Access Control & Data Security Policy
This chapter covers how SystmOne enforces data privacy, patient confidentiality, system access control, and technical safeguards in accordance with ISO 27001 — and its health-sector application ISO 27799 — and the MOH ICT Security Policy DKICT-V5.
Access Control at a Glance
Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Clinic ICT Security Officer (ICTSO) | Oversees user provisioning and deactivation, enforces access rights, coordinates with BKD, conducts periodic access reviews |
| Clinic Administrator | Authorizes role assignments, enforces policy, escalates violations, manages internal audit preparation |
| Bahagian Kesihatan Digital (BKD) | Backend infrastructure, centralized backups, server-level access logs, restoration support |
| All System Users | Safeguard individual login credentials, comply with logout and screen-lock protocols, report suspicious access immediately |
Key Principle:
Access control is a shared responsibility. System administrators configure the rules; every user follows them.
Account Provisioning and RBAC
1. Account Provisioning Rules
- Every staff member receives a unique login ID and password
- Accounts must never be shared under any circumstance
- All account creations, modifications, and deactivations require Clinic Administrator approval and are handled by the ICTSO
- Staff with multiple clinical roles may have separate login profiles per function to ensure clear separation of responsibilities for auditing
- Accounts are archived when staff leave or change roles — never deleted, to preserve audit continuity
2. Permission Levels
| Level | Capability |
|---|---|
| Read-only | View information without modifying |
| Read + write | View and add new entries, but cannot modify existing data |
| Full control | View, add, modify, and delete within authorized scope |
| Administrative | System configuration and user management |
| Supervisory | Review and override capabilities for quality assurance |
3. RBAC by Role
Access is granted based on staff portfolio, function, and clinical responsibility. Users receive the minimum permissions needed to do their job — this is the principle of least privilege.
- Full EMR access: clinical documentation, diagnostics, medications, confidential notes, prescribing, and diagnosis entry
- Full clinical access plus supervisory functions: documentation review, template customization, supervisory audits
- View full records; enter vitals, nursing notes, patient education; view labs and medications; limited prescribing if applicable
- Registration and demographic management, vitals recording, basic clinical tasks within MA scope; restricted access to full clinical data
- Medication record access, pharmacy module functions, PHIS interaction, MTAC counselling documentation; limited clinical view focused on medication context
- Dietitian, nutritionist, physiotherapist: view records, vitals, labs; enter session notes in assigned templates; access within relevant scope
- Registration and demographics, appointment scheduling, billing, queue management; no access to clinical notes or sensitive clinical data
- Backend configuration, account provisioning, server-level audit logs, technical support; limited clinical data access only for support needs
Confidentiality Methods
Beyond standard RBAC, SystmOne provides three additional methods to protect highly sensitive information (e.g., domestic abuse, sexual assault, mental health, STIs including HIV):
1. Restricted Record
Completely locks the patient record from all staff except those explicitly granted access.
- Use for: extreme confidentiality (VIP, protected identity, court-mandated)
- Limitation: Registration staff cannot register or book appointments, which can break operational workflow
- Managed by: Clinic Administrator or ICTSO
2. Confidential Notes (Journal Entry)
Clinicians can create confidential notes and assign access to specific users, teams, or groups.
- Users with access see a red-coloured journal entry
- Users without access see that an entry exists, but cannot open the content
- Best for: sensitive clinical information shared among a care team
3. Safeguarding-Relevant Flag
A journal entry can be marked Safeguarding-Relevant to limit visibility to users with safeguarding access.
- Advantage: Does not block registration or appointments. Best balance between confidentiality and workflow
- Typically enabled for clinical roles such as doctors, MAs & nurses
- Managed by: Users with safeguarding permissions or Clinic Administrator
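The three methods differ in what a user without access can see, and in whether registration still works. The following is an added example written for this chapter, not SystmOne's own code: it models the three mechanisms as a small visibility resolver layered over a role permission check. The permission names, data classes, function names and the sample users and record are all assumptions constructed for illustration; the one interpretation it makes is that a Safeguarding-Relevant entry is not listed at all to users without safeguarding access, whereas a Confidential Note is listed but cannot be opened, as the chapter describes.

```python
"""Illustrative model of SystmOne confidentiality methods (added example, not
SystmOne code). Permission names and data model are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed permission names (not SystmOne's own identifiers).
VIEW_CLINICAL = "view_clinical"   # may open clinical content of a record
REGISTER = "register"             # registration / appointment booking
SAFEGUARDING = "safeguarding"     # safeguarding access

HIDDEN = "<content withheld>"     # marker: entry is listed but cannot be opened


@dataclass
class User:
    user_id: str
    permissions: Set[str]
    teams: Set[str] = field(default_factory=set)


@dataclass
class JournalEntry:
    entry_id: str
    text: str
    confidential_to: Optional[Set[str]] = None   # Confidential Note: user ids / team names
    safeguarding_relevant: bool = False           # Safeguarding-Relevant flag


@dataclass
class PatientRecord:
    patient_id: str
    entries: List[JournalEntry] = field(default_factory=list)
    restricted_to: Optional[Set[str]] = None      # Restricted Record: explicit allow-list


def can_open_record(user: User, record: PatientRecord) -> bool:
    """Restricted Record locks the whole record; only the allow-list gets in."""
    if record.restricted_to is not None:
        return user.user_id in record.restricted_to
    return True


def can_register(user: User, record: PatientRecord) -> bool:
    """Registration/booking needs the register permission AND an openable record.
    This is the workflow-break limitation: a Restricted Record blocks a
    registration clerk who is not on the allow-list."""
    return REGISTER in user.permissions and can_open_record(user, record)


def visible_entries(user: User, record: PatientRecord) -> List[Tuple[str, str]]:
    """Return (entry_id, content) pairs. Content is the text, or HIDDEN when the
    user may see that the entry exists but cannot open it."""
    if not can_open_record(user, record) or VIEW_CLINICAL not in user.permissions:
        return []
    out = []
    for e in record.entries:
        if e.safeguarding_relevant and SAFEGUARDING not in user.permissions:
            continue  # assumed: not listed at all without safeguarding access
        if e.confidential_to is not None and not (
            user.user_id in e.confidential_to or user.teams & e.confidential_to
        ):
            out.append((e.entry_id, HIDDEN))  # exists, but content withheld
            continue
        out.append((e.entry_id, e.text))
    return out


def sample_users():
    """Constructed sample users (not real staff)."""
    return {
        "doctor": User("dr01", {VIEW_CLINICAL, SAFEGUARDING}, teams={"care-team-A"}),
        "nurse": User("rn01", {VIEW_CLINICAL}, teams={"care-team-B"}),
        "clerk": User("reg01", {REGISTER}),
    }


def sample_records():
    """Constructed sample records (not real patients)."""
    ordinary = PatientRecord("P-1001", entries=[
        JournalEntry("j1", "BP 130/85, routine review"),
        JournalEntry("j2", "Disclosure of domestic abuse", confidential_to={"care-team-A"}),
        JournalEntry("j3", "Safeguarding referral made", safeguarding_relevant=True),
    ])
    restricted = PatientRecord("P-2002", entries=[JournalEntry("j9", "VIP note")],
                               restricted_to={"dr01"})
    return ordinary, restricted


if __name__ == "__main__":
    users = sample_users()
    ordinary, restricted = sample_records()
    for name, u in users.items():
        print(name, visible_entries(u, ordinary), "register:", can_register(u, ordinary))
        print(name, visible_entries(u, restricted), "register:", can_register(u, restricted))
```

Running it shows the trade-off the chapter describes: the clerk can register the ordinary patient but not the restricted one, while the nurse sees that entry j2 exists without being able to read it and never sees the safeguarding entry j3.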
Authentication and Session Control
1. Password Requirements
These are the technical rules enforced by SystmOne:
| Requirement | Standard |
|---|---|
| Minimum length | 8 characters |
| Character types | Uppercase, lowercase, and numbers |
| Change frequency | Every 90 days (or sooner if compromise is suspected) |
| First login | Default password must be changed immediately |
| Reuse prevention | Previous 3 passwords cannot be reused (system-enforced) |
2. Session Management
| Control | Behaviour |
|---|---|
| Automatic timeout | After period of inactivity |
| Manual logout | Required when leaving workstation |
| Screen lock | Staff must lock screen when temporarily absent |
| Re-authentication | Required after timeout or unlock |
| Session termination | Complete on logout |
3. Account Lockout Protection
- Accounts lock automatically after 3–4 failed login attempts
- All lockouts are logged and reviewable
- Users can view lockout incidents: Home → Tasks → Task Lists → Password Lockout
- Unlock requests go to Clinic Administrator or ICTSO
Common causes of lockouts: forgotten passwords, Caps Lock enabled, faulty keyboards, wrong username used. Many are preventable with proper training and workstation checks.
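The password rules in section 1 and the lockout behaviour in section 3 are both enforced on the same login path. The following is an added example written for this chapter, not SystmOne's code: a small account model that applies the 8-character and character-class rules, the 90-day expiry, the forced first-login change, a 3-password reuse history, a lockout after 3 consecutive failures (the lower end of the chapter's 3 to 4), administrative unlock, and an audit line for every event. Class and function names, the PBKDF2 hashing choice, and the walk-through scenario are assumptions made for illustration.

```python
"""Illustrative password policy + lockout enforcement (added example, not
SystmOne code). Thresholds follow the chapter; names are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 3          # previous passwords that cannot be reused
LOCKOUT_THRESHOLD = 3      # chapter says 3-4 failures; lower bound used here
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (example choice of hash, not SystmOne's)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def password_violations(password):
    """Return the rules a proposed password breaks (empty list means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if not any(c.islower() for c in password):
        problems.append("no lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


class Account:
    def __init__(self, user_id, initial_password, now):
        self.user_id = user_id
        self.history = []          # (salt, digest): current + previous passwords
        self.password_set_at = now
        self.must_change = True    # default password must be changed at first login
        self.failed_attempts = 0
        self.locked = False
        self.events = []           # audit log lines
        self._store(initial_password, now)

    def _store(self, password, now):
        self.history.append(hash_password(password))
        self.history = self.history[-(HISTORY_DEPTH + 1):]   # current + 3 previous
        self.password_set_at = now

    def _log(self, now, event, detail=""):
        self.events.append("%s %s %s %s" % (now.isoformat(), self.user_id, event, detail))

    def change_password(self, new_password, now):
        problems = password_violations(new_password)
        if any(verify(new_password, s, d) for s, d in self.history):
            problems.append("reuse of one of last %d passwords" % HISTORY_DEPTH)
        if problems:
            self._log(now, "password_rejected", ",".join(problems))
            return problems
        self._store(new_password, now)
        self.must_change = False
        self._log(now, "password_changed")
        return []

    def login(self, password, now):
        """Returns 'locked', 'denied', 'change_required' or 'ok'."""
        if self.locked:
            self._log(now, "login_refused_locked")
            return "locked"
        salt, digest = self.history[-1]
        if not verify(password, salt, digest):
            self.failed_attempts += 1
            self._log(now, "login_failed", "attempt %d" % self.failed_attempts)
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True
                self._log(now, "account_locked")
                return "locked"
            return "denied"
        self.failed_attempts = 0   # a success resets the consecutive-failure count
        if self.must_change or now - self.password_set_at > MAX_AGE:
            self._log(now, "login_ok_change_required")
            return "change_required"
        self._log(now, "login_ok")
        return "ok"

    def unlock(self, by, now):
        """Administrative unlock (Clinic Administrator or ICTSO), always logged."""
        self.locked = False
        self.failed_attempts = 0
        self._log(now, "account_unlocked", "by %s" % by)


def run_scenario():
    """Constructed walk-through; returns (outcomes, audit lines)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("rn01", "Temp1234", t0)
    out = [
        acct.login("Temp1234", t0),              # default password: change_required
        acct.change_password("temp1234", t0),    # rejected: no uppercase
        acct.change_password("Temp1234", t0),    # rejected: reuse
        acct.change_password("Klinik2024", t0),  # accepted: []
        acct.login("Klinik2024", t0),            # ok
        acct.login("wrong", t0),                 # denied
        acct.login("wrong", t0),                 # denied
        acct.login("wrong", t0),                 # third failure: locked
        acct.login("Klinik2024", t0),            # still locked, even with right password
    ]
    acct.unlock("ictso01", t0)
    out.append(acct.login("Klinik2024", t0 + timedelta(days=91)))  # 90-day expiry
    return out, acct.events


if __name__ == "__main__":
    outcomes, events = run_scenario()
    print(outcomes)
    print("\n".join(events))
```

The audit lines are the point a reviewer should check for in practice: every rejection, lockout and unlock leaves a record with who and when, which is what the Password Lockout task list and the ICTSO's periodic review rely on.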
4. Inactive Account Management
- Accounts with no login activity for 30+ days are reviewed quarterly by ICTSO
- Long-term leave accounts are temporarily suspended
- Reactivation requires Administrator approval
- Departed staff accounts are deactivated immediately
- Periodic access reviews confirm accounts are still needed
Workstation and Device Security
1. Screen Lock & Timeout
- All clinic workstations must auto-lock after 5 minutes of inactivity
- Visual reminder labels should be placed above terminals in registration and clinical rooms
2. Shared Device Protocol
- Shared computers (triage counters, pharmacy, PACS viewers) must not retain user sessions between shifts
- Each user must log in using their own credentials, and logout procedures must be followed strictly
3. Portable Device Policy
Any clinic-owned devices used off-premises:
- Must have encryption enabled
- Must require password or biometric authentication
- Loss or theft must be reported within 2 hours to the Clinic Administrator and ICTSO
- Check-in/check-out logs must be maintained and reviewed periodically
Break-Glass and Audit
SystmOne captures every meaningful system interaction:
- Login and logout events
- Patient record access and viewing
- Documentation created, modified, or marked in error
- Prescriptions issued or amended
- Appointment changes
- Demographic changes
- System configuration changes (administrators)
- Break-glass overrides
Full audit reports are role-based and restricted to authorized reviewers. For details, see Audit Trail.
