The LIS for a POL, like any other clinical application, needs to have the ability to provide security for its data to HIPAA standards and beyond, with protection of PHI of primary concern. This includes a number of areas, from data encryption to controlled user access to auto-log off after a designated period of inactivity, with safeguards against hacking. Any system considered for use where private or sensitive information may be present needs to be designed to meet these and related requirements.
Data security is an integral characteristic of HealthCloudPOL, and exists on two levels: (1) HealthCloudPOL (the LIS app itself) and (2) our state-of-the-art secure cloud-hosting infrastructure.
HealthCloudPOL's design interacts with the security mechanisms inherent to its SQL Server database. This includes the ability to define individual database logins with encrypted passwords that grant various levels of access to the entire database or to individual database objects such as tables and stored procedures. Case-sensitive passwords can be configured to require defined character types and lengths. The ELab database is accessed through the application's SQL Server login and password security. Because the application runs on Microsoft IIS, it also inherits that platform's security protocols, including SSL encryption.
Automatic inactivity logout can be set to a desired length of time. By default, a user is suspended after three unsuccessful login attempts; this threshold is configurable by the customer. On the third successive unsuccessful attempt to log in, the system pops up a message telling the user that they have been suspended and need to see the System Administrator. Should a user be inactive for the configured period, the system logs them out and the screen displays a message that they have been logged out.
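The lockout and inactivity behaviour described above, as an added illustration that is not HealthCloudPOL's own code: the class and field names (LoginPolicy, max_failed_attempts, inactivity_limit_s) and the 15-minute default timeout are assumptions; the three-attempt default and the two user-facing messages follow the text.

```python
"""Account-lockout and inactivity-logout policy enforcer.

Constructed illustration only; names and the 15-minute default are assumed.
Times are plain epoch seconds so the logic is easy to test deterministically.
"""
from dataclasses import dataclass, field

SUSPENDED_MSG = "Account suspended: please see the System Administrator."
TIMEOUT_MSG = "You have been logged out due to inactivity."


@dataclass
class LoginPolicy:
    max_failed_attempts: int = 3            # page default; customer-configurable
    inactivity_limit_s: float = 15 * 60     # assumed default; configurable
    failed: dict = field(default_factory=dict)         # user -> consecutive failures
    suspended: set = field(default_factory=set)        # users awaiting admin reset
    last_activity: dict = field(default_factory=dict)  # user -> last seen (seconds)

    def attempt_login(self, user, password_ok, now):
        """Return (state, message). State is ok / denied / suspended."""
        if user in self.suspended:
            return ("suspended", SUSPENDED_MSG)
        if password_ok:
            self.failed[user] = 0               # success resets the counter
            self.last_activity[user] = now      # session starts now
            return ("ok", None)
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.max_failed_attempts:
            self.suspended.add(user)            # third strike: suspend and notify
            return ("suspended", SUSPENDED_MSG)
        return ("denied", None)

    def check_session(self, user, now):
        """Called on each request; logs the user out if idle too long."""
        last = self.last_activity.get(user)
        if last is None:
            return ("no_session", None)
        if now - last > self.inactivity_limit_s:
            del self.last_activity[user]        # session ends; show logout message
            return ("logged_out", TIMEOUT_MSG)
        self.last_activity[user] = now          # activity refreshes the timer
        return ("active", None)

    def admin_unsuspend(self, user):
        """Only the System Administrator clears a suspension."""
        self.suspended.discard(user)
        self.failed[user] = 0
```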
User Password/Timeout Configuration
Because users are required to log in to gain access to the application, all data modifications are documented. Users are also tracked by primary location, so the information available to an individual user is limited to information belonging to that user's location or laboratory, creating an audit trail that fulfills both standards and regulatory compliance criteria.
Additionally, standard access-level profiles are provided for assignment to users, based on job function.
Assign Role Profile to User
- All sites are secured through HTTPS, which is SSL encrypted
- Customers have their own individual secure databases that are not shared
- All hosting servers are protected with the latest Antivirus and Anti-Malware protection
- The complete system is backed up each and every night and we keep 10 days rolling backup and offsite backup in a second secure data center
- The data centers we are located in are SSAE 16 (previously SAS 70) tier 4, and audited to SOC 2 standard.
- Additionally, our data centers have multi-level physical security, including razor wire-topped brick wall around the entire premises, patrolling armed guards, biometric security, mag card security, combination lock security and caged servers, with 10” thick cement ceilings, independent water tanks for cooling, backup generators, redundant systems throughout and smart building monitoring, offering 100% uptime and meeting TIA-942 ANS standard.
LabLynx has many clients with sensitive data, including pharma, county medical examiners' offices, competitive food, electronics and other manufacturing companies, clinical (HIPAA-regulated) and government, who are hosted by LabLynx on completely secure dedicated servers.
Additionally, here are links to related documents:
- Primary Datacenter: http://www.qualitytech.com/data-centers/southeast/atlanta-ga
- Secondary Datacenter for backup and Disaster Recovery: http://gnax.net/data_centers/atlantanap.html
- LabLynx End User Hosting Agreement: http://euha.lablynx.com
All data transfer and management in HealthCloudPOL complies with applicable standards and regulations, including HIPAA, CLIA and 42 CFR part 493/HITECH. HL7 is used for any data transfer, in line with healthcare industry standards.
For more information on system security, please see:
Security/screen/profile management in HealthCloudPOL's parent application, ELab (video, 2:50): http://files.mylablynx.com/share/ebooks/movies/d34/d34.html