No. Question Answer IT Qualification Statement 1 SITE CONTACT

Transcription

1 SITE: Alfred Health Clinical Information System Summary of Key Questions in regards to Electronic Medical Records and Clinical Trials 1 SITE CONTACT 1.1 Name of Systems Administrator/ Security Contact/ Coordinator 2 PHYSICAL SECURITY 2.1 Is the system located in a secure area? 2.2 Are there procedures and controls for physical security, ensuring a controlled environment? 3 ACCESS SECURITY 3.1 Is access limited to authorised staff only? 3.2 Is the system passwordprotected? 3.3 Does each authorised individual have their own unique password? 3.4 Are there procedures and controls for user access security? 3.5 Is there a list of individuals authorised to access each function? Anne Mwagiru Chris Liew Manager, Application Development & Support (tel: a.mwagiru@alfred.org.au), responsible to meet with CernerWorks weekly to discuss operational performance. Information Technology Services (ITS) manages the system, and for the purpose of this audit, is represented by the Manager, Technology Risk & Information Security (tel: c.liew@alfred.org.au) The clinical information system that houses the patient data is remote-hosted in an offsite robust and secure data centre facilities. Physical access is managed by the remote host organisation, CernerWorks. See response to Q 2.1 above. Only authorised users are allowed into the system. Authorisation is via written request approved by department managers. The type of access commensurate with job duties. Access is also granted to honorary appointees authorised by the organisation. Only authorised users can access the system with their unique user name and password. Limited use of generic accounts is only to areas with compensating controls in place, after a risk assessment and special approval is provided. Each user is provided with an individual unique user name and password. The first time one logs in, the system prompts the user to change their password. See response to Q 3.1 to 3.3 above. The system also retains an audit trail of access to system components. A reporting tool can generate the list of individuals authorised for each position type. Date: Version 4.0 (28 Nov 2013) Page 1 of 6

2 3.6 Will the sponsor CRA (clinical research associate) be able to access the data for monitoring? A unique account can be created for the CRA to gain access to the data. Only consenting patients data can be accessed by the CRA. The process is managed by the clinical research coordinator, with a formal request form 3.7 Is the system capable of restricting the CRA s access to ONLY those patient records of sponsor trial participants? 4 BACKUPS & RECOVERY accompanied by an ethics certificate. The assignment of records to the CRA is carried out by the sponsoring department representative (clinical research coordinator). 4.1 Is the system backed up at regular intervals? 4.2 Are there adequate backup, recovery and contingency procedures for data and metadata? 4.3 Is the data in the system backed up (either via a network connection or external hard drive, for example) in case of system failure or loss of data at an appropriate frequency? 4.4 Are the backups kept in a separate, secure location? 4.5 Has the retrieval system been tested and is satisfactory? 4.6 Can this backup data be restored? 4.7 Has the restoration of backup data been tested? 4.8 How often are backups made? How long are they retained by the site? 5 AUDIT TRAIL 5.1 Does the computer system capture changes made to the data? Does an audit trail exist? na System backups including offsite storage to a secured environment. A standby database is synchronized to the production database approximately every 15 minutes. Recovery: Restore Computing System data as required. Testing: Test Cerner Technology Centre recovery procedures. Backups are also stored off-site. A DRP test was carried out in Dec-2012 as part of the Cerner Upgrade completion phase. Testing is part of the Testing: Test Cerner Technology Centre recovery procedures. See response to Q 4.6 above. To date, no clinical records have been purged from the system. All activities to the clinical information system including viewing and modifying records are logged. Reports are available to interrogate user access to specific patient information and system configuration changes. Old audit trail logs can be recovered from backup but requires a longer period to do so. Date: Version 4.0 (28 Nov 2013) Page 2 of 6

3 5.2 Is there a system-generated See response to Q 5.1 above. audit trail? 5.3 Is there an audit trail for See response to Q 5.1 above. capturing changes to information in the system? 5.4 Is the original information as well as the new information still available after the change is made? (Attach example if appropriate) 5.5 Are the audit trail entries date and time-stamped? See response to Q 5.1 above. (sample available) Clinical documentation into Powerforms retains a complete history of old and new data. All audit trail entries are logged based on activity with date and time stamp. 5.6 Does the audit trail indicate who made a change? 5.7 Is the audit trail protected from modification by users? 5.8 Are the audit trail and other security settings protected from being turned off? 5.9 Does the system contain complete records (data, metadata, audit trail, and, as applicable, e-signatures)? 5.10 Can the audit trail be easily viewed and copied? 5.11 If the software version changes, how will historical data be read? 5.12 Can data be modified once saved in the system? 5.13 Can anyone modify data after it is saved in the system? 5.14 Does the audit trail contain? o Old data value o New data value o Name of person making the change o Date & time of change 5.15 Are all changes retained by the system? No All transactions recorded in the audit trail have at least a user name, date/ time stamp and action. Only authorised personnel are allowed to access/ read the audit trail. It is a system function that is built by the software and protected even from the system administrators. This question is partially answered in A 5.1 above. As for e-signatures, the system log records the individual user name, date, and purpose for the signature. Some audit trails are viewable to end-users but only authorised personnel have access to the backend audit trail. Patient-specific audit tools are available to Health Information Services as they are responsible for the patient records. Software version changes do not impact the historical data. Historical data is still accessible. This requirement is important, as we keep all patient information from the commencement of the system (1999). An audit trail is maintained for all activity including modifications and a copy of the original data value is retained. See response to Q 5.12 above A sample can be provided on request. Date: Version 4.0 (28 Nov 2013) Page 3 of 6

4 6 DOCUMENTATION & TRAINING 6.1 If applicable, are operating instructions in place? 6.2 Is there documentation maintained on installation and training? 6.3 Is there documented training for persons that use and maintain the system? 6.4 Is the system documentation maintained appropriately? 6.5 If applicable, has validation been performed and documented. 6.6 Do you have system validation documentation? 6.7 Is there documentation maintained on system maintenance and upgrades? 7 RECORD COLLECTION, STORAGE & RETENTION Usage instructions and training material for end-users (documents and video format) are available in the intranet. Support instructions are available to the IT support staff in the internal department folders and wiki and on the vendor s website. The system also has an online Help Menu for end-users. Classroom training and one-on-one training sessions are scheduled regularly for end-users. Staff can book their training by phone or online. See response to Q 6.1 above. See response to Q 6.1 above. See response to Q 6.1 above. System testing is normally carried out in the development environment prior to implementation in the production environment. Change management is used to control changes made to production overseen by the Change Advisory Board (CAB). Data validation (eg, range checks, etc) is carried out during entry by end-users for data integrity. Validation is also conducted by Health Information Services as part of the batch scanning workflow. Regular reviews are conducted to ensure that end user access accounts are cleaned up and risk assessments are conducted. There are test plans and documentation for validation and user acceptance tests carried out for new systems and major system upgrades. This is to ensure the systems meet the required functional objectives. See response to Q above. 7.1 Is there a process to copy records for regulatory agency inspections? 7.2 What are your electronic record collection and retention practices? 7.3 Is there a policy for addressing the availability of data for a defined retention period? There is a process to allow auditor access to specific patients records. External Auditor access is managed by Health Information Services. As per Alfred Health Records Management and Archiving Policy (compliant with various Public Record Office Victoria VERS and Health Records Act). All patient records have been retained since See response to Q 7.2 above. Date: Version 4.0 (28 Nov 2013) Page 4 of 6

5 8 SYSTEMS & OPERATIONS SECURITY 8.1 Are the computer [system] date and time-controlled? 8.2 Are there procedures to manage and document changes to the system? 8.3 Is there protection from viruses, hackers, etc.? 8.4 Are there Device and/ or Operational Checks as appropriate? 9 ELECTRONIC SIGNATURE 9.1 Are electronic signatures used in the system? 9.2 Does the system allow signing of documents electronically? 9.3 If yes, how is the signing done? (eg, ID & password, electronic pen, fingerprint, ID card swipe, etc) 9.4 When a signature is applied to a record, is it protected from cutting and pasting to other records? 9.5 If e-signatures are used, are there written procedures to hold people accountable for their signature? 9.6 If e-signatures are used, do e-signatures include individual's name, date, and meaning of signature? 9.7 Are there unique identifiers and passwords to access the system? 9.8 Are there measures in place to keep passwords confidential (not shared)? See comments Time synchronisation exists across all integrated systems to ensure time-stamps are correct, and database records are sequenced correctly. This is also required for correct timestamp in the audit trail. There is a formal change management system that receives, manages, rejects or approves changes. Operational practices include version control and documentation within the codes. A robust industry-grade solution is in place with Intrusion Detection/ Protection System, and layered anti-malware security infrastructure. Operational checks, monitors and alerts are on-going to ensure the system is operational 24x7. We have a maintenance window once a month for two to four hours. Electronic signatures are required for electronic order management, referrals, point-of-care scanning and clinical documentation. Users are prompted to validate these actions by entering their password. See response to Q 9.1 above. User name & password See response to Q 9.1 above. This is deemed to be encapsulated in their employment contract, professional ethics and their acceptance of IT Acceptable Use Policy screen which places responsibility in the use of their individual User ID and password. The system logs records the individual's name, date, and meaning of signature. Each user is provided with an individual unique user name and password. The first time one logs in, the system prompts the user to change their password. The IT Security Policy mandates that passwords must not be shared. Password management policy and controls are enforced, eg, regular password change, lock-out on a number of unsuccessful attempts, etc. Date: Version 4.0 (28 Nov 2013) Page 5 of 6

6 9.9 Does the system automatically suspend or log off a user after a specified period of inactivity? This function is available in all areas, and is set to longer periods in physically secured locations, eg, ICU and E&TC and ED to facilitate operations Is access to certain functions controlled based upon the user's role (e.g., read, write, change, delete)? 9.11 Are electronic signatures protected from intentional or unintentional misuse? 9.12 Are the name of the signer and the meaning of the signature displayed? 9.13 When a signed record is altered, is the signature made invalid? 9.14 Is the signature printed (with signer s name, date & time when signature was done) on the document when it is printed? 10 OTHERS System access positions are aligned with job roles and a system access matrix is maintained for this purpose Account applications must stipulate the job position and discipline and be authorised by the end-user s department manager. Electronic signatures require the end-user to enter their unique user name and password. The action by the signer is stored in the system (using name and password) as a record of who carried out the action. The altered record must be re-signed. However, the system retains a complete audit trail of all electronic signatures. The system has several printing options including an option to print an audit trail including the author s details What source data is held on a computer for patients likely to participate in the study? na Original record within the clinical system is the source data. No data is extracted to an external computer for the purpose of the study. Consultation: Anne Mwagiru (Manager, Application Development & Support) David Field (Manager, IT Training) Gajan Varatharajan (Manager, Infrastructure) Chrisa Alexiou (Manager, Senior Operations HIS) Review prepared by Name: CHRIS LIEW Date 15/11/13 Designation: Manager, Technology Risk & Information Security Verified as correct based on the IT qualification statements <by > Name: ROSS BUCHANAN Designation: Director HIS <by > Name: EMILIO POZO Designation: Director ITS & CIO 15/11/13 Date 28/11/13 Date Date: Version 4.0 (28 Nov 2013) Page 6 of 6