiries or non-urgent concerns, calls and requests to the IT Services Team can be logged on our Self-Service Portal using this link: https://support.rdash.nhs.uk/asmlive/portal.aspx