Electronic Health Information Exchange. Volume 3: Business Rules General All Points of Service

Transcription

1 British Clumbia Prfessinal and Sftware Cnfrmance Standards Electrnic Health Infrmatin Exchange Vlume 3: Business Rules General All Pints f Service Versin Security Classificatin: Lw Sensitivity

2 Cpyright Ntice Cpyright 2014 Prvince f British Clumbia All rights reserved. This material is wned by the Gvernment f British Clumbia and prtected by cpyright law. It may nt be reprduced r redistributed withut the prir written permissin f the Prvince f British Clumbia. Disclaimer and Limitatin f Liabilities This dcument and all f the infrmatin it cntains is prvided "as is" withut warranty f any kind, whether express r implied. All implied warranties, including, withut limitatin, implied warranties f merchantability, fitness fr a particular purpse, and nn-infringement, are hereby expressly disclaimed. Under n circumstances will the Gvernment f British Clumbia be liable t any persn r business entity fr any direct, indirect, special, incidental, cnsequential, r ther damages based n any use f this dcument, including, withut limitatin, any lst prfits, business interruptin, r lss f prgrams r infrmatin, even if the Gvernment f British Clumbia has been specifically advised f the pssibility f such damages. Authr: Ministry f Health Cnfrmance and Integratin Services Date Created: Last Updated: Versin: 0.2

3 Table f Cntents 1.0 Intrductin Cnfrmance Standards Vlume Set Key t Dcument Terminlgy Purpse f Dcument Intended Audience Ministry f Health Cnfrmance Standards Cntact General Rules Access Rules General Access Rules HIAL Users Clinical Data and Educatin Privacy and Security Accunt Management Hardware and Peripherals Netwrk Lcal...17 Tables Table 1 General Business Rules... 6 Table 2 Access Rules - General... 7 Table 3 Access Rules HIAL users... 8 Table 4 Clinical Data Business Rules... 9 Table 5 and Educatin Rules... 9 Table 6 Privacy and Security - Patient Recrds...12 Table 7 Privacy and Security - Accunt Management...14 Table 8 Privacy and Security - Hardware and Peripherals...14 Table 9 Privacy and Security - Netwrk...15 Table 10 Privacy and Security - Lcal...17

4 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin Intrductin Organizatins develping interfaces t health infrmatin exchange (HIE) systems ffered by the Ministry f Health (the Ministry ) must meet the British Clumbia Prfessinal and Sftware Cnfrmance Standards (the Cnfrmance Standards ) which the ministry publishes. The Ministry s Cnfrmance and Integratin Services team will facilitate the registratin, cnnectin, cnfrmance testing and certificatin prcesses required fr applicatins t cnnect t the Ministry HIE systems. 1.1 Cnfrmance Standards Vlume Set The Cnfrmance Standards are the central reference fr rganizatins wanting t integrate their Pints f Service (POS) applicatins with Ministry HIE systems. This integratin will allw their users t exchange imprtant demgraphic and clinical infrmatin with ther health care prfessinals in supprt f efficient and safe patient care. The Cnfrmance Standards cntain multiple vlumes and must be reviewed as a cmplete set. The vlumes in the Cnfrmance Standards are divided int tpics such as: business rules, applicatin-enfrced rules, change management rules, privacy and security rules, and technial message and transprt specificatins. The Cnfrmance Standards are available n the Cnfrmance and Integratin Services website: Key t Dcument Terminlgy The Cnfrmance Standards in this vlume use a cnsistent language cnventin: The wrd shuld is used t indicate a recmmended requirement meaning that the standard is ptinal (i.e., nt cmpulsry yet encuraged). Cnfrmance testing, service n-barding activities and/ r applicatin testing will cnfirm that this standard is crrectly implemented where apprpriate. All ther standards r rules as stated are a cmpulsry functin r requirement. The wrds must will, minimum, r mandatry are used t indicate this. Cnfrmance testing, service n-barding activities and/ r applicatin testing will cnfirm that this standard is crrectly implemented. Acrnyms and abbreviatins are used fr repetitins f sme system and rganizatin names. The first time an acrnym r abbreviatin appears in the dcument it is accmpanied by the full name. A Glssary f Terms is prvided in a separate vlume f the Cnfrmance Standards. Each defined term, acrnym and abbreviatin that is included in the glssary is italicized in the Cnfrmance Standards the first time it appears in the vlume. Security Classificatin: Lw Sensitivity Page 4 f 18

5 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin Purpse f Dcument This dcument describes the business rules fr the users at a pint f service (POS) wh are access/exchange ministry electrnic health infrmatin with Ministry infrmatin exchange systems. 1.4 Intended Audience The intended audience fr this dcument is: Infrmatin Cnsumers wh access electrnic health infrmatin frm a Ministry r prvincial data repsitry (e.g., end users); Infrmatin Custdians wh maintain r administer electrnic health infrmatin (EHI) resurces n behalf f the Infrmatin Authrity; Infrmatin Authrity wh have the respnsibility and decisin making authrity fr EHI thrughut its lifecycle, including creating, classifying, restricting, regulating, and administering its use r disclsure; Data Prviders wh prvide data t, r exchange data with a Ministry data repsitry (e.g., system t system uplad); Sftware Organizatins rganizatins (including in-huse system develpment teams) wh develp interfaces t health infrmatin exchange systems and/r supprt thse interfaces; Cnfrmance Team(s) wh are respnsible fr evaluating and testing cnfrmance, including rganizatinal security practices and business prcesses; and Audit Team(s) wh are respnsible fr independent examinatin and evaluatin f cmpliance including rganizatinal security practices and business prcesses. 1.5 Ministry f Health Cnfrmance Standards Cntact Fr mr infrmatin r questins regarding the Cnfrmance Standards shuld be directed t Cnfrmance and Integratin Services at: HLTH.CISSupprt@gv.bc.ca Security Classificatin: Lw Sensitivity Page 5 f 18

6 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin General Rules The fllwing general business rules apply t all pints f service where infrmatin is accessed and exchanged with Ministry health infrmatin exchange systems. Table 1 General Business Rules # Rule Educatin and Bus1.0 Bus1.1 Bus1.2 Bus1.3 Review f Trusted Identity Dcumentatin Trusted identity dcumentatin must be reviewed t ensure names, birth dates, and gender are crrectly entered. Trusted identity dcumentatin includes: BC Services Card Birth Certificate Canadian Citizenship ID Card Canadian Frces ID Card Canadian Recrd f Landing r Cnfirmatin f Permanent Residence r Permanent Resident Card Change f Name Dcument Driver's License Marriage Certificate Certificate f Indian Status Card (Abriginal Affairs and Nrthern Develpment Canada AANDC) Passprt Other Prvincial Health Insurance Cards (i.e. nt BC) Alignment with EHR Standards Users shuld wrk with their vendrs t identify where their lcal data may nt align with data in a ministry system ( e.g., address frmat, preferred name strage, phne number frmat) and remedy the discrepancies. Ntes: 1. If this is nt dne prir t using the ministry systems, the Pint f Service may experience a difficult transitin. Envirnments Acceptable Use The terms specified in the Acceptable Use Plicy fr Nnprductin Envirnments must be read and abided by. Cnfirm Patient Identity Befre prviding treatment the client s identity must be cnfirmed using prper dcumentatin. BC health card with pht If the client has a BC health card with a pht it must be used t cnfirm their identity and the PHN used t find the client in the PharmaNet. ECR.02 Cnfirm Client Identity TCR.02 Cnfirm Client Identity TGEN.02 Alignment with EHR Standards EGEN.01 EHR User Access EGEN.01 EHR User Access ECR.02 Cnfirm a Patient s Identity TCR.02 Cnfirm Client Identity TCR.03 Cnfirm a Security Classificatin: Lw Sensitivity Page 6 f 18

7 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Educatin and BC health card n pht If the client presents a nn-pht BC health card their identity must be cnfirmed by viewing a trusted identity dcument (e.g., a Drivers Licence) - refer t the Review f Trusted Identity Dcuments rule abve. N health card, n PHN If the patient des nt have their BC health card, r claims that they d nt have a PHN, use the demgraphic infrmatin they prvide and verify their identify using a trusted identity dcument t lcate them in PharmaNet. Patient s Identity: BC Health Card with Pht Presented (Match) TCR.04 Cnfirm a Patient s Identity: BC Health Card with Pht Presented (Mismatch) TCR.05 Cnfirm a Patient s Identity: BC Health Card withut Pht Presented (Match) TCR.06 Cnfirm a Patient s Identity: N BC Health Card r PHN Presented (Match Bus1.4 User Supprt Users must cntact their vendr as primary supprt t assist with any cncern related t using their applicatin, prvincial netwrk and ministry systems. Ntes: 1. There are a few situatins where an EHR Helpdesk shuld be cntacted directly. When this is dne, the vendr will nt be included in any cmmunicatin regarding that incident. These situatins are described in the educatin materials. EGEN.02 User Supprt TGEN.03 User Supprt 2.1 Access Rules General Table 2 Access Rules - General # Rule Educatin and Bus2.1 Bus2.2 Cnfrmant Sftware The Pint f Service must use cnfrmant sftware t access ministry systems. Ntes: 1. A list f cnfrmant sftware is available frm the ministry s Cnfrmance and Integratin Services. Legal Agreement Every user wh accesses a ministry system must first sign a legal agreement acknwledging their bligatins. NA Nt yet written Security Classificatin: Lw Sensitivity Page 7 f 18

8 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Educatin and Bus2.2 Key Administrative rles Resurces cnducting key POS administrative rles must be identified and apprpriate training directed t each as part f the readiness assessment prcess. These rles must be defined fr each POS, regardless f size. Nt yet written Ntes: 1. An emplyee may be dedicated t a single rle r fulfill the functins f mre than ne rle. 2. The pint f service, regardless f its size, must have ne r mre emplyees specifically assigned t the fllwing activities: implementing and perating apprpriate privacy and security standards fr the POS, including, but nt limited t: training staff n privacy and security requirements, reviewing business prcesses fr cmpliance with rules as specified by the Ministry, receiving and respnding t privacy and security related ntificatins. establishing and redesigning business prcesses as required upn the intrductin f new functinality fr the Ministry interface. managing staff accunt access. ensuring that all staff receive required training. technically supprting the POS applicatin: receiving and reviewing release ntes frm the sftware prvider, and receiving and cmmunicating system messages frm the sftware prvider (e.g., utages). wrking with the sftware prvider t ensure that the Business Cntinuity Plan is in place fr the POS. An emplyee may be dedicated t a single activity r fulfill the functins f mre than ne activity. 2.2 Access Rules HIAL Users Table 3 Access Rules HIAL users # Rule Educatin and Bus3.1 Authrized Access All users (bth health prfessinals and supprt staff) requiring EGEN.01 EHR User Access Security Classificatin: Lw Sensitivity Page 8 f 18

9 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Educatin and Bus3.3 access t ministry systems must be authrized. Ntes: 1. A frmal applicatin prcess must be initiated several days befre the user requires access t allw technical cnfiguratin changes implemented by the POS sftware prvider and the ministry. Requesting Access be Remved When a user n lnger requires access t ministry systems (e.g., change in jb functin, jb terminatin, end f lcum, extended leave) the rganizatin must submit a request t the Ministry t have the access deactiviated. Ntes: 1. This functin must be assigned t an individual at the POS. See Key Administrative Activities rule. Nt yet written 2.3 Clinical Data Table 4 Clinical Data Business Rules # Rule Educatin and Bus4.1 Bus4.2 N General Brwsing There must be a business r clinical prerequisite t search fr clients and client data. General brwsing is nt permitted and may be harshly penalized. Anntatins 1. EHI data cannt be mdified but may be anntated when stred in the POS applicatin. EGEN.01 EHR User Access ECR.03 Find Patient EGEN.03 EHR Data TGEN.06 Anntatins 2.4 and Educatin Table 5 and Educatin Rules # Rule Educatin and Bus5.1 User All users must receive training prir t accessing ministry systems. must cver sftware functin and features, and related plicy, prcedures and business rules as indicated in the applicable Change Management and vlumes. Ntes: EGEN.02 User Supprt EBus.02 TBUS1.02 Security Classificatin: Lw Sensitivity Page 9 f 18

10 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Educatin and Bus5.2 Bus5.3 Bus All sftware prviders are required t prvide training t their users. Subsequent training may be prvided by smene at the POS trained fr this purpse (e.g., a superuser). 2. The training requirements are prvided in the Cnfrmance Standards, Vlume 6 Change Management and. User Educatin Materials Users must read the educatin materials applicable t their jb functins prir t accessing ministry systems. Educatin materials must nt be duplicated withut permissin frm the Ministry f Health. Ntes: 1. All educatin materials will be referenced in user training materials. 2. All educatin materials will be available cntinuusly n the ministry web site. Ntificatin f Updates t User Educatin Materials T be ntified when there are changes t ministry-prvided educatin materials, the POS must subscribe t updates n the Cnfrmance and Integratin Services website. Key Administrative Activities The POS, regardless f its size, must have ne r mre emplyees specifically assigned t the fllwing activities: a) Implementing and perating apprpriate privacy and security standards fr the POS, including, but nt limited t: training staff n privacy and security requirements; reviewing business prcesses fr cmpliance with rules as specified by the ministry; receiving and respnding t privacy- and securityrelated ntificatins; answering privacy and security questins (e.g., frm patients); respnding t cmplaints, incidents, breaches, audits; and updating plicies/prcedures. b) Establishing and redesigning business prcesses as required upn the intrductin f new functinality fr the ministry interface; c) Managing staff accunt access, including: user enrlment and access management (e.g., new user set up); changes t user privileges; and deactivatin f ld user accunts. d) Ensuring that all POS staff receive required training; and EBus.03 Educatin TBUS1.03 Educatin EBus.03 Educatin TBUS1.03 Educatin EBus.01 Key Admin Activities TBUS1.01 Key Admin Activities Security Classificatin: Lw Sensitivity Page 10 f 18

11 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Educatin and Bus5.5 Bus5.6 e) Technically supprting the POS applicatin: Ntes: receiving and reviewing release ntes frm their sftware prvider; receiving and cmmunicating system messages frm the sftware prvider (e.g., utages); and wrking with the sftware prvider t ensure that the Business Cntinuity Plan is in place fr the POS. 1. An emplyee may be dedicated t a single activity r fulfill the functins f mre than ne activity. Trainer Replacement If the POS relies n trainers internal t their rganizatin (e.g., super users trained by the sftware prvider), such trainers must be fully trained in the sftware s functin and features, and related plicy, prcedures and business rules. Ntes: 1. Users may request vendr-prvided training fr all POS trainers (e.g., super users) and their replacements. Evaluatin All users wh receive training, including thse trained by a POS trainer (super user), will receive a training evaluatin feedback frm frm their sftware prvider. Ebus.02 TBUS1.02 Ebus.02 TBUS1.02 Security Classificatin: Lw Sensitivity Page 11 f 18

12 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin Privacy and Security This sectin defines the cmmn business-related infrmatin privacy and security rules that must be implemented fr accessing the ministry s Health Infrmatin Exchange (HIE) Services. Table 6 Privacy and Security - Patient Recrds # Rule Bus6.1 Bus6.2 Bus6.3 Bus6.4 Establish Plicies and Prcedures Privacy and security plicies and prcedures must be established and include the fllwing: a) Cnfidentiality f persnal health infrmatin; b) Maintaining patient recrds: Printing, secure strage, retentin, transprt, and dispsal. c) Faxing dcuments cntaining persnal infrmatin; d) Using curiers t send dcuments cntaining persnal infrmatin; e) Reviewing audit lgs at scheduled intervals; and f) Maintaining user accunts, including deactivating thse n lnger required. Plicies and Prcedures Maintenance The plicies and prcedures must be regularly reviewed and updated as required, either at planned intervals and/r when significant changes ccur. User Access Audit A schedule and prcedures must be in place fr a designated individual t rutinely and peridically (i.e., spt audit) mnitr user access audit trails fr unusual patterns r anmalies. Any ptential security weaknesses r breaches must be reprted t the POS management. Restricted Audit Lg Access Access t the audit lgs and audit tls must be restricted t authrized persnnel t prevent misuse r cmprmise. Educatin & Recrds Patient Recrds Recrds Patient Recrds Recrds Patient Recrds Recrds Patient Recrds Security Classificatin: Lw Sensitivity Page 12 f 18

13 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Bus6.5 Privacy and Security Incidents r Breach Prcedures that meet, at a minimum, requirements recmmended by the Office f Infrmatin Privacy Cmmissiner fr British Clumbia must be established fr managing suspected and actual privacy and security incidents and breaches. Educatin & Recrds Patient Recrds When a privacy r security incident invlves access t r data received frm ministry systems, yu must prmptly ntify the prvince accrding t yur systems access agreement. Bus6.6 Bus6.7 Bus6.8 Bus6.9 Bus6.10 Bus6.11 Nte: 1. Privacy Breaches: Tls and Resurces by the Office f the Infrmatin Prevacy Cmmissiner fr British Clumbia - Patient Privacy Ntificatin A patient privacy ntice r ther cmmunicatin materials that infrm patients abut infrmatin privacy practices must be made readily available. Patient Privacy Requests Prcedures fr dealing with patient requests fr infrmatin, crrectins, and cmplaints must be established and penly cmmunicated (e.g., via pster r pamphlet). Dispsal f Cmputer Equipment Befre dispsing f cmputer equipment, all persnal health infrmatin must be permanently remved frm the equipment in a manner that ensures the infrmatin cannt be recnstructed. Cntract Privacy Prtectin Clause Cntracts with third parties that invlve persnal infrmatin (e.g., technlgy supprt service) must cntain privacy prtectin bligatins. Cnfidentiality Agreement Anyne wh may be privy t cnfidential clinical r patient infrmatin (e.g., emplyees, cntractrs and third parties) must sign a cnfidentiality agreement that: a) specifies bligatins and expectatins including repercussins fr inapprpriately cllecting, using, r disclsing persnal infrmatin; and b) are reviewed/renewed annually with the rganizatin. Annual Privacy and Security All persnnel (emplyees and cntractrs) must receive annual privacy and security training. The training must include: a) Hw t maintain privacy and cnfidentially f persnal health infrmatin; and b) Hw users safeguard their user IDs and passwrds, keys, tkens and ther access credentials. Recrds Patient Recrds Recrds Patient Recrds Recrds Patient Recrds Recrds Patient Recrds Recrds Patient Recrds Recrds Patient Recrds Security Classificatin: Lw Sensitivity Page 13 f 18

14 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Bus6.12 Electrnic Health Infrmatin Cnfidentiality All persnnel (emplyees and cntractrs) must be infrmed that EHI received frm the ministry is part f the patient s recrd and it is the duty f the rganizatin t prtect its cnfidentiality. Educatin & Recrds Patient Recrds 3.1 Accunt Management Table 7 Privacy and Security - Accunt Management # Rule Bus7.1 Bus7.2 Bus7.3 Bus7.4 User ID Requirements Each user must have: Ntes: a) A unique user ID and passwrd; r b) A tw factr tken when tw-factr authenticatin is used. 1. Passwrd and tkens must nt be shared. Apprpriate Access Level The level f access prvided fr each user must match the user's need t knw and prvide the least privilege necessary based n the user's jb functin. Transmissin f Passwrds Passwrds, passphrases and passcdes must be securely cmmunicated and separated frm the user ID when transmitted electrnically. Inactive User Accunts A user accunt inactive (r nt activated) fr 90 days r greater is cnsidered drmant and must be: a) Remved frm the system; r b) Disabled t prhibit lgin t the system. Educatin & EBus.05 P&S Accunt Management TBUS2.02 P&S Accunt Management EBus.05 P&S Accunt Management TBUS2.02 P&S Accunt Management EBus.05 P&S Accunt Management TBUS2.02 P&S Accunt Management EBus.05 P&S Accunt Management TBUS2.02 P&S Accunt Management 3.2 Hardware and Peripherals Table 8 Privacy and Security - Hardware and Peripherals # Rule Educatin & Security Classificatin: Lw Sensitivity Page 14 f 18

15 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Bus8.1 Bus8.2 Bus8.3 Bus8.4 Bus8.5 Bus8.6 Bus8.7 Bus8.8 Current Security Patches Operating system and applicatin security patches n cmputers must be kept current using scheduled updates r real-time update prtcls. Anti-virus sftware Anti-virus sftware must be deplyed n all systems (particularly persnal cmputers and servers). Current Anti-virus Mechanisms Anti-virus mechanisms must be current, actively running, and generating audit lgs. Firewalls Persnal (end-pint prtectin) firewalls must be installed and running n cmputers. Unattended Wrk Statins After a defined perid f inactivity (maximum f 15 minutes) cmputers left unattended must autmatically lck ut all users (e.g., use a screensaver requiring the authrized user t lg n again). Mnitr Placement Cmputer mnitrs must be situated in a manner that prevents unauthrized viewing. Safeguard Mbile Devices Mbile devices (e.g., laptps, smartphnes and ipds) and remvable media (e.g., USB drives) cntaining persnal health infrmatin must be passwrd prtected and encrypted. When these devices are nt in the user s direct cntrl, measures must be taken (e.g., by using lcking devices with physical lcks r equivalent) t prtect the device frm theft r misuse. Peripheral Device Security Peripheral devices (e.g., printers, fax machines) must be lcated in secure (nn-patient accessible) areas t prevent unauthrized access. Educatin & EBus.07 P&S Netwrk TBUS2.04 P&S Netwrk EBus.07 P&S Netwrk TBUS2.04 P&S Netwrk EBus.07 P&S Netwrk TBUS2.04 P&S Netwrk EBus.07 P&S Netwrk TBUS2.04 P&S Netwrk EBus.06 P&S Hardware and Peripherals TBUS2.03 P&S Hardware and Peripherals EBus.06 P&S Hardware and Peripherals TBUS2.03 P&S Hardware and Peripherals EBus.06 P&S Hardware and Peripherals TBUS2.03 P&S Hardware and Peripherals EBus.06 P&S Hardware and Peripherals TBUS2.03 P&S Hardware and Peripherals 3.3 Netwrk Table 9 Privacy and Security - Netwrk Security Classificatin: Lw Sensitivity Page 15 f 18

16 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Bus9.1 Bus9.2 Security f Infrmatin Technlgy Equipment Areas that huse infrmatin technlgy equipment (e.g., server rms, netwrk r telecmmunicatins clsets) must be prtected against unauthrized access by using physical security measures such as: a) Lcked rm with slid wall (flr-t-ceiling) cnstructin r specialized lcked cabinet r equivalent; b) Restricted key access t (a); c) Lcks, blts (r equivalent) n vulnerable drs and windws; and d) Mtin detectrs and intrusin alarm systems. WLAN Encryptin And Security Measures Wireless lcal area netwrks (WLAN) must be encrypted and have security measures that, at a minimum, are equivalent t the Secure Wireless Lcal Area Netwrk Cnnectivity Standard as defined by the Ministry: Educatin & EBus.07 P&S Netwrk TBUS2.04 P&S Netwrk EBus.07 P&S Netwrk TBUS2.04 P&S Netwrk Bus9.3 Bus.30 a) Physically secure wireless access pints; b) Wi-Fi Prtected Access II (WPA2) Enterprise; Authenticatin: EAP-TLS; Encryptin: AES-CCMP (128 bits minimum); c) Wi-Fi Prtected Access II (WPA2) Persnal; Authenticatin Pre-shared keys (PSK) with a minimum 13 characters randm passphrase; PSK must be secured and changed n a regular basis; PSK must be changed whenever emplyees/cntractrs that have access t the netwrk leave the rganizatin; and Encryptin: AES-CCMP (128 bits minimum). Ntes: 1. Persnal mde must nly be used fr small netwrk installatins that d nt have authenticatin servers available. Managed Perimeter Defence Safeguards The lcal area netwrk (LAN) must implement managed perimeter defence safeguards t mediate all traffic and t prtect systems frm ver the netwrk attacks and attempts at security breaches. Direct Cnnectin t SPANBC r PPN There must be n crss cnnectin t an external netwrk (e.g., a cmmercial internet prvider like Shaw) when yur lcal area netwrk (LAN) is directly cnnected t the Shared Prvincial Netwrk (SPANBC) r Private Physician Netwrk (PPN). EBus.07 P&S Netwrk TBUS2.04 P&S Netwrk EBus.07 P&S Netwrk TBUS2.04 P&S Netwrk Security Classificatin: Lw Sensitivity Page 16 f 18

17 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin Lcal The rules in the next table apply t a POS that stres ministry EHI n a lcal server. Nte: Medical Practice applicatins are hused in applicatin and data hsting centres; therefre the rules in this table d nt apply t thse lcatins. Table 10 Privacy and Security - Lcal # Rule Bus10.1 Bus10.2 Bus10.3 Bus10.4 Bus10.5 Secure Area The lcal server must be hused in a physically secure area with prper envirnmental cnditins (temperature, humidity and pwer surces) and prtected against unauthrized access by using the fllwing physical security measures: a) Lcked rm with slid wall (flr-t-ceiling) cnstructin r specialized lcked cabinet r equivalent; b) Restricted key access t (a); c) Lcks, blts (r equivalent) n vulnerable drs and windws; and Mtin detectrs and intrusin alarm systems. N Unauthrized Access Unauthrized persnnel must nt be permitted int the server area. Restricted Netwrk Access The fllwing must be implemented in the server envirnment: Operating system and applicatin security patches must be kept current using scheduled updates r realtime update prtcls. Anti-virus sftware must be deplyed, current, actively running, and generating audit lgs. Firewalls must be installed and running. Managed perimeter defence safeguards must be used t mediate all traffic and t prtect systems frm ver the netwrk attacks and attempts at security breaches. Business Cntinuity and Disaster Recvery All lcal servers with peratinally critical data must have dcumented back-up, system and applicatin restratin (including cnfiguratins), and data restratin prcedures t supprt business cntinuity and disaster recvery planning. Files Backup Strage Backup files must be stred in a secure lcatin, preferably ffsite. If backup files are stred ff-site, they must be encrypted t a minimum f AES-256. Educatin & EBus.08 P&S Lcal TBUS2.05 P&S Lcal EBus.08 P&S Lcal TBUS2.05 P&S Lcal EBus.08 P&S Lcal TBUS2.05 P&S Lcal EBus.08 P&S Lcal TBUS2.05 P&S Lcal EBus.08 P&S Lcal TBUS2.05 P&S Lcal Security Classificatin: Lw Sensitivity Page 17 f 18

18 Cnfrmance Standards Vlume 3: Business Rules General All Pints f Service Versin # Rule Bus10.6 Bus10.7 Bus 10.8 Regular System Lg Review The lcal server must have system lgging capabilities enabled and lgs must be reviewed regularly. A schedule and prcedures must be in place fr a designated individual t rutinely mnitr system lgs fr unusual patterns r anmalies. Any ptential security weaknesses r breaches must be reprted t the POS management. Update Prcedures Prcedures and accuntability fr evaluating and applying perating system and applicatin updates, ht fixes, and patches must be implemented fr the lcal server. Envirnmental Cntrls Envirnmental cntrls must be prvisined and prperly maintained, including but nt limited t: 1. uninterrupted pwer supply t facilitate an rderly shutdwn prcess; 2. fire detectin and suppressin; 3. temperature and humidity cntrls; and 4. water damage detectin and mitigatin. Educatin & EBus.08 P&S Lcal TBUS2.05 P&S Lcal EBus.08 P&S Lcal TBUS2.05 P&S Lcal TBD Security Classificatin: Lw Sensitivity Page 18 f 18