TECHNICAL SAFEGUARDS
ACCESS CONTROLS
- Standard user IDs shall be given to each staff member whose work entails the need to access or process health information.
- User IDs of employees/staff who are on extended leave of absence shall be disabled until they return for work.
- There shall be a three-way process for authentication of users: something they know (password), something they have (secure token), and something they are (biometrics).
- The last user ID that logged in must not be displayed on the log-in screen.
- There shall be an automatic screen or keyboard locking after 5 minutes of inactivity.
DATA PROTECTION
- Data on many computer devices can be damaged by being moved, knocked, or even turned off. If there is a hard disk, the heads on the drive should be “parked” before moving the system to avoid destroying stored information (devices with solid state drives have a different system and are less vulnerable to movement).
- Due to the different variations of computers and types of connections, it is important to seize all the different cables and chargers for the seized equipment.
- Antivirus software must be loaded in every computer possible. The software needs to be configured to regularly and automatically download updates for the latest threats.
- Complete back-ups of the system shall be done periodically: once a month or every few months.
- Back-up data tapes shall not be stored near a computer monitor or uninterruptible power supply; the electromagnetic interference coming from these devices can corrupt the data on the tapes or completely delete it.
CONFIGURATION MANAGEMENT
- It is important to document how the computer system is organized to know when and how to disconnect additional pieces of equipment such as telephone modems, auto-dialers, and printers from the system. Otherwise, important information can be lost.
- Database maintenance and administration shall only be done by database experts or users that received formal training.
- The Database and Network Administrator of the PHIE group shall conduct regular monitoring of the databases and networks of health facilities to ensure that health facilities comply with the following:
a. Information uploaded shall be limited for the intended purpose only.
b. Data back-ups, both off-site and in the cloud, are done twice a day and must have multiple back-up mechanisms. Data during back-up shall be encrypted and password protected.
c. Passwords shall be changed every 3 to 6 months and shall have a minimum of 8 alphanumeric characters.
d. An activity history of users shall be maintained and audited regularly.
e. When a computer system is not accessed within minutes, there shall be interface auto-closure.
POINTS TO CONSIDER
- The minimum server configuration shall be specified.
- Provide detailed and specific protocols on encryption (e.g. encryption of data at rest).
(Specific technical requirements should ideally be developed by DOST-ICTO.)
- Security features shall be incorporated in the system requirements.
- HIS should only be for recording and record keeping, but access to the medical records should be under the MRS.
Cloud Services