COI Report – Part VII, Page 356 of 425

control helps to restrict EMRs to users who are made members of a certain role according to their responsibilities (e.g. doctor, nurse, clinician etc) or corporate position. Role-based access is already in place, but the classes of persons to whom access is granted, and the extent of the access granted, should be reviewed as part of the wider post-Cyber Attack review. The Committee notes SingHealth’s perspective that the “implementation of IT projects is meant to serve, support and improve patient care, and that an appropriate balance will have to be struck when assessing the feasibility of IT projects”.
1030. The policy must establish clear access controls including a) Role-based security that restricts access to information based on pre-established categories of patients, duties and documents based on specific job requirements of the user and b) Tagging of sensitive data with status indicators that enable restriction of identified patients and encounters to only those with permissions to access such data.
1031. In short, the policy should follow the principle of least access – that is, staff should have access only to the resources they need to perform their daily tasks, and no more. Access to confidential data should be on a strict, need-to-know basis. Further, there should be no general access to patient data – staff should only be able to access the data when they need it for a specific purpose, and the scope of the data accessed should be tightly controlled to include only data essential to the completion of the task.
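The two controls in paragraph 1030 and the least-access rule in paragraph 1031 can be combined in a single deny-by-default check. The sketch below is an added example, not part of the report or of any SingHealth or IHiS system; the role table, the "restricted" tag name, the field names and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed role table: document types and fields each job requires.
ROLE_POLICY = {
    "doctor": {"docs": {"clinical_note", "lab_result"},
               "fields": {"name", "diagnosis", "lab_values"}},
    "nurse": {"docs": {"lab_result"}, "fields": {"name", "lab_values"}},
    "billing_clerk": {"docs": {"invoice"}, "fields": {"name", "amount_due"}},
}

@dataclass
class User:
    role: str
    patient_categories: frozenset = frozenset()  # e.g. wards the user serves
    restricted_grants: frozenset = frozenset()   # encounter ids explicitly permitted

@dataclass
class Record:
    patient_category: str
    encounter_id: str
    doc_type: str
    data: dict
    tags: frozenset = frozenset()  # status indicators such as "restricted"

def access(user, record, task_fields):
    """Return (visible_data, reason); deny by default, release only task fields."""
    policy = ROLE_POLICY.get(user.role)
    if policy is None:
        return {}, "deny: unknown role"
    if record.doc_type not in policy["docs"]:
        return {}, "deny: document type outside role"
    if record.patient_category not in user.patient_categories:
        return {}, "deny: patient category outside duties"
    if "restricted" in record.tags and record.encounter_id not in user.restricted_grants:
        return {}, "deny: tagged encounter, no permission"
    allowed = policy["fields"] & set(task_fields)
    visible = {k: v for k, v in record.data.items() if k in allowed}
    if not visible:
        return {}, "deny: no permitted field needed for task"
    return visible, "allow"

# Constructed sample data, not from the report.
LAB = Record("oncology", "E1", "lab_result",
             {"name": "Patient A", "diagnosis": "dx", "lab_values": "Hb 13.1"})
VIP = Record("oncology", "E2", "lab_result", dict(LAB.data), frozenset({"restricted"}))
NURSE = User("nurse", frozenset({"oncology"}))
DOCTOR = User("doctor", frozenset({"oncology"}), frozenset({"E2"}))

if __name__ == "__main__":
    for who, rec in [(NURSE, LAB), (NURSE, VIP), (DOCTOR, VIP)]:
        print(who.role, rec.encounter_id, access(who, rec, {"lab_values", "diagnosis"}))
```

Logging the returned reason string for every denial gives reviewers the data needed to check which classes of persons are requesting access beyond their role.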
44.1.2 Database-level access by administrators, developers and support team

1032. Security measures should not only be geared towards external attackers – there is a real risk of patient data being compromised by insiders too. We recommend that the need for administrators, developers and support team to access patient data be reviewed. IHiS should aim for the least number of people possible to have access to the database. To the maximum extent possible,