360 likes | 466 Views
Disease & Treatment Registry Thru The Web, The Way Forward. Dr. Lim Teck Onn Ms Lim Jie Ying Clinical Research Centre, Hospital Kuala Lumpur Ministry Of Health Malaysia. www.crc.gov.my. Content. CRC and Disease Registers Traditional operation vs web-based operation Pros and Cons
E N D
Disease & Treatment Registry Thru The Web, The Way Forward Dr. Lim Teck Onn Ms Lim Jie Ying Clinical Research Centre, Hospital Kuala Lumpur Ministry Of Health Malaysia www.crc.gov.my
Content • CRC and Disease Registers • Traditional operation vs web-based operation • Pros and Cons • Minimizing security risk of Web based operation (Ms Lim Jie Ying)
We do 4 types of clinical research 1. Clinical Trials. 2. Clinical Registers /Epidemiological and Health outcomes research 3. Clinical Economics Research 4. Evidence based medicine
Disease Registers in CRC • National Renal Registry • National Cancer Registry • National Cataract Surgery Registry • National Neonatal Registry • National Mental Health Registry • National HIV/AIDS Treatment Registry • National Transplant Registry • In the pipeline: CKD (GN/SLE), CVD (Stroke, AMI, Angioplasty) Rheumatic (RA)
Purpose of Disease Registry • Quantify disease burden (morbidity and mortality) and its geographic and temporal trends. • Early warning of rapid increase in disease incidence eg in infectious disease. • Identify sub-groups most at risk of disease. • Identify potential risk factors of disease. • Evaluate treatment programme / Clinical audit • Evaluate control and prevention programme. • Facilitate research, eg disease aetiology, Rx effectiveness, outcomes research, prognosis Epidemiological vs Treatment Register
Uses of Registry data • Disease epidemiology • Treatment availability & accessibility • Outcomes research • Technology assessment • Clinical economics • Clinical audit • Support clinical trial/ clinical research
Traditional Operation vs Web-based Operation SDP SITE SITE Report data (paper) Return processed data Internet No data return EDC Data Processing CRC CRC Report only Real time analysis & report No prim. data Online data access Internet Data Reporting USERS USERS
We think the pros outweigh the cons.But what about the security risk? Ms Lim Jie Ying
Technological Mechanisms to Counter Security Risk • Authentication • Access control • Encryption • Audit trail • Physical security • Control of external communication links and access • System backup and disaster recovery
Authentication (1) • Authentication is a process of verifying the identity of an entity that is the source of a request or response for information in a computing environment • Categories: • Web Application owner authentication • User authentication
Authentication (2) • Web application owner authentication • VeriSign’s Server ID apply state of the art SSL (Secure Sockets Layer) technology to conduct an authenticated, strongly encrypted online transaction. • VeriSign ensures: • the web site belongs to NRR and not an impostor’s • Message privacy - information cannot be viewed if it is intercepted by unauthorized parties.
Authentication (3) • User authentication is based on two criteria: • Something that user know • User ID and Password – user is required to change password every 3 months and the password cannot be reused within 3 cycles. • Something that user have • Mobile phone authentication
Authentication (4) • Mobile phone authentication • Eg. Mobile phone authentication. After user logs in using UserID and password, server sends an SMS containing additional password to user’s mobile phone. User then types in the additional password before gaining access to system
Access control • Only authorized users, for authorized purposes, can gain access to a system • Authorised users are grouped into Access Control List • User’s rights are assigned based on role • User session management – when user left the application idle for more than 15 minutes, the application will be logged off automatically
Encryption • Definition: convert ordinary language into codeso as to be unintelligible to unauthorized parties. • Field encryption for PHI (Personal Health Information) such as Name, IC within SQL database • Data transmission and synchronisation encrypted Internet Data Centre DTRU asdadadada5gsdafAsdjkn2543550nasdafasjfl5kjhfasfl5345l23 asdlkjldkjasjdalkdjladjl34435347593757asdkas6324sadadaad VPN 128-bit connection
Audit trail • Audit trail on • Information access – to allow identification of unauthorised access to system / network • data manipulation when users create, modify or delete records • Tracks the following
Physical and Environmental Security 1 • Physical security entails appropriate controls to prevent unauthorised people from gaining access so that they cannot tamper with or derive information from the equipment • Access to data centre is limited to authorised personnel only. Access to data centre will only be granted if the person is in the authorised list, identification information is presented and password is correct. Staffs within data centre are authenticated using biometrics technology. • Access to DTRU office is secured by access card system and each personnel has limitation of accessible area/room • Workstation will be logged off if left idle for 5 minute. • Web application will be logged off if left idle for 15 minutes
Physical and Environmental Security 2 • Access card system, Fire and alarm system, data storage space
Physical and Environmental Security 3 Web Application Infrastructure Layout
Control of external Communication Links and Access (1) • Firewall - acts as a sentry (guard) that filters out ‘insecure’ traffic from the Internet to ensure the security of an internal network in DTRU. • Intrusion Detection System (IDS) - built into firewall to detect and block suspicious activities. • Segmented network - User workstations are physically and logically separated from the servers. Thus, compromised workstations can be isolated from the servers and thus minimising damage.
Control of external Communication Links and Access (2) • Antivirus • TrendMicro Antivirus Installed on all workstations and servers • Daily virus signature update • Real-time scan and cannot be disabled. • Patch Management • Automatically download, deploy and install latest approved patches to all servers and workstations without any user interaction. • Ensure that latest patches are applied to operating systems.
System Backup and Disaster Recovery • Backup • Daily, weekly and monthly backup of data to tapes. • Weekly and monthly backup tapes stored offsite to ensure business continuity if anything happens. • Automatic schedule of backup conducted at night using Veritas Backup software. 7- Day backup Tape Loader • Disaster Recovery – Data may be recovered from backup tapes. Security consultant works with CRC team to prepare Business Continuity Plan Procedure.
Organizational Practice • Security and confidentiality policies • Prepared by CIS team of CRC with joint effort of Security Consultant • Each CRC staff has to sign Non Disclosure Agreement • Information security officers (ISO) • To enforce policies • To ensure staffs abide by the policies • Responsibilities include but not limited to: Personnel security, IT security, Physical & environmental Security, Information Processing Practices, Business Continuity Management • Education and training programs • Awareness training program on information security for all CRC personnel is held every month. • Ongoing emphasis • Sanction • Sanction for breaches of confidentiality