TECHNICAL SAFEGUARDS
ACCESS CONTROLS
- Standard user IDs shall be given to each staff member whose work entails the need to access or process health information.
- Passwords shall have the following characteristics: a minimum of eight characters in length, with upper-case, lower-case and special characters.
- User IDs of employees/staff who are on extended leave of absence shall be disabled until they return to work.
- There shall be a three-way process for authentication of users: something they know (password), something they have (secure token), and something they are (biometrics).
- The last user ID that logged in must not be displayed on the log-in screen.
- There shall be an automatic screen or keyboard locking after 5 minutes of inactivity.
DATA PROTECTION
- Data on many computer devices can be damaged when the device is moved, knocked or even turned off. If there is a hard disk, the heads on the drive should be “parked” before moving the system to avoid destroying stored information (devices with solid state drives have a different system and are less vulnerable to movement).
- Due to the different variations of computers and types of connections, it is important to seize all the different cables and chargers for the seized equipment.
- Antivirus software must be loaded on every computer possible. The software needs to be configured to regularly and automatically download updates for the latest threats.
- Complete back-ups of the system shall be done periodically: once a month or every few months.
- Back-up data tapes shall not be stored near a computer monitor or uninterruptible power supply; the electromagnetic interference coming from these devices can corrupt the data on the tapes or completely delete it.
CONFIGURATION MANAGEMENT
- It is important to document how the computer system is organized to know when and how to disconnect additional pieces of equipment such as telephone modems, auto-dialers, and printers from the system. Otherwise, important information can be lost.
- There shall be regular monitoring and maintenance of the databases and networks of health facilities, to be conducted by the Database and Network administrator of the PHIE group.
POINTS TO CONSIDER
- The minimum server configuration shall be specified.
- Provide detailed and specific protocols on encryption (e.g. encryption of data at rest).
(Specific technical requirements should ideally be developed by DOST-ICTO.)
- Security features shall be incorporated in the system requirements.
- HIS should only be for recording and record keeping, but access to the medical records should be under the MRS.
Cloud Services