6.1 PURPOSE
The purpose of this policy is to ensure that systems and individuals interacting with the Saudi Health Information Exchange systems are known through the process of reliable security identification of subjects by incorporating an identifier and its authenticator.
6.2 SCOPE/APPLICABILITY
This policy applies to the Saudi Health Information Exchange, and to all individuals and organizations that have access to Saudi Health Information Exchange managed health records, including:
• Participating Healthcare Subscriber (PHCSs),
• their business associates,
• any subcontractors of business associates that perform functions or provide services involving the use and disclosure of personal health information,
• any Saudi Health Information Exchange Infrastructure Service Provider, and
• any other subcontractor of Saudi Health Information Exchange.
This policy applies to all personal health information provided to or retrieved from Saudi Health Information Exchange systems.
6.3 POLICY
1. Emergency Access SHALL be supported by all HIE node systems accessing the Saudi Health Information Exchange as a break-glass with audit and review of these actions, in accordance with the Audit Policy. Notification to the subject of care in the event of break-glass access SHOULD be provided by the Security and Privacy Officer of the Saudi Health Information Exchange.
2. Automatic user logoff SHALL be supported by all HIE nodes accessing the Saudi Health Information Exchange. The user sessions of the HIE node SHOULD be automatically logged off after no more than 30 minutes of inactivity.
3. All HIE Nodes exchanging personal health information SHALL implement a node authentication mechanism compliant with Transport Layer Security (TLS) [Internet Engineering Task Force (IETF): Transport Layer Security (TLS) 1.0 (RFC 2246)].
4. All Saudi Health Information Exchange system remote access by individual users SHALL require multi-factor authentication.
5. PHCSs SHOULD assert multi-factor authentication for remote access to their systems (from outside of the physical control of the organization), if the accessed system enables access to the Saudi Health Information Exchange.
6. A directory of PHCSs within the Saudi Health Information Exchange MAY include primary contact information of registered members, roles/privilege information, and identity attributes of providers, organizations, and systems. The primary contact information for the data in the directories supplied to the directory SHOULD minimally include a primary contact name and any associated contact phone numbers.
6.1. For Saudi Regulated Health Professionals, this information SHALL be sourced through the Saudi Commission for Health Specialties database.
6.2. The Saudi Commission for Health Specialties SHALL be the authoritative source for health practitioner’s license revocation.
6.3. For Healthcare Organizations, this information SHALL be provided by the corresponding sector-regulating body (Council of Health Services).
6.4. For employees and staff of Healthcare Organizations and Supporting Organizations, this information SHALL be provided by the designated contact within the PHCS.
6.5. All non-regulated health professionals SHALL be managed as employees of healthcare organizations.
7. The Saudi Health Information Exchange SHALL require unique identification of the individuals (employees, care providers, subjects of care, subjects of care agents), systems (HIE node, HIE system, or the Application), and Organizations accessing the information in the Saudi Health Information Exchange.
8. The user identity, role, and affiliation must be checked for both revocation and expiration at the time of logon to the system. If any have been revoked or have expired, use would be denied.
9. Any system providing access to the Saudi Health Information Exchange SHALL be responsible for verification of credentials. Verification implies that:
9.1. the credential is issued by a trusted third party,
9.2. the credential is current,
9.3. the credential is not suspended or revoked, and
9.4. the credential type is appropriate (for example, physician or pharmacist).
6.4 POLICY MAINTENANCE
The Saudi Ministry of Health (MOH) is responsible for monitoring and maintenance of policies.
|