Practitioners and patients using the eHR™.ZA system rely upon the information held, managed and accessed on computers, networks and electronic media. They need ready access to the information that they depend on. They also need to know that the information is what it is intended to be — that it has not been tampered with — and they need reasonable assurances that confidential information has remained confidential.
We are also conscious, however, of the threats to the availability, integrity and confidentiality of electronic information. These threats derive from failures of computer hardware or software, from harmful computer viruses or similar malicious pieces of software, or from malevolent human acts. The potential for such damage, particularly malicious damage, means that controls need to be placed on the use of and access to information on the eHR™.ZA.
On the other hand, it is important that the eHR™.ZA system be made as easy to use as is possible. We need to strike a balance between openness and ease of use on the one hand, and the need for reasonable guarantees of security on the other.
There is much that can be done centrally to provide a reasonable level of security. However not everything can be done by us. Facilities and individuals need to take some responsibility themselves for security of information they manage and for adopting a reasonably security-conscious approach to handling electronic information.
This policy summarises information security controls that are imposed, outlines responsibilities, and gives guidance on getting further information. It also states our policy on the monitoring of electronic information on computers and networks. It is accompanied by guidelines on best practice in maintaining electronic information security.
- EPR is Electronic Patient Records (Proprietary) Limited, (Registration Number 2002/000009/07), a company duly registered and incorporated according to the company laws of the Republic of South Africa.
- User means any individual who has enrolled and wishes to have or has a record of information about his own personal medical encounters held at EPR's web site.
- User-Practitioner means a medical practitioner, registered by the Health Professionals Council of South Africa, who has enrolled at EPR and wishes to store and retrieve electronic patient records at EPR's web site, or his/her nominee.
- Private health information means any information that is created or received by EPR, which identifies an individual and relates to the past, present or future physical or mental health or condition of that individual.
- Information security is understood to mean the preservation of:
- the availability of information: ensuring that information is available to authorised users when required;
- the integrity of information: ensuring the completeness and accuracy of information;
- the confidentiality of information: protecting information from unauthorised access.
IV. SECURITY MECHANISMS
- EPR is responsible for:
- ensuring the security of central information, and of the basic hardware and operating system software on these systems;
- ensuring a secure environment for the location of the servers;
- backing up data on central systems;
- providing advice and guidance on information security;
- ensuring the physical security of systems and networks.
- Users of the eHR™.ZA system are responsible for:
- taking reasonable steps to ensure security on their desktop machines including anti-virus software and keyboard-logging programs;
- taking reasonable steps to ensure there is no unauthorised access to systems they are responsible for;
- preserving the confidentiality of passwords.
V. PERSONAL DATA
- Secure Socket Layer
Access to the eHR™.ZA website is via a secure socket layer, which employs 128-bit encryption, the same level of encryption employed by the banking industry.
A firewall is a system that controls and limits access from one part of a data network to another or from a network to a computer. The network where the eHR™.ZA system is hosted maintains a firewall at the point at which the secure network connects to the internet.
The firewall in use by EPR is set to "default deny", that is, a given type of network protocol has to be enabled explicitly before it is allowed through the firewall.
A firewall imposes controls on traffic and routes web access via a caching proxy.
Access to the system is by biometric verification. Where biometric verification cannot be used, the system requires the use of a password and an explanation of why the biometric login was not employed.
The system allows users to change their passwords at regular intervals, and forbids passwords which are easily "guessed" by password-cracking software.
Access to restricted web pages is controlled either by password or by biometric validation.
- Data backup and recovery
The data and operating systems held on the eHR™.ZA system, including central database, statistical database and web pages, are backed up daily and copies held remotely. The primary purpose is to allow for recovery in case of loss through malfunction, physical damage or other disaster.
- Virus protection
Viruses currently represent one of the most visible threats to information security, not so much through breach of confidentiality as by denial of access or destruction. The eHR™.ZA system maintains virus protection on a series of levels.
However it remains a responsibility of individuals to maintain virus protection on their own machines, in particular private computers, and to exercise caution in dealing with suspect files.
- Other security mechanisms
Additional security mechanisms will be implemented in a timely manner as the need arises, for example as part of the implementation of new technologies.
Other security mechanisms may be implemented at short notice should new security threats emerge, though in practice as much notice will be given as possible.
VI. SECURITY CONTACTS
Please address any queries about EPR's security policy and practices, or use of the web site, to email@example.com. Or, write to Electronic Patient Records (Pty) Ltd, P O Box 26184, Hout Bay, 7872, South Africa.
This policy shall be provided to any user, body, group, administrator, user-practitioner or individual upon request.
==end of Security policy==