Frequently Asked Questions

2024-10-09T15:53:02+01:00

PERL

BIOS do not have a data processing agreement in place with Vimeo.

BIOS have produced a sharing agreement which can be shared with each of the trusts for approval.

Yes, evidence can be provided of the last penetration test that was performed on 23/12/2022.

Yes. Most live streamed patient assessments will be projected directly into a university lecture theatre and will be controlled by the lecturer in charge. Students will have access to the PERL from their personal device, and there may be instances where students are allowed to join a live streamed session from their own device. However, there have been no breaches to date, and the following mitigations are in place to ensure risk is kept to a minimum:

  • Students receive data security training from the university.
  • Students complete the online data security assessment and must pass this before they can attend clinical placements or gain personal access to the PERL or live streamed sessions.
  • Students receive a standard protocol on how they should conduct themselves during a live streamed session and whilst accessing the PERL.
  • Students must sign a disclaimer to acknowledge the terms and conditions of this access.
  • Universities sign a disclaimer to confirm they will manage and maintain student access to live streamed sessions and the PERL.
  • Before accessing the PERL a disclaimer is presented to the end user to remind them of the terms and conditions they have signed up to.

The servers are with WPEngine. The physical servers are theirs, as this is a cloud service.

Yes, the site has SSL.

No, videos on PERL can only be streamed; they cannot be downloaded. Also, a disclaimer is presented to the end user every time they access the PERL to remind them of the terms and conditions of use.

Patient consent is maintained by the trust; however, in our pseudonymised process, details of the time, date, hospital and clinical tutor name are recorded, and a VideoID is generated to replace the filename of the patient video. This VideoID is noted on the printed consent documentation maintained by the trust, and a copy of the VideoID and consent is provided to the patient. This will enable the patient to withdraw their consent at any point of the process. If the VideoID is not known by the patient, then BIOS will contact the trust to help them identify the patient’s video.

The BIOS website has a dedicated form set up for patients to withdraw their consent.

HoloLens

Yes, HoloLens 2 enables BitLocker Device Encryption (BDE) by default to protect data from any unauthorised physical access to the device. Always evolving to meet the needs of the future, Microsoft continues to invest and enhance this technology.

BDE is a data protection feature that employs AES-XTS-256 encryption on all volumes in the state-separated layout of the device. BDE provides device level encryption in a state-separated layout. BitLocker Device Encryption is enabled automatically on operating system and fixed data volumes and cannot be turned off, even by IT administrators, so that the device is always protected.

Encryption and Data Protection | Microsoft Learn

Yes, HoloLens 2 enables BitLocker Device Encryption (BDE) by default to protect data from any unauthorized physical access to the device. Always evolving to meet the needs of the future, Microsoft continues to invest and enhance this technology.

For further information please see Encryption and Data Protection | Microsoft Docs

Yes, the HoloLens has been used successfully under a visor.

The HoloLens 2 can be set up with a personal Microsoft account. This provides the security features of biometric (iris), PIN, and password authentication. It also enables BitLocker Device Encryption (BDE) to protect the device from unauthorised access. The department can create a free Microsoft account here. BIOS recommends setting up a generic account for shared access by multiple clinical tutors. Once set up, BIOS should be informed of the email address to procure a 365 license.

Alternatively, your local IT department may require that the HoloLens be set up on the trust’s Microsoft Azure account. This process could take longer, depending on IT’s capacity to complete the setup. Additionally, BIOS will need to coordinate with IT to arrange funding for the 365 licenses on the trust-managed account, enabling live streaming via Microsoft Teams.

Below are quotes taken from Microsoft. The highest level of security is for the HoloLens 2 to be set up on the trust’s Microsoft platform; see option 1 below. The device would then inherit the local trust’s security requirements of the environment in which it operates:

Identity type: Microsoft Entra ID
Accounts per device: 63
Authentication options:
  • Azure web credential provider
  • Azure Authenticator App
  • Biometric (Iris) – HoloLens 2 only
  • FIDO2 Security key
  • PIN – Optional for HoloLens (1st gen), required for HoloLens 2
  • Password

Identity type: Microsoft Account (MSA)
Accounts per device: 1
Authentication options:
  • Biometric (Iris) – HoloLens 2 only
  • PIN – Optional for HoloLens (1st gen), required for HoloLens 2
  • Password

Identity type: Local account
Accounts per device: 1
Authentication options:
  • Password

Identity type: Shared Microsoft Entra ID
Accounts per device: 1
Authentication options:
  • Certificate-Based Authentication (CBA)

By default, the HoloLens 2 devices are encrypted, so if the device breaks and the hard drive is inaccessible, then the data is also inaccessible. Repairing the device would likely involve wiping the data and re-building the device from factory default with no data on it and with the repair organisation (Microsoft) never having any access to that data.

Additionally, if a device were stolen it would be the same scenario. The device would be inaccessible and so would any data on the device.

The HoloLens is provided as an indefinite loan to the Trust, under the condition that it is regularly used. A minimum level of usage is expected, such as offering frequent recorded or live video consultations during term time.

Local IT support should be contacted initially. If the device cannot be repaired locally, BIOS will seek repairs through its insurance coverage.

The Trust must immediately report any lost or stolen devices to BIOS, who will then raise the incident with their insurance provider.

Software issues should first be addressed by Local IT (e.g., resetting the device).

The device must be stored behind two locked doors—such as in a locked filing cabinet within a locked room.

BIOS will monitor the number of uploads to the Placement Expansion Resource Area (PERL), while universities will track the number of live-streamed sessions offered regularly.

If there is a demand for the HoloLens from another Trust and the current device has not been used for 3 months (with consideration of any extenuating circumstances), BIOS reserves the right to recall the device for reassignment. Delivery costs for reassignment will be covered by BIOS.

If your clinical leads are logging into RemoteAssist with their nhs.net accounts, then your data and access are under full control of NHS Digital. So, in the case you outlined, it would be stored in the nhs.net Microsoft Stream service (just like Teams meeting recordings are when you are logged into your nhs.net accounts).

It is worth mentioning that NHSD are still working on their support for allowing organisations to connect HoloLens devices into the Central NHS tenant.