
TECHNICAL SAFEGUARDS

ACCESS CONTROLS

  • Standard user IDs shall be given to each staff member whose work entails the need to access or process health information.
  • User IDs of employees/staff who are on extended leave of absence shall be disabled until they return to work.
  • There shall be a three-way process for authentication of users: something they know (password), something they have (secure token), and something they are (biometrics).
  • The last user ID that logged in must not be displayed on the log-in screen.
  • There shall be an automatic screen or keyboard locking after 5 minutes of inactivity.

DATA PROTECTION

  • Data on many computer devices can be damaged by being moved, knocked or even when turned off. If there is a hard disk, the heads on the drive should be “parked” before moving the system to avoid destroying stored information (devices with solid state drives have a different system and are less vulnerable to movement).
  • Due to the different variations of computers and types of connections, it is important to seize all the different cables and chargers for the seized equipment.
  • Antivirus software must be installed on every computer possible. The software needs to be configured to regularly and automatically download updates for the latest threats.
  • Complete back-ups of the system shall be done periodically: once a month or every few months.
  • Back-up data tapes shall not be stored near a computer monitor or uninterruptible power supply; the electromagnetic interference coming from these devices can corrupt the data on them or completely delete it.

CONFIGURATION MANAGEMENT

  • It is important to document how the computer system is organized to know when and how to disconnect additional pieces of equipment such as telephone modems, auto-dialers, and printers from the system. Otherwise, important information can be lost.
  • Database maintenance and administration shall only be done by database experts or users that received formal training.
  • The Database and Network Administrator of the PHIE group shall conduct regular monitoring of the databases and networks of health facilities, ensuring that health facilities comply with the following:

a. Information uploaded shall be limited for the intended purpose only.
b. Data back-ups, both off-site and in the cloud, are done twice a day and must have multiple back-up mechanisms. Data during back-up shall be encrypted and password protected.
c. Passwords shall be changed every 3 to 6 months and shall have a minimum of 8 alphanumeric characters.
d. An activity history of users shall be maintained and audited regularly.
e. When a computer system is not accessed within minutes, there shall be interface auto-closure.

POINTS TO CONSIDER

  • The minimum server configuration shall be specified.
  • Provide detailed and specific protocols on encryption (e.g. encryption of data at rest).

(Specific technical requirements should ideally be developed by DOST-ICTO.)

  • Security features shall be incorporated in the system requirements.
  • HIS should only be for recording and record keeping, but access to the medical records should be under the MRS.

Cloud Services



