Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
physical_security [2016/01/25 14:02] jillian_nadette_de_leon |
physical_security [2016/06/15 15:34] jillian_nadette_de_leon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ##PHYSICAL SECURITY | ##PHYSICAL SECURITY | ||
| - | * The location of the computer must be fixed in one place and not portable. \\ | ||
| - | * Workstation for data collection and processing shall be in a separate area from the server room.\\ | ||
| - | * Pre-deployment site assessment shall be conducted.\\ | ||
| - | * The IT room can only be accessed by authorized personnel and shall be accessible to approved personnel during Q.A for monitoring, HICC for monitoring.\\ | ||
| **COMPUTER ACCESS**\\ | **COMPUTER ACCESS**\\ | ||
| - | * Only authorized personnel will have access to stations/computers and there shall be role-based system access.\\ | + | * Pre-deployment site assessment shall be conducted and computers to be installed shall be non-portable and fixed in one place. Computers shall be accessible to authorized personnel only and role-based system access shall be implemented. Each user shall have one account only. Multiple accounts per user are not allowed. A person requesting for access to a computer shall fill-out a request form. \\ |
| - | * There shall be no multiple accounts per user. One user is to one account policy.\\ | + | * Anti-glare filters on computer monitors shall be installed. This will not only help reduce glare, but also prevent anyone from seeing what is on the screen unless directly in front of the computer.\\ |
| - | * A person requesting for access to a computer shall fill-out a request form.\\ | + | |
| - | * Applications installed in the computer must only be the ones necessary for the hospital information system. Other applications, most especially social media applications are strictly not allowed.\\ | + | //Applications.// Only applications for the hospital information system shall be installed in the computer system. Other applications, most especially social media applications are strictly not allowed. |
| **SERVERS**\\ | **SERVERS**\\ | ||
| - | * A designated area in the hospital shall be used for housing servers or data centers. This area shall be marked as restricted and shall be of limited access to personnel.\\ | + | *The health facility shall provide a designated area for the housing of servers/data centers. It shall be a separate area from the data collection and processing as well as from the IT office. The server room shall be marked as "Restricted" and shall only be accessible to authorized personnel. If the health facility cannot allot a space for the server room, at the minimum, a data cabinet shall be installed and restrictions in terms of access shall be provided.\\ |
| - | * The IT office shall be a separate room from the server room.\\ | + | |
| - | * If hospital/health facility cannot allot a place for a server room, at the minimum, a data cabinet shall be installed in lieu of the server room.\\ | + | //IT Room.// The IT room shall only be accessible to authorized personnel and to personnel involved during quality assurance monitoring. A designated IT personnel shall be tasked to handle the servers.\\ |
| - | * Clinics may use cloud computing while hospitals may use servers and put up server rooms.\\ | + | |
| - | * Only one person shall be in-charge of handling the servers.\\ | + | |
| **OTHER DEVICES**\\ | **OTHER DEVICES**\\ | ||
| - | * USB devices can only be used by limited offices. If possible, they should be prohibited.\\ | + | * Facility-registered electronic devices shall not be brought outside the premises of the health facility except under circumstances such as disasters and vaccinations or unless otherwise approved by the head of the facility. USB devices shall be limited to office use but as may be practical, shall not be used.\\ |
| - | * Any facility-registered electronic devices (USB,Cellular/Smart phones, laptops, cameras, etc) shall be confined and cannot be taken outside the hospital premises and should only be dedicated for hospital use. Exceptions include disaster, vaccination, among others.\\ | + | * Mobile devices used for job responsibilities are subject to audits even if an employee owns it.\\ |
| - | * Bringing of electronic devices (cellular/smart phones, laptops, tablets, etc) inside the medical records area is strictly prohibited.\\ | + | |
| - | * Devices not intended for handling patient information is not allowed to be used.\\ | + | |
| - | * Capturing patient data via camera phones/cameras shall not be permitted.\\ | + | |
| - | **OTHERS**\\ | + | * Capturing of patient data using camera phones and bringing of electronic devices such as cellular phones, laptops, tablets, and cameras inside the medical records area is strictly not allowed.\\ |
| - | * In case of machine/computer loss, the accounts in the computer system shall be deactivated until it is retrieved or reported. However, it would be best if the credentials in the system shall be reset.\\ | + | |
| **POINTS TO CONSIDER** | **POINTS TO CONSIDER** | ||
| * State provisions regarding setting-up of infrastructure where physical servers or data center of hospital information system shall be located. Applicability of the existing administrative order containing provisions on IHOMP shall be considered. Implementation of an off-site back-up shall be done if the aforementioned AO shall be affected by this proposed set of rules.\\ | * State provisions regarding setting-up of infrastructure where physical servers or data center of hospital information system shall be located. Applicability of the existing administrative order containing provisions on IHOMP shall be considered. Implementation of an off-site back-up shall be done if the aforementioned AO shall be affected by this proposed set of rules.\\ | ||
| + | (//We have to discuss whether we really want to specify in the IRR that setting up of infrastructure is required. I think it is sufficient to just specify the conditions that must be complied with. Part of this has already been developed by Kit's group.-IP//)\\ | ||