
TECHNICAL SAFEGUARDS

ACCESS CONTROLS

  • Standard user IDs shall be given to each staff member whose work entails the need to access or process health information.
  • Passwords shall have the following characteristics: a minimum of eight characters in length, with upper case, lower case and special characters.
  • User IDs of employees/staff who are on extended leave of absence shall be disabled until they return to work.
  • There shall be a three-way process for authentication of users: something they know (password), something they have (secure token), and something they are (biometrics).
  • The last user ID that logged in must not be displayed on the log-in screen.
  • There shall be an automatic screen or keyboard locking after 5 minutes of inactivity.

DATA PROTECTION

  • Data on many computer devices can be damaged by being moved, knocked or even when turned off. If there is a hard disk, the heads on the drive should be “parked” before moving the system to avoid destroying stored information (devices with solid state drives have a different system and are less vulnerable to movement).
  • Due to the different variations of computers and types of connections, it is important to seize all the different cables and chargers for the seized equipment.
  • Antivirus software must be loaded on every computer possible. The software needs to be configured to download updates for the latest threats regularly and automatically.
  • Complete back-ups of the system shall be done periodically, once a month or every few months.
  • Back-up data tapes shall not be stored near a computer monitor or uninterruptible power supply; the electromagnetic interference coming from these devices can corrupt the data on the tapes or erase it completely.

CONFIGURATION MANAGEMENT

  • It is important to document how the computer system is organized to know when and how to disconnect additional pieces of equipment such as telephone modems, auto-dialers, and printers from the system. Otherwise, important information can be lost.
  • There shall be regular monitoring and maintenance of the databases and networks of health facilities, to be conducted by the Database and Network administrator of the PHIE group.

POINTS TO CONSIDER

  • The minimum server configuration shall be specified.
  • Provide detailed and specific protocols on encryption (e.g. encryption of data at rest).

(Specific technical requirements should ideally be developed by DOST-ICTO.)

  • Security features shall be incorporated in the system requirements.
  • HIS should only be for recording and record keeping, but access to the medical records should be under the MRS.

Cloud Services

