Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
physical_security [2016/02/17 13:53] jillian_nadette_de_leon |
physical_security [2016/07/02 17:29] (current) jillian_nadette_de_leon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ##PHYSICAL SECURITY | ##PHYSICAL SECURITY | ||
| - | *Pre-deployment site assessment shall be conducted and the computers to be installed shall be fixed in one place and not portable.\\ | ||
| - | *The area for data collection and processing shall be separate from the server room.\\ | ||
| - | *The IT room shall only be accessible to authorized personnel and to personnel involved during quality assurance monitoring and HICC for monitoring.\\ | ||
| - | **COMPUTER ACCESS**\\ | + | **1. Inventory of Information Technology Physical Devices.**\\ |
| - | * Computer access shall be limited to authorized personnel only. Role-based system access shall be implemented and there shall only be one account per user. Having multiple accounts are not allowed.\\ | + | The IT personnel shall maintain and update an inventory of all information technology physical devices being used in the facility. The inventory shall include but not be limited to, on premise server equipment, firewall and security devices, client workstations, network devices, mobile devices, biometric and authentication devices, as well as other present and future information technology devices that may be relevant for the purposes of PHIE. \\ |
| - | * A person requesting for access to a computer shall fill-out a request form.\\ | + | |
| - | * Only applications for the hospital information system shall be installed in the computer system. Other applications, most especially social media applications are strictly not allowed.\\ | + | |
| - | **SERVERS**\\ | + | **2. Access to Physical Infrastructure**\\ Access to the IT physical infrastructure of the health facility shall be limited to authorized personnel, which will be defined by the participating health care provider. Any special access to the physical infrastructure shall be documented thoroughly. Any unauthorized access to the IT physical infrastructure shall also be documented and escalated to the appropriate decision makers for further investigation and action. \\ |
| - | *The server room shall be a separate room from the IT office and a designated person shall be tasked to handle the servers.\\ | + | |
| - | * The health facility/hospital shall provide a designated area for the housing of servers or data centers. This area is to be marked as "Restricted" and shall only be accessible to authorized personnel. If the health facility/hospital cannot allot a space for the server room, at the minimum, a data cabinet shall be installed.\\ | + | |
| - | * For smaller health facilities/clinics, they may use cloud computing while hospitals use servers.\\ | + | |
| - | **OTHER DEVICES**\\ | + | **2.1. Server Access.** The health facility may choose to have either an on premise server, a cloud server environment, or a combination of the two. Cloud technology is discussed separately under the cloud services section of this document. Should the health facility choose an on premise server, it shall provide a designated area for the housing of servers or data centers. It shall be a separate room from the data collection and processing as well as from the office of the IT personnel. The server room shall be marked as "Restricted" and shall only be accessible to authorized personnel. The server room shall comply with the physical security ISO 27001 standards.\\ |
| - | * USB devices can only be used by limited offices. If possible, they should be prohibited.\\ | + | |
| - | * Any facility-registered electronic devices (USB,Cellular/Smart phones, laptops, cameras, etc) shall be confined and cannot be taken outside the hospital premises and should only be dedicated for hospital use. Exceptions include disaster, vaccination, among others.\\ | + | |
| - | * Bringing of electronic devices (cellular/smart phones, laptops, tablets, etc) inside the medical records area is strictly prohibited.\\ | + | |
| - | * Devices not intended for handling patient information is not allowed to be used.\\ | + | |
| - | * Capturing patient data via camera phones/cameras shall not be permitted.\\ | + | |
| - | **OTHERS**\\ | + | **2.2. Computer Access.** Pre-deployment site assessment shall be conducted prior to installation of computer workstations in the health facility. Computers shall be accessible to authorized personnel only and role-based system access shall be implemented. Each user shall have on account only. Multiple accounts per user are not allowed. A person requesting for access to a computer shall fill-out a request form. \\ |
| - | * In case of machine/computer loss, the accounts in the computer system shall be deactivated until it is retrieved or reported. However, it would be best if the credentials in the system shall be reset.\\ | + | |
| - | **POINTS TO CONSIDER** | + | Anti-glare filters on computer monitors shall be installed. This will not only help reduce glare, but also prevent anyone from seeing what is on the screen unless directly in front of the computer.\\ |
| - | * State provisions regarding setting-up of infrastructure where physical servers or data center of hospital information system shall be located. Applicability of the existing administrative order containing provisions on IHOMP shall be considered. Implementation of an off-site back-up shall be done if the aforementioned AO shall be affected by this proposed set of rules.\\ | + | |
| - | (//We have to discuss whether we really want to specify in the IRR that setting up of infrastructure is required. I think it is sufficient to just specify the conditions that must be complied with. Part of this has already been developed by Kit's group.-IP//)\\ | + | |
| + | **2.3. Computer Loss.** In case of computer loss, the accounts in the computer system shall be reset and deactivated until it is retrieved or reported. The privacy officer shall implement security incident procedures and contingency plans for such events.\\ | ||
| - | - | + | **3. Bringing of devices outside the health facility. ** Facility-registered devices shall not be brought outside the premises of the health facility except under circumstances where the point of patient encounter is outside the health facility, such as but not limited to, vaccinations, remote visits, and other community-oriented activities outside the health facility. In such cases where the devices are brought out of the health facility, proper documentation and security check shall be ensured. At the minimum, the following security components should be in place for the device brought out of the facility:\\ |
| + | 1. Hard disk encryption.\\ | ||
| + | 2. Data encryption.\\ | ||
| + | 3. Wireless network encryption.\\ | ||
| + | 4. Role-based access control.\\ | ||
| + | 5. Anti-virus software for vulnerable operating systems.\\ | ||
| + | 6. Password-protected user access that complies with facility password policies.\\ | ||
| + | 7. Encrypted portable devices such as but not limited to, USB drives, secure digital (SD) card drives, re-writable CD, and other present and future devices.\\ | ||
| + | |||
| + | **4. Bring-your-own-device (BYOD).** Mobile and portable devices that are property of the health facility personnel may be allowed by the health facility, provided that the facility implements strict policies for access, processing, storage, transmission and output of information that may have implications over patient privacy and health information security.\\ | ||
| + | |||
| + | **4.1. Agreement.** A signed usage agreement has to be submitted by the owner of the BYOD prior to using the device for handling health data and information.\\ | ||
| + | |||
| + | **4.2. Training.** BYOD users shall undergo annual security training.\\ | ||
| + | |||
| + | **4.3. Configuration.** The health facility IT personnel shall implement a mechanism that would create an audit trail of system activity by the BYOD user, including log-in attempts, security incidents, and attempts to access files containing personally identifiable information. The mechanism shall also have a provision for remote access by the IT personnel, in such events that privacy of health data and information are compromised. \\ | ||
| + | |||
| + | **4.4. Device Requirements.** The privacy officer shall approve a checklist of requirements for the BYOD to comply before being certified as usable for the access of health information. At the minimum, the device shall have the following:\\ | ||
| + | 1. Hard disk encryption.\\ | ||
| + | 2. Data encryption.\\ | ||
| + | 3. Wireless network encryption.\\ | ||
| + | 4. Role-based access control.\\ | ||
| + | 5. Anti-virus software for vulnerable operating systems.\\ | ||
| + | 6. Password-protected user access that complies with facility password policies.\\ | ||
| + | 7. Encrypted portable devices such as but not limited to, Flash Drives, secure digital (SD) card drives, re-writable CD, and other present and future devices.\\ | ||
| + | |||
| + | Mobile devices used for job responsibilities are subject to audits even if an employee owns it.\\ | ||
| + | |||
| + | Capturing of patient data using camera phones and bringing of unauthorized electronic devices such as cellular phones, laptops, tablets, and cameras inside the medical records area is strictly not allowed.\\ | ||
| + | |||
| + | **5. Business continuity and Disaster recovery.** The health facility shall implement policies for business continuity and disaster recovery.\\ | ||
| + | |||
| + | **5.1. Physical backup.**A data backup plan has to be implemented to create and maintain exact copies of the system for handling health information. The backup medium must be defined, and the interval of backup stated. The backup must also be tested for data validity and integrity. Physical backups shall be encrypted and stored outside the health facility and additional physical security measures shall be in place for accessing and securing the physical backups. In such case that a disaster occurs, the privacy officer shall have a disaster recovery team that can be organized quickly and have a protocol in place for data recovery. \\ | ||
| + | |||
| + | **5.2. Business Continuity.** Business continuity has to be ensured even in place of disasters. The privacy officer shall have identified a minimum set of data requirements for maintaining the health facility processes for their services. The health facility shall also have the ability to transition from “emergency-mode” services, to full services. Hence, the policies for encoding data outside the full services mode shall be in place. \\ | ||
| + | |||
| + | Events that took place in times of disaster recovery and business continuity shall be documented and reviewed, with updates implemented according to best practices and lessons learned during the disaster period.\\ | ||
| ##See Also | ##See Also | ||
| * [[consolidated_workshop_outputs|Consolidated Workshop Outputs]] | * [[consolidated_workshop_outputs|Consolidated Workshop Outputs]] | ||