TECHNICAL SAFEGUARDS

ACCESS CONTROLS

  • A standard user ID shall be issued to each staff member whose work requires access to or processing of health information.
  • Authentication of users shall use a three-factor process: something they know (password), something they have (secure token), and something they are (biometrics).
  • Passwords shall be at least eight characters long and shall contain at least one upper-case letter, one lower-case letter and one special character.
  • The last user ID that logged in must not be displayed on the log-in screen.
  • The screen or keyboard shall lock automatically after 5 minutes of inactivity.

Leave of Absence

  • User IDs of employees/staff who are on extended leave of absence shall be disabled until they return for work.
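The Access Controls and Leave of Absence rules above, turned into an audit check as an added example (this is not part of the original policy document). The `Account` record, the `Workstation` settings dictionary and all sample values are constructed for illustration; the checks encode exactly the thresholds the policy states (eight-character passwords with upper, lower and special characters, three authentication factors, a 5-minute lock, no last-user display, disabled accounts during extended leave).

```python
import re
from dataclasses import dataclass, field

# Constructed account record (assumption: not a format the policy defines).
@dataclass
class Account:
    user_id: str
    enabled: bool
    on_extended_leave: bool
    factors: set = field(default_factory=set)  # e.g. {"password", "token", "biometric"}

REQUIRED_FACTORS = {"password", "token", "biometric"}
MAX_LOCK_MINUTES = 5
MIN_PASSWORD_LENGTH = 8

def password_findings(pw: str) -> list:
    """Return the policy requirements a candidate password fails (empty list = compliant)."""
    findings = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        findings.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        findings.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        findings.append("no lower-case letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("no special character")
    return findings

def account_findings(acct: Account) -> list:
    """Check one account against the authentication and leave-of-absence rules."""
    findings = []
    missing = REQUIRED_FACTORS - acct.factors
    if missing:
        findings.append("missing authentication factor(s): " + ", ".join(sorted(missing)))
    if acct.on_extended_leave and acct.enabled:
        findings.append("on extended leave but user ID is still enabled")
    return findings

def workstation_findings(settings: dict) -> list:
    """Check constructed workstation settings: inactivity lock and last-user display."""
    findings = []
    lock = settings.get("lock_after_minutes")
    if lock is None or lock <= 0 or lock > MAX_LOCK_MINUTES:
        findings.append("inactivity lock missing or longer than 5 minutes")
    if settings.get("show_last_user", True):
        findings.append("last logged-in user ID is displayed on the log-in screen")
    return findings
```

Running the three functions over an export of accounts and workstation settings gives a per-item list of policy deviations that can be fed into a periodic compliance report.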

DATA PROTECTION

  • Data on many computer devices can be damaged by being moved, knocked or even when turned off. If there is a hard disk, the heads on the drive should be “parked” before moving the system to avoid destroying stored information (devices with solid state drives have a different system and are less vulnerable to movement).
  • Because computers and their connection types vary widely, it is important to seize all of the cables and chargers belonging to seized equipment.
  • Antivirus software must be installed on every computer where possible. The software shall be configured to download updates for the latest threats automatically and regularly.
  • Complete back-ups of the system shall be done periodically: once a month or every few months.
  • Back-up data tapes shall not be stored near a computer monitor or an uninterruptible power supply; the electromagnetic interference from these devices can corrupt the data on the tapes or erase it completely.

CONFIGURATION MANAGEMENT

  • It is important to document how the computer system is organized to know when and how to disconnect additional pieces of equipment such as telephone modems, auto-dialers, and printers from the system. Otherwise, important information can be lost.
  • Regular monitoring and maintenance of the databases and networks of health facilities shall be conducted by the Database and Network Administrator of the PHIE group.

POINTS TO CONSIDER

  • The minimum server configuration shall be specified.
  • Provide detailed and specific protocols on encryption (e.g. encryption of data at rest).

(Specific technical requirements should ideally be developed by DOST-ICTO.)

  • Security features shall be incorporated in the system requirements.
  • HIS should only be for recording and record keeping, but access to the medical records should be under the MRS.

Cloud Services

Proposed Rules for Cloud Services

  • For cloud service providers, appropriate audit mechanisms and tools should be in place to determine how data is stored, protected, and used, to validate services and to verify policy enforcement. A risk management program should also be in place that is flexible enough to deal with the continuously evolving and shifting risk landscape.
  • The cloud provider's electronic discovery capabilities and processes must not compromise the privacy or security of the data and applications of the health facility.
  • Health facilities shall ensure that they have knowledge of a cloud provider's security measures to conduct risk management.
  • Health facilities should understand the privacy and security controls of the cloud service, establish adequate arrangements in the service agreement, making any needed adjustments, and monitor compliance of the service controls with the terms of the agreement.
  • Adequate and secure network communications infrastructure shall be in place.

Contract/agreement between health facility and cloud provider:

  • The health care facility's ownership rights over the data must be firmly established in the service contract as the basis of trust and privacy of data. In so far as practicable, the contract between the health care facility and the cloud service provider should state clearly that the health facility retains ownership over all its data; that the cloud provider acquires no rights or licenses throughout the agreement, including intellectual property rights or licenses, to use the health facility's data for its own purposes; and that the cloud provider does not acquire and may not claim any interest in the data on security grounds.
  • Service agreements should include some means for the health facility to gain visibility into the security controls and processes employed by the cloud provider and their performance over time. Ideally, the health facility will have control over aspects of the means of visibility to accommodate its needs, such as the threshold for alerts and notifications, and the level of detail and schedule of reports.
  • Contracts/agreements shall clarify the types of metadata collected by the cloud provider, the protection afforded the metadata, and the organization's rights over metadata, including ownership, opting out of collection or distribution and fair use.
  • Health care providers must understand the technologies the cloud provider uses to provision services and the implications the technical controls involved have on security and privacy of the system throughout its lifecycle. The underlying system architecture of a cloud can be decomposed and mapped to a framework of security and privacy controls that can be used to assess and manage risk.

Composite Services

  • Cloud services that use third-party cloud providers to outsource or subcontract some of their services should specify the scope of control of the third party, responsibilities involved, and the remedies and recourse available should problems occur.

Notes re: cloud computing

  • Cloud computing risks can be divided into six areas:

(1) Data Security and Controls: Providers must assess the strength of the cloud vendor's internal controls to protect the confidentiality, integrity and availability of electronic personal health information.
(2) Data Transmission: Data may be transmitted via the Internet or wireless networks. Is there adequate encryption? Is there a defined service level agreement for data transmission, and does your organization have the correct tools in place to assess compliance?
(3) Multitenancy: This requires health care organizations to consider the possible commingling of data on shared hardware. Auditors should determine whether data is properly segregated on the cloud and whether the cloud operator has adequate controls to protect data both in storage and during transmission.
(4) Location: Auditors should be aware of all locations maintained or contracted for by the cloud operator and guard against the risk that a cloud operator could unilaterally move the data to another location without first informing the health care organization.
(5) Reliability: Health care organizations face the risk that resources may not be available when they are needed. Auditors should assess a cloud company's ability to scale its systems to meet short-term surges in demand as well as long-term growth. They should also determine when the cloud operator typically conducts system maintenance and installs upgrades, to ensure data is available during peak business hours.
(6) Sustainability: Auditors should determine the adequacy of a cloud provider's disaster recovery and business continuity plans to understand how operations will continue if the cloud is out of service. Health care organizations should also have a plan for moving data if the cloud provider goes out of business or when the contract ends. They should also assess the risk of the cloud provider being unwilling or unable to return data.
