Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
physical_security [2015/12/31 15:54] jillian_nadette_de_leon |
physical_security [2016/06/15 15:34] jillian_nadette_de_leon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | 1. Only persons identified should have access to a certain computer. There should be permission to access a certain computer. There should be permission to access system from the original user. \\ | + | ##PHYSICAL SECURITY |
| - | 1a. Role-based access control shall be implemented.\\ | + | |
| - | 1b. No form is being filled-out when requesting for access of the server.\\ | + | |
| - | 2. Some hospitals are implementing a 1 user is to 1 account policy.\\ | + | |
| - | 2a. Limited access to station should be implemented.\\ | + | |
| - | 3. Only specific application intended for use should be stored in the computer.\\ | + | |
| - | 4. The computer to be used must be fixed in one place and not portable.\\ | + | |
| - | 5. Only selected offices can use USB. Some hospitals disable use of USB.\\ | + | |
| - | 6. Server should be located in a dedicated room. \\ | + | |
| - | 6a. Office of IT people should be separate from the server room.\\ | + | |
| - | 6b. A dedicated facility shall be put in place for data center.\\ | + | |
| - | 6c. A dedicated infrastructure in the hospital which has restricted and limited access to be used for the purpose of housing the servers or data centers shall be put up. At the minimum, a data cabinet shall be installed in lieu of a server room. Clinics may use cloud computing while hospitals may use servers and put up server rooms.\\ | + | |
| - | 7. Any electronic device should be confined and cannot be taken outside the hospital premises and should only be dedicated for hospital use. Exceptions shall include disaster, vaccination, among others.\\ | + | |
| - | 7a. Phone for official use is allocated for communication with healthcare providers relating to patient's treatment.\\ | + | |
| - | 7b. Bringing of smart phones, laptops, tablets and other electronic gadget should be prohibited inside the medical records area.\\ | + | |
| - | 7c. Capturing of patient data using camera, etc. should not be permitted.\\ | + | |
| - | 7d. Systems not dedicated to handle patient information e.g. mobile phones should not be allowed to be used. | + | |
| - | 8. Budget allocation for the IT infrastructure of the hospitals contained in the annual financial plan.\\ | + | |
| - | 8a. A budget for the setting up of physical infrastructure for the IT equipment for PhilHealth use shall be allocated as part of the capitation fund being provided by PhilHealth.\\ | + | |
| - | 9. CCTV, audit trails are put in place to monitor access of IT investments.\\ | + | |
| - | 10. Only one person is in charge of handling the servers.\\ | + | |
| - | 10a. There must be identified personnel who can access the IT room, e.g. Q.A. for investigations, HICC for monitoring.\\ | + | |
| - | 11. Workstation for data collection and processing should be located in a separate area.\\ | + | |
| - | 12. Conduct pre-deployment site assessment.\\ | + | |
| - | 13. In the event that the machine is lost or stolen, deactivate account until retrieved or reported. However, it is best to reset credentials.\\ | + | |
| - | 14. State provisions regarding setting up of infrastructure where physical servers or data center of hospital information system shall be located. Applicability of the existing administrative order containing provisions on IHOMP shall be considered. Implementation of an off-site back-up shall be done if the aforementioned administrative order shall be affected by this proposed set of rule. Information that is backed up shall be encrypted.\\ | + | |
| + | **COMPUTER ACCESS**\\ | ||
| + | * Pre-deployment site assessment shall be conducted and computers to be installed shall be non-portable and fixed in one place. Computers shall be accessible to authorized personnel only and role-based system access shall be implemented. Each user shall have one account only. Multiple accounts per user are not allowed. A person requesting for access to a computer shall fill-out a request form. \\ | ||
| + | * Anti-glare filters on computer monitors shall be installed. This will not only help reduce glare, but also prevent anyone from seeing what is on the screen unless directly in front of the computer.\\ | ||
| + | //Applications.// Only applications for the hospital information system shall be installed in the computer system. Other applications, most especially social media applications are strictly not allowed. | ||
| + | |||
| + | **SERVERS**\\ | ||
| + | *The health facility shall provide a designated area for the housing of servers/data centers. It shall be a separate area from the data collection and processing as well as from the IT office. The server room shall be marked as "Restricted" and shall only be accessible to authorized personnel. If the health facility cannot allot a space for the server room, at the minimum, a data cabinet shall be installed and restrictions in terms of access shall be provided.\\ | ||
| + | |||
| + | //IT Room.// The IT room shall only be accessible to authorized personnel and to personnel involved during quality assurance monitoring. A designated IT personnel shall be tasked to handle the servers.\\ | ||
| + | |||
| + | **OTHER DEVICES**\\ | ||
| + | * Facility-registered electronic devices shall not be brought outside the premises of the health facility except under circumstances such as disasters and vaccinations or unless otherwise approved by the head of the facility. USB devices shall be limited to office use but as may be practical, shall not be used.\\ | ||
| + | * Mobile devices used for job responsibilities are subject to audits even if an employee owns it.\\ | ||
| + | |||
| + | * Capturing of patient data using camera phones and bringing of electronic devices such as cellular phones, laptops, tablets, and cameras inside the medical records area is strictly not allowed.\\ | ||
| + | |||
| + | **POINTS TO CONSIDER** | ||
| + | * State provisions regarding setting-up of infrastructure where physical servers or data center of hospital information system shall be located. Applicability of the existing administrative order containing provisions on IHOMP shall be considered. Implementation of an off-site back-up shall be done if the aforementioned AO shall be affected by this proposed set of rules.\\ | ||
| + | (//We have to discuss whether we really want to specify in the IRR that setting up of infrastructure is required. I think it is sufficient to just specify the conditions that must be complied with. Part of this has already been developed by Kit's group.-IP//)\\ | ||