Standards and Guidelines for Electronic Medical Record Systems in ...

More documents

Recommendations

Info

The recommendations in this section are derived from the ISO 27799 15 and ISO/IEC 27002 16 standards. Both offer guidance on how best to protect the confidentiality of personal health information. Reference is made to the UNAIDS interim guidelines. 6 This document, Volume 1 of the Standards and Guidelines for EMR Systems in Kenya, is limited to defining how information security can be in-built into EMR systems. Requirements EMR systems must have in-built security controls including: 1. Access Control 2. Audit Trails and 3. Back up procedures Implementation Guidance Access Control This is a system of controlling entry and use of the EMR system, in part or in its entirety. Depending on one’s assigned roles and responsibilities, access can be limited to specific areas such as reports or the performance of specific functions, such as viewing, editing or deleting patient data. · EMR systems must provide a means to authenticate user identity using a user name and password before enabling the user to perform any functions. The system should allow for the allocation of area-specific access rights. . · Password length should be a minimum of six characters. Where feasible, 10-12 characters strengthen password security. The length of the password shall be enforced by the system. · User account passwords should be changed every ninety days at minimum. The system shall automatically enforce the regular changing of passwords. 15 Health informatics — Information security management in health using ISO/IEC 27002 16 Information technology — Security techniques — Code of practice for information security management Standards and Guidelines for Electronic Medical Records Systems in Kenya 29
· Users on special function accounts that perform privileged functions (system administrator, security administrator, etc.) should change their password at least every 30 days. · The EMR system should have a timed lock-out/screen blanking mechanism, which automatically engages after no more than ten minutes of inactivity or when manually invoked. · Confidential information residing on a fixed disk should exist in encrypted form to avoid compromise by unauthorized persons. EMR systems may have built-in encryption protocols. · The system may enforce that the same password is not reused by a given account for a period of one year. · The EMR system shall terminate a login session and disable a user account after a maximum of three consecutive invalid login attempts. Audit Trails An audit trail/audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. The EMR systems must log audit trails as evidence of user transactions within the system. Audit trail records should be captured for all levels of access. These records, at a minimum, must include the following: 1. Date and time of the event 2. User ID or name 3. Type of event and the success or failure of that event Defined significant security events must be logged and include: 1. Multiple failed logons; 2. Access at unusual times or from unusual locations 3. Sudden unexpected increases in volume 4. Significant computer system events (e.g., configuration updates, system crashes) Audit logs will be reviewed frequently to allow detection of unauthorized events before a significant loss has occurred. Standards and Guidelines for Electronic Medical Records Systems in Kenya 30
Page 1 and 2: Ministry of Medical Services Minist
Page 4 and 5: Acknowledgements This initial publi
Page 6 and 7: Change Management Process .........
Page 8 and 9: Architecture Enterprise Architectur
Page 10 and 11: and without the ability to share pa
Page 12 and 13: Purpose of this document This docum
Page 14 and 15: Globally, several organizations hav
Page 16 and 17: will be reviewed by the technical w
Page 18 and 19: Section Introduction The section de
Page 20 and 21: The above listed documentation requ
Page 22 and 23: Clinical Decision Support This refe
Page 24 and 25: H = Requirements. These items tare
Page 26 and 27: 4.3. System has the capability to r
Page 28 and 29: 10.2. System has the capability of
Page 30 and 31: 16. Children’s Health 16.1. Syste
Page 34 and 35: Backup Backup is the procedure for
Page 36 and 37: Case Example: Building an EMR syste
Page 38 and 39: o Date medically eligible to start
Page 40 and 41: o Height o Blood pressure o BMI Whe
Page 42 and 43: · Form 711 - Cross-sectional quart
Page 44 and 45: Section Introduction Within the hea
Page 46 and 47: Data Transmission Protocols There a
Page 48 and 49: i. EMR systems ii. Patient Identifi
Page 50 and 51: Summary Primary Actor Secondary Act
Page 52 and 53: Use Case Title Summary Primary Acto
Page 54 and 55: Business Rules Pre-condition(s) Cor
Page 56 and 57: Section Introduction The implementa
Page 58 and 59: Requirements 1. Servers and worksta
Page 60 and 61: informatics skills in order to effe
Page 62 and 63: competencies will be of greater use
Page 64 and 65: esponsible for utilizing the inform
Page 66 and 67: expertise, this cadre is also likel
Page 68 and 69: Data Quality and Confidentiality Id
Page 70 and 71: Demonstrate use of mouse functions
Page 72 and 73: Health facility management plays a
Page 74 and 75: A locally stored backup log should
Page 76 and 77: · User related issues could also b
Page 78 and 79: Upgrade Scheduling The EMR system n
Page 80 and 81: Monitoring is an ongoing, continuou
Page 82 and 83:
down these alerts on a notification
Page 84 and 85:
Hardware requirements Other infrast
Page 86 and 87:
System Costs, Ownership and Sustain
Page 88 and 89:
their health records upon request o
Page 90 and 91:
A. Sample EMR Implementation Plan E
Page 92 and 93:
deployment of the EMR (i.e. change
Page 94 and 95:
C. EMR Readiness Assessment Checkli
Page 96 and 97:
Is there a computer at each point o
Page 98 and 99:
D. Security Policy Template Documen
Page 100 and 101:
1.9 Employees shall not access, sto
Page 102 and 103:
E. Information Asset Inventory Name
Page 104 and 105:
G. Sample Service Level Agreement T
Page 106 and 107:
• Determine appropriate incident
Page 108 and 109:
H. Sample EMR Monitoring and Evalua
Page 110 and 111:
Strongly agree Agree Disagree Stron
Page 112 and 113:
Functional areas Attributes Compone
Page 114 and 115:
Functional areas Attributes Compone
show all

Standards and Guidelines for Electronic Medical Record Systems in ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?