Security & Data Protection Implementation

KKBM's approach to data protection relies on a layered model: system safeguards provided by SystmOne, reinforced by clinic-specific infrastructure at the network and device levels, and sustained by staff vigilance.

For the foundational CCMS security architecture, see the Access Control & Data Security Policy.


1. System-Level Foundation

SystmOne provides three built-in security layers that KKBM relies on as our foundation:

Thick Client Architecture
SystmOne runs as proprietary software, not a browser-based EMR. This isolates clinical data from web-based vulnerabilities.
Centralized Data Storage
No patient data is stored permanently on local clinic computers. All records are centralized on secure KKM servers.
Comprehensive Audit Logging
Every access, modification, and deletion is logged with user ID, timestamp, and IP address for full accountability.

These are standard CCMS capabilities. What KKBM has built on top of them is detailed below.


2. Network Security (KK Level)

KKBM has implemented a multi-layer network security architecture:

2.1 Secure Gateway & Infrastructure

  • GITN Network Restriction — Primary internet access is exclusively provided and restricted by GITN.
  • Omada Managed Switches — Deployed to actively monitor network traffic and anomalies in real-time through the Omada ecosystem.
  • Physical Port Lockdown — Strict port security is enforced. Devices connected to clinic wall ports or switches are denied network access unless explicitly approved.

2.2 Access Control

  • Wired LAN Priority — Physical LAN cables are prioritized over wireless to localize access and restrict network load.
  • MAC Address Registration — Any device requiring Wi-Fi access must have its MAC address explicitly registered to the network beforehand.
  • Enterprise Wireless Encryption — Wi-Fi network requires secure credential authentication beyond MAC registration to prevent spoofing (via Omada).
  • Network Isolation — Personal staff devices and guest networks are strictly separated from the main clinical network handling SystmOne data.

2.3 Backup Connectivity

  • TM Unifi Backup — Strictly designated as a backup connection, used only during Business Continuity Planning (BCP) scenarios.

3. Device-Level Security

KKBM has implemented the following device security protocols across all clinical workstations:

3.1 Operating System & Software

  • OS Updates — All Windows devices are monitored and updated to the latest secure versions as periodic maintenance work.
  • Standard User Accounts — Staff are assigned standard user accounts without Administrator privileges to prevent unauthorized installations.
  • Software Restrictions — Staff must not download or install unnecessary or personal software onto clinic devices.
  • Active Antivirus — Every clinical device runs active, updated endpoint protection to block malicious software in real-time.

3.2 Hardware Controls

  • USB Device Restriction — External USB flash drives are strictly prohibited on clinic devices unless explicitly authorized. Unauthorized USBs have been identified as a primary cause of past virus infections and hardware failures.
  • Screen Lock Policy — PCs are configured to auto-lock after a short period of inactivity. Staff must actively lock their computers (Press Windows Key + L) whenever stepping away.
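As an added illustration (not part of this KKBM page or of any CCMS tooling), the following read-only PowerShell audit checks a Windows workstation against the section 3.1 and 3.2 controls. It assumes the controls are enforced through standard Windows mechanisms (screen-saver lock settings, the USBSTOR service start value, local Administrators membership, Microsoft Defender and Windows Update hotfixes); the page does not state how KKBM actually enforces them, and the 10-minute, 3-day and 30-day thresholds are assumptions.

```powershell
# Added example: read-only baseline audit for the section 3 device controls.
# Enforcement mechanisms and thresholds below are assumptions, not KKBM's stated configuration.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-KkbmDeviceBaseline {
    $results = @()

    # 3.1 Standard user accounts: the logged-on user must not be a direct member of local Administrators (SID S-1-5-32-544)
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
    $results += [pscustomobject]@{ Control = 'Standard user account'; Compliant = ($admins -notcontains $me); Detail = $me }

    # 3.1 Active antivirus: assumes Microsoft Defender; real-time protection on and signatures at most 3 days old
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $avOk = [bool]($mp -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 3))
    $results += [pscustomobject]@{ Control = 'Active antivirus'; Compliant = $avOk; Detail = "signature age $($mp.AntivirusSignatureAge) days" }

    # 3.1 OS updates: most recent hotfix must have been installed within the last 30 days (assumed threshold)
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $updOk = [bool]($last -and ($last.InstalledOn -gt (Get-Date).AddDays(-30)))
    $results += [pscustomobject]@{ Control = 'OS updates'; Compliant = $updOk; Detail = "last $($last.HotFixID) on $($last.InstalledOn)" }

    # 3.2 USB restriction: USBSTOR Start=4 (disabled) blocks USB mass-storage class devices
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $results += [pscustomobject]@{ Control = 'USB storage blocked'; Compliant = ($usbStart -eq 4); Detail = "USBSTOR Start=$usbStart" }

    # 3.2 Screen lock: the policy key overrides the user key; lock must be active, password-protected, timeout <= 10 min
    $pol = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $usr = 'HKCU:\Control Panel\Desktop'
    $base = if (Get-RegValue $pol 'ScreenSaverIsSecure') { $pol } else { $usr }
    $active  = Get-RegValue $base 'ScreenSaveActive'
    $secure  = Get-RegValue $base 'ScreenSaverIsSecure'
    $timeout = [int](Get-RegValue $base 'ScreenSaveTimeOut')   # seconds; [int]$null becomes 0 and fails the check
    $lockOk = ($active -eq '1') -and ($secure -eq '1') -and ($timeout -gt 0) -and ($timeout -le 600)
    $results += [pscustomobject]@{ Control = 'Auto screen lock'; Compliant = $lockOk; Detail = "timeout ${timeout}s from $base" }

    return $results
}

Test-KkbmDeviceBaseline | Format-Table -AutoSize
```

Any row with Compliant = False identifies a control from section 3 that is not in effect on that workstation and should be raised through the incident-reporting route in section 4.4.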

4. Staff Awareness & Training

4.1 Training Program

  • Continuous Security Training — Security and CCMS briefing is conducted regularly for all staff members.
  • Onboarding Briefings — New staff receive data security orientation covering password management, role-based access & prohibited actions.

4.2 Behavioral Policies

  • Credential Hygiene — Staff must never share SystmOne credentials or leave them entered on unattended machines.
  • Phishing Vigilance — Staff stay alert for suspicious emails and links, and do not click or share credentials unless the source is verified.
  • Clear Screen & Clear Desk — Physical patient documents must be secured. Monitors must be angled away from waiting areas to prevent shoulder surfing.

4.3 Visual Reminders

  • Security Posters — A4/A6 security reminder posters are displayed in consultation rooms and at high-traffic terminals.
  • Digital References — Security protocols are accessible via this documentation site and digital references on clinic PCs.

4.4 Incident Reporting

  • Active Reporting — Staff must immediately report security issues, glitches, or suspicious activity to the IT/administrative team.
  • Helpdesk Integration — Security incidents can be logged through the Muar ICT Helpdesk App for tracking and follow-up.

Contributor

Dr Fuad Jaafar

Facilitator, CCMS • KK Bandar Maharani

Page info

Reviewed May 2026
Next review May 2027
Dr Fuad Jaafar

© CCMS Hub. Content on this site was prepared for internal clinical use. Please request permission before reproducing or republishing on other platforms.