9.7 PharmaNet Security
General Policy Description
PharmaNet has many built-in security features to prevent unauthorized access to patient information—including data encryption, a “firewall” to prevent outside access to restricted files, and a system of tightly monitored access privileges.
PharmaNet was developed to address the diverse needs of individuals and organizations using it. Some users need “update” access to specific parts; others may require “read-only” access to specific information.
PharmaNet has several levels or layers of access security. Each user and organization has been granted the level of access required to perform their role in managing and using the system.
Access to PharmaNet requires adherence to security requirements of the applicable PharmaNet Professional and Software Conformance Standards. Refer to the Conformance Standards website for further details.
The levels of security are as follows:
- Physical security
- Operating system security
- Network security
- Transaction security
- Screen security
Physical security addresses physical access to the hardware components of PharmaNet. Physical security includes:
- Restricted access to premises in which the hardware resides
- Logging of all access to the PharmaNet equipment
- Inventory checking
- Security procedures for handling and storage of backup and storage media (tapes, discs, flash and hard drives, etc.)
Operating-system security regulates the security of the operating system, for example, by controlling user access and associated privileges, and by allocating PharmaNet system resources to allow PharmaNet to meet performance levels.
Included in operating-system security are
- The assignment of required user IDs
- The establishment and administration of user password standards and policies
- The assignment of system resources to users with appropriate security clearance
Network security prevents access to the network by unauthorized users and unauthorized interception of data traveling to and from the network.
PharmaNet’s core system is behind a firewall on SPAN/BC, the provincial government’s shared, province-wide data network. Most pharmacies are connected via the SPAN/BC network.
Information or messages being transmitted are monitored and authenticated to ensure they are from authorized users. In addition, all personal information that may identify an individual is encrypted to prevent monitoring of the transaction data.
Transaction security grants or limits services to authorized individuals or groups. Each organization connected to PharmaNet is assigned a group of privileges based on the type of PharmaNet transactions it will use. This group of transactions represents the precise services that a specific organization is eligible to use.
Screen security controls internal user or group access to specified PharmaNet database screens and the ability to perform specific functions on those screens.
This description applies to internal screens that are part of PharmaNet, not the vendor-supplied screens that are located externally at pharmacies.
Based on each internal user’s security profile, certain menu items, functions, screens, etc., may be made inaccessible. Some groups may be allowed to change or add information, other groups may only be able to read or view the information and others may have no access at all.