With social distancing measures affecting all functions and operational areas, how can you continue to operate successfully? Our five key steps guide you through different actions you can consider.
Many functions and operational areas are being affected, from HR policies to IT security. We suggest the following five key steps that public sector organisations can take in order to continue operating successfully in the current environment.
1. Establish a COVID-19 response team
Local authorities, NHS trusts and clinical commissioning groups (CCGs) should identify and gather a team of leaders and internal stakeholders to form a ‘response team’ with representation from all front line and support services. The role of the response team will be to develop, and regularly monitor and update, a plan tailored to your key services. The team will need to perform a comprehensive critical assessment to determine the business processes with highest priority, and evaluate the remote working options available to relevant staff. Resilience plans already in place will need to be tested to ensure that servers can cope with the increase in stress and load as more staff transition to remote working. Capacity planning and the purchase of additional bandwidth may need to be approved by the team if your organisation normally has a limited number of remote users.
2. Develop a clear communications programme
Public sector organisations need robust communication channels to provide customers, staff and suppliers with accurate and meaningful information. Local authorities, NHS trusts and CCGs should therefore establish a COVID-19 communications programme to ensure the right information is sent to the right people at the right time. Automated messages (pre-approved) can be used where appropriate to increase efficiency. Training staff on the use of alternative communication channels such as video conferencing and virtual meeting software can help to maximise the benefits they offer.
3. Review HR policies and processes
Establish policies for sick-leave absences specific to the COVID-19 situation. These should include policies on when a previously ill person is no longer infectious and the return-to-work protocol after illness. These policies must be aligned to the latest UK Government advice.
4. Ensure security measures for IT and data are sufficient
The number of phishing emails received by public sector organisations has increased. Phishing emails purport to come from credible sources (e.g. NHS, DWP or WHO) and when opened by users can either initiate the execution of malware, or encourage users to disclose private information. Clear and regular user awareness training is the most effective way to prevent this. Network and infrastructure teams should also ensure Domain-based Message Authentication, Reporting & Conformance (DMARC) policies have been set on email servers, or that other filtering and blocking services are being used. It is also important to back up business data regularly, using servers not accessible to your network for storage.
As more staff start to work from home, the use of new applications to enable remote working (use of VPNs) is likely to increase, with an accompanying rise in the number of user accounts. Strong new user account creation protocols will be needed to ensure verification of identity and validation of required access. Two-factor authentication for privileged users is recommended in all instances. Patch management of VPNs will also need to be maintained.
Invoking major incident plans can result in new data processing streams. Public sector organisations will need to document these streams in line with normal legislative expectations to ensure there is a lawful basis for processing. Access controls for temporary data repositories or new systems will need to be assessed to safeguard against unauthorised access and disclosure.
Working remotely and from home increases the risk of lost and/or stolen devices. It’s essential to ensure adequate hard drive encryption on any devices being used remotely by staff members. Emergency procurement of mobile device management tools may be necessary to provide accountable officers with the assurance that devices can be remotely wiped, locked or backed up if need be.
5. Stay alert to fraud risk
Across the NHS and wider public sector, people are working together to treat patients and protect the most vulnerable in our communities from COVID-19. Sadly, however, we have already seen that some individuals will take advantage of this situation to commit fraud.
As the NHS focuses on the huge task in hand, maintaining strict adherence to the usual policies, systems and processes will inevitably take second place to supporting service delivery and saving lives. Operational pressures may result in the weakening of some checks and controls, particularly around procurement.
Where practicable, we encourage organisations to review their existing fraud risk assessments in the light of COVID-19 and the measures being introduced by the government. Business continuity plans need to consider potential fraud risks in relation to areas such as procurement, agency staffing and Disclosure and Barring (DBS) checks.
For helpful advice, see ‘Fraud Control in Emergency Management: COVID-19 UK Government Guidance’. This details imminent threats to the public sector and the various principles for effective fraud control.
Further specialist NHS fraud prevention advice on buying goods and services, due diligence and applying the suppliers’ code of practice is also available via the NHS Counter Fraud Authority (NHS CFA) website.
Suspected instances of fraud, bribery or corruption within NHS organisations can be reported to your Local Counter Fraud Specialist or via the NHS CFA hotline and online reporting tool. Alternatively, if you are outside the NHS, you can contact a member of our team of Counter Fraud Specialists, who would be happy to advise you further.
If you’d like more information about how to respond to COVID-19, please contact Greg Rubins.
View our COVID-19 hub