Security and Accessibility

Clinical Laboratory Information System Client Server (CLICS)

I. PRINCIPLE:

Security and accessibility to UCL’s LIS is accomplished via CLICS workstations connected to a local private intranet running custom, in-house developed software.

In general UCL subscribes to the open systems, distributed computing model for information systems. This principle defines the role of the network as a reliable transport medium for flow of information, not a security device. Security is the responsibility of each system that is connected to the network, e.g. firewalls, gateways, servers, etc. The level of security active on each component is determined by the LIS Director in consideration of the degree of confidentiality, need for access, etc. (e.g.: test results, diagnosis…etc.).

Unauthorized or incidental access by non-healthcare individuals to functions, data or specific applications resident in each system is obviated because the network is a private, local area intranet, i.e., not connected to the Internet or any other public network; UCL does not publish its website to the Internet.

UCL uses several levels of security:

  1. Access cannot be gained without specific knowledge of connected systems, connectivity software and access methods, user name and passwords.
  2. Users must be running the custom in-house developed software or have specific knowledge of the database design, i.e. its schema, content, etc.
  3. Local Private Network, i.e. not available for public access.
    Note: All external connectivity is accomplished via virtual private network (VPN) or SSL links that are pre-approved and authorized by the LIS Director or Technical Director/CIO. VPN access is granted to select, outside technicians from known entities for the purpose of development, trouble-shooting, support and maintenance. This permission is limited to defined projects or issues within specific time frames. Authorization is formal and permitted only by the Technical Director/CIO, LIS Director and DB Administrator.
  4. When needed, modems are connected to unlisted telephone numbers and require special access software, as well as active user names and passwords.
  5. Connected systems require authorized user name and password approval before access is granted.

II. POLICY:

  1. For all of the data-handling functions described immediately below (Access to Results, Results Entry/Modification and Billing/Crediting) authorized personnel must create their own session with the LIS; i.e., they must sign onto a workstation using their own user I.D. and password.
    Personnel may NOT access the LIS system for any of these functions under someone else’s session. To do so is grounds for immediate dismissal.

    Staff should log off the system when the job they are performing is done or if they will be away from the workstation for more than 2 – 3 minutes. This makes it a little easier for the next person to log on.
    Note: The CLICS auto-logoff function will terminate a given session after a pre-determined period of inactivity.

    In any event, if staff requires a workstation where someone else already has a session open, that session needs to be terminated and the staff member needing the workstation is to log on under their own User I.D. and password. Within the context of the functions described immediately above, there are no exceptions to this policy.
  2. Access to Results: All UCL employees have access to results on a need to know basis only. Results can be viewed by using the Inquiry screen of the in-house developed CLICS application or Web Inquiry. Access is controlled by user name and password.
  3. Results Entry or Modification of Released Results: Only UCL employees with the appropriate security level have access to Results Entry screens. Access is controlled by user name, password and security level, and is limited to CLICS workstations only. The name of the person entering or modifying any result is recorded in the CLICS audit log.
  4. Billing and Crediting: Access to UCL’s Billing and Crediting system is limited to employees in the insurance and data entry departments located at the Cathedral Square site. This system is a commercial billing system that also requires a valid user name, password and specific client software.

       

    1. 2/23/96 R. Theobald
    2. 10/9/97 R. Theobald (clarification of principle, format)
    3. 8/6/2002 S. Raymond (II A)
    4. August 2009 S. Raymond, R. Theobald (Revised: I.; II.1-4.)

       

    Reviewer:

    L.I.S. Director:

    Technical Director: