Technology and Addiction Services


Transcript Technology and Addiction Services

* It’s no secret that technology has become the fulcrum upon which much of society has been leveraged.
* From printers to computers to the Internet to cellphones to answering machines to fax machines, and on and on.
* It’s highly likely that you got into this industry because you wanted to help people
* It’s highly likely that you didn’t get into this industry to have to deal with technology and its challenges
* But that’s where your industry went
We’re going to spend the next while taking a look at technology as it relates to the A&D field
*
* What are some of the ways this transformation into technology immersion has:
* Helped or facilitated your job?
* Hindered it, created new challenges or frustrated you?
*
* The Health Information Technology for Economic and Clinical Health Act, abbreviated HITECH Act, was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009.
* Set meaningful use of interoperable EHR adoption in the health care system as a critical national goal and incentivized EHR adoption.
* Starting in 2015, hospitals and doctors will be subject to financial penalties under Medicare if they are not using electronic health records.
* The main components of Meaningful Use are:
* The use of a certified EHR in a meaningful manner, such as e-prescribing.
* The use of certified EHR technology for electronic exchange of health information to improve quality of health care.
* The use of certified EHR technology to submit clinical quality and other measures.
*
*Core Requirements:
* Use computerized order entry for medication orders.
* Implement drug-drug, drug-allergy checks.
* Generate and transmit permissible prescriptions electronically.
* Record demographics.
* Maintain an up-to-date problem list of current and active diagnoses.
* Maintain active medication list.
* Maintain active medication allergy list.
* Record and chart changes in vital signs.
* Record smoking status for patients 13 years old or older.
* Implement one clinical decision support rule.
* Report ambulatory quality measures to CMS or the States.
* Provide patients with an electronic copy of their health information upon
request.
* Provide clinical summaries to patients for each office visit.
* Capability to exchange key clinical information electronically among providers
and patient authorized entities.
* Protect electronic health information (privacy & security)
*
*Menu Requirements:
* Implement drug-formulary checks.
* Incorporate clinical lab-test results into certified EHR as structured data.
* Generate lists of patients by specific conditions to use for quality
improvement, reduction of disparities, research, and outreach.
* Send reminders to patients per patient preference for preventive/follow-up care
* Provide patients with timely electronic access to their health information
(including lab results, problem list, medication lists, allergies)
* Use certified EHR to identify patient-specific education resources and
provide to patient if appropriate.
* Perform medication reconciliation as relevant
* Provide summary care record for transitions in care or referrals.
* Capability to submit electronic data to immunization registries and actual
submission.
* Capability to provide electronic syndromic surveillance data to public
health agencies and actual transmission.
*
* Before texting, email became the most ubiquitous method of communication on the Internet—maybe even on the planet.
* It’s built into almost everything: phones, tablets, home appliances, and cars to name a few.
* Email addresses have become our IDs; it’s how we sign up for things, receive notices, and occasionally communicate with each other.
* But it was not designed with any privacy or security in mind.
* It was not designed to be the center of our digital lives; it was designed when the Internet was a much smaller place to store and forward messaging between people using different kinds of computers.
*
* There are 4 basic places where your email can be compromised:
* On your device(s)
* On the network you’re using
* On the server you’re using
* On your recipient’s device(s)
* The first and last seem obvious in a variety of ways; networks offer a little tougher means of keeping people out, but if you’re sending email to someone who uses the same service as you, say Outlook.com, you are still easily compromised.
* If you send the email to someone on a different network, then where the two networks connect is the vulnerable point.
* Servers are where your email is stored. All of your email. As plain text.
* If a hacker gets in there, they’ve pretty much got everything, plus all attachments.
*
* Email is stored in multiple places around the Internet. It gets copied to:
* The sender’s computer, in the “Sent Mail” box
* The server that sends the email
* The server that receives the email
* The recipient’s computer when he/she downloads the email
* The backups of the email:
* Burned to CD
* Backup servers
* Encryption to the rescue! (Sort of…)
* Encryption basically scrambles the plain text into gobbledegook that is unscrambled at the other end.
* Encrypting messages
* Encrypting network connections
* While your text and attachments are scrambled, your header info (address, recipient address, subject, date, and more) is not. This still paints a pretty detailed description of the email.
* While secure email can still be hacked, it provides much more protection than unsecured email.
*
HIPAA and Email
*
* HIPAA email security applies specifically to protected health information (PHI), not just personal information.
* PHI is health information of an identifiable individual that is transmitted by electronic media, maintained by any electronic medium, or transmitted or maintained by any other form or medium.
* All administrative, financial and clinical information on a patient is considered PHI.
* Privacy key point: Controlling use/disclosure of oral, written and electronic PHI in any form
* Security key point: Controlling the access to electronic forms of protected health information
* It’s important to note that there are no policemen for HIPAA; the only way HIPAA gets policed is through litigation (and nobody wants that).
* One of the best ways to protect yourself/your agency is to have a good written Technology Plan
*
* Encrypted email clients (Pro versions):
* Hushmail: PC only; $35/year per person
* VauntletMail: PC/Mac/Linux; Free
* ShazzleMail: PC/Mac/Linux; Negotiated
* Enigmail: Thunderbird plugin; Free
* CryptoHeaven: PC/Mac/Linux; Varies by # of users
* SendINC: PC/Mac/Linux; Varies by # of users
*
* Telephonic transmission of scanned printed material (both text and images), normally to a telephone number connected to a printer or other output device.
*
* The original document is scanned with a fax machine (or a telecopier), which processes the contents (text or images) as a single fixed graphic image, converting it into a bitmap, and then transmitting it through the telephone system in the form of audio-frequency tones.
* Since the 1980s most machines modulate the transmitted audio frequencies using a digital representation of the page which is compressed to quickly transmit areas which are all-white or all-black.
* In many business environments, freestanding fax machines have been replaced by fax servers and other computerized systems capable of receiving and storing incoming faxes electronically, and then routing them to users on paper or via email.
* All forms of faxing must adhere to the same HIPAA PHI rules as email.
*
* Advantages of old-style faxing:
* Speed of transfer and receipt
* Sends as a PDF, so no viruses
* Less vulnerable to interception
* Sender gets notice of receipt
* Receiver has a physical copy
* Don’t need to know how to use a computer
* Disadvantages of old-style faxing:
* Must have a fax machine and/or scanner
* Fax machine maintenance costs
* Lack of mobility
* Need for paper
*
* Internet faxing, efax, or online faxing uses the Internet Protocol to send a fax, rather than using only phone networks with a fax machine.
* As modems came into wider use with personal computers, the computer was used to send faxes directly using faxing software. Instead of first printing a hard copy and then sending it via fax machine, the document can now be printed directly to the software fax and sent via the computer’s modem; receiving an efax is basically the same.
* Efaxing can also occur via VoIP, fax servers/gateways, and using email (although a newer fax machine is needed to receive an email-sent fax).
* Advantages of Efaxing:
* Although Internet-delivered, the message is converted to a PDF file and so is less likely to harbor viruses.
* Faxes don’t get blocked by spam filters like email does.
* No busy signal with which to contend
* Faxes are natively encrypted and can’t be hacked or decoded. Emails on the other hand can be intercepted and read if not encrypted.
* Email and file attachments can be great for everyday communication but are not generally accepted for legal documentation because attached files do not provide a timestamped image of a document.
* It’s easier to send large files through online fax than email because online fax does not fall under any file size caps put in place by email hosts.
* Paperless; can send multiple faxes simultaneously; no additional machine needed; can send and receive from anywhere with Internet access, with mobile phones and tablets.
* It goes to the email box of a computer, so it can get noticed faster.
*
*Disadvantages of Efaxing:
* It has no inherent technology advantage over email,
scanner, or graphic file formats.
* Scanner required to convert paper documents to
digital.
* Computer of the receiver must be turned on.
* Document is no longer readable by computer
applications.
* Monthly subscription fees to efaxing companies.
* Time-limited storage capacity.
* Switching from traditional fax machine to Internet fax
machines can be problematic for some.
*
* Physicians, nurse practitioners, and others allowed to prescribe medications have traditionally used a pad to illegibly write out a person’s prescription. The person could then take it to a pharmacy to have it filled. Or lose it. Or copy it.
* The future seems to be Eprescribing, especially since the HITECH Act promotes adoption by defining eprescribing as one meaningful use of an Electronic Medical Record (EMR).
* Standards for transmitting, recording, and describing prescriptions have been developed by the National Council for Prescription Drug Programs, in particular the SCRIPT standard, which describes data formats.
*
* Adoption of e-prescribing technology has accelerated in the United States, in large part, due to the arrival of Stage 2 of meaningful use. One of the Stage 2 core measures is: "Generate and transmit permissible prescriptions electronically (e-Rx)."
* In order to meet this measure, practices must prescribe and transmit at least 50 percent of permissible prescriptions electronically.
* A June 2012 report from the National Coordinator for Health IT found that 48 percent of U.S. physicians use e-prescribing systems. National growth in eprescribing over the period September 2008 through June 2012 increased over 40 percent, with individual states increasing adoption anywhere from 28 percent to 70 percent.
*
* The basic components of an electronic prescribing system are:
* Prescriber - typically a physician
* Transaction hub
* Pharmacy with implemented electronic prescribing software
* Pharmacy Benefit Manager (PBM)
* The PBM and transaction hub work closely together. The PBM works as an intermediate actor to ensure accuracy of information, although other models may not include this to streamline the communication process.
*
* A "qualified" e-prescribing system must be capable of
performing all of the following functions:
* Generating a complete active medication list incorporating
electronic data received from applicable drug plan(s) if
available
* Selecting medications, printing prescriptions, electronically
transmitting prescriptions, and conducting all safety checks
using integrated decision support systems (safety checks
include: automated prompts that offer information on the drug
being prescribed, potential inappropriate dose or route of
administration, drug-drug interactions, allergy concerns, or
warnings of caution)
* Providing information related to the availability of lower cost,
therapeutically appropriate alternatives (if any)
* Providing information on formulary or tiered formulary
medications, patient eligibility, and authorization requirements
received electronically from the patient's drug plan
*
* Review patients' current medication list and medication history information within the practice.
* Work with an existing medication within the practice; this can involve viewing details of a medication, removing a medication from the active medication list, changing the dose, etc., for a medication, or renewing one or more medications.
* Prescribe or add new medication and select the pharmacy where the prescription will be filled.
* The information is then sent to the Transaction Hub, where information on the patient eligibility, formulary, and medication history/fill status is sent back to the prescriber.
* Patient-specific information capabilities (e.g., current medication list, access to patient historical data, patient identification)
*
* System integration capabilities (e.g., connection with various databases, connection with pharmacy and pharmacy benefit manager systems)
* Educational capabilities (e.g., patient education, provider feedback)
*
* E-prescribing offers clinicians a powerful tool for safely and efficiently managing their patient's medications. Compared to paper-based prescribing, e-prescribing can enhance patient safety and medication compliance, improve prescribing accuracy and efficiency, and reduce health care costs through averted adverse drug events and substitution of less expensive drug alternatives.
* This is of key importance because in 2000, the Institute of Medicine identified medication errors as the most common type of medical errors in health care.
*
* Benefits to Eprescribing:
* Powerful tool for safely and efficiently managing their
patient's medications.
* Enhances patient safety and medication compliance
* Improves patient safety and quality of care
* Illegibility from handwritten prescriptions is eliminated,
decreasing risk of med errors
* Decreased time on clarifying phone calls
* Reduced time faxing prescriptions to pharmacies
* Automated renewal request and authorization
* Increased patient convenience and med compliance
* Better cost drug substitutions
* Greater prescriber mobility
* Improved drug surveillance/recall ability
*
* Limitations:
* Costs associated with purchasing, implementing, supporting and
maintaining such a system may be beyond the means of most small
clinical practices, and noted to be one of the greatest
implementation barriers.
* Many underestimate the challenges pertaining to change
management when transitioning from paper-based prescriptions to
e-prescribing.
* The inability to effectively use clinical decision support systems
due to the erroneous triggering of pop-up alerts with ill-defined
software.
* Integrity of data input - accidental data entry errors.
* Security and privacy errors/concerns
* System downtime
*
‘I am not a case, and you are not my manager’
* If you’ve been doing addiction counseling for a while, you’re probably attempting to manage a fairly large caseload, and have spent more time than you like maintaining case files in a paper format.
* You go to the file drawer, look up the file (hoping you filed it alphabetically), and pull it out of the drawer.
* You open the file with a flick of the tab
* Do a quick review hoping you’re getting all the info you need for your next encounter with this person
* And BOOM! You’re off.
* You have to really hope that you’ve accessed everything you need, that you actually remembered to go back in and include the notes from the last encounter because you were too busy to last time, and that anyone else who has interacted with this person also included everything in the file.
* But this is the only way you’ve done it; it’s familiar…
*
* Imagine a complex puzzle. Imagine having to remember how each piece fits, over and over. And imagine that the solution to the puzzle is constantly changing. If you could feed all of that puzzle information into a computer program, you wouldn’t have to figure it out each time. Everyone who looks at the puzzle would know how to assemble it, the puzzle would be put together faster, and the chance for errors would be greatly decreased.
*
* Health history is like a complex puzzle. Every time you have to remember health information for doctors’ offices, insurers, emergency rooms, pharmacies, etc., it’s like trying to reconstruct a changing puzzle over and over again. Information that you have to repeatedly recall and write down is inherently inaccurate. No matter your age, your recall is not perfect.
* Take going to the doctor, for instance. The more doctors you see, the greater the chance of inaccuracy. With paper charts, each of your doctors may have slightly different information that they are basing your treatments on.
*
* To quote one Harvard Medical School publication, "Such a structure [paper] is inherently costly to administer--the share of US expenditures devoted to administration is variously estimated at one-fourth to one-fifth of the health dollar."
*
* EMRs are changing the healthcare paradigm. Are you fighting the future?
* The successful implementation of an EMR allows a provider to operate on a new plateau. New-found efficiency includes:
* Reduction of documentation time
* Immediate access to patient data
* Improved cash flow
* Streamlined clinical work flow
* Increased reimbursement
* Detailed real-time aggregate reporting
* Inpatient facilities experience automated medication ordering and administration that drastically improve safety processes.
* Believe it or not, despite all the techno-garble, EMRs truly enhance quality of care and ultimately reduce the cost of care delivery.
*
* An EMR allows organizations to collect data only once. The impact of this on a once paper-based system is profound.
* A well-designed, EMR-based clinical work flow moves a patient through the preadmission, intake, treatment, and discharge processes without requiring data entry to be repeated.
* A major service to addiction treatment providers is group therapy: EMRs allow entry of group notes in a process that populates all group attendee notes with required documentation. Clinicians no longer are forced to hunt for all attendee charts or to open each chart to make the note.
*
* EMRs mitigate the risk of required or essential data being
missing or buried within progress notes.
* EMRs require clinicians to collect important data elements
prior to closing a document. This automated function
allows for increased charting supervision without further
human intervention, ensuring data will be complete and
available when needed.
* The data can be used in standardized instruments to
provide measurable outcomes.
* Clinicians ultimately view the EMR as a tool for their
services, rather than as an obstacle.
*
*Components of an excellent EMR:
* Outpatient Front Desk Staff:
* Able to do fee collection, print receipt, and check in to
group within one minute per client
* Check-in generates group roster and batch of auto-filled
service notes for the clinician
* Easy scheduling function
* Able to quickly look up:
* Client info by name, by client number, by health plan
number
* Client payer source
* How much client owes, including co-pays
* Dates of previous service episodes
*
*Components of an excellent EMR (cont.):
* Clinical Forms:
* Forms you use and/or State’s forms
* Easy to access and use
* Enforces the Golden Thread
* Information entered into the assessment automatically flows
into the service plan, which feeds the service notes and
discharge summary
* Automated documentation audit checks
* Documentation compliance reporting
* Automatic prompt for service plan and assessment updates
* Message sent to direct supervisor on non-compliant records
(past due date, incomplete)
*
*Components of an excellent EMR (cont.):
* Clinical Audits:
* Able to easily call up files from a specific program and
time period for internal audits
* Ease of access for county, state, federal, managed care,
and CARF auditors
* Able to permission access only those files auditors are
allowed to see: permission by specific files, by program,
by payer source, by time period.
* Eprescribing:
* Integrated with the rest of the EHR
* Drug-to-drug interactions and allergy warnings
*
*Components of an excellent EMR (cont.):
* Billing and Revenue Management:
* Documentation linked to billing
* Eligibility verification
* Authorization management
* 837 Processing and 835 Remittance
* Billing suspense mechanism if billing does not meet standard
criteria (billable diagnosis, exceeding pre-authorized limits,
no service note, etc.)
* Able to talk with billing vendor
* Full billing reports by cost center,
including aged accounts
receivable report, 3rd party payments report
*
*Components of an excellent EMR (cont.):
* Reporting Capabilities
* Utilization by program by month/year by payer source
* Outpatient Show/No Show by individual session, by group, by
clinical contact, by clinician
* Length of stay
* Productivity report by clinician by month/year
* Productivity report by cost center by month/year
* Case load report by clinician and by program
* Referral source by program by month/year by payer source
* Reports linked to charting capability
* Able to easily create/write new reports
*
*Components of an excellent EMR (cont.):
* Scheduling:
* Outpatient:
* View multiple schedules in the same window
* Rapid scheduling of recurring events like groups
* Color coding to easily see openings, appointments, and
tentative schedules
* Residential/Detox:
* Current clients admit, planned discharge date, actual
discharge date
* “White board” for scheduled clients, by payer group
* Technology
* Cloud based
* Certified as meeting meaningful use criteria
*
*Components of an excellent EMR (cont.):
* Cost Accounting:
* Cost Center
* Type of Staff
* Service Class
* Program
* Individual/Group
* Staff
* Type of Service
* Client
* Hourly, monthly, and annual
*
* Components of an excellent EMR (cont.):
* Implementation & Training:
* Includes structured training and implementation plan
* At least initial training and follow-up training for all staff
* Help desk functions: FAQ’s, tutorial, on-line training,
monitored users group
* Training plan for new staff
* Plan for uploading current database
* Expense
* Initial installation and training expense
* On-going charges
* Lost productivity
* Hardware costs
* Disruptions in billing
*
* Telemedicine is the use of telecommunication and information technologies to provide clinical health care at a distance.
* The definition sometimes includes all aspects of healthcare, including preventative care, while other definitions use it for clinical services only.
* Sometimes referred to as “telehealth” or “eHealth.”
* These technologies eliminate distance barriers and can improve access to services that might not otherwise be consistently available.
* Permits communications between patient/client and staff with both convenience and fidelity, as well as allowing the transmission of medical, imaging, and health informatics data from one site to another.
* A growing number of HIPAA-compliant technologies are available.
*
* The use of telemedicine can assist in reducing such
barriers as:
* Clinician shortages
* Misdistribution of providers
* Rural/urban underserved populations
* Aging population
* Travel time, cost, and hardship
* Delayed treatment
* Language barriers
* Clinical education programs
* Administrative meetings
*
* For the person receiving counseling services, this can
mean:
* Reducing barriers to access
* Reducing delays in receiving services
* Able to stay in touch briefly and frequently
* Increase positive healthcare outcomes
* Can take a more active role in their recovery
* Able to attend online 12-step and other meetings
*
* For the A&D Professional, telemedicine can:
* Make themselves more available to clients at
different hours
* Increase efficiency
* Reduce delay in providing services
* Increase the number of positive outcomes
* Receive ongoing training and education
* Allow counseling to multiple locations
*
* Potential barriers:
* Telecommunication Costs
* Telecommunications training
* Clinicians not championing distance counseling
* Clients not having proper equipment
* Might not be convenient
* Program sustainability
* Interstate licensing
* Potential PHI compromised via electronic
storage and transmission
*
* Not only does your data fall under HIPAA regulations, it also falls under 42 CFR, Part 2, which we will cover in a session tomorrow. If it’s digitized, it also falls under 21 CFR, Part 11.
* 42 CFR, Part 2, requires that records of the identity, diagnosis, prognosis, or treatment of any patient, which are maintained in connection with the performance of any program or activity relating to drug abuse, alcoholism or alcohol abuse education that is conducted, regulated or assisted by the Federal government, be kept confidential.
* 21 CFR, Part 11, covers the security and validation of a healthcare entity’s data system using and storing Protected Health Information (PHI).
* We will be covering 42 CFR, Part 2, in a session tomorrow, so let’s look at 21 CFR, Part 11.
*
* The FDA regulates 21 CFR, Part 11.
* In 2006, the FDA did about 4200 inspections worldwide
and sent out 500 warning letters
* It sued many companies
* It was sued by many companies
* The FDA loses approximately 50% of all suits in which
it engages concerning 21 CFR, Part 11, so it doesn’t
necessarily like to go to court
*
* What has been happening:
* Increased FDA inspections
* Increased use of electronic signatures
* Increased use of hybrid systems
* Confusion leading to too much/inappropriate validation
* Replacement of legacy systems
* System not in use today or not validated to today’s
standards
* Increased security
* Industry standards for 21 CFR, Part 11, have evolved
*
* You need to be aware of:
* Code of Federal Regulations (CFR)
* Published by the Government Printing Office and in the
Federal Register
* They are equal to federal laws
* They take a long time to create or change
* Court rulings
* Interpretations change over time
* Guidance documents
* Not binding
* More specific than regulations
* Do not specifically detail regulations
* May actually differ from regulations
*
* For an entity’s compliance:
* There needs to be SOPs
* Policies
* Work instructions
* All must be controlled documents
* Companies must adhere to their own documents even more
than the federal regulations
*
* What triggers an FDA inspection of an entity’s system:
* Part of a regularly scheduled inspection
* Insufficient validation documentation
* Failures
* Problems with similar systems at other companies
* Attitudes
* Complaints
* Use of electronic records, including hybrid systems
* Electronic submissions
*
* Part 11 compliance has an excellent return on investment
(ROI):
* Cost of compliance is low compared to costs for potential
losses; Allows for Disaster Recovery
* Reduces labor costs by increasing employee efficiency and
effectiveness
* Cost of compliance saves money by making the organization
more productive
* Use of eRecords is less expensive than the use of paper
records: creation, organization, searching, retention…
* Use of eSignatures is much more secure than handwritten
signatures
*
* Electronic Records can be used in place of paper records
provided they are trustworthy and reliable.
* All electronic data is an electronic record. “Electronic
record means any combination of text, graphics, data,
audio, pictorial, or other information representation in
digital form that is created, modified, maintained,
archived, retrieved, or distributed by a computer
system.” Subpart A 11.3
* Part 11 applies to newly installed and existing legacy
systems. There is no “grandfather” exemption.
* If it isn’t documented it didn’t happen!
* Interpretation is based on industry standards
*
* Security: Current Concepts:
* Authentication: fraud - you are not who you said you are.
* Authorization: unauthorized access - you should not have
access because you have not been granted access.
* Privacy: observation and snooping - someone can see
what you are working on.
* Data Integrity: Alteration - someone has changed the
data.
*
* Security Threats:
* Natural disasters: hurricanes, floods, earthquakes, tornadoes, lightning…
* Environmental: long-term power outages, accidents, fire…
* Hacker-Cracker
* Terrorist
* Industrial espionage
* Insiders
*
* Security Threats—Motivations:
* Unintended mistakes
* Challenge
* Ego
* Rebellion
* Monetary
* Revenge
* Blackmail
* Exploitation
*
* Security Threats—Results:
* Destruction
* Improper Disclosure
* Alteration
* Regulatory
* Legal
* Negative publicity
* Highly expensive
*
* Security:
* Access limited to authorized individuals (roles and
privileges defined by data owners)
* No users with “God” role, no IT people with user system
administrator role
* Password minimum length (8 characters)
* Password makeup requirements (no words in dictionary,
alphanumeric)
* Password change frequency (90 days)
* Password reuse frequency (1 year)
*
* Security (cont.):
* Passwords are not displayed when entered
* Passwords are not remembered by browsers and applications
* Password only known by individual user, not shared
* Password encryption (upon entry, storage)
* Password cannot be copied and pasted
* Passwords are not emailed or written down
* Temporary passwords are unique
* Temporary passwords must be changed at next login
* Temporary password expires (24 hours)
*
* Security (cont.):
* User name appears on screen
* User name is unique
* User name identifies a person, not generic
* User name is not deleted, just inactivated. Therefore,
it cannot be reused.
* Automatic logout after inactivity (10-20 min)
* OS screen saver with password (10-20 min)
* Auto lockout after too many failed login attempts;
email notification to system administrator/security
staff (3-5 attempts)
* Logging of all user access activity; login, logout, lockout
* When logging into a system from a second location both
users are notified
*
* Security (cont.):
* Auto lockout of inactive accounts (30 days)
* Last login displayed when logging in
* The network is secure with respect to user
access, Internet access, malware protection, and
physical security
* Removable media, including laptops and PDAs,
have confidential data encrypted
* Device checks confirm that once data starts from
a device, another device doesn’t take over
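The password and lockout rules on the preceding Security slides, worked through as an added example that is not part of the presentation: a Python policy checker covering the 8-character minimum, the letters-and-digits rule, the dictionary-word check, the one-year reuse window (checked against stored salted hashes, so old passwords are never kept in clear), the 90-day change interval, the 24-hour temporary-password expiry, lockout after repeated failed attempts with a notification hook for security staff, the 30-day inactive-account lockout, and the idle-session timeout. Where the slides give a range (3-5 attempts, 10-20 minutes) a value inside the range is chosen here; that choice, the sample word list, the account names and the reference date are all assumptions made for the demo, and the password-change routine itself is left out.

```python
"""Added example (not from the slide deck): a password policy and account
lockout checker implementing the numeric rules on the preceding slides.
The word list, the thresholds picked inside the slides' ranges, and the
demo accounts are constructed illustrations; load real values from config."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional
import hashlib
import os

DAY, HOUR, MINUTE = timedelta(days=1), timedelta(hours=1), timedelta(minutes=1)
MIN_LENGTH = 8                 # slide: password minimum length (8 characters)
MAX_AGE = 90 * DAY             # slide: password change frequency (90 days)
REUSE_WINDOW = 365 * DAY       # slide: password reuse frequency (1 year)
TEMP_PASSWORD_TTL = 24 * HOUR  # slide: temporary password expires (24 hours)
MAX_FAILED_ATTEMPTS = 5        # slide gives 3-5 attempts; 5 chosen here
IDLE_LOGOUT = 15 * MINUTE      # slide gives 10-20 min; 15 chosen here
INACTIVE_ACCOUNT = 30 * DAY    # slide: auto lockout of inactive accounts (30 days)
DICTIONARY_WORDS = {"password", "welcome", "summer", "clinic", "recovery"}  # constructed sample
T0 = datetime(2015, 1, 10, 9, 0)  # constructed reference time for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest: the system stores this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    is_temporary: bool = False
    last_login: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False


def password_problems(candidate: str, history, now: datetime) -> List[str]:
    """Return every policy rule the candidate violates; an empty list means it passes.
    history holds (salt, digest, set_at) tuples of the user's previous passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("not alphanumeric (needs letters and digits)")
    if any(word in candidate.lower() for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    for salt, digest, set_at in history:  # reuse check is done on hashes, never stored plaintext
        if now - set_at < REUSE_WINDOW and hash_password(candidate, salt) == digest:
            problems.append("reused within one year")
            break
    return problems


def new_account(username: str, password: str, now: datetime, temporary=False) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), now, temporary)


def login(account: Account, password: str, now: datetime, notify: Callable[[str], None]) -> str:
    """One login attempt; returns the outcome and updates the account state."""
    if account.locked:
        return "locked"
    if account.last_login and now - account.last_login > INACTIVE_ACCOUNT:
        account.locked = True  # slide: auto lockout of inactive accounts
        notify(f"{account.username}: locked after 30 days of inactivity")
        return "locked"
    if hash_password(password, account.salt) != account.digest:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True  # slide: lockout plus notification to security staff
            notify(f"{account.username}: locked after {MAX_FAILED_ATTEMPTS} failed attempts")
            return "locked"
        return "bad password"
    account.failed_attempts = 0
    if account.is_temporary and now - account.password_set_at > TEMP_PASSWORD_TTL:
        return "temporary password expired"
    account.last_login = now
    if account.is_temporary or now - account.password_set_at > MAX_AGE:
        return "must change password"  # temp password at next login, or older than 90 days
    return "ok"


def session_expired(last_activity: datetime, now: datetime) -> bool:
    return now - last_activity >= IDLE_LOGOUT  # slide: automatic logout after inactivity


def demo() -> dict:
    """Walk constructed accounts through the rules; returns the outcomes for inspection."""
    alerts, out = [], {}
    jdoe = new_account("jdoe", "Tr3atment-Plan!", T0)
    out["weak"] = password_problems("recovery", [], T0)
    out["reuse"] = password_problems("Tr3atment-Plan!", [(jdoe.salt, jdoe.digest, T0)], T0 + 200 * DAY)
    # Regular logins keep the account active; the fifth one is past the 90-day password age
    out["logins"] = [login(jdoe, "Tr3atment-Plan!", T0 + d * DAY, alerts.append) for d in (1, 25, 50, 75, 91)]
    for _ in range(MAX_FAILED_ATTEMPTS):  # repeated wrong guesses trip the lockout
        out["after_guesses"] = login(jdoe, "wrong-guess", T0 + 92 * DAY, alerts.append)
    temp = new_account("rsmith", "W3lcome-Temp", T0, temporary=True)
    out["temp_expired"] = login(temp, "W3lcome-Temp", T0 + 25 * HOUR, alerts.append)
    kwong = new_account("kwong", "Gr0up-Note-2015", T0)
    login(kwong, "Gr0up-Note-2015", T0, alerts.append)
    out["inactive"] = login(kwong, "Gr0up-Note-2015", T0 + 31 * DAY, alerts.append)
    out["alerts"], out["idle"] = alerts, session_expired(T0, T0 + 16 * MINUTE)
    return out
```

The `notify` callback is where the slide's "email notification to system administrator/security staff" would hang; the demo just collects the messages in a list. Note that the inactivity rule locks an account whose logins are more than 30 days apart, which is why the demo spaces its logins under that gap.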
*
* Data Transfer:
* Limited and controlled delete capabilities
* Data transferred outside of the intranet firewall is
encrypted
* Data taken off site is encrypted (laptops, removable
media)
* The system must include operational system checks to
enforce correct sequencing of events and validity of input
data
* Date format dd-MMM-yyyy (10-Jan-2015)
*
* Audit Trails:
* Audit trail records the creation, modification, or
deletion of electronic records
* Record user name, date, time, previous data, new
data, and reason for change (if required by predicate
rules)
* Users can access audit trail
* Indication of changed data is known to the user by on
screen indication, not just in audit trail
* All computers must be synchronized to a standard
time source
* Application aware that data integrity has been
compromised; database encryption, record
checksums, backend changes written to audit trail.
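The audit-trail and data-transfer points above (user, date, time, previous data, new data and reason for each change; dd-MMM-yyyy dates; record checksums that let the application notice backend changes; an on-screen indication of changed data) combined into one added Python example that is not from the presentation. Each entry's checksum covers its own contents plus the previous entry's checksum, so an edit made directly in the database, bypassing the application, breaks the chain at the altered entry. The client id, field names, users and timestamps are constructed sample data.

```python
"""Added example (not from the slide deck): a hash-chained audit trail that
records who changed what, when and why, stamps dates as dd-MMM-yyyy, and
detects backend edits that bypass the application. Users, record ids and
field values below are constructed sample data."""
import hashlib
import json
from datetime import datetime
from typing import List, Optional

T0 = datetime(2015, 1, 10, 14, 5, 0)  # constructed reference time


def stamp(moment: datetime) -> str:
    """Slide: date format dd-MMM-yyyy, e.g. 10-Jan-2015 (%b is 'Jan' in the C locale)."""
    return moment.strftime("%d-%b-%Y")


def checksum(payload: dict, previous_hash: str) -> str:
    """SHA-256 over the canonical JSON of one entry plus the previous entry's hash,
    so each entry commits to everything recorded before it."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_hash + canonical).encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # fixed predecessor hash for the first entry

    def __init__(self):
        self.entries: List[dict] = []

    def record(self, user, when, record_id, field_name, old, new, reason=None) -> dict:
        """Append one creation/modification/deletion event and return the stored entry."""
        payload = {"user": user, "date": stamp(when), "time": when.strftime("%H:%M:%S"),
                   "record": record_id, "field": field_name,
                   "previous": old, "new": new, "reason": reason}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = dict(payload, hash=checksum(payload, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Recompute the chain; return the index of the first altered entry, or None if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            payload = {k: v for k, v in entry.items() if k != "hash"}
            if checksum(payload, prev) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def history_for(self, record_id) -> List[str]:
        """On-screen change indication for one record (slide: not just in the audit trail)."""
        lines = []
        for e in self.entries:
            if e["record"] == record_id:
                why = f' ({e["reason"]})' if e["reason"] else ""
                lines.append(f'{e["date"]} {e["time"]} {e["user"]}: {e["field"]} '
                             f'{e["previous"]!r} -> {e["new"]!r}{why}')
        return lines


def demo() -> dict:
    """Record three changes, confirm the chain, then simulate a backend edit."""
    trail = AuditTrail()
    trail.record("jdoe", T0, "client-1042", "dose_mg", None, 50, "initial order")
    trail.record("rsmith", T0.replace(hour=16), "client-1042", "dose_mg", 50, 75, "titration per plan")
    trail.record("jdoe", T0.replace(day=11), "client-1042", "allergy", None, "penicillin")
    history = trail.history_for("client-1042")
    intact = trail.verify()                  # None: every checksum matches
    trail.entries[1]["new"] = 100            # direct database edit, bypassing record()
    return {"dates": [e["date"] for e in trail.entries], "history": history,
            "intact": intact, "tampered": trail.verify()}
```

In a deployment the chain head would be stored somewhere the database administrator cannot rewrite (a signed value, a write-once log, or a remote copy), since a backend editor who can rewrite every hash can also re-chain the trail; the per-entry check here is what tells the application that its own record no longer matches what was written through it.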
*