CRIS Security


VALIDATION

CRIS meets the requirements of Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11). These regulations require a very high standard of validation, including: documentation of standard operating procedures, validation protocols, both physical and technical security, use case testing and documentation, architecture documentation, strict version control, and source control policies and procedures.

 

SECURITY

Authentication: The design of CRIS requires a mandatory user login to ensure system security and integrity. The user logins provide authentication and authorization of each user according to the rights assigned.

User Rights Management:

The CRIS system is used for capturing and updating information by a range of users, from receptionists at the front desk to social workers, PhDs and security officers. This requires that the security and integrity of the stored information, and access to it, be controlled, structured and well managed. The design of CRIS allows privileges to be managed by functional module, with each user's access to these modules determined by the privileges assigned to them.

Automatic Log-Offs/Time-outs: By design, CRIS automatically logs the user off after 10 minutes of inactivity, and requires the user to follow the login procedure to sign back in to the application.

Remote Access (Thin Client Approach): Remote access to the remote CRIS application will be over the Internet via Secure Sockets Layer (SSL) with encryption to assure a secure web interface. This allows for the variety of PC hardware platforms and operating systems that end users may currently be using. A web-enabled ICA/RDP (Independent Computing Architecture/Remote Display Program) plug-in will provide the capabilities for secure access.

 

 

AUDIT TRAILS

CRIS provides audit trails with complete specification requirements for all encounters, including: user identity, time and date stamps, data delta values (start and end value), and user action (create, update, delete).

  

PATIENT CONFIDENTIALITY

By design and through policies and procedures, CRIS provides an application that allows customers to meet all patient security and confidentiality requirements (e.g. HIPAA, Common Rule, IRB regulations). Customers must also develop and follow their own patient security and confidentiality procedures in order to fully satisfy regulatory requirements.

Health Insurance Portability and Accountability Act (HIPAA)

In compliance with HIPAA, CRIS provides the following: 1) technical security: access control, audit controls, authorization control, data authentication, entity authentication; 2) technical mechanisms: digital signature and network control. The development and support teams follow the Duke HIPAA administrative policies and procedures and physical safeguards (e.g., assigned security responsibility, media controls, physical access controls, guideline on workstation use, secure workstation location, security awareness training).

 

De-identifying Process: CRIS requires storage of all identified data collected in a relational database at the coordinating center. CRIS encrypts all patient-identifying tables of the clinical dataset and allows access only by the database administrator and the security officer. CRIS creates a physical and logical partition between the clinical and research data management teams, and requires separate security profiles for each user.

 

The CRIS research core uses only the de-identified dataset created from the ongoing electronic medical record. At regular intervals, CRIS de-identifies data in compliance with the “Common Rule” of Title 45, Code of Federal Regulations, part 46, 102(f) and HIPAA guidelines, and places the data into SAS (statistical software) for research purposes. The SAS database protects the temporal relationships of the data while de-identifying any association with an individual.

 

The de-identification process holds historical keys and ID links, which the Coordinating Center security officer maintains (the only person with access to the clinical data).

 

 
