Content

1
Disease Treatment Registry Thru The Web, The
Way Forward
Dr. Lim Teck Onn Ms Lim Jie Ying Clinical
Research Centre, Hospital Kuala Lumpur Ministry
Of Health Malaysia
www.crc.gov.my
2
Content

• CRC and Disease Registers
• Traditional operation vs web-based operation
• Pros and Cons
• Minimizing security risk of Web based operation
  (Ms Lim Jie Ying)

3
We do 4 types of clinical research
1. Clinical Trials. 2. Clinical Registers
/Epidemiological and Health outcomes research 3.
Clinical Economics Research 4. Evidence based
medicine
4
Disease Registers in CRC

• National Renal Registry
• National Cancer Registry
• National Cataract Surgery Registry
• National Neonatal Registry
• National Mental Health Registry
• National HIV/AIDS Treatment Registry
• National Transplant Registry
• In the pipeline CKD (GN/SLE), CVD (Stroke, AMI,
  Angioplasty) Rheumatic (RA)

5
(No Transcript)
6
Purpose of Disease Registry

• Quantify disease burden (morbidity and mortality)
  and its geographic and temporal trends.
• Early warning of rapid increase in disease
  incidence eg in infectious disease.
• Identify sub-groups most at risk of disease.
• Identify potential risk factors of disease.
• Evaluate treatment programme / Clinical audit
• Evaluate control and prevention programme.
• Facilitate research, eg disease aetiology, Rx
  effectiveness, outcomes research, prognosis
• Epidemiological vs Treatment Register

7
Uses of Registry data

• Disease epidemiology
• Treatment availability accessibility
• Outcomes research
• Technology assessment
• Clinical economics
• Clinical audit
• Support clinical trial/ clinical research

8
Data capture and reporting A core function of a
Disease Registry
9
Traditional Operation vs Web-based Operation
SDP
SITE
SITE
Report data (paper)
Return processed data
Internet
No data return
EDC
Data Processing
CRC
CRC
Report only
Real time analysis report
No prim. data
Online data access
Internet
Data Reporting
USERS
USERS
10
Process comparison
11
Pros and Cons (1)
12
Pros and Cons (2)
13
Pros and Cons (3)
14
We think the pros outweigh the cons.But what
about the security risk?

• Ms Lim Jie Ying

15
Risks (1)
16
Risks (2)
17
Risks (3)
18
Risks (4)
19
Risks (5)
20
Technological Mechanisms to Counter Security Risk

• Authentication
• Access control
• Encryption
• Audit trail
• Physical security
• Control of external communication links and
  access
• System backup and disaster recovery

21
Authentication (1)

• Authentication is a process of verifying the
  identity of an entity that is the source of a
  request or response for information in a
  computing environment
• Categories
• Web Application owner authentication
• User authentication

22
Authentication (2)

• Web application owner authentication
• VeriSigns Server ID apply state of the art SSL
• (Secure Sockets Layer) technology to conduct
  an authenticated, strongly encrypted online
  transaction.
• VeriSign ensures
• the web site belongs to NRR and not an impostors
• Message privacy - information cannot be viewed if
  it is intercepted by unauthorized parties.

23
Authentication (3)

• User authentication is based on two criteria
• Something that user know
• User ID and Password user is required to change
  password every 3 months and the password cannot
  be reused within 3 cycles.
• Something that user have
• Mobile phone authentication

24
Authentication (4)

• Mobile phone authentication
• Eg. Mobile phone authentication. After user logs
  in using UserID and password, server sends an SMS
  containing additional password to users mobile
  phone. User then types in the additional
  password before gaining access to system

25
Mobile Phone Authentication
26
Access control

• Only authorized users, for authorized purposes,
  can gain access to a system
• Authorised users are grouped into Access Control
  List
• Users rights are assigned based on role
• User session management when user left the
  application idle for more than 15 minutes, the
  application will be logged off automatically

27
Encryption

• Definition convert ordinary language into code
  so as to be unintelligible to unauthorized
  parties.
• Field encryption for PHI (Personal Health
  Information) such as Name, IC within SQL database
• Data transmission and synchronisation encrypted

Internet
Data Centre
DTRU
asdadadada5gsdafAsdjkn2543550nasdafasjfl5kjhfasfl5
345l23 asdlkjldkjasjdalkdjladjl34435347593757asdk
as6324sadadaad
VPN 128-bit connection
28
Audit trail

• Audit trail on
• Information access to allow identification of
  unauthorised access to system / network
• data manipulation when users create, modify or
  delete records
• Tracks the following

29
Physical and Environmental Security 1

• Physical security entails appropriate controls to
  prevent unauthorised people from gaining access
  so that they cannot tamper with or derive
  information from the equipment
• Access to data centre is limited to authorised
  personnel only. Access to data centre will only
  be granted if the person is in the authorised
  list, identification information is presented and
  password is correct. Staffs within data centre
  are authenticated using biometrics technology.
• Access to DTRU office is secured by access card
  system and each personnel has limitation of
  accessible area/room
• Workstation will be logged off if left idle for 5
  minute.
• Web application will be logged off if left idle
  for 15 minutes

30
Physical and Environmental Security 2

• Access card system, Fire and alarm system, data
  storage space

31
Web Application Infrastructure Layout
Physical and Environmental Security 3
32
Control of external Communication Links and
Access (1)

• Firewall - acts as a sentry (guard) that filters
  out insecure traffic from the Internet to
  ensure the security of an internal network in
  DTRU.
• Intrusion Detection System (IDS) - built into
  firewall to detect and block suspicious
  activities.
• Segmented network - User workstations are
  physically and logically separated from the
  servers. Thus, compromised workstations can be
  isolated from the servers and thus minimising
  damage.

33
Control of external Communication Links and
Access (2)

• Antivirus
• TrendMicro Antivirus Installed on all
  workstations and servers
• Daily virus signature update
• Real-time scan and cannot be disabled.
• Patch Management
• Automatically download, deploy and install latest
  approved patches to all servers and workstations
  without any user interaction.
• Ensure that latest patches are applied to
  operating systems.

34
System Backup and Disaster Recovery

• Backup
• Daily, weekly and monthly backup of data to
  tapes.
• Weekly and monthly backup tapes stored offsite to
  ensure business continuity if anything happens.
• Automatic schedule of backup conducted at night
  using Veritas Backup software.

7- Day backup Tape Loader

• Disaster Recovery Data may be recovered from
  backup tapes. Security consultant works with CRC
  team to prepare Business Continuity Plan
  Procedure.

35
Organizational Practice

• Security and confidentiality policies
• Prepared by CIS team of CRC with joint effort of
  Security Consultant
• Each CRC staff has to sign Non Disclosure
  Agreement
• Information security officers (ISO)
• To enforce policies
• To ensure staffs abide by the policies
• Responsibilities include but not limited to
  Personnel security, IT security, Physical
  environmental Security, Information Processing
  Practices, Business Continuity Management
• Education and training programs
• Awareness training program on information
  security for all CRC personnel is held every
  month.
• Ongoing emphasis
• Sanction
• Sanction for breaches of confidentiality

36
Thank You