**This is an old revision of the document!**

TECHNICAL SAFEGUARDS

ACCESS CONTROLS

  • Standard user IDs shall be given to each staff member whose work entails the need to access or process health information.
  • There shall be a three-way process for authentication of users: something they know (password), something they have (secure token), and something they are (biometrics).
  • Passwords shall have the following characteristics: a minimum of eight characters in length, with an upper-case letter, a lower-case letter and a special character.
  • The last user ID that logged in must not be displayed on the log-in screen.
  • There shall be an automatic screen or keyboard locking after 5 minutes of inactivity.

Leave of Absence

  • User IDs of employees/staff who are on extended leave of absence shall be disabled until they return to work.
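
The ACCESS CONTROLS and Leave of Absence rules above can be checked mechanically against an inventory export. The following is an added example, not part of the original policy; the record fields (user_id, enabled, on_leave, factors, host, idle_lock_minutes, shows_last_user) and the sample inventory are assumptions constructed for illustration.

```python
import string

MIN_LENGTH = 8                 # "minimum of eight characters in length"
MAX_IDLE_LOCK_MINUTES = 5      # "locking after 5 minutes of inactivity"
REQUIRED_FACTORS = {"password", "token", "biometric"}  # know / have / are

def password_violations(password):
    """Return the composition rules from the policy that `password` fails."""
    checks = [
        (len(password) >= MIN_LENGTH, "shorter than 8 characters"),
        (any(c.isupper() for c in password), "no upper-case letter"),
        (any(c.islower() for c in password), "no lower-case letter"),
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [message for passed, message in checks if not passed]

def account_findings(account):
    """Check one account record (hypothetical schema) against the user ID rules."""
    findings = []
    if account["on_leave"] and account["enabled"]:
        findings.append("user ID still enabled during extended leave")
    missing = REQUIRED_FACTORS - set(account["factors"])
    if missing:
        findings.append("missing factor(s): " + ", ".join(sorted(missing)))
    return findings

def workstation_findings(ws):
    """Check one workstation record (hypothetical schema) against the log-in rules."""
    findings = []
    lock = ws["idle_lock_minutes"]  # None means no automatic lock is configured
    if lock is None or lock > MAX_IDLE_LOCK_MINUTES:
        findings.append("no automatic lock within 5 minutes of inactivity")
    if ws["shows_last_user"]:
        findings.append("log-in screen displays the last user ID")
    return findings

# Constructed sample inventory, not data from any real facility.
ACCOUNTS = [
    {"user_id": "nurse01", "enabled": True, "on_leave": False, "factors": set(REQUIRED_FACTORS)},
    {"user_id": "clerk02", "enabled": True, "on_leave": True, "factors": {"password", "token"}},
]
WORKSTATIONS = [
    {"host": "ward-pc-1", "idle_lock_minutes": 5, "shows_last_user": False},
    {"host": "records-pc-2", "idle_lock_minutes": 15, "shows_last_user": True},
]

def audit():
    rows = [(a["user_id"], account_findings(a)) for a in ACCOUNTS]
    rows += [(w["host"], workstation_findings(w)) for w in WORKSTATIONS]
    return {name: found for name, found in rows if found}  # compliant entries omitted
```

Calling audit() returns only the non-compliant user IDs and hosts, each with the rule it breaks.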

DATA PROTECTION

  • Data on many computer devices can be damaged by being moved, knocked or even turned off. If there is a hard disk, the heads on the drive should be “parked” before moving the system to avoid destroying stored information (devices with solid state drives have a different system and are less vulnerable to movement).
  • Due to the different variations of computers and types of connections, it is important to seize all the different cables and chargers for the seized equipment.
  • Antivirus software must be loaded on every computer possible. The software needs to be configured to regularly and automatically download updates for the latest threats.
  • Complete back-ups of the system shall be done periodically: once a month or every few months.
  • Back-up data tapes shall not be stored near a computer monitor or uninterruptible power supply; the electromagnetic interference coming from these devices can corrupt data on them or completely delete them.

CONFIGURATION MANAGEMENT

  • It is important to document how the computer system is organized to know when and how to disconnect additional pieces of equipment such as telephone modems, auto-dialers, and printers from the system. Otherwise, important information can be lost.
  • There shall be regular monitoring and maintenance of the databases and networks of health facilities, to be conducted by the Database and Network administrator of the PHIE group.

POINTS TO CONSIDER

  • The minimum server configuration shall be specified.
  • Provide detailed and specific protocols on encryption (e.g. encryption of data at rest).

(Specific technical requirements should ideally be developed by DOST-ICTO.)

  • Security features shall be incorporated in the system requirements.
  • HIS should only be for recording and record keeping, but access to the medical records should be under the MRS.

Cloud Services

Notes re: cloud computing

  • Cloud computing risks can be divided into six areas:

(1) Data Security and Controls: Providers must assess the strength of the cloud vendor's internal controls to protect the confidentiality, integrity and availability of the electronic personal health information.
(2) Data Transmission: Data may be transmitted via the Internet or wireless networks. Is there adequate encryption? Is there a defined service level agreement for data transmission, and does your organization have the correct tools in place to assess compliance?
(3) Multitenancy: This requires health care organizations to consider the possible commingling of data on shared hardware. Auditors should determine if data is properly segregated on the cloud and if the cloud operator has adequate controls to protect data both in storage and during transmission.
(4) Location: Auditors should be aware of all locations maintained or contracted for by the cloud operator and guard against the risk that a cloud operator could unilaterally move the data to another location without first informing the health care organization.
(5) Reliability: Health care organizations face the risk that resources may not be available when they're needed. Auditors should assess a cloud company's ability to scale its systems to meet short-term surges in demand, as well as long-term growth. They also should determine when the cloud operator typically conducts system maintenance and installs upgrades to ensure data is available during peak business hours.
(6) Sustainability: Auditors should determine the adequacy of a cloud provider's disaster recovery and business continuity plans to understand how operations will continue if the cloud is out of service. Health care organizations should also have a plan for moving data if the cloud provider goes out of business or for when the contract ends. They should also assess the risk of the cloud provider being unwilling or unable to return data.

