Page 1

Guidelines for safety management of medical information systems
5th edition

May 2017
Ministry of Health, Labor and Welfare

Page 2

Revision history

Version number

date

First Edition March 2005

Contents
April 1999 "Medical examination whose preservation obligation is stipulated by law
Communication regarding the storage of medical records and medical records in electronic media
"Knowledge" and March 2002 notification "Place to save medical records, etc."
Integrate each guideline created based on "About".
New medical records and medical examinations that are required to be preserved by law
Guidelines for electronic storage of medical records (paper)
Including external storage by media such as. ) And medical / long-term care related machines
Information system operation management for personal information protection in Seki
Created as a guideline including the guideline.

2nd edition

March 2007

Advanced Information and Communication Technology Strategy Headquarters (IT Strategy Book) in January 2006
Department) announced "IT New Reform Strategy" (January 2006)
"Establishment of a secure network infrastructure" was raised in
And the Information Security Policy Conference in September 2005
"Information security measures for critical infrastructure" determined by
In "Basic Concept of IT", medical care is important for IT infrastructure.
If a disability causes a decline or suspension of services, the lives of the people
Positioned as an "important infrastructure" that has a serious impact on life, medical doctors
Responding to IT-based disasters, cyber attacks, etc. in medical treatment
Based on the need to systematize and clarify
(1) Regarding networks suitable for use in medical institutions, etc.
Assumed use of security requirement definition
On the way, threats that exist on the network, to those threats
Medical doctors from various perspectives such as countermeasures, dissemination measures and their issues
A network suitable for connecting institutions related to medical treatment
Define your requirements and include "6.10 External and Personal Information"
Taken as "safety management when exchanging medical information"
Implemented revisions such as stopping.
(2) Measures against IT failures caused by natural disasters and cyber attacks
Therefore, the degree of medical dependence on IT should be evaluated appropriately.
Against medical disasters and cyber attack countermeasures
"6.9 Emergency response such as disaster" is newly established as a guideline.
And carry out revisions such as summarizing.

Page 3

3rd edition

March 2008

After the revision of the 2nd edition, we will handle personal information related to medical care.
Based on the situation where discussions on various measures are in progress
(1) Regarding "Matters related to the handling of medical information", medical treatment
Responsibility and rules for handling health information
Determined, "4 Responsible for handling electronic medical information
Implemented revisions such as compiling in "People". Also, this thought
Based on the arrangement of how to collect, "8.1.2 Machine for entrusting external storage"
Revised "Seki Selection Criteria and Information Handling Criteria"
Fixed.
(2) "Regarding the technical requirements for using wireless / mobile
Points to keep in mind when dealing with wireless LAN
Network connection type used for mobile access
Based on threat analysis for each state, response guidelines are provided in Chapters 6 and 10.
Added to related parts. Especially the net used on mobile
For work, see "6.11 External and Doctors with Personal Information"
Added a requirement to "Safety management when exchanging medical information".
In addition, new information when storing information and taking it out
For risks, "6.9 Taking out information and information equipment
About "was newly established and the points to be noted are described.

4th edition

March 2009

After the revision of the 3rd edition, "Medical care for medical institutions and medical professionals, etc."
Information security management requires specialized knowledge of information technology
It also entails a large financial burden such as capital investment. "
"Given the strict medical care provision system these days, there are limited human resources.
Economic medical resources are the primary business of medical institutions and medical staff
Should be spent on providing good quality medical care
Excessive effort and resources should not be spent on reporting
"I", "On the other hand, with the progress of medical informatization in recent years, individuals themselves
By browsing, collecting, and presenting medical information
It is expected to be useful for improving health. "
Based on the fact that it was done, a more appropriate information infrastructure structure in the medical field, etc.
For construction
・ "The ideal way of electronic information management in the medical field
Regarding "Matters related to", medical information from various places
It is required to align the guidelines
And, how to handle medical information in line with technological progress
Based on medical information as well as physical location

Page 4

Further systematically consider safety management and operational measures, etc.
In consideration of readability, "3.3 Handling
Established "Documents that require attention" and clarified points to keep in mind, Chapter 5
General review "5 Information interoperability and standardization
Full revision, "6.1 Announcement of policy establishment",
"6.2 Information Security Management in Medical Institutions"
Item C and D in "Practice of Information Security Management (ISMS)"
Installation, "6.11 Exchange medical information including personal information with the outside
Regarding access from the outside to "Safety management when doing"
Added items, B of "7 Requirements for electronic storage"
Sections C and D have been significantly revised throughout Chapter 7 and "8.1.2"
Selection criteria for institutions entrusted with external storage and handling of information
Where the information trustee is a private business operator
In that case, a guide issued by the Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications.
Clarified to comply with the line, and other technical requirements
Review, arrangement of relationships between various ministerial ordinances / notifications, etc. and item A, etc.
Implemented a general revision.
Version 4.1 February 2010

At the Medical Information Network Infrastructure Study Group in November 2009
Each guideline is about where to save medical records, etc.
"Contract with a private business operator, etc."
Should be revised to "a safe place secured based on"
Revision of external storage notification in response to the compilation of recommendations
Do the right thing, and the chapters 4 and 8 that are relevant in this guideline,
The revision was implemented focusing on a part of Chapter 10.
In Chapter 4, "4.3 Arrangement of the concept of the demarcation point of responsibility by example"
Added "(4) When entrusting online external storage" to.
In Chapter 8, "8.1.2 Criteria for selecting an institution that outsources external preservation and
And "3. Consignment of medical institutions, etc." in "Standards for Handling Information"
Receive and store information Save in private data centers
"Case" based on "③ Medical institution, etc. contracts with private business operators, etc."
If you want to save it in a safe place that you have secured, "and notify the contents.
Revised according to.
Chapter 10 is intended to be consistent with these revisions.
There is.

Page 5

Version 4.2 October 2013

Partial amendment of external storage notice was made in March 2013, and dispensing
Is external storage of completed prescriptions and dispensing records approved?
In Chapters 3, 8 and 9, which are also relevant in this guideline.
Partially revised.
Also, in view of the spread of mobile terminals, the handling of devices
In addition to clarifying, regarding emergency response such as disasters
Chapter 6 to add to the idea of ​assuming a large-scale disaster
Revised a part of.
In addition, the latest on interoperability and standardization of medical information
Revised Chapter 5 as a response to the technology of.
In Chapter 3, "3.3 Digitization of Dispensed Prescriptions and Dispensing Records / Outside"
About saving part "was added.
In Chapter 5, "5.1.1 Ministry of Health, Labor and Welfare Standards" was added.
In Chapter 6, "6.9 About taking out information and information equipment"
In addition to clarifying "6.10 Emergency response such as disasters"
Added the idea assuming a large-scale disaster.
Chapter 8 adds a description of external storage of dispensed prescriptions
Added.
In Chapter 9, "9.4 Digitized prescriptions with a scanner, etc."
And save it "was added.

4.3th Edition March 2016

"Operational guidelines for electronic prescriptions" was published in March 2016
Based on the fact that it was issued, Chapter 3 related to this guideline,
Part of Chapters 8 and 9 was revised.

5th edition

May 2017

Diversification and sophistication of cyber attacks targeting medical institutions, etc.
Promotion of regional medical cooperation and medical care cooperation, new technologies such as IoT,
As a response to the spread of services, etc., related chapters 1 and 6 etc.
Standard gauges that have been revised and added since the publication of the 4.2th edition
Corresponding to the case etc.
In addition, the revised Personal Information Protection Law and "Medical / Nursing Care Business Operators"
Guidance for proper handling of personal information in Japan "etc.
Was dealt with. (Chapter 6 and 8 of this guideline, Supplementary Provision 1 and
Regarding the items described in Supplementary Provision 2, please refer to "Medical / Nursing Care Business Operators.
Guidance for the proper handling of personal information ”Ⅲ-4
(4) "Introduction of medical information system and other information associated with it"
In "Handling when saving parts", this guideline
It is supposed to be due to. )

Page 6

In Chapter 1, the guidelines cover hospitals, general clinics, and dentistry.
Clinics, midwives, pharmacies, home-visit nursing stations, long-term care business
Electronic users, medical information cooperation network operators, etc.
Clarified that the person in charge of handling medical information is included
did. In addition, the revised Personal Information Protection Law and "Medical / Nursing Care Related Business"
Guidance for the proper handling of personal information by a person "
We made corrections based on such factors.
Chapter 3 is subject to Chapters 7 and 9 based on the revision of Chapter 1.
Added the documents of possible long-term care providers.
In Chapter 4, the related revised Personal Information Protection Law and "Medical / Nursing Care"
Gaida for the proper handling of personal information by the business operator
Refer to the regulations such as "S".
In Chapter 5, the Ministry of Health, Labor and Welfare standards and JAHIS standards are added.
In addition, the necessary revisions were made.
In Chapter 6, following the update of the standard, "6.1 Establishment and publication of policy"
And "6.2 Information Security Management in Medical Institutions, etc."
Make the necessary revisions in "Practice of Information Security Management (ISMS)"
It was. In Chapter 6.2, "" Medical Information Security Opening by Manufacturers "
Added the "Guide". In addition, "6.5 technical safety
In "All Measures", about user identification / authentication, items B, C,
In addition to revising the content of Section D, regarding the above-mentioned IoT, "(6)
Use of IoT devices in fields such as medical care ”was established, and items C and D
Added a term. "6.6 Human Safety Measures" and "6.10 Disasters, Services"
In "Emergency Response such as Ever Attack", advance to cyber attack
We revised the response after the fact. In addition to this
The chapter title of Chapter 6.10 has also been revised. "6.9 Information and information equipment
In "About taking out", public wireless LAN or privately owned or individual
Handling of business use (BYOD) of terminals under human control, etc.
Revised the regulations when using mobile terminals. "6.11 outside
Safety management when exchanging medical information including personal information with the department "
Now for SSL / TLS connections over open networks
And added the C term. "6.12 Signature / Seal stipulated by law
About doing with an electronic signature ”, the proof of national qualification is
Addition about the way of thinking and handling of required documents
went.
In Chapter 7, the roles and responsibilities of the parties involved in the input of electronic medical records, etc.

Page 7

In addition to clarifying the duties, regarding the handling related to proxy input
Revised "7.1 Ensuring Authenticity". Also in the future
Regarding ensuring compatibility in Japan, "7.3 Ensuring Preservation"
Revised.
Chapter 10 made the necessary revisions in line with these revisions.
From the viewpoint of comprehensibility, the general expression has been corrected.

Page 8

【table of contents】
1.First of all ................................................ ................... 3
2 How to read this guideline ..................................................... ............... 13
3 Target systems and target information of this guideline ..................... 15
3.1 Documents covered by Chapters 7 and 9 ................................... 15
3.2 Documents subject to Chapter 8 .................................................. . 18
3.3 Digitization and external storage of pre-dispensed prescriptions and dispensing records on paper .................. 19
3.4 Documents that require careful handling ..................................................... ... 19
4 Responsibility when handling electronic medical information .................................................. . twenty one
4.1 Information protection responsibility of managers of medical institutions, etc .......................... 22
4.2 Demarcation of responsibilities in entrustment and provision to third parties .................................. 23
4.2.1 Demarcation of responsibility in entrustment ..................................................... .... twenty four
4.2.2 Demarcation of responsibility in provision to a third party .................................................. . 26
4.3 Arrangement of the way of thinking of the demarcation point of responsibility by example ..................... 26
4.4 Demarcation point of responsibility in technical measures and operational measures ........................... 31
5 Information interoperability and standardization ..................................... . 32
5.1 Use of basic datasets, standard glossaries, code sets ................... 33
5.1.1 Ministry of Health, Labor and Welfare Standards ..................................................... ...... 33
5.1.2 Basic data set ...................................................... ....... 34
5.1.3 Glossary / Code Set ..................................... ..... 35
5.2 Compliance with international standards for data exchange ........................ 35
5.3 Other matters related to the application of standards .................................. 36
6 Basic safety management of information systems ..................................... ... 38
6.1 Establishment and publication of policy ...................................................... ........... 38
6.2 Practice of Information Security Management System (ISMS) in medical institutions, etc .. 38
6.2.1

ISMS construction procedure ........................................................ .... 40

6.2.2 Understanding handling information ..................................................... ........ 42
6.2.3 Risk analysis .................................................. ............ 42
6.3 Organizational safety management measures (system, operation management rules) ..................... 45
6.4 Physical safety measures .................................................. ............ 47
6.5 Technical safety measures ...................................................... ............ 48
6.6 Human safety measures .................................................. .............. 59
6.7 Discarding information ........................................................ ............... 61
6.8 Modification and maintenance of information system ........................................................ .... 62

Page 9

6.9 About taking out information and information equipment ..................................... 64
6.10 Emergency response such as disasters and cyber attacks .................................. 68
6.11 Safety management when exchanging medical information including personal information with the outside .................. 72
6.12 Regarding the electronic signature of the name and seal stipulated by law ... 91
7 Requirements for electronic storage ..................................................... ..... 94
7.1 Ensuring Authenticity ...................................................... ....... 94
7.2 Ensuring readability ...................................................... ....... 103
7.3 Ensuring storage stability ...................................................... ...... 106
8 Criteria for storing medical records and medical records externally ........................ 111
8.1 When external storage by electronic media is performed via a network .................. 111
8.1.1 Compliance with 3 standards for electronic storage .................................................. .... 111
8.1.2 Criteria for selecting institutions that outsource external storage and criteria for handling information ...... 113
8.1.3 Protection of personal information ..................................................... ......... 121
8.1.4 Clarification of responsibilities ..................................................... ...........one two Three
8.1.5 Precautions ....................................................... .............one two Three
8.2 When external storage using electronic media is performed using portable media ...................... 123
8.3 When saving externally on paper media .................................. 123
8.4 Precautions for external storage in general .................................................. 124
8.4.1 Operation Management Regulations ...................................................... .......... 124
8.4.2 Processing at the end of the external storage contract .................................. 124
8.4.3 External storage of medical records, etc. that are not obliged to be stored ..................... 125
9 When storing medical records, etc. electronically with a scanner, etc .................. 126
9.1 Common requirements ........................................................ .............. 126
9.2 When digitizing and saving with a scanner etc. at each medical examination etc ........................ 129
9.3 When digitizing and storing paper media, etc. accumulated in the past with a scanner, etc .............. 130
9.4 When storing pre-prepared paper prescriptions electronically with a scanner, etc ........ 131
9.5 (Supplement) For convenience of operation, digitization is performed with a scanner, etc., but media such as paper remains the same.
When saving ..................................... ............. 131
10 Operation management ........................................................ .......... 133
Supplementary Provision 1 When external storage using electronic media is performed using portable media ..................... 142
Supplementary Provision 2 When saving externally on paper media ..................... 150
Appendix 1 Example of operation management items in general management
Appendix 2 Examples of operation management items for electronic storage
Appendix 3 Example of operation management in external storage
appendix (Reference) Contents to be agreed upon when linking medical information with an external institution

Page 10

1.First of all
Notification of April 1999 "About storage of medical records in electronic media" (April 22, 1999)
Tsukekensei No. 517, Pharmaceutical No. 587, Hosho No. 82, Director of Health Policy Bureau, Ministry of Health and Welfare, Director of Pharmaceutical Safety Bureau,
Notification of joint name of the director of the insurance bureau), notification of March 2002 "Places where medical records, etc. are stored" (2002
Issued by Medical Affairs No. 0329003 and Issued by Insurance No. 0329001 dated March 29, 2014
Name notification, revised on March 31, 2005, issued by Medical Affairs No. 0331010, issued by Hosho No. 0331006)
Requirements for electronic storage of medical records, etc. and storage locations have been clarified. After that, the progress of information technology
The steps are remarkable, and socially, the demand for computerization such as e-Japan strategies and plans is increasing.
It's getting better. "Information communication in the preservation of documents performed by private businesses, etc." established in November 2004
According to the "Act on the Use of Shin Technology" (Act No. 149 of 2004; hereinafter referred to as the "e-Document Act")
As a general rule, documents that are required to be prepared or preserved by law should be handled electronically.
It has become possible. Regarding medical information, "Private business based on the provisions of laws and regulations under the jurisdiction of the Ministry of Health, Labor and Welfare"
"Ministerial Ordinance on the Use of Information and Communication Technology for Preservation of Documents, etc." (March 25, 2005)
Ministry of Health, Labor and Welfare Ordinance No. 44. Hereinafter referred to as "e-Ministerial Ordinance of Document Law". ) Was issued.
"Medical Information Network Infrastructure Study Group" established in the Medical Affairs Bureau of the Ministry of Health, Labor and Welfare from June 2003
In the section, solving and promoting the technical aspects and operational management issues regarding the digitization of medical information.
The final report was compiled in September 2004 after examining the institutional infrastructure for the project.
In order to respond to the above situation, the previous "diagnosis that the obligation to preserve is stipulated by law"
Guidelines for electronic storage of medical records and medical records ”(April 22, 1999)
Ke Kensei No. 517, Pharmaceutical No. 587, Hosho No. 82 Director of Health Policy Bureau, Ministry of Health and Welfare, Director of Pharmaceutical Safety Bureau, Ho
Attached to the joint name notification of the director of the bureau. ), "Guidelines for external storage of medical records, etc." (May 31, 2002)
Revised the dated medical administration No. 0531005 (Notice of Director of Medical Affairs Bureau, Ministry of Health, Labor and Welfare), and further to protect personal information
Guidelines for operation management of contributing information systems and guidelines for appropriate response to the e-Document Law
Was decided to be created in an integrated manner. In December 2004, "Individuals in medical / nursing-related businesses"
"Guidelines for the proper handling of personal information" was published, and in April 2005, "Personal information"
Full-scale implementation of "Protection Law" (Law No. 57 of 2003, hereinafter referred to as "Personal Information Protection Law")
Guidance for the treatment was given. Based on these circumstances, the first edition of this guideline was published in March 2005.
Published on the moon.
In addition, the revised Personal Information Protection Law will be fully enforced in May 2017, and along with this,
Personal Information Protection Commission "Guidelines for Law Concerning Protection of Personal Information (General Rules)"
(2016 Personal Information Protection Commission Notification No. 6; hereinafter referred to as "General Guidelines")
It was. Tools related to the handling of personal information in the medical / nursing field based on these general guidelines
Physical points to keep in mind and examples are "For the proper handling of personal information by medical / nursing-related businesses.
Guidance ”(Personal Information Protection Commission, Ministry of Health, Labor and Welfare; April 14, 2017).
In this guidance, the handling when introducing a medical information system and performing external storage associated with it
Is based on this guideline. (Chapter 6 and 8 of this guideline, Supplementary Provision 1,

3

Page 11

And Supplementary Provision 2)
This guideline applies to hospitals, general clinics, dental clinics, midwives, pharmacies, and home-visit nursing stations.
, Nursing care providers, medical information linkage network operators, etc. (hereinafter referred to as "medical institutions, etc.")
For those responsible for handling electronic medical information in Japan, in consideration of ease of understanding
He also specifically mentioned the technologies that can be selected at present. Therefore, this guideline is a technical description.
The content will be reviewed regularly to avoid obsolescence. When using this guideline
Please note that is the latest version.
This guideline is for safety management of medical information systems and appropriate response to the e-Document Law.
It shows the necessary measures from the viewpoint of technical and operational management. However, the suitability of medical information
From the point of view of careful handling, it is sufficient to take only measures related to information systems.
It is hard to say that it has been taken. Therefore, when using this guideline, the information system
Even if it is the person in charge, "Guy for proper handling of personal information in medical / long-term care related businesses"
Understand "dance" and handle medical information properly even in areas not related to information systems.
It is necessary to confirm that the measures have been taken.

Four

Page 12

Outline of revision
[2nd edition]
In January 2006, after the first edition of this guideline was released (March 2005), the Advanced Information and Communication Technology Battle
The "IT New Reform Strategy" was announced by the Abbreviation Headquarters (IT Strategy Headquarters). In the new IT reform strategy, "e-Japan
Utilization of medical information is more important than "strategy". Advantages of cooperation with various medical information
Various proposals have been made regarding the method of cooperation and its elemental technologies.

One of them is "establishment of a secure network infrastructure".
On the other hand, the "Important Infrastructure" decided by the Information Security Policy Council in September 2005
In "Basic Concept on Information Security Measures", medical care is due to a serious obstacle to the IT infrastructure.
"Important infrastructure" that will have a serious impact on people's lives if it causes a decline or suspension of services
Systematized and clarified the response to IT-based disasters in medical care, cyber attacks, etc.
I was asked to do it.
Based on these situations, the Medical Information Network Infrastructure Study Group stated that "(1) For medical institutions, etc."
Definition of security requirements for networks suitable for use ”,“ (2) Natural disasters / cyber
We examined "Countermeasures against IT failures caused by attacks, etc." and revised this guideline.
In "(1) Definition of security requirements for networks suitable for use in medical institutions, etc."
Is the expected use, threats existing on the network, countermeasures against the threats, and dissemination measures.
Requirements for networks suitable for connecting medical institutions from various perspectives, such as issues
Is defined and taken as "6.10 Safety management when exchanging medical information including personal information with the outside"
It is summarized. Furthermore, as related parts, "8 Medical records and medical records are stored externally."
See Chapter 6.10 for network-related requirements in Criteria for Medical Institutions
Partial revision of "10 Operation Management", which is a guideline for the operation of the network in
It is being carried out.
In addition, in "(2) Countermeasures against IT failures caused by natural disasters and cyber attacks," medical dependence on IT
As a guideline for disaster and cyber attack countermeasures in medical care while appropriately evaluating the degree etc.
"6.9 Emergency response such as disaster" was newly established and summarized, and information security is practically lucked.
As a way of thinking to use it, "6.2 Information Security Management in Medical Institutions"
Incorporating the concept of "Practice of ISMS", "10 Operation management" is also partially added.
Was done.
In addition, the ministerial ordinances and notifications issued or amended after the publication of this guideline are also institutionalized.
The replacement is being implemented as a requirement of. There is no change in the basic requirements, but it is necessary for the system
Please note that the required laws and regulations have changed.

Five

Page 13

[3rd edition]
With the release of the second edition of this guideline, a finger for ensuring security in network infrastructure
Although the mark was shown, after that, discussions on various measures to handle personal information related to medical care, etc.
Is in progress. Under these circumstances, as in the past, only healthcare professionals are limited.
It is assumed that the information may not always be touched. For example, medical information through a network
Information processing-related businesses that temporarily accumulate information when exchanging information are assumed. this
Clear information handling rules are required when such businesses are involved.
In addition, due to the diversification of business systems, not only within facilities such as medical institutions, but also through networks
It is becoming more realistic to work outside of medical institutions.
Based on these situations, the Medical Information Network Infrastructure Study Group said, "(1) For handling medical information.
Matters related to "(2) Matters related to digitization of prescriptions", "(3) When using wireless / mobile
Examining "Matters related to technical requirements of", and reviewing the examination results of (1) and (3) in Guideline No. 3
It was included as a version.
In "(1) Matters concerning the handling of medical information", confidentiality obligations have been imposed in accordance with license qualifications, etc.
The medical / health information handled by the medical staff who had been used is not always due to the progress of information technology.
In response to the fact that there are situations that are not always handled by those qualification holders,
A study was conducted to formulate the rules.
Of course, medical / health information is analyzed by a person other than the person himself / herself or a doctor who is allowed to handle it.
It is not permissible to give it, but as long as various parties are involved in computerization, each relation
It is necessary to clarify the responsibility of the person in charge and the demarcation point of responsibility that is the turning point of the responsibility.
In this study, the results of the study on how to take responsibility are described in "4 Handling electronic medical information."
It is summarized in "Responsibility at the time". In addition, based on this idea, "8.1.2 External storage"
The criteria for selecting institutions and the criteria for handling information have been revised.
On the other hand, "(3) Use wireless / mobile" so that we can respond to the diversification of business systems these days.
We are also studying "Matters related to technical requirements for such cases".
While wireless LAN can be used by connecting to a network using radio waves without being restricted by location,
Depending on how it is used, there are threats such as eavesdropping, unauthorized access, and communication failure due to radio wave interference.
In addition, the mobile network can connect to the information system of the own facility from outside the facility, and outside the facility.
Convenience is enhanced, such as being able to carry out business. However, the internet available for mobile access
Since there are various types of devices, we analyzed the threats for each type of connection.
A response guideline based on these considerations was added to the relevant parts of Chapter 6, especially for networks.
For the ideal way, take "6.11 Safety management when exchanging medical information including personal information with the outside"
I summarized it.
Furthermore, if information is stored in a mobile terminal or portable medium and taken out, it may be stolen or lost.
Since new risks are also expected, "6.9 About taking out information and information equipment" was newly established.
The points to keep in mind are stated.

6

Page 14

[4th Edition]
In the third edition of this guideline, for various occupations and businesses that handle medical information.
Clear rules for handling information were stipulated, and the demarcation point of responsibility was clarified in particular. Due to this
Further progress in reporting can be expected, but on the other hand, for medical institutions and medical professionals, medical information
Safety management requires specialized knowledge about information technology, and also requires a large amount of capital investment.
Given the strict medical care provision system these days, there are limited human and economic doctors.
Medical resources are spent to provide high-quality medical care, which is the original business of medical institutions and medical staff.
Should be, and not too much effort or resources should be spent on informatization, on the other hand
With the progress of medical informatization in recent years, individuals themselves can browse, collect, and present medical information.
Te, pointed out such as that be useful to their own health promotion are expected to be made, medical information network
At the Network Infrastructure Study Group, in order to build a more appropriate information infrastructure in the medical field, "(1) Medical field
Matters concerning the way of electronic information management in Japan "," (2) Individuals manage their own medical information
"Matters related to measures for reasoning and utilization" were examined.
Of these, (1) "It is required from various places to align the guidelines regarding medical information.
The physical location of medical information and how to handle medical information in line with technological progress
In addition, we will systematically examine safety management and operational measures based on medical information, and read them.
Guide the results of the examination on the matter of "Revising the medical information guidelines in consideration of the urgency"
Incorporated in the 4th edition of the line. The outline is as follows.
As part of the systematic review, "(1) Enforcement communication" that was not clear in the previous description in Chapter 3
Although it is not included in the knowledge, it is within the scope of the e-Document Law and contains the personal information of the patient.
Documents, etc. (drug books, etc.) ”,“ ② Documents, etc. that have passed the legal retention period ”,“ ③ Medical records, etc.
Records and images of physiological tests such as ultrasonic images that were referred to for description in "④ Calculation of medical fees
Various documents required on a regular basis (records of drug administration history at pharmacies, etc.) ”, etc.
"3.3 Documents that require careful handling, etc." have been newly established to handle documents in accordance with the above.
In addition, in view of the importance of interoperability and standardization of medical information, systematic review and latest technology
In response to such issues, the existing Chapter 5 was completely reviewed, "5 Information Interoperability and Standardization"
Has been completely revised.
In Chapter 6, it is publicly announced by quoting JIS Q 15001: 2006 in "6.1 Establishment and Publication of Policy".
Clarify the items of the basic policy that should be done, and specify the safety management policy by quoting JIS Q 27001: 2006.
After explaining, "C Minimum Guidelines" was newly established. Similarly, "6.2 in medical institutions
In "Practice of Information Security Management System (ISMS)", "C Minimum Guy"
"Drain" and "D Recommended Guidelines" are newly established. "6.11 External and personal information
In "Safety management when exchanging medical information including medical information", items B and D are not provided by the contractor.
Added items related to access from the department.
Chapter 7 adds a preamble to electronic storage, states requirements and principles of countermeasures, and in Section A of Chapter 7 as a whole.
Clarified the relationship between the Ordinance of the Ministry of Health, Labor and Welfare and the notification. In "7.1 Ensuring Authenticity", the description in Section B

7

Page 15

Was greatly simplified, item C was reviewed, and item D was deleted altogether. "7.2 Ensuring readability
However, the description in item B was simplified, the description by the storage location classification in item C was canceled, and after organizing, it was changed to item D.
We are adding cases that are expected to be urgently needed. "7.3 Ensuring storage stability"
Similarly, major revisions have been made in Sections C and D. Thus, for Chapter 7, Section C, D
Please note that many revisions and corrections have been made in the section.
In addition, various places are required to align the guidelines regarding medical information.
Crisis management when a private business operator implements external storage of medical information
There is no change in the requirement for the above purpose, but for the information trustee business operator, Chapter 8 “Medical Records and
It is issued by the Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications in "Standards for external storage of medical records".
The way of operation and information management is clarified on condition that it complies with the guidelines.
In addition, revisions and readings that are in line with technological progress as a whole, such as changing the scanner requirements in Chapter 9.
The description is made in consideration of the ease of use, and is the 4th edition.

[Version 4.1]
After the release of the 4th edition of this guideline, in July 2009, the Ministry of Internal Affairs and Communications announced that "ASP / SaaS providers are medical.
"Guidelines for safety management when handling information" have been formulated. In addition, July 2008
"Guidelines for information processing companies that manage medical information on a contract basis" announced by the Ministry of Economy, Trade and Industry
How to deal with external preservation by improving the Ministry of Economy, Trade and Industry Notification No. 167) on July 24, 2008
It was pointed out that the criteria for external storage destinations were clarified at the Medical Information Network Infrastructure Study Group.
Was examined.
As a result of the examination, on the premise of observing the requirements of each guideline, "Contract with a private business operator, etc.
Regarding the place where medical records etc. are stored, it should be revised to "a safe place secured based on"
Proposals to be made ".
In response to this, the external storage notice was revised, and Chapters 4 and 8 related to this guideline are also revised.
Revised mainly in chapters and part of chapter 10.
In Chapter 4, "(4) Online external storage" is added to "4.3 Arrangement of the concept of the demarcation point of responsibility by example".
"When outsourcing" is added, and materials for medical institutions to fulfill their accountability as the subject of responsibility.
It is necessary to make efforts to understand as a medical institution, etc. by stipulating the provision of explanations and explanations in a consignment contract.
Note that the governor is mandatory and that the status of safety management needs to be reported on a regular basis.
It was posted.
In Chapter 8, "8.1.2 Criteria for selecting institutions that outsource external storage and criteria for handling information"
"③ When storing information in a private data center that is entrusted by a medical institution, etc."
"③ When the medical institution, etc. stores it in a safe place secured based on a contract with a private business operator, etc."
The content was revised according to the notification.
Chapter 10 made the necessary revisions in line with these revisions.
Since this revision is minor, it is not the 5th edition but the 4.1th edition.

8

Page 16

[4.2th Edition]
After the publication of the 4.1th edition of this guideline, in March 2013, "About the place to save medical records, etc."
(March 29, 2002, No. 0329003 issued by Medical Affairs, No. 0329001 issued by Hosho, Ministry of Health, Labor and Welfare, Medical Affairs Bureau
Partial amendment of (Notice of Joint Name of Director / Insurance Bureau Director) has been made, and external storage of dispensed prescriptions and dispensing records, etc.
Based on this, the relevant Chapters 3 and 8 are also included in this guideline.
Part of Chapter 9 was revised.
In addition, in view of the spread of mobile terminals, we will clarify the handling of devices and disasters, etc.
Part of Chapter 6 to add to the idea of ​assuming a large-scale disaster
Was revised, and the interoperability and standardization of medical information was changed to correspond to the latest technology.
Therefore, a part of Chapter 5 was revised.
In Chapter 3, the dispensing record (when it is not necessary to fill in the dispensing record based on Article 28, Paragraph 2 of the Pharmacists Act)
Includes pre-dispensed prescriptions. ) Is stored externally, as in the past, the pharmacy operator
It is necessary to do it responsibly, clearly separate it from the dispensing records of other pharmacies, and manage it individually for each pharmacy.
Described that it is necessary.
In addition, the item "3.3 Digitization of prescriptions and dispensing records / external storage" was added.
Currently, electronic issuance of prescriptions is not permitted, so prescriptions have been digitized.
As for, inevitably, the paper prescription is stamped or signed and dispensed, 9
Clarified that the method is to digitize and save using the scanner shown in the chapter.
Furthermore, since the target of electronic storage is only "prepared prescriptions", paper prescriptions are required.
Even after receiving it at the pharmacy, do not use the digitized version as the original until it has been dispensed.
Clarified not to.
If corrections occur after dispensing, the already digitized prescriptions will be treated.
It is possible to electronically modify and attach the pharmacist's electronic signature while the past electronic signature can be verified.
Clarified what is needed.
In Chapter 5, the items of "5.1.1 Ministry of Health, Labor and Welfare Standards" were added to support the latest technologies.
In addition to adding the standards of the Ministry of Health, Labor and Welfare, the necessary revisions were made.
In Chapter 6, "6.9 About taking out information and information equipment", smartphones and devices
A description that clarifies the requirements when handling devices in view of the spread of mobile terminals such as Brett
And to assume a large-scale disaster in the item "6.10 Emergency response such as disaster"
Described the concept of creating a business continuity plan (BCP).
In Chapter 8, prescriptions are currently not allowed to be issued electronically, so prescriptions have been dispensed.
In addition to the case of externally saving the paper as it is, it is digitized and saved by the scanner shown in Chapter 9.
In that case, it is described that external storage by electronic media is possible.
In Chapter 9, "9.4 When pre-prepared prescriptions are digitized and stored with a scanner, etc."
Added a section and added the required description in line with the revision of Chapter 3.

9

Page 17

Since this revision is minor, it is not the 5th edition but the 4.2th edition.

[4.3th Edition]
March 2016 "Protection of documents by private businesses, etc. based on the provisions of laws and regulations under the jurisdiction of the Ministry of Health, Labor and Welfare
Part of the "Ministerial Ordinance on the Use of Information and Communication Technology in Existence" (2005 Ministry of Health, Labor and Welfare Ordinance No. 44)
The department has been amended to enable the storage, creation and delivery of prescriptions by electromagnetic recording, as well as electricity.
Promote the operation of child prescriptions and efforts for regional medical cooperation, and the people will realize the benefits as soon as possible.
We have formulated "Electronic Prescription Operation Guidelines" so that you can enjoy it.
Based on this, the operation of handling the prescription by electromagnetic recording is "Electronic prescription operation guy"
Refer to "Drain", and there is a description related to prescription in this guideline, Chapters 3 and 8.
Part of Chapter 9 and Chapter 9 have been revised.
In Chapter 3, it was stated that electronic issuance of prescriptions was not permitted so far, but the Ministerial Ordinance
The relevant part was deleted in accordance with the revision of. Along with this, the handling of pre-dispensed prescriptions has been decided.
Clarified Chapter 3.3 as the treatment of "paper" pre-dispensed prescriptions. In addition, it has been electronically dispensed.
External storage of prescriptions is handled in Chapter 8, and when scanning and storing paper media, it is handled in Chapter 9.4.
Therefore, some descriptions have been revised and added to that effect.
This revision makes it possible to store, create, and issue prescriptions by electromagnetic records.
Since this is a limited revision due to the above, it is not the 5th edition but the 4.3th edition.

[Fifth Edition]
Since the publication of the 4th edition of this guideline, the medical field and the environment surrounding medical information systems
Has changed significantly. Cyber ​attacks aimed at stealing information and money about individuals and organizations
Attacks have become more diverse and sophisticated, and there are cases where medical institutions are targeted. Also,
With the promotion of regional medical cooperation and medical care cooperation, there have been few opportunities to come into contact with medical information.
Former organizations and groups are now handling electronic medical information on a daily basis. "IoT (Internet of Things)
The spread of new technologies and services called "Internet)" is remarkable, and future technological progress is progressing.
Although expected, the medical sector faces new security risks.
In light of these trends, the relevant chapters 1 and 6 have been revised in this guideline as well.
In addition to the standardization, we have responded to the standards added since the publication of the 4.2th edition.
In addition, the revised Personal Information Protection Law and related laws and regulations will be fully enforced in May 2017.
Based on this, the above-mentioned laws and regulations, such as amending the reference description in this guideline, and "medical / nursing care-related"
We responded to "Guidance for the proper handling of personal information by businesses".
In Chapter 1, the subjects of this guideline are hospitals, general clinics, dental clinics, maternity homes, pharmacies, and visits.
Q. Electronic at nursing stations, long-term care providers, medical information linkage network operators, etc.
Clarified that the person in charge of handling medical information is included. In addition, the revised personal information protection
The protection law and related laws and regulations, as well as "Appropriate handling of personal information by medical / nursing-related businesses"

Ten

Page 18

We will revise it based on "Guidance for".
In Chapter 3, based on the revision of Chapter 1, the documents handled by long-term care providers are within the scope of the e-Document Law.
If the content of the document contains medical information, add that it is subject to Chapters 7 and 9 and add that.
The documents that can be applied are listed.
In Chapter 4, refer to related materials for matters newly stipulated in the revised Personal Information Protection Law.
In addition, in "4.2.2 Demarcation of Responsibilities in Provision to Third Parties", the revised Personal Information Protection Law newly stipulates.
Refer to the relevant materials for the obligations made.
In Chapter 5, the newly added standards of the Ministry of Health, Labor and Welfare and JAHIS standards are added. "5.3 mark
In "Other matters related to the application of quasi-standards", "Information on regional medical cooperation" of the Japan IHE Association
A description was provided for "Collaboration Platform Technical Specifications".
In Chapter 6, following the update of the standard, "6.1 Establishment and publication of policy" and "6.2 Medical institutions, etc."
The necessary revisions were made in "Practice of Information Security Management System (ISMS)".
At the same time, in Chapter 6.2, as a reference for risk analysis, etc.
Added the description about "Book Guide". In addition, in "6.5 Technical Security Measures", the attack method is high.
Due to the degree, sufficient security cannot be ensured by authentication using only a combination of ID and password.
In view of the current situation, it is necessary to consider the implementation status of authentication technology on terminals, etc. as soon as possible.
In addition to requesting implementation of plain authentication and adding password requirements, the above-mentioned IoT
Regarding this, "(6) Use of IoT devices in the medical field" was established from the viewpoint of information security.
It stipulates matters that medical institutions should comply with.
In "6.6 Human Safety Measures" and "6.10 Emergency Responses such as Disasters and Cyber ​Attacks", medical treatment
As a response to the fact that the risk of cyber attacks targeting institutions has become apparent,
Provisions have been made regarding pre- and post-bar attacks and contact information. In addition to this
The chapter title of Chapter 6.10 has also been revised.
Opportunities for employees of medical institutions such as home medical care and home-visit nursing to use mobile terminals for work have increased.
Based on the fact that, in "6.9 About taking out information and information equipment", public radio
Mobile, such as LAN, Bring Your Own Device (BYOD) handling of terminals owned or under personal control, etc.
Clarified the items to be observed when using the terminal.
"6.11 Safety management when exchanging medical information including personal information with the outside" is open
The points to be observed and points to be noted in SSL / TLS connection via network are shown.
In "6.12 About performing the name and seal stipulated by law with an electronic signature", the national qualification
Added the concept and handling of documents that require proof.
In Chapter 7, in "7.1 Ensuring Authenticity", the parties involved in the input of electronic medical records, etc.
In addition to clarifying the roles and responsibilities of
I added the matters to be done. In addition, medical institutions, etc. documented in "7.3 Ensuring Preservation".
Provisions have been made regarding ensuring future compatibility when storing.
Chapter 10 made the necessary revisions in line with these revisions.

11

Page 19

In addition, from the viewpoint of comprehensibility, general expressions have been revised.

12

Page 20

2 How to read this guideline

This guideline has the following structure. Persons in charge of medical institutions, information system administrators, etc.
System introducers should take individual measures after understanding the relevant points.
I expect.
In this guideline, the terms medical information and medical information system are used, but this is medical treatment.
In the sense of information including patient information (personal identification information) and a system that handles that information
I am using it.

[Chapter 1-6]
It contains content that should be referred to by all medical institutions that handle data including personal information.

[Chapter 7]
It includes guidelines for electronically storing medical records, etc. that are obliged to be preserved.

[Chapter 8]
It includes guidelines for storing medical records, etc. that are obliged to be preserved outside medical institutions.

[Chapter 9]
Includes guidelines for storing electronically with a scanner, etc. based on the e-Document Law.

[Chapter 10]
It describes matters related to operation management rules.

Most of these guidelines take measures against requirements such as laws, notifications from the Ministry of Health, Labor and Welfare, and other guidelines.
The purpose is to show, and in such a part, the explanation is generally divided into the following items.
To

A. Institutional requirements
It describes requirements based on laws, notifications, other guidelines, etc.

B. Way of thinking
It describes the requirements and the basic measures.

C. Minimum guidelines
It describes the items that must be implemented in order to meet the requirements of A.

13

Page 21

Regarding the measures in this section, the actual measures may differ depending on the scale of the medical institution, etc.
One of several measures may be selected, but it is appropriate to utilize the operation management table in the attached table.
It must be implemented by adopting specific measures.

D. Recommended guidelines
It is possible to meet the requirements without implementing it, but it is implemented from the viewpoint of accountability.
It describes measures that are easier to understand.
In addition, it is a technology that is not used in the minimum system, and it is one of the ways to use that technology.
It also includes a description of cases where certain attention is required.

The three appendices at the end of the book show technical measures and operational measures to meet safety management requirements.
This is a summary of the relationship between the measures, and was created with the expectation that it will be used in the creation of operational management rules.
Safety management measures are effective only when both technical measures and operational measures are taken.
There are often multiple options for technical measures, and the appropriate luck for the technical measures adopted.
It is necessary to take appropriate measures. The attached table consists of the following items.

1. 1. Operation management items: Items that require some operational measures due to safety management requirements
2. Implementation items: The above management items are subdivided into implementation levels.
3. 3. Target: Estimated scale of medical institutions, etc.
Four. Technical measures: Technically possible measures (list the measures that can be selected for one action item
T)
Five. Operational measures: Above 4. Summary of operational measures required when technical measures are taken
6. Example of operation management rules: Example of sentences when operational measures are described in the rules

Each institution, etc. uses operational measures according to the technical measures adopted for the action items in the operational management rules.
By confirming that the regulations are actually observed and operated, including, the action items are achieved.
Will be. Also, consider each operational measure before selecting technical measures.
Therefore, it is possible to select technical measures within the range that can be operated by one's own institution. Generally luck
Increasing the weight of practical measures will reduce the cost of introducing information systems, but the weight of technical measures
The larger the value, the lighter the operational burden on the user. Therefore, seek an appropriate balance
Is very important, so I hope that you will make use of these appendices.

14

Page 22

3 Target system and target information of this guideline

This guideline is not limited to storage systems, but all information systems that handle medical information.
For people or organizations involved in the installation, operation, use, maintenance and disposal of systems and their systems.
It is said. However, "7 Requirements for electronic storage" and "8 Medical records and medical records are excluded."
"Standards for saving in departments" and "9 When medical records, etc. are digitized and saved by a scanner, etc."
About ", some of the target documents, etc. are limited.

3.1 Documents covered by Chapters 7 and 9
Documents related to medical treatment include documents that are required to be preserved, created, and delivered by laws and regulations.
It can be roughly divided into other documents. Documents covered by Chapters 7 and 9 are preserved, created, and prepared by law.
Medical treatment that is a part of the document for which delivery, etc. is stipulated, and is specifically covered by the e-Document Law.
As related documents, e-Document Law Ministerial Ordinance, "Information and communication in the preservation of documents performed by private businesses, etc."
Enforcement of laws related to the use of technology, etc. ”(March 31, 2016, issued by Medical Administration 0331 No. 31
No. 0331 No. 11 / Hosho 0331 No. 27 / Seisha 0331 No. 2 Director of Medical Affairs Bureau, Ministry of Health, Labor and Welfare,
Notification of joint names of the director of the Pharmaceutical and Life Sanitation Bureau, the director of the insurance bureau, and the policy director (in charge of social security). Below "Notice of Enforcement"
That is. ), The following documents, etc. are targeted.
For the prescriptions indicated by *, it is necessary to meet the requirements of Enforcement Notification No. 2 (4).

1

Medical records of Article 24 of the Medical Practitioners Act (Act No. 201 of 1948)

2

Medical records of Article 23 of the Dental Practitioners Act (Act No. 202 of 1948)

3

Midwifery record of Article 42 of the Public Health Nurse Midwifery Nurse Law (Law No. 203 of 1948)

Four Business report pursuant to the provisions of Article 51-2, Paragraphs 1 and 2 of the Medical Care Act (Act No. 205 of 1948)
Keeping reports and audit reports of auditors
Five Instructions for Article 19 of the Dental Technicians Act (Act No. 168 of 1955)
6

Dispensing record of Article 28 of the Pharmacists Act (Act No. 146 of 1960)

7

Article 17 of the Medical Practitioners Law and Article 17 of the Dental Practitioners Law concerning clinical training conducted by foreign doctors or foreign dentists
Medical records of Article 11 of the Act on Special Exceptions to Articles (Act No. 29 of 1987)

8

Paramedic Law (1991 Law No. 36) Article 46 Emergency Lifesaving Measures Record

9

Books of Article 30-23, Paragraphs 1 and 2 of the Medical Law Enforcement Regulations (Ministry of Health and Welfare Ordinance No. 50, 1948)

10 Medical records of Article 9 of the rules for insurance medical institutions and insurance medical care (Ministry of Health and Welfare Ordinance No. 15 of 1957)
Etc. (Regarding preparation, Article 22 of the same rule)
11 Dispensing record of Article 6 of the rules for medical treatment of insurance pharmacies and pharmacists (Ministry of Health and Welfare Ordinance No. 16 of 1957)
(Regarding preparation, Article 5 of the same rule)
12 Book of Law Enforcement Regulations on Clinical Laboratory Engineers, etc. (Ministry of Health and Welfare Ordinance No. 24, 1958) Article 12-3
Class (Regarding preparation, Article 12, No. 14 and No. 15 of the same rule)

15

Page 23

13 Medical Care Act (Act No. 205 of 1948) Record of Article 21, Paragraph 1 (Medical care prescribed in Item 9 of the same paragraph)
Of the records related to this, it is limited to the prescriptions stipulated in Article 20, Item 10 of the Medical Care Act Enforcement Regulations. ),
Records of Article 22 (Of the records related to medical treatment prescribed in Item 2 of the same Article, Medical Law Enforcement Regulations No. 21
Limited to the prescription prescribed in Article 5 No. 2. ), Record of Article 22-2 of the same law (regulated in item 3 of the same article)
Prescription prescribed in Article 22-3, Item 2 of the Medical Care Act Enforcement Regulations among various records related to medical treatment
Limited to ), And the record of Article 22-3 of the same law (for medical care and clinical research prescribed in item 3 of the same article).
Of the various records related to this, it is limited to the prescription prescribed in Article 22-7, Item 2 of the Medical Care Act Enforcement Regulations. )
*
14 Prescriptions for Articles 26 and 27 of the Pharmacists Act (Act No. 146 of 1960) *
15 Prescription of Article 6 of the Insurance Pharmacy and Insurance Pharmacist Medical Treatment Regulations (Ministry of Health and Welfare Ordinance No. 16 of 1957)
Hmm※
16 Records of Article 21, Paragraph 1 of the Medical Care Act (Act No. 205 of 1948) (Medical Care Act Enforcement Regulations, Article 20, Article 20)
Excludes the prescription specified in No. 10. ), Record of Article 22 of the same law (Article 21-5 of the Medical Care Law Enforcement Regulations)
Excludes the prescription specified in item 2. ), Article 22-2 of the same law (Medical Care Law Enforcement Regulations Article 22)
Excludes the prescription prescribed in Article 3 No. 2. ) And the record of Article 22-3 of the same law (enforcement of the Medical Care Act)
Excludes prescriptions prescribed in Rule 22-7, Item 2. )
17 Prescription of Article 27, Paragraph 6 of the Narcotics and Psychotropics Control Law (Law No. 14 of 1958) *
18 Dental Hygienist Law Enforcement Regulations (Ministry of Health and Welfare Ordinance No. 46, 1989) Article 18 Business Records of Dental Hygienists
19 Prescription of Article 22 of the Medical Practitioners Act (Act No. 201 of 1948) *
20 Prescription of Article 21 of the Dental Practitioners Act (Act No. 202 of 1948) *
21 Insurance Medical Institutions and Health Insurance Regulations (Ministry of Health and Welfare Ordinance No. 15 of 1957) Article 23, Paragraph 1
Prescription *
22 Irradiation record pursuant to the provisions of Article 28, Paragraph 1 of the Radiological Technicians Act (Act No. 226 of 1951)

In addition, the following documents handled by long-term care providers are the scope of e-documents, and the contents of the documents include medical care.

Information may be included. Not limited to the documents listed below, documents handled by long-term care providers are eIf medical information is included in the contents of the document within the scope of the Document Law, the rules of Chapters 7 and 9
It is necessary to comply with the rules.

1

Standards for personnel, equipment and operation of businesses such as designated home services (1999 Ministry of Health and Welfare Ordinance No.
No. 37) Home-visit nursing care plan and home-visit nursing report pursuant to the provisions of Article 73-2, Paragraph 2

2

Standards for personnel, equipment and operation of businesses such as designated home services (1999 Ministry of Health and Welfare Ordinance No.
37) In the provisions of Article 154-2, Paragraph 2 (including the cases where it is applied mutatis mutandis in Article 155-12)
Short-term admission medical care plan by

3

Standards for personnel, equipment and operation of businesses such as designated home services (1999 Ministry of Health and Welfare Ordinance No.
No. 37) Specified facility services pursuant to the provisions of Article 191-2, Paragraph 2 and Article 192-11, Paragraph 2

16

Page 24

plan
Four Standards for personnel, equipment and operation of designated long-term care welfare facilities for the elderly (1999 Ministry of Health and Welfare Ordinance No. 39)
No.) Facility service plan pursuant to the provisions of Article 37, Paragraph 2
Five Standards for personnel, facilities and equipment, and operation of Long-Term Care Health Facility (1999 Ministry of Health and Welfare Ordinance)
No. 40) Facility service plan pursuant to the provisions of Article 38, Paragraph 2
6

Standards for personnel and management of designated home-visit nursing services (Ministry of Health and Welfare Ordinance No. 80, 2000) No. 30
Home-visit nursing instructions, special home-visit nursing instructions, psychiatric home-visit nursing instructions, according to the provisions of Article 2
Psychiatry special home-visit nursing instructions and home-visit patient visit infusion instructions

7

Personnel, equipment and operation of businesses such as designated care prevention services, and designated care prevention services, etc.
Standards for effective support methods for preventive care related to (2006 Ministry of Health, Labor and Welfare Ordinance No.
No. 35) Nursing care preventive home-visit nursing care plan and long-term care preventive home-visit nursing care report pursuant to the provisions of Article 73, Paragraph 2
Declaration

8

Personnel, equipment and operation of businesses such as designated care prevention services, and designated care prevention services, etc.
Standards for effective support methods for preventive care related to (2006 Ministry of Health, Labor and Welfare Ordinance No.
No. 35) Nursing care pursuant to the provisions of Article 194, Paragraph 2 (including the cases where it is applied mutatis mutandis in Article 210)
Preventive short-term admission medical care plan

9

Personnel, equipment and operation of businesses such as designated care prevention services, and designated care prevention services, etc.
Standards for effective support methods for preventive care related to (2006 Ministry of Health, Labor and Welfare Ordinance No.
No. 35) Long-term care preventive specified facility service meter according to the provisions of Article 244, Paragraph 2 and Article 261 Paragraph 2.
Picture

10 Standards for personnel, equipment and operation of designated community-based service business (2006 Ministry of Health, Labor and Welfare)
Ministry of Labor Ordinance No. 34) Regular patrol and occasional home-visit nursing care pursuant to the provisions of Article 3-40, Paragraph 2
Planning and home-visit nursing report
11 Standards for personnel, equipment and operation of designated community-based service business (2006 Ministry of Health, Labor and Welfare)
Ministry of Labor Ordinance No. 34) Sanatorium nursing care plan pursuant to the provisions of Article 40-15, Paragraph 2
12 Standards for personnel, equipment and operation of designated community-based service business (2006 Ministry of Health, Labor and Welfare)
Ministry of Labor Ordinance No. 34) Community-based specific facility service plan pursuant to the provisions of Article 128, Paragraph 2
13 Standards for personnel, equipment and operation of designated community-based service business (2006 Ministry of Health, Labor and Welfare)
Ministry of Labor Ordinance No. 34) Article 156, Paragraph 2 (including the case where it is applied mutatis mutandis in Article 169)
Community-based facility service plan
14 Standards for personnel, equipment and operation of designated community-based service business (2006 Ministry of Health, Labor and Welfare)
Ministry of Labor Ordinance No. 34) Home service plan, nursing small-scale multifunctional type pursuant to the provisions of Article 181, Paragraph 2
Home Care Plan and Nursing Small-scale multifunctional home care report

Of the documents that are required to be created or preserved by law, etc., they are covered by the e-Document Law.
For medical documents that have not been digitized, even if they are digitized, the digitized documents, etc.

17

Page 25

Since it cannot be treated as a document that is required to be created or stored by law, it is created and maintained separately.
Existence is obligatory.

3.2 Documents subject to Chapter 8
Chapter 8 is "Partial Amendment of" Places for Preserving Medical Records, etc. "" (March 2013)
25th Medical Administration 0325 No. 15 / Yaksik 0325 No. 9 / Insurance 0325 No. 5 Ministry of Health, Labor and Welfare Medical Affairs Bureau
Notification of joint names of the director, the director of the Pharmaceutical and Food Safety Bureau, and the director of the insurance bureau. Hereinafter referred to as "external preservation revision notice". )
The following documents are targeted.

1

Medical records stipulated in Article 24 of the Medical Practitioners Act (Act No. 201 of 1948)

2

Medical records stipulated in Article 23 of the Dental Practitioners Act (Act No. 202 of 1948)

3

Midwifery record stipulated in Article 42 of the Public Health Nurse, Midwifery and Nurse Law (Law No. 203 of 1948)

Four Property list stipulated in Article 46, Paragraph 2 of the Medical Care Act (Act No. 205 of 1948), No.
Business reports, etc. stipulated in Article 51-2, Paragraph 1, audit reports of auditors, articles of incorporation, or donations
Acts, documents stipulated in Paragraph 2 of the same Article, audit reports of certified accountants, etc., and Article 2 of the same Act
Article 584, Article 684, Article 684 of the Companies Act (Act No. 86 of 2005), which is read and applied mutatis mutandis in Article 54-7.
The social medical corporation bond ledger stipulated in the paragraph and the discussion stipulated in Article 731, paragraph 2 of the same law.
Minutes
Five It is stipulated in Article 21, Article 22 and Article 22-2 of the Medical Care Act (Act No. 205 of 1948).
Records related to medical treatment and hospital management stipulated in Articles 22 and 22-2 of the same law
And various records related to operation
6

Irradiation record stipulated in Article 28 of the Radiological Technicians Act (Act No. 226 of 1951)

7

Instructions stipulated in Article 19 of the Dental Technicians Act (Act No. 168 of 1955)

8

Pre-dispensed prescriptions stipulated in Article 27 of the Pharmacists Act (Act No. 146 of 1960)

9

Dispensing record stipulated in Article 28 of the Pharmacists Act

10 Law Concerning Special Exceptions, etc., such as Article 17 of the Medical Practitioners Law concerning clinical training conducted by foreign doctors (1987)
Law No. 29) Medical records stipulated in Article 11
11 Paramedic stipulated in Article 46 of the Paramedic Law (Law No. 36 of 1991)
12 Medical Law Enforcement Regulations (Ministry of Health and Welfare Ordinance No. 50, 1948) Article 30-23, Paragraphs 1 and 2
Books that have been
13 stipulated in Article 9 of the Regulations for Insurance Medical Institutions and Insurance Medical Care (Ministry of Health and Welfare Ordinance No. 15 of 1957)
Medical records, etc.
14 stipulated in Article 6 of the Insurance Pharmacy and Insurance Pharmacist Medical Treatment Regulations (Ministry of Health and Welfare Ordinance No. 16 of 1957)
Pre-dispensed prescriptions and dispensing records
15 Regulations for Enforcement of Law Concerning Clinical Laboratory Engineers, etc. (Ministry of Health and Welfare Ordinance No. 24, 1958) Article 12-3
Fixed documents

18

Page 26

16 Dental Hygienist Law Enforcement Regulations (Ministry of Health and Welfare Ordinance No. 46, 1989) Article 18
Business record of a student
17 Regarding the handling and charge of medical treatment benefits pursuant to the provisions of the Act on Assurance of Medical Care for the Elderly
Medical records, etc. stipulated in Article 9 of the Standard (Ministry of Health and Welfare Notification No. 14 of 1983)
18 Regarding the handling and responsibility of medical treatment benefits pursuant to the provisions of the Act on Assurance of Medical Care for the Elderly
Pre-dispensed prescriptions and dispensing records as stipulated in Article 28 of the Standard

In addition, the dispensing record (preparation when it is not necessary to fill in the dispensing record based on Article 28, Paragraph 2 of the Pharmacists Act)
Includes prescriptions. ) Is the responsibility of the pharmacy operator, and external preservation is required.
It is the responsibility of the pharmacy operator to do this as before. Also, dispensing
The record is to be prepared for the pharmacy, and if the dispensing record of the pharmacy is stored externally, other information may be provided.
It is necessary to clearly separate it from the pharmacy's dispensing record and manage it individually for each pharmacy.

3.3 About digitization and external storage of pre-dispensed prescriptions and dispensing records on paper
Paper pre-dispensed prescription (based on Article 28, Paragraph 2 of the Pharmacists Act, it is no longer necessary to fill in the dispensing record.
Includes pre-dispensed prescriptions for cases. ) Is digitized, the name is stamped or signed on the paper prescription.
The prepared product will be digitized by the method shown in Chapter 9.
If you receive a paper prescription at a pharmacy, the original will be digitized until it has been dispensed.
Do not do (wrong operation example: digitize when a paper prescription is accepted at a pharmacy, and it
Is dispensed based on the original, and the pharmacist's electronic signature is used to make the dispensing completed.)
In addition, even if the prescription has passed without any particular problem until the end of dispensing, the content will be changed after that.
It cannot be completely denied that a correction will occur (example: I checked the items but forgot to correct it)
Etc.). Therefore, even if it is a pre-dispensed prescription of paper that has been digitized once, the correction will occur.
there's a possibility that.
In this case, verification of past electronic signatures is performed on pre-dispensed prescriptions of already digitized paper.
It is necessary to make electronic corrections and digitally sign the pharmacist in a way that maintains the possible state.
It becomes.
If the electronic prescription is an (electronic) pre-dispensed prescription, see Chapter 7 and further.
If you want to save it externally, refer to Chapter 8.

3.4 Documents that require careful handling
In addition to the documents shown in Chapter 3.1, care must be taken regarding the protection of personal information in medical treatment.
Documents that do not exist are as follows: (1) Although not included in the enforcement notice, they are within the scope of the e-Document Law and patients
Documents containing personal information (drug books, etc.), (2) documents that have passed the legal retention period, (3) medical examination
Records and images of physiological tests such as ultrasound images that were referred to for recording in medical records, etc. at each medical treatment
Image, ④ Various documents required for calculation of medical fees (record of drug administration history at pharmacies, etc.)

19

Page 27

is there.
Regarding the documents shown in (1) to (4), after fully understanding the purpose of each law related to personal information protection.
So, referring to various guidelines and safety management in Chapter 6 of this guideline, is it from the viewpoint of securing an information management system?
As long as they are saved without destroying them, including backup information, etc., in Chapters 7 and 9.
It is necessary to handle according to the same.
In addition, "9.5 (capture) For convenience of operation, digitization will be performed with a scanner, etc., but media such as paper will also be used.
Please refer to "When saving as it is" as appropriate.
In addition, due to reasons such as the documents shown in Chapter 3.2 having passed the statutory retention period, enforcement notices and
If you want to carry out (continue) external preservation even if you are not subject to the external preservation amendment notification, Chapter 8
Must be handled in accordance with.

20

Page 28

4 Responsibility when handling electronic medical information

All medical activities are required by the Medical Care Act, etc. to be performed under the responsibility of the manager of the medical institution, etc.
The same applies to the handling of medical information. For this reason, the criminal law through collection, storage and destruction
In addition to the confidentiality obligations stipulated in the above, various laws and guidelines regarding the protection of personal information, the handling of medical information
Appropriate handling to meet the requirements stipulated by laws, notifications, guidelines, etc.
Desired.
The revised Personal Information Protection Law, which came into effect in May 2017, clarifies the definition of personal information.
In addition, it is possible to identify "sensitive personal information" that requires special consideration in handling and specific individuals.
New regulations have been established for "anonymously processed information" that has been processed so that it does not exist. This thing
In response, the Personal Information Protection Commission published guidelines on the Personal Information Protection Law for medical treatment.
In the field of long-term care, "Gathering for the proper handling of personal information by medical / nursing-related businesses
Since "Idance" etc. are stipulated, please comply with the relevant regulations and take appropriate measures.
If you intentionally or grossly negligently commit an act that violates these requirements, you will be guilty of a secret disclosure under the criminal law.
Although it may be punished as a crime, medical information may be leaked due to negligence or used for other purposes.
Can be a big problem as well. It is necessary to manage appropriately so that such a situation does not occur
is there. For that purpose, it is necessary for the manager to fulfill the duty of care of a good manager (duty of care of a good manager).
The specific content required depends on the information to be handled and the situation.
Originally, the value and importance of medical information does not change depending on the medium, but medical institutions, etc.
In the first place, the administrator saves paper and film records in the hospital and electronically.
In some cases, it is considered to have at least the same duty of due care of a prudent manager.
However, digitized information also has the following unique peculiarities.

・ Compared to paper media and films, the movement is difficult for the general public to understand.
Ru
・ There is a high possibility that a large amount of information will be leaked in an instant in the event of a leak.
・ Furthermore, since medical staff are not necessarily specialists in handling information, they are accustomed to their safe protection.
There are many cases that do not

Therefore, each medical institution, etc. will be digitized in consideration of the merits and demerits depending on the circumstances.
Examine the scope of implementation and its method, select the function and operation method of the system to be introduced, and then select it.
It is necessary to decide how to comply with the safety standards required for the above.
In addition, the situation where digitized medical information exists only in facilities such as medical institutions.
Not only that, under the circumstances where exchange, sharing, consignment, etc. using the network are conceivable, the pipe
Medical institutions, etc. are not only responsible for their responsibilities, but also businesses that provide services on the network.
It will also span telecommunications carriers that provide networks.

twenty one

Page 29

In this chapter, regarding the handling of electronic medical information among these parties, "Medical institutions, etc.
"Contents and scope of information protection responsibility of scientists" and "Consignment of information processing to other medical institutions and businesses, etc."
Responsibility for "when outsourcing medical information and when providing it to a third party"
It was organized using the concept of responsibility demarcation.

4.1 Information protection responsibility of managers of medical institutions, etc.
In order for managers of medical institutions, etc. to fulfill the duty of due care of a prudent manager to properly manage medical information,
Responsibility in building and managing a medical information protection system during normal operation, and medical information
Responsibility to deal with any inconvenience (typically information leakage)
There is. For convenience, in this guideline, the former is "responsibility in normal operation" and the latter is "post-responsibility".
I will call it "Ritsu".

(1) Responsibility in normal operation
Responsibility in normal operation here means appropriate information for appropriate protection of medical information.
Although it is management, proper information management is not everything, as shown below 3
Must include one responsibility.

① Accountability
The functions and operation methods of systems that handle medical information electronically are the basis for their handling.
It is the responsibility to explain to the patient that the criteria are met. To achieve this,
Is necessary.
-Clearly document system specifications and operation methods
-Regularly audit whether specifications and operation methods are functioning according to the original policy.
That
-Document audit results in an unambiguous form
・ If there is a problem as a result of the audit, take it seriously.
-Document the response record so that it can be verified by a third party.

② Management responsibility
It is the responsibility to manage the operation of the system that handles medical information, and manage the system.
Leaving it to the contractor does not mean that this has been achieved.
In medical institutions, etc., the following is necessary.
・ At least receive regular reports on management status
・ Supervise such as clarifying the ultimate responsibility for management

Furthermore, under the Personal Information Protection Law, the following matters must be stipulated and it is necessary to deal with contractors.

twenty two

Page 30

There is a need.
・ Appoint a person in charge of personal information protection
・ Determine a person in charge who has a certain level of knowledge about the protection of digitized personal information.

③ Responsibility for regular review and improvement as necessary
Information protection technology is constantly advancing, so there is a risk that the information protection system will become obsolete.
Yes, the following responsibilities must be fulfilled in order to review and improve it as appropriate.
-Regularly audit the status of operation management of the information system.
・ Identify problems and improve if there are any points that need to be improved.

Therefore, managers of medical institutions, etc. always try to improve the medical information protection system.
It is necessary to regularly re-evaluate and reexamine the current operation management in general.

(2) Post-responsibility
In the event of any inconvenience (typically leakage) of medical information
It has the following responsibilities.
In addition, "Guidan for the proper handling of personal information in medical / nursing-related businesses"
In "Su III 4. (5)", it is suitable for preventing secondary damage when problems such as leakage of personal data occur.
Please refer to it because it stipulates single-digit efforts.

① Accountability
In particular, medical institutions have a certain degree of publicity, so they are accountable to individual patients.
Of course, it is also required to explain and publish to the administrative agencies and society that are the supervisory bodies.
To Therefore, the following is necessary.
・ The manager of a medical institution, etc. should announce the occurrence of the situation.
・ Explain the cause and what to do about it

② Responsibility to take good and bad measures
In addition, managers of medical institutions, etc. are also responsible for taking good measures. The responsibility is below
Divided.
・ Responsibility to investigate and clarify the cause
・ If you cause damage, you will be liable for the damage.
・ Responsibility to take measures to prevent recurrence

4.2 Demarcation of responsibilities in entrustment and provision to third parties
When transmitting medical information to an external medical institution or business operator, it should be in that form under the Personal Information Protection Law.

twenty three

Page 31

There are two types of consignment (consignment to a third party) and provision to a third party, so medical devices in each form
The information protection responsibilities of the managers of Seki, etc. are organized and shown in accordance with the preceding paragraph.

4.2.1 Demarcation of responsibility in entrustment
In the case of entrustment, the main body of management responsibility is the manager of a medical institution or the like. Tubes of medical institutions, etc.
Regarding the relationship with patients, the scholar, with the help of the contracted business operator, stated in the preceding paragraph, "Theory.
Obligation to fulfill "clear responsibility", "management responsibility", "responsibility to review regularly and make improvements as needed"
U.
In the unlikely event that something goes wrong, in cooperation with the contractor
It is necessary to fulfill "accountability" and "responsibility to take good and bad measures", and the consignee's righteousness in the consignment management contract
The duties should be clearly stated.
However, apart from this, if an inconvenient situation occurs due to the responsibility of the contracted business operator
Therefore, it is a committee on how to share the responsibility for taking good and bad measures between medical institutions and the contracted business operators.
This is a matter that should be specified in the contract.
The principles of contracts with contractors necessary for medical institutions to fulfill their management responsibilities are listed below.

(1) Responsibility in normal operation
① Accountability
What kind of medical information protection mechanism is built and how it works for patients, etc.
Needless to say, the accountability of the medical institution lies with the manager of the medical institution.
However, in order for managers of medical institutions, etc. to fulfill their accountability, it depends on the contracted business operator.
Information provision may be indispensable, and the contracted business operator is accountable to the manager of the medical institution, etc.
It can be said that it is in charge.
Therefore, the obligation to provide appropriate information and explanation to the contracted business operator is included in the consignment contract items.
Therefore, it is necessary to ensure its performance.

② Management responsibility
The entity responsible for management lies with the manager of the medical institution. But in reality information processing
It is thought that it is often the contractor's business that performs the safe maintenance work, etc.
Is done. As a administrator of medical institutions, etc., understand the actual state of management of contractors and supervise them.
It is necessary to create a mechanism to properly perform the above, and it should be included in the contract terms.

③ Responsibility for regular review and improvement as necessary
Problems are identified and revised by regular audits of the operation management status of the system.
Sharing responsibilities to improve if there are good points, and allocating to technological progress related to information protection
A medical institution that conducts regular re-evaluations and reexaminations in consideration and takes measures based on the results.

twenty four

Page 32

Talks with, etc. should be included in the contract items with the contractor.

(2) Post-responsibility
① Accountability
As mentioned in the previous section, if any inconvenience occurs with medical information, medical treatment
Announce the occurrence of the situation to the manager of the institution, etc., and decide on the cause and what measures to take.
Responsibility to explain is required.
However, in the case of information-related accidents, it is not possible to provide or analyze information from the business operator that is entrusted with the explanation.
It is considered that it is often indispensable. Therefore, anticipate as much as possible in advance and
The sharing of accountability with the contractor should be included in the contract terms.

② Responsibility to take good and bad measures
If any accident occurs regarding medical information, take good measures for managers of medical institutions, etc.
It was mentioned in the previous section that sly liability arises. However, the accident entrusted the processing of medical information
If it is the responsibility of the business operator, to appoint and supervise the business operator to be entrusted based on an appropriate consignment contract
If proper care is taken, the duty of due care of a prudent manager of medical institutions, etc. is legally fulfilled.
It is understood that it is.
However, as mentioned at the beginning of this chapter, medical institutions manage medical information.
It is required to be done at the responsibility of the manager. Therefore, of accidents related to medical information
At least part of the responsibility for investigating the cause, compensating for damage to the victim, and preventing recurrence.
I have to bear. Also, realistically, the contracted business operator manages all medical information.
Since it is not always the case, the entire medical information protection system was triggered by the accident.
The responsibility for taking good and bad measures must be borne by the manager of a medical institution or the like.

As mentioned above, the manager of a medical institution, etc., tells the patient, "Pursuing and clarifying the cause.
"Responsibility for damage", "Responsibility for compensation for damage caused", "Responsibility for taking measures to prevent recurrence"
It is not exempt from the responsibility of taking good and bad measures.
However, the managers of medical institutions, etc. are not exempt from all responsibility for patients, etc.
Even so, the division of responsibilities with the contracted business operator is another issue. in particular,
If the accident occurs at the responsibility of the contracted business operator, the manager of the medical institution, etc. bears all responsibility.
That is not possible in principle.
However, in the event of an accident regarding medical information, a business entrusted with a medical institution, etc.
Prioritize the dispute over the division of responsibilities among the persons, and first investigate and clarify the cause.
And it is important to take measures to prevent recurrence.
For that purpose, these measures are taken in cooperation with the medical institution, etc. and the contracted business operator in the consignment contract.
It is necessary to specify that priority should be given to.

twenty five

Page 33

Depending on the content of the consignment, it is the responsibility of the entrusted business operator to investigate the cause and prevent recurrence.
It is also conceivable to specify the obligation to propose.
Regarding the division of liability for damage compensation, if the cause of the accident lies with the contractor, the final
In principle, the contractor bears the burden. However, this point is the type and complexity of the cause.
Depending on the cause, it may be difficult to investigate the cause, and depending on how the division of liability for damage compensation is determined, it may be the cause.
Consideration that there is a risk of hindering the investigation of the cause, or the possibility of damage diversification by insurance, etc.
There are various factors to consider. Taking these into consideration, liability for damage compensation in the consignment contract
It is necessary to specify the division of.

4.2.2 Demarcation of responsibility in provision to a third party
When medical institutions provide medical information to third parties, the Personal Information Protection Law and related individuals
Guidelines for the Personal Information Protection Law and "Personal information in medical / long-term care businesses"
It is necessary to comply with "guidance for proper handling".
Provision to a third party is for a third party to use medical information for some purpose.
Therefore, as a general rule, only its legitimacy matters for managers of medical institutions. Appropriate third
As long as the information is provided by the person, the responsibility for the subsequent information protection will be separated from the manager of the medical institution etc.
It will occur to the third party who received the offer.
However, as an exception, information is provided knowing that the information is not handled properly by the provider.
In that case, the responsibility of the provider's medical institution, etc. may be pursued.
On the other hand, focusing on the peculiarities of digitized information, even if the information is provided to a third party, medical institutions, etc.
Unless the information is deleted on the side of, there is no difference from the state in which the information is saved. Obey
Needless to say, the appropriate information management responsibility for that information still remains.
When medical information is digitized and sent and received via a network, etc. to provide information, the third
Information is not directly provided to the receiving side from the medical institution, etc.
Related businesses may intervene. In this case, at what point will the third party offer be established?
In other words, the concept of clarifying the demarcation point of responsibility with information processing-related businesses arises.
The sending medical institution is not responsible for the medical information once provided appropriately and legally.
Is as mentioned above, but since the entity provided by the third party is the medical institution on the sending side, etc.
And in relation to the patient, in principle, the sender, at least until the information reaches the receiver.
It can be considered that the medical institution, etc. is responsible. On top of that, the good and bad measures mentioned in the previous section
How to share the responsibility to take the information is decided between the information processing business operator and the sender.
Therefore, it is desirable to discuss and clarify. Fulfilling the appointment and supervision obligation, specifically stated
If it is not due to the negligence of the information processing business operator, the information processing business operator
In principle, we take all responsibility.

4.3 Arrangement of the way of thinking of the demarcation point of responsibility by example

26

Page 34

This section describes the demarcation point of responsibility with some examples. However, this section uses the idea as an example.
Therefore, the safety management of medical information systems and the concept of networks when connecting externally,
Preservation of documents that are obliged to be preserved, selection criteria of institutions that can be entrusted with external preservation, etc.
You need to refer to chapters 6, 7, and 8 respectively.

(1) When "exchanging patient information" through regional medical cooperation
(A) Way of thinking in medical institutions, etc.
(1) Medical information provider medical care through "network provided by information processing related businesses"
Demarcation point of responsibility when exchanging patient information between an institution and the medical institution to which it is provided
The "network provided by information processing-related businesses" here is related to information processing.
This refers to the case where the security on the network route is guaranteed on the responsibility of the joint venture.
The provider medical institution, etc. and the provider medical institution, etc. are the demarcation points of responsibility in the network route.
And agree on a contract, etc., including measures to be taken in the event of a non-delivery or an accident.
On top of that, within the scope of their own responsibility, the division of management responsibility with the information processing related business operator
There are some obstacles to the scope of management responsibility and services that are outsourced by setting a demarcation point of responsibility.
Clarify which business operator will take the initiative in dealing with the situation.
However, in principle, liability and ex-post liability in normal operation are outsourced.
If the information is provided to a third party, the information will be provided appropriately.
As a general rule, it is located at the medical institution to which it is provided. If there is no defect in the information processing business,
It should be noted that only part of the management responsibility arises for information processing operators.
There is.

(2) Demarcation point of responsibility when the provider medical institution, etc. and the provider medical institution, etc. connect independently
The "unique connection" here is a network of information processing-related businesses.
However, the medical institutions that are trying to connect set up the connected devices such as routers by themselves, and one-to-one.
This refers to the case of connecting to each other on a one-to-N basis or the case of using a public network such as a telephone line.
In this case, specify the provision destination or the medical institution that may be the provision destination in advance.
If possible, both organizations must fulfill their responsibilities in accordance with the requirements of consignment or provision to a third party.
Must be.
There is no division of management responsibility for information processing-related businesses, and communication quality is ensured.
Even if it does occur, it is a general responsibility indicated in the terms and conditions presented by the information processing business operator.
There is only responsibility.
Furthermore, the provider medical institution, etc. and the provider medical institution, etc. have one-to-N communication with the provider medical institution, etc.
In principle, medical information cannot be provided if even one of the above cannot be specified. However,
Excludes exceptions such as those required by law.

27

Page 35

(B) Way of thinking about information processing related businesses
① Demarcation point of responsibility when medical information is properly encrypted / decrypted at the source / destination
In the information system of the medical institution (source) that intends to send patient information
Patient information is encrypted before transmission, and the information of the medical institution, etc. (destination) that received the information
Information processing operators are threatened with eavesdropping when patient information is decrypted in the stem
It has nothing to do with the responsibility for protecting personal information, and the responsibility is limited.
In this case, it is the management responsibility that exists in the information processing related business operator, and the network
Scope of management responsibility and network for threats of falsification, intrusion, and obstruction of the above information
Clarify the quality such as availability in the contract.
In addition, about the way of thinking about the network such as encryption and the minimum guideline
Refer to "6.11 Safety management when exchanging medical information including personal information with the outside"
I want to be.

(2) When medical information is properly encrypted at the starting point of the control range of the information processing business operator
Demarcation point of responsibility
Some information processing operators, for example, have encrypted secure network lines.
There are also businesses whose main service is to provide.
When using such a network line, the network line provided by the operator
Quality such as eavesdropping, falsification, intrusion, service availability, etc. of information from the outside above
As for, the business operator is responsible for management. Therefore, the contract for those responsibilities
I will clarify in.
However, management responsibility and network until reaching the network line provided by the operator
Since medical institutions, etc. are responsible for managing the information flowing through the network line, "I"
Concepts at medical institutions (1) Medical information providers, etc. and destination medical institutions, etc.
It is necessary to organize the way of thinking in accordance with the "demarcation point of responsibility".
In addition, the way of thinking about the information flowing on the network line and on the network line
For the minimum guidelines, see 6.11 Exchange medical information, including personal information, with the outside world.
Please refer to "Safety management when doing".

(C) Thinking about the case where an external storage organization intervenes
In this case, the information to be stored will be outsourced to an external storage organization, so it will be used for normal operation.
Medical institutions, etc. are responsible for taking responsibility and ex post responsibility.
If you intend to share this with other medical institutions, management at both medical institutions
It is necessary to clarify the division of responsibilities and obtain the patient's consent for sharing.
In addition, the external storage organization is in charge of dealing with any failure of the service.
I will clarify in about.

28

Page 36

In addition, medical institutions, etc. when exchanging patient information through external storage institutions, etc.
And the way of thinking about external storage institutions is "8.1.2 Selection criteria and information of institutions that outsource external storage".
"2. Handling of information" and "3. Information" for each storage organization specified in "Standards for handling information"
Please refer to Chapter 8.1.2 because it is stipulated in detail separately as "Provision of information".

(2) When "accessing the information system from outside the facility" such as a medical institution as necessary for business
About the overall concept of the network when accessing the information system from outside the facility
Is "6.11 Safety management when exchanging medical information including personal information with the outside", especially "B-2.
Network Security Concepts to Choose III. Medical equipment using mobile terminals, etc.
Please refer to "When connecting from outside such as Seki". Here, in particular, the idea of ​the demarcation point of responsibility
I will describe it.

(A) So-called telework, which accesses the information system of one's own institution and conducts business
Nowadays, even in medical institutions, from outside the facilities of medical institutions, etc., to the information system of their own institutions
So-called telework, which allows access and business, has also become commonplace.
In this case, from the viewpoint of demarcation of responsibility, it is closed to its own facility, but information processing related businesses are in between.
Employees such as medical institutions will be involved at both ends of the communication line.
Furthermore, in this case, the communication line is not only the Internet but also the mobile phone network and public line.
Various things such as etc. will be used, and a wide range of measures for personal information protection is required
Will be.
In particular, management responsibility is also questioned for employees of medical institutions, etc. who are not responsible for management of medical institutions, etc.
It is necessary to pay attention to the fact that the situation may occur.
In the case of this example, the demarcation point of responsibility is basically closed to the own facility, so it is responsible.
As a general rule, you should refer to "4.1 Responsibility for Information Protection of Administrators of Medical Institutions, etc."
It must be kept in mind.

(B) So-called remote maintenance accessed by a third party for maintenance purposes
Access for remote maintenance of maintenance vendors using remote login, as in this example
Can be considered. In this case, if proper information management and information access control are not done,
Unauthorized reading or falsification of medical information including personal information on the stored disk
There is also the possibility of being struck. On the other hand, if the remote login function is completely prohibited, it will be far away.
Separate maintenance becomes impossible, and maintenance costs such as the time required for maintenance increase.
Therefore, it is necessary to carry out the work while assessing the balance between the convenience of maintenance and the protection of information.
However, even in this case, of course, "responsibility in normal operation" and "things" for medical institutions, etc.
Due to the existence of "post-responsibility", we receive regular reports on management status and final responsibility for management.
It is necessary to carry out supervision such as clarifying the whereabouts of the appointment and fulfill the management responsibility.

29

Page 37

Regarding the concept of maintenance, including remote login, see "6.8 Information System Revision".
See "Building and Maintenance".

(3) Information is "temporarily stored outside" due to the outsourcing of part of the work of medical institutions, etc.
If
The consignment here is a third party who works for the purpose of medical treatment such as remote image diagnosis and clinical examination.
It is a consignment, and as a result, information will be stored by a third party, even temporarily.
The manager of a medical institution, etc. is responsible for selecting a business operator to be entrusted to the business consignee.
Responsible for management including security improvement instructions, and regulation of information retention period
It is necessary to manage and supervise such things.
However, the contracted business operator will take measures such as prevention of leakage and falsification of stored information.
It goes without saying that how to handle and store sensitive information such as infectious disease information and genetic information.
It is necessary to discuss the period, etc. with both parties and specify it.
In addition, medical information is outside even if it is not the so-called business consignment as described above as in clinical trials.
If it is provided to the department, it is the responsibility of both parties in advance with the sponsor in accordance with this.
It is necessary to make arrangements regarding the handling of information.

(4) When entrusting online external storage
Requirements differ depending on whether the outsourcer is a medical institution, an administrative agency, or a private business operator.
Therefore, in "8.1.2 Selection criteria and information handling of institutions entrusted with external storage" in this guideline
It is necessary to fully understand the "standards related to", select a contractor, and conclude an appropriate contract. For patients, etc.
The subject of responsibility for this is the medical institution, etc. that outsources the responsibility, and the medical institution, etc. fulfills its accountability.
It is necessary to make efforts to understand as a medical institution, etc. by stipulating the provision of materials and explanations for the purpose in the consignment contract.
is there. Furthermore, network operators and operators that outsource external storage are often different,
Medical institutions, etc. should make clear decisions about the scope of responsibility for dealing with disabilities.
I need to understand.
In addition, supervision of the contractor is essential, and the status of safety management is reported on a regular basis.
I need to receive it.

(5) When required by law
Encrypted by information processing business operators due to special circumstances such as when required by law
If medical information that is not available is sent, the information processing company or network
It is necessary to take measures against the threat of eavesdropping.
Therefore, the medical institution, etc., which is responsible for managing the medical information on the communication path, is responsible for the information.
Clarification must be made regarding the responsibility for managing medical information with processing-related businesses.
In addition, when entrusting part or all of the management responsibility to an information processing related business operator,

30

Page 38

It is necessary to properly conclude a consignment contract regarding personal information with each business operator and supervise it.
Absent.

4.4 Demarcation point of responsibility in technical measures and operational measures
"Technical response (countermeasure)" and "organizational response" to ensure the safety of information systems
(Measures by operation) ”need to be achieved by a comprehensive combination.
Technical measures (countermeasures) are mainly on the system provider side (vendor) under the comprehensive judgment of medical institutions, etc.
It is the responsibility of the user (medical institution, etc.) to take systematic measures (measures by operation).
Is done.
Comprehensive judgment is based on risk analysis, considering economic efficiency, and device specifications or systems.
Ensuring a certain level of safety according to requirements and operational management regulations. This choice is safe
Social environment including changes in the threat to medical institutions, technological changes in countermeasures, and changes in organizations such as medical institutions
It will be different depending on the boundary change, so it is necessary to pay attention to the trend.
Technical requirements required of vendors in order for medical institutions to make comprehensive judgments and fulfill their responsibilities
Alternatively, it is necessary to clarify the operating conditions required by the vendor and clarify the demarcation point of responsibility with the vendor.
There is a need.
Operation management rules are similar to those created comprehensively as a medical institution and electronic storage of medical images.
It may be created for each department or device. As a guide to judge whether or not it meets the criteria
Then, referring to Chapter 10 and the attached table, create and organize the "Standard Conformity Checklist" etc.
There is a need. Use such checklists as reference material when fulfilling accountability to third parties
it can.

31

Page 39

5 Information interoperability and standardization

Various information is exchanged in business at medical institutions, etc., and instructions, reports, etc. are given by them.
A series of operations is established by sharing intentions by contacting.
If you just want to digitize these exchanges, you need to enter information in your existing work.
It just adds work. However, if the digitized information can be reused,
It will reduce the work of inputting the same information many times and reduce the total amount of work. In addition, information such as paper
Medical treatment from the viewpoint of preventing mistakes when reading and re-entering information, and preventing typographical errors and misreading of instructions.
It also contributes to safety.
In fact, the introduction of a system that handles digitized information at medical institutions, etc. is initially a paperwork.
It originated from the rationalization of information, but now it promotes information sharing, medical safety, and eventually
It contributes to improving the quality of medical care.
Such electronic exchange of information was gradually introduced at medical institutions, etc.
Necessary when performing between stems or between systems provided by various system vendors for each department
It is said that interoperability is ensured.
On the other hand, the importance of information security is an important point of view in the safe management and operation of information systems.
One of the important factors is "availability". Availability here means specifically when needed.
It means that the information is available, and availability must be ensured at any time when the information is used.
Must be. This means "7.2 Ensuring readability" and "7.3 Ensuring storability".
As described in "", for example, when medical information is stored for a long period of time at a medical institution, etc., the system is updated.
Make sure that the medical information stored in the old system can be used even after the new system.
That is, it means ensuring interoperability.
Furthermore, in regional cooperation, information sharing, accumulation, analysis, reconstruction, etc. among medical institutions, etc.
The idea of ​interoperability is also important in situations such as replying and retransmitting.
In order to ensure the interoperability of such medical information, anyone can refer to and use it.
Standards (glossary and code set) that are expected to continue maintenance in the future
, Storage format, message exchange procedure, etc.) or in a state where it can be easily converted to them.
It is desirable to save. Therefore, they are described in this chapter.
As a private sector-led initiative for standards in medical information, the Medical Information Standardization Promotion Association
Parliament (Health Information and Communication Standards Board: HELICS Council)
To The purpose of use is the HELICS Council, of which various standardization organizations and standardization organizations are members.
It recommends the standards to be adopted and provides medical information standardization guidelines for their use.
The Ministry of Economy, Trade and Industry and the Ministry of Health, Labor and Welfare also recommend this in accordance with various international standards.
Etc. have been promoted.
In particular, among the standards set forth by the HELICS Council as guidelines, it is indispensable in Japan.
After deliberation at the Health and Medical Information Standardization Conference of the Ministry of Health, Labor and Welfare, "Thickness"

32

Page 40

It is regarded as "Ministry of Health, Labor and Welfare standard", and its implementation is strongly recommended, and further promotion of standardization is expected.
Is about to be done.
Maintenance of these terms and codes and implementation of standards at medical institutions, etc.
It is rare to do this, but to promote standards-based interoperability, the system
It is important to ask the vendor for these things as a requirement.
Therefore, when trying to introduce a medical information system, or when actually owning a medical information system
Even when operating, it is constant by receiving explanations from the system vendor about the following things etc.
It is necessary to have the same understanding of.
・ Basic stance on standardization
・ If it does not correspond to the standards listed in the next section, the reason
-Proposals for future system updates and interoperability in connecting to other companies' systems

Furthermore, when updating the system currently being introduced or introducing a new system, medical institutions, etc.
It is desirable to have a medium- to long-term vision for interoperability and to formulate a plan.
I.

5.1 Use of basic datasets, standard glossaries, and code sets
As mentioned earlier, standardization efforts are underway, but have already been established at a certain level.
High data compatibility for the following medical information by using standard information items, etc.
It is becoming possible to secure. These are the highest levels of medical information systems
Interoperability is required.

・ Medical institution information

・ Radiation image information

・ History of medical examination at the medical institution

・ Physiological examination graphic information

・ Patient basic information Disease name

・ Endoscopic image information

・ Insurance information

・ Injection

・ Prescription instructions (including usage)

・ Surgical procedure

・ Specimen test (instructions and results)

Various markers required to ensure interoperability of this information and established so far
The associates are shown below.

5.1.1 Ministry of Health, Labor and Welfare Standards
The Ministry of Health, Labor and Welfare issued a notice "About standards that should be recognized as standards in the field of health and medical information".
The Ministry of Health, Labor and Welfare has established standards in the field of health and medical information (“Ministry of Health, Labor and Welfare Standards”).
Implementation is recommended.

33

Page 41

As mentioned above, this is the "medical information" established by the HELICS Council, a private organization.
The standards adopted in the "Standardization Guidelines" are deliberated at the Health and Medical Information Standardization Conference of the Ministry of Health, Labor and Welfare.
It was decided based on the recommendations made as a result.
As of May 2017, the following standards have been adopted by the Ministry of Health, Labor and Welfare standards.
HS001 Pharmaceutical HOT Code Master
HS005 ICD10 compatible standard disease name master
HS007 Patient medical information provision form and electronic medical data provision form (information provision to patients)
HS008 Medical Information Provision Form (Electronic Referral Letter)
HS009 IHE Integrated Profile "Portable Medical Imaging" and Its Operational Guidelines
HS010 Healthcare Information-Medical Waveform Format-Part 92001: Coding Rules
HS011 Digital Imaging and Communication in Medical Care (DICOM)
HS012 JAHIS Laboratory Data Exchange Code
HS013 Standard Dental Disease Name Master
HS014 Laboratory Master
HS016 JAHIS Radiation Data Exchange Regulations
HS017 HIS, RIS, PACS, Reservation between modality, Accounting, Irradiation record information linkage guideline (JJ1017 guideline)
HS022 JAHIS Prescription Data Exchange Terms
HS024 Nursing Practice Term Standard Master
HS025 Information cooperation basic technical specifications in regional medical cooperation
HS026 SS-MIX2 Storage Specifications and Construction Guidelines
The Ministry of Health, Labor and Welfare standards will continue to be appropriate based on the recommendations of the Health and Medical Information Standardization Council.
Since it is a policy to be updated, please refer to the latest version as necessary. See below
It is possible.
http://www.mhlw.go.jp/seisakunitsuite/bunya/kenkou_iryou/iryou/johoka/index.html

5.1.2 Basic dataset
The Ministry of Economy, Trade and Industry announced in 2008 the "Demonstration Project for Interoperability in Medical Information Systems" (Ministry of Economy, Trade and Industry).
Data between basic datasets and systems using them in the interoperability demonstration project)
We have prepared guidelines for exporting and importing.
This basic dataset includes:
・ User information
・ Patient information (basic information)
・ Patient information (infectious disease, allergy information, hospitalization / discharge history, consultation history)
・ Order information (prescription, sample test, radiation)
・ Test result information (sample test)

34

Page 42

・ Disease name information
・ Instructions related to injections, implementation information, etc.
・ Treatment / Surgery

See below for guidelines on ensuring data compatibility with basic datasets
I want to be.
・ JAHIS basic data set application guidelines
https://www.jahis.jp/standard/contents_type=33

5.1.3 Glossary / Code Set
Prior to the establishment of the above-mentioned Ministry of Health, Labor and Welfare standards, the Ministry of Health, Labor and Welfare established the Medical Information System Development Center.
Created and maintained the following standard masters through a business commissioned to Tar (MEDIS-DC)
Management is continuing.
Some of these standard masters have also been adopted by the Ministry of Health, Labor and Welfare standards.
disease

Name: Disease name master (ICD10 compatible standard disease name master)

Surgery / Treatment: Surgery / Treatment Master
Laboratory test: Laboratory test master (including physiological function test)
Pharmaceuticals: Pharmaceuticals HOT Code Master
Medical device: Medical device database
Nursing Term: Standard Master of Nursing Practice Term
Symptom findings: Symptom findings master <Physical findings>
Dental disease name: Dental disease name master
Dental Surgery, etc .: Dental Surgery / Treatment Master
Image inspection: Image inspection master
J-MIX: Data item set for exchanging electronically stored medical record information
・ MEDIS standard masters
http://www.medis.or.jp/4_hyojyun/medis-master/index.html

At MEDIS-DC, in the above-mentioned interoperability demonstration project, each drug and clinical test will be conducted.
For mapping from unique terms / codes defined by medical institutions to standard terms / codes
We are developing a tool, so please use it as appropriate.

5.2 Compliance with international standards for data exchange
HL7 (Health Level Seven) and DICOM (Digital), which are international standards for medical information
Imaging and Communications in Medicine) to be available in Japan

35

Page 43

As defined in, standardization by the Health, Medical and Welfare Information System Industry Association (JAHIS)
Has been done.
The main ones are as follows (some of them have been adopted by the Ministry of Health, Labor and Welfare standards).
).
・ JAHIS Pathology / Clinical Cell DICOM Image Data Code
・ JAHIS Pathological Diagnosis Report Structured Description Rules
・ JAHIS prescription data exchange rules
・ JAHIS Physiological test data exchange rules
・ Electronic signature standard for medical documents using JAHIS Healthcare PKI
・ JAHIS Endoscope Data Exchange Regulations
・ JAHIS Endoscope DICOM Image Data Regulations
・ JAHIS Pathology / Clinical Cell Data Exchange Regulations
・ JAHIS Radiation Data Exchange Regulations
・ JAHIS Radiation Therapy Data Exchange Regulations
・ JAHIS clinical laboratory data exchange rules
・ JAHIS Physiological Function Test Report Structured Description Rules
・ JAHIS disease name information data exchange rules
・ JAHIS injection data exchange rules
・ JAHIS Healthcare Audit Trail Message Standard Regulations
・ JAHIS long-term care standard message specifications
・ Health examination result report standard
・ Remote service security guidelines
・ Security guide run for JAHIS single sign-on
・ JAHIS Cardiac Catheterization Report Structured Description Regulations
・ JAHIS Medical document structured description rules common edition
・ JAHIS data exchange agreement (common edition)
・ Electronic preservation guidelines for medical records, etc. that are obliged to preserve JAHIS
・ JAHIS HPKI Electronic Authentication Guidelines
・ HPKI compatible IC card guidelines

These terms can be obtained at the following URL.
https://www.jahis.jp/standard/contents_type=33

5.3 Other matters related to the application of standards
IHE (Integrating), an international project to promote interoperability of medical information systems
The Healthcare Enterprise) is due to the fact that the usage of the standard is not decided.

36

Page 44

Technical as a "guideline" for how to use the standard to solve the problem
We are proposing Framework. This is a general workf in the actual medical field for each field.
How to use the standards required to conduct a raw survey and then realize system linkage
It is a guideline showing. Details can be obtained from the following URL.
http://www.ihe-j.org/
In addition, the Japan IHE Association referred to the IHE Technical Framework in "Community Medical Cooperation.
Information cooperation basic technical specifications ”has been formulated and adopted as a standard by the Ministry of Health, Labor and Welfare.

In addition, there is a problem of external characters as a point to be noted. A system separate from external characters
It is a notation character defined independently in, but it is used in advance in the system using external characters.
Manage the list of external characters used, change the system, and exchange information with other systems
In that case, it is necessary to take measures so that there is no discrepancy in the notation.

37

Page 45

6 Basic safety management of information systems

The safety management of information systems includes confidentiality obligations for medical professionals stipulated by the Criminal Code, etc., and individuals.
Information protection related laws (Personal Information Protection Law, Administrative Agency Personal Information Protection Law, Incorporated Administrative Agencies, etc.
Required as a legal obligation by the provisions on safety management and assurance stipulated in the Information Protection Law)
ing. Confidentiality is for individuals such as medical professionals and government officials, and safety management and security is for personal information.
It is a duty imposed on the handling business operator and the head of the administrative agency. Neglecting safety management is above
Although it violates the law, the most important thing in medical treatment is the relationship of trust with patients, etc.
Explain that safety management is sufficient, not just indicating that no violation event has occurred
You need to be able to do it, that is, to be accountable. The institutional requirements in this chapter are
Illustrate the text of the Personal Information Protection Law.

A. Institutional requirements
(Safety management measures)
Businesses handling personal information prevent leakage, loss or damage of the personal data they handle.
Necessary and appropriate measures must be taken for the security management of other personal data.
(Employee supervision)
A business operator handling personal information is concerned when making its employees handle personal data.
Necessary and appropriate supervision of the employee so that personal data can be safely managed
There must be.
(Supervision of contractor)
When a business operator handling personal information outsources all or part of the handling of personal data,
Necessary for the outsourced person so that the personal data outsourced to be handled can be safely managed.
Necessary and appropriate supervision must be provided.

(Personal Information Protection Law, Article 20, Article 21, Article 22)

6.1 Policy establishment and publication
B. Way of thinking
Smell "Guidance for proper handling of personal information by medical / nursing-related businesses"
Therefore, it is required to establish and publish a policy regarding the protection of personal information. This guideline
The security management of the target information system can also be considered as part of the personal information protection measures.
Therefore, it is necessary to mention the security management of information systems in this policy.
Regarding the specific contents that should be included in the policy regarding personal information protection, "JIS Q 15001: 2006 (pieces)
"Personal Information Protection Management System-Requirements)" stipulates as follows.
a) Regarding the acquisition, use and provision of appropriate personal information in consideration of the content and scale of the business

38

Page 46

b) Comply with laws and regulations regarding the handling of personal information, guidelines set by the government, and other norms.
c) Thing about prevention and correction of leakage, loss or damage of personal information
d) Responding to complaints and consultations
e) Thing about continuous improvement of personal information protection management system
f) Name of representative

For information system safety management, see "JIS Q 27001: 2014 (Information Security Manager).
Jimento System-Requirements) ”5.2 The policy stipulates as follows.

Top management must establish an information security policy that meets the following requirements:
Absent.
a) Appropriate for the purpose of the organization.
b) Include information security objectives (see 6.2) or set information security objectives
Show the framework for.
c) Commitment to meet applicable information security requirements
Including

d) Includes commitment to continuous improvement of ISMS.

The information security policy must meet the following requirements.
e) Available as documented information.
f) Communicate within the organization.
g) Stakeholders are available as needed.

Organizations that operate information systems that handle personal information should take these requirements into consideration.
It is important to formulate a basic policy that suits the actual situation and publish it in an appropriate manner.

C. Minimum guidelines
1. Formulate and disclose a policy regarding the protection of personal information.
2. Have established a policy regarding the safety management of information systems that handle personal information. That
The policy includes at least the range of information handled by the information system, the method and period of handling and storage,
Responsibility for safety management, ensuring user identification and preventing unnecessary and illegal access
Include a person, a contact point for complaints / questions.

39

Page 47

6.2 Practice of Information Security Management System (ISMS) in medical institutions, etc.
B. Way of thinking
ISO (ISO / IEC) is the standard management system for proper safety management.
27001: 2013) and JIS (JIS Q 27001: 2014). Appropriate management
Adopting a ment system is useful in the practice of safety management.
In addition, in the list of information handled by the information system, risk analysis and countermeasures,
It is important to collect information such as technical measures from the vendor of the device. At that time, JAHIS
"" Medical information security by manufacturers, which is the standard and the standard of the Japan Imaging Medical System Industry Association
"Medical Information Security Disclosure by Manufacturer" shown in the "Lity Disclosure Guide"
"Checklist" will be helpful.
This checklist can be obtained at the following URL.
https://www.jahis.jp/standard/contents_type=33

6.2.1

ISMS construction procedure

The construction of ISMS is done by the PDCA model. According to JIS Q 27001: 2006, each PDCA cycle
The tep is defined as follows. *

* JIS Q 27001: 2014 does not use the description PDCA, but "Information Security Management"
As a "mental system," the organization establishes and implements an ISMS in accordance with the requirements of this standard.
It must be maintained, maintained, and continuously improved. Is described. That model
The old version is quoted because the PDCA cycle is easy to understand.

Overview of PDCA model applied to ISMS process
Risks for achieving results in line with the organization's general policies and objectives

Plan-Plan
(Establishment of ISMS)
Do-Implementation

ISMS related to improving management and information security
Establishing basic policies, objectives, processes and procedures
Introduction and operation of ISMS basic policies, control measures, processes and procedures

(Introduction and operation of ISMS)
Process process in the light of ISMS basic policy, purpose and actual experience
Check-Check
(ISMS monitoring and review)

Performance assessment (measured if applicable), and
Report to management for review of results
Internal audit of ISMS to achieve continuous improvement of ISMS

Act-Treatment
Based on the results of management reviews or other relevant information
(Maintenance and improvement of ISMS)
Implementation of corrective and preventive measures

In P, the documents (basic policy, operation management rules, etc.) that form the framework of ISMS construction and the documented ISMS
Establish a construction procedure.

40

Page 48

In D, ISMS is actually constructed using the documents and procedures prepared in P.
In C, the constructed ISMS is monitored and reviewed to see if it is operating properly.
In A, if there is a point to be improved, corrective action or preventive action will be considered and ISMS will be maintained.

Safety in medical practice to make the above steps more familiar
About how the management steps are carried out JIPDEC (Japan Institute for Promotion of Digital Information)
The following example is described in the "ISMS User's Guide for Medical Institutions" of the Sai Society Promotion Association).
It has been.

[Flow of medical safety management]

Finding and reporting accidents and mistakes
Discovery and reporting of accidents and mistakes by "Hiyari, Hat Case" and "Incident Report"

↓
Cause analysis
・ By "process approach", medical practice is regarded as a process, and accidents and mistakes occur.
The entire business is decomposed into individual processes (operations) and visible as a flow diagram.
Shape it.
(For example, if injection is broken down into a process, (1) the doctor will give a prescription, and (2) the prescription.
Is sent to the pharmacy department, ③ the prescription is delivered from the pharmacy department to the ward, and ④ the nurse corrects it in the ward.
Prepare well and ⑤ inject.)
・ Analyze the created flow chart to find out which process caused the cause.

↓
Preventive / corrective measures
・ Examining and implementing measures to prevent recurrence (change of procedure, introduction of error check mechanism,
Thorough education for staff, etc.)

Looking at the above, D → C → A is the main focus. This is a medical examination in the medical field, etc.
Since the procedures for diagnosis, treatment, nursing, etc. have already been established by accumulating from the past, the rest is
When you discover a mistake or a mistake, you can analyze the procedure to find out where to improve.
It can be said that this is because a mechanism has been created that makes it easier to see and enhances safety by executing it.
On the other hand, in information security, due to the remarkable development of IT technology, it is not enough to accumulate past experience.
There can always be new and unforeseen security issues and weaknesses. Therefore, information center
Curity's own management method is needed, and ISMS was devised for that purpose. ISMS is medical
It will be built and maintained in the PDCA cycle as in the case of safety management.
Conversely, for healthcare professionals, building an ISMS properly practices the steps of P and is an ISMS.

41

Page 49

Once the skeleton document system and procedures are established, the soil for ISMS to be built naturally will be created.
It can be said that there is.
Here's what it takes to put P's steps into practice.

6.2.2 Understanding handling information
List all the information handled by the information system and classify it according to its importance in safety management.
However, it is necessary to keep it up to date at all times. This list is a must for information system security managers
It must be managed in a state where it can be confirmed promptly as needed.
The importance of safety management is determined according to the magnitude of the impact if safety is compromised. Little
At the very least, the magnitude of the impact from the perspective of the patient, etc., and the magnitude of the impact from the perspective of continuing work
Need to be considered. In addition to this, management perspectives of medical institutions, personnel management perspectives, etc.
Classify the importance by adding the necessary viewpoints.
If there is a problem with the safety of personally identifiable medical information, it is extremely serious for patients, etc.
Medical information is classified as the most important information because it can have an impact.
To

6.2.3 Risk analysis
For each classified information, management error, equipment failure, intrusion from the outside, malicious intent of the user,
List threats caused by user errors. In medical institutions, etc., it is generally based on the trust of other staff members, etc.
Because he is working, he is reluctant to assume malicious intent or mistakes of his colleagues. But,
In order to achieve information security and be accountable, even if it is unlikely to happen
It is necessary to prepare measures just in case. Also, to be accountable, these squirrels
The results of the analysis need to be documented and managed. Against the threats obtained by this analysis
The measures in Chapters 6.3 to 6.12 will be taken.
In addition, the security management of information and the prevention of unintended use, which is prohibited in principle by the Personal Information Protection Law,
It should be kept in mind that system functions alone can never be achieved. As a system
What is possible is to operate safely while clearly recording who operated it if it was operated correctly by a person.
It is to guarantee that, and this is the limit. Therefore, we assume threats including human actions.
However, it is important to take measures including the operation management rules.
The point to keep in mind from the above viewpoint as a medical information system is the electronic stored in the system.
Not only for data protection, but also for input / output, there is a risk of being exposed to threats such as exposure.
It is also necessary to think about measures to protect personal information. Assumed in various situations below
List the threats that are

① Electronic data stored in the medical information system
(a) Unauthorized access, falsification, damage, loss, leakage by unauthorized persons

42

Page 50

(b) Unreasonable access, falsification, damage, loss, or leakage by an authorized person
(c) Access, falsification, damage, etc. by unauthorized software such as computer viruses
Lost, leaked

(2) Memo, manuscript, inspection data, etc. used for input
(a) Peeping memos, manuscripts, inspection data, etc.
(b) Taking out memos, manuscripts, inspection data, etc.
(c) Copy of memo, manuscript, inspection data, etc.
(d) Improper disposal of memos, manuscripts and inspection data

③ Information terminals such as laptop computers that store data such as personal information
(a) Taking out information terminals
(b) Due to malicious software such as computer virus due to network connection
Access, tampering, damage, loss, leakage
(c) Information due to improper handling of software (file exchange software such as Winny)
Leakage
(d) Information terminal stolen or lost
(e) Improper destruction of information terminals

④ Portable media that stores data, etc.
(a) Taking out portable media
(b) Copy of portable medium
(c) Improper disposal of portable media
(d) Theft or loss of portable media

⑤ Reference displayed terminal screen, etc.
(a) Peeping on the terminal screen

⑥ Paper, film, etc. on which data is printed
(a) Peeping on paper, film, etc.
(b) Taking out paper, film, etc.
(c) Copy of paper, film, etc.
(d) Improper disposal of paper, film, etc.

⑦ Medical information system
(a) IT failure due to cyber attack

43

Page 51

・ Unauthorized intrusion
・ Tampering
-Illegal command execution
・ Information disruption
・ Virus attack
・ Denial of Service (DoS) attack
・ Information leakage, etc.

(b) IT failure due to unintentional factors
-System specifications and program defects (bugs)
· Operation mistake
· malfunction
・ Information leakage, etc.

(c) IT failure due to disaster
・ Power supply disruption due to disasters such as earthquakes, floods, lightning strikes, and fires
・ Communication disruption due to disasters such as earthquakes, floods, lightning strikes, and fires
・ Damage to computer facilities due to disasters such as earthquakes, floods, lightning strikes, and fires
・ IT in important infrastructure companies due to disasters such as earthquakes, floods, lightning strikes, and fires
Dysfunctional

By taking countermeasures against these threats, the possibility of occurrence is reduced and the risk is practically questioned.
It needs to be reduced to an untitled level.

C. Minimum guidelines
1.

List all the information handled by the information system.

2.

The listed information is categorized according to its importance for safety management, and is always up-to-date.
Maintaining the state.

3.

This list can be quickly checked by the information system safety manager as needed.
It is managed by.

Four. Perform risk analysis on the listed information.
Five. The countermeasures shown in Chapters 6.3 to 6.12 are taken against the threats obtained by this analysis.
When.

D. Recommended guidelines
1.

Document and manage the above results.

44

Page 52

6.3 Organizational safety management measures (system, operation management rules)
B. Way of thinking
Regarding safety management, the responsibilities and authorities of employees are clearly defined, and rules and procedure manuals related to safety management.
Must be maintained and operated, and its implementation status must be confirmed by daily self-inspection. this
Is a matter to be observed regardless of whether or not the information system is used in the organization. Organizational security
All management measures include the following items.

(1) Establishing an organizational system for taking safety management measures
(2) Development of regulations, etc. that determine safety management measures and operation in accordance with the regulations, etc.
③ Maintenance of medical information handling ledger
④ Evaluation, review and improvement of safety management measures for medical information
⑤ Establishing rules regarding information and taking out information terminals to the outside
⑥ When remotely accessing a system such as a medical institution from the outside using an information terminal, etc.
Management rules for information terminals, etc.
⑦ Dealing with accidents or violations

Operational management rules are extremely important for fulfilling management responsibility and accountability, and must be established.
Must be.
In addition, in detail about the case where information and information equipment are taken out and handled by other than medical institutions, etc.
For details, refer to "6.9 Information and Taking Out Information Equipment" separately.
I want to be.

C. Minimum guidelines
1. 1. Establish an information system operation manager and limit the person in charge (including the system administrator)
Uto. However, if the role is obvious in a small medical institution, etc., clear rules will be established.
You don't have to.
2. In places where personal information can be referred to, visitor records / identification, entry / exit restrictions, etc.
Establish entry / exit management.
3. 3. Create access control rules that stipulate access restrictions, records, inspections, etc. to information systems
To do.
Four. When entrusting the handling of personal information, the consignment contract includes provisions regarding safety management
To squeeze.
Five. The following contents shall be stipulated in the operation management rules, etc.
(a) Philosophy (statement of basic policy and management purpose)
(b) System of medical institutions, etc.
(c) Management of documents such as contracts and manuals

45

Page 53

(d) Risk prevention and response methods
(e) When using equipment, manage the equipment
(f) Method of managing (storage, transfer, etc.) recording media of personal information
(g) How to obtain explanation and consent to patients, etc.
(h) Audit
(i) Reception desk for complaints and questions

46

Page 54

6.4 Physical safety measures
B. Way of thinking
Physical security measures are information terminals where personal information is input, referenced, and stored in information systems.
It is to protect the end, computers, information media, etc. by physical methods. In particular
Define some security zones according to the type, importance and usage of information, and do the following:
It is necessary to manage it appropriately in consideration of the terms.

・ Management of entry / exit (room) (management of entry authority according to business hours, midnight hours, etc.)
・ Prevention of theft, peeping, etc.
・ Physical protection and measures including prevention of theft and loss of equipment, devices, information media, etc.

In addition, in detail about the case where information and information equipment are taken out and handled by other than medical institutions, etc.
For details, refer to "6.9 Information and Taking Out Information Equipment" separately.
I want to be.

C. Minimum guidelines
1. 1. Lock the installation location of equipment where personal information is stored and the storage location of recording media
thing.
2. Areas where terminals that can enter and refer to personal information are installed are provided except during business hours.
Take measures such as locks that can only be entered by persons authorized based on the operation management regulations
To mess with. However, if there are other possible measures at the same level as this countermeasure item, this is the case.
Not as long as the.
3. 3. Carry out entry / exit management to the area where personal information is physically stored. For example
Do the following:
・ It is obligatory for entrants to wear name tags, etc., and entry and exit can be done by filling in the ledger, etc.
Record the fruit.
・ Regularly check the records of migrants and occupants to confirm their validity.
Four. Install an anti-theft chain on important devices such as PCs that contain personal information.
Five. Take measures to prevent peeping.

D. Recommended guidelines
1. Install security cameras, automatic intrusion monitoring devices, etc.

47

Page 55

6.5 Technical safety measures
B. Way of thinking
There is no guarantee that all threats can be countered only by technical measures, and generally measures by operation management
Combination with is essential.
However, if the effective range is recognized and appropriate application is made, the technical measures are strong safety measures.
Can be a means. It can be used here to counter the threats listed in 6.2.3 Risk Analysis.
The following items will be explained as technical measures.

(1) User identification and authentication
(2) Information classification management and access authority management
(3) Access record (access log)
(4) Countermeasures against malicious software
(5) Unauthorized access from the network
(6) Use of IoT devices in fields such as medical care

In addition, in detail about the case where information and information equipment are taken out and handled by other than medical institutions, etc.
For details, refer to "6.9 Information and Taking Out Information Equipment" separately.
I want to be.

(1) User identification and authentication
Information systems are used to limit access to information systems to legitimate users only.
It must have the ability to identify and authenticate a person.
When the users of the information system are limited in small medical institutions, etc., during daily work
In some cases, identification / authentication is not always considered essential, but in general
This feature is mandatory.
In order to carry out certification, all staff and related persons who have access to the information system must be addressed.
Hands used for personal identification / authentication such as ID / password, IC card, digital certificate, biometric authentication, etc.
It is necessary to prepare a stage and manage it in a unified manner. Also, every time an update occurs, the update work will be done promptly.
Must be done.
Only the person can know or have the information used for such identification / authentication of the person.
It is necessary to keep the state. For example, the information used to identify and authenticate the person is not leaked to a third party.
The following risks must be dealt with.

・ A piece of paper with an ID and password written on it is affixed so that a third party can easily know it.
I will end up.
-A password is not set and anyone can log in to the system.

48

Page 56

・ The ID and password are given to others for proxy work, etc., and are saved in the system.
The worker cannot be identified from the work history.
-One ID is used by multiple users.
・ A password that can be easily guessed or has a small number of characters is set, making it easy.
I can guess the password.
・ The password can be guessed because it is used without changing it regularly.
The possibility is high.
-Security device (IC card, USB key) that stores personal identification information for authentication
Etc.) can be specified by the user by lending it to another person or borrowing it without the permission of the owner.
I can't.
-You can log in with the ID of the retired employee still valid.
・ Passwords are stolen from forms that have been left unprinted at the medical information department.
-A computer virus steals and misuses IDs and passwords.

<Concept of certification strength>
The combination of ID and password is a method that has been widely used so far. However, ID ・
As mentioned above, password-only authentication poses a great risk depending on its operation.
Become. In order to maintain the authentication strength, the initial password at the time of issuance is changed by the person himself or regularly.
By devising the implementation and operation of the system, such as obliging to change the password, only the person knows
It is necessary to take measures to keep it in a state where it cannot be obtained.
Thorough implementation of such measures is generally considered difficult, and its feasibility perspective
Not recommended by.
As a means used for authentication, in the user's "memory" such as a combination of ID and password
"Biometrics" using the user's biological characteristics such as fingerprints, veins, and iris.
Ometrics), "physical media" (security devices) such as IC cards
Is generally due to. Considering the security strength in authentication, these are all
Even with these means, it is generally difficult to maintain sufficient authentication strength when used alone.
To Therefore, security devices such as IC cards + passwords and biometrics + IC
Those who use two independent elements such as card, ID / password + biometrics
It is desirable to adopt an expression (two-factor authentication).
Currently, two-factor authentication is additionally implemented for each terminal that accesses the medical information system.
This is thought to increase the burden on medical institutions. Such technology is originally a system
It should be implemented in advance, and in the future, we will consider the implementation status of authentication technology on terminals.
Consideration is required to respond as soon as possible. *
* Approximately 10 years after the publication of the 5th edition of this guideline, considering the implementation status of authentication technology on terminals, etc.
It is assumed that "C. Minimum guidelines" will be set as the target.

49

Page 57

Also, for example, handling modality in radiation controlled areas or referencing / inputting drug history at pharmacies.
If two-factor authentication is not implemented in the terminal that uses the information system, etc.
Even so, at the time of admission, the end is done by authenticating the user when entering the section where the terminal is operated.
Two or more elements (two or more of storage, biometrics, and physical media) are not authenticated, including when used at the end.
If so, it can be considered equivalent to two-factor authentication.
Operate multiple applications with a single authentication using the single sign-on method
Even if you do, if you perform two-factor authentication at the first login, you will be responsible for security.
It is considered to be preserved.
However, if you leave it for a long time while logged in, or just log in with a specific terminal, the hospital
Operations that allow you to log in to multiple terminals are not permitted.
When the input person leaves the terminal for a long time, the input by a person other than the legitimate input person is prevented.
Therefore, preventive measures such as clear screen should be taken.
By forcing the password to be changed regularly, "C. Minimum Guidelines"
Does not meet the requirement of "do not use passwords that are easy to guess" in
Sk is pointed out. However, the nature of the medical information system that handles patient information
However, it is necessary to make regular changes while using a password that cannot be easily guessed.
is there. However, if you're using two-factor authentication, you don't necessarily need to change your password regularly.
I can't get it.

<Points to keep in mind when distributing security devices such as IC cards>
For security devices such as IC cards for the purpose of user identification, authentication, signature, etc.
When storing and distributing personal identification information, encryption keys, digital certificates, etc., these security
It is necessary to take measures to prevent the tee device from accidentally falling into the hands of a third party other than the person himself / herself.
is there. Also, in the unlikely event that the security device is illegally obtained by a third party
However, it is important that it is not easily used.
Therefore, it is possible to identify, authenticate, and sign users with these security devices alone.
There is a big risk in such an operation, and it is always combined with information that only the user can know.
Therefore, it is necessary to adopt a mechanism and operation method that are effective only.
As an alternative method in an emergency, assuming that the person's identification information cannot be used due to damage to the IC card, etc.
Temporary access rules should be provided. At that time, easily change the level of safety management
Allow the use of alternative means after sufficient verification of identity so as not to lower it, and further
Log of the above emergency operation by the legitimate identification information of the person who was reissued at a later date, leaving the information etc.
It is desirable to perform confirmation operations such as.

<Points to keep in mind when using biometrics>

50

Page 58

When using biometrics such as fingerprints, irises, and voiceprints for identification / authentication, the measurement accuracy
Also need to be careful. Various existing types that are generally considered to be available in medical information systems
The measurement accuracy of the biometrics device is 1 to N collation (one input sample is registered.
It is not enough for which of the multiple samples that are being matched), and a one-to-one match (input)
Is the sample matched with one particular sample)?
Is done.
Therefore, when using biometrics, be sure to use the user without identifying and authenticating independently.
It should be used in combination with something that can identify an individual such as an ID.
In addition, there are the following problems peculiar to biometric information when authenticating based on biometric information.

・ Loss of parts used for certification due to accidents or illnesses, etc.
・ Changes in parts used for authentication due to growth, etc.
・ In the case of identical twins, the feature values ​may be similar.
・ "Spoofing" by infrared photography (equivalent to forgery of IC cards, etc.)

In consideration of the above, it is necessary to examine the characteristics of biometric information and use an appropriate method.
To deal with defects, use different methods and biometric information of different parts, to spoof
Two-factor authentication (combination of IC card or password and biometrics, etc.)
Is required to be used.
Based on these things, as a two-factor authentication method that is expected to be actually adopted, below
An example of the above is given.
Two-factor authentication adoption example
・ User ID + password + fingerprint authentication
・ IC card + password
・ IC card + vein authentication, etc.

(2) Information division management and access authority management
When using an information system, the information is divided according to the type, importance and usage pattern of the information.
For each information category, each user or user group (business unit, etc.) in the organization
It is necessary to specify the usage authority. What is important here is the minimum required usage authority to be granted.
Is to do.
Risk can be reduced by not giving information that you do not need to know and not granting unnecessary authority.
To A machine for setting detailed permissions such as reference, update, execution, addition, etc. in the information system
If you have the ability, you can further reduce the risk.
The access authority should be reviewed as appropriate according to changes in the user's duties due to personnel changes, etc.
It must be done and must be stipulated in the rules of the organization.

51

Page 59

(3) Access record (access log)
For resources including personal information, collect all access records (access logs) and set them.
It is necessary to check the contents on a regular basis to confirm that there is no unauthorized use.
The access log may contain personal information in itself, and even more
It is essential to protect it because it is very useful information for investigating when a curity accident occurs.
Is. Therefore, access to the access log is restricted, and unauthorized deletion of the access log /
Measures must be taken to prevent tampering / addition.
In addition, the time to record is important to ensure the evidence of the access log. Highly accurate
Must be used and synchronized on all managed systems.
In addition, access logs are collected in the medical information system handled by medical institutions, etc.
If there is no function, create a business diary related to system operation and record the operation (operator and
It is necessary to manage the operation details, etc.).

(4) Countermeasures against malicious software
Malware with various forms called viruses, worms, etc. is email,
There is a possibility of entering the information system through networks, portable media, etc. These fraudulent soft
If appropriate protective measures are not taken in the event of a security intrusion, the security mechanism will be destroyed.
Serious problems such as system down, information disclosure and falsification, information destruction, and unauthorized use of resources are caused.
Be awakened. And only when something goes wrong, you notice the intrusion of malicious software.
Will be.
The most effective countermeasure is to install software for scanning malicious software.
It is thought that this software is used for terminal devices, servers, and network devices in information systems.
By making it resident in such places, it can be expected to detect and remove malicious software. Also, this one
The same applies to information terminals and PCs used outside medical institutions, but the idea is
For information and countermeasures, refer to "6.9 About taking out information and information terminals".
However, these computer viruses are also constantly changing, and putters are used for detection.
It is essential to keep the files up to date.
All fraud, even with good scanning software installed and operated properly
The software cannot detect it. As a countermeasure, it is possible to make a vulnerability on the information system side.
It is important to keep it as small as possible, and security in the operating system etc.
For reported holes, the corresponding version (called a security patch)
Sequential update to, deactivation of unused services and communication ports, macro execution
Suppression is also very effective.

(5) Unauthorized access from the network

52

Page 60

Security from the network includes crackers, computer viruses and fraudulent attacks
Fire as a way to protect against software attacks aimed at Seth
There is the introduction of the wall.
Firewalls are "packet filtering", "application gateway", "s"
There are various methods such as "Tateful inspection". Also, depending on the setting, the operation function
However, simply installing a firewall is not a relief. Simple pa
Instead of thinking that ket filtering is sufficient, combine other methods and externally
It is desirable to deal with attacks from. System administrators know what and how the method protects
You should be aware of what you are doing. This means information about medical institutions from outside the medical institutions.
The same applies to information terminals such as PCs connected to the stem, but the concept and countermeasures
For more information, please refer to "6.9 About taking out information and information terminals".
There is also a system (IDS: Intrusion Detection System) that detects fraudulent attacks, and medical information
The adoption of IDS should also be considered, depending on the relationship between the information system and the external network. Also,
Diagnosis of security holes (vulnerabilities, etc.) in the system network environment
It is also important to carry out (curity diagnosis) regularly and take measures such as patches.
Wireless LAN and information outlets can be physically connected to the network by outsiders
If there is a problem, connect an unauthorized computer to infect a virus, etc., or use a server or network.
Attacks network devices (denial of service attack DoS: Denial of Service, etc.)
It is possible to illegally intercept or falsify data on the network. Against a rogue PC
When taking countermeasures, it is common to identify the PC by using the MAC address, but MAC
Since the address can be tampered with, it is necessary to take measures with that in mind.
To prevent unauthorized access, it is important to ensure the identification of the access destination, especially
Prevention of "spoofing" must be ensured. Also, the information that flows on the network
In order to prevent eavesdropping of information, it is necessary to take measures against "information leakage" such as encryption.

(6) Use of IoT devices in fields such as medical care
In recent years, "IoT" has realized new services by connecting various things to networks.
(Internet of Things) ”is becoming widespread, and its use in fields such as medical care is also advancing. Specifically
Is it a medical device used inside or outside a medical institution, a wearable terminal that measures vitals, etc.?
Collect patient data and use it for medical support and follow-up of doctors, and in medical institutions, etc.
Analyzing the location information and flow lines of staff in Japan, and improving the sickbeds and staffing, etc.
ing.
With such a mechanism and service, it becomes possible to capture the patient's condition in real time.
The introduction of IoT may bring benefits to both medical institutions and patients, but information security
From the perspective of morality, risks that were not previously envisioned may become apparent.
In this section, IoT devices (automatically acquire information with sensors, etc., or other devices automatically acquire information.

53

Page 61

A device that relays the acquired information and sends it to other medical information systems via the network)
Therefore, we will use a mechanism to acquire personal information related to medical care and collect it via a network.
In this case, the matters to be observed are stipulated.
In addition, in this guideline, for the purpose of appropriate preservation of medical information, IoT is as follows.
It stipulates requirements for proper handling of equipment, and states "Quality of pharmaceuticals, medical equipment, etc.,
Smell of "Act on Securing Effectiveness and Safety" (Act No. 145 of August 10, 1960)
Regarding the maintenance of cyber security of medical devices specified in the above, the Ministry of Health, Labor and Welfare, Pharmaceutical and Living Hygiene
"Ensuring cyber security in medical devices" issued by the bureau (Heisei
Based on April 28, 2015, Yaksik Machine No. 0428 No. 1, Yaksik Food Safety No. 0428 No. 1), etc.
We would like to see the necessary cooperation with the manufacturers and distributors of medical equipment.
For the criteria for connecting to the network from outside the facility, see "6.11 External and personal information.
Please refer to the provisions of "Safety management when exchanging medical information including medical information".
Regarding IoT security, "IoT Security Guideline ver1.0" (IoT Promotion Contest
The Society, Ministry of Internal Affairs and Communications, Ministry of Economy, Trade and Industry; July 2016) have been compiled for reference.
To

When handling patient information with IoT devices, manufacture regardless of medical or non-medical devices
Risk analysis is performed based on the information provided by the distributor, and operational management rules related to its handling are established.
Need to be.
In particular, when renting wearable terminals and IoT devices installed at home to patients, etc., the device machines
Depending on the function and performance, sufficient security may not be ensured. Therefore, wearer
When renting a bull terminal or equipment installed at home, be sure to discuss information security risks in advance.
It is necessary to explain to patients and obtain their consent. Also, if an abnormality or inconvenience occurs in the IoT device
It is necessary to explain to patients, etc. how to make inquiries.

Since vulnerabilities may be discovered in IoT devices after the introduction of devices and services, services
It is necessary to take measures at an appropriate time and method so that the provision to the service will not be hindered.
In addition, depending on the utilization status of IoT, it is assumed that a large number of IoT devices are connected at the same time.
However, in this case, it is difficult to accurately grasp the connection status of the device and the occurrence of an abnormality. IoT equipment
It is desirable that the system including the above can grasp the state of each independently, but the equipment / system
It is difficult to take measures such as managing a large amount of logs and encrypting logs.
In some cases. In this case, all systems and services, such as installing a monitoring device in the upper system
Physical measures will be considered.
Another risk of IoT is connecting devices that are no longer in use or stopped to the network.
If you leave it in this state, the device will be connected illegally without even the user noticing it.
There is a match. Measures such as monitoring the network connection status of IoT devices can be considered, but use it.

54

Page 62

Operational measures such as turning off the power of the finished or stopped equipment and cutting off the connection are also possible.

With the further spread of IoT, diversification of utilization methods, threats to safety, and techniques related to countermeasures
Technological changes may progress, which may have a significant impact on security in fields such as medical care. Medical device
It is also necessary to pay attention to future trends in the related fields.

(7) Others
Wireless LAN is used when nurses use information terminals to work at the patient's bedside.
Although it is highly convenient, there is a risk that communication may be blocked, which hinders the availability of information.
Care must be taken not to. In addition, machines that may be seriously affected by wireless radio waves.
Care must be taken when using it around vessels.
In addition, when using power line communication (PLC), medical equipment
The safety of the vessel has not been confirmed, and the Ministry of Health, Labor and Welfare's Pharmaceutical and Food Safety Bureau said, "Broadband power line carrier communication.
Responding to inquiries from medical personnel regarding the impact of credit devices on medical devices "
Availability due to the notification (No. 1109002 issued by Yakushoku Anshin dated November 9, 2006)
It is necessary to pay attention to both the securing of the medical device and the impact on other medical devices.

C. Minimum guidelines
1. 1. To identify and authenticate users when accessing information systems.
2. If a combination of user ID and password is used for personal identification / authentication, it should be used.
Take measures to keep these information in a state that only the person can know.
3. 3. When using a security device such as an IC card to identify and authenticate the person, IC
As an emergency alternative, assuming that the person's identification information cannot be used, such as when the card is damaged.
Prepare a temporary access rule by.
Four. When the input person leaves the terminal for a long time, the input by a person other than the legitimate input person is input.
If so, take preventive measures such as clear screen.
Five. When using data including personal information for operation check etc., pay sufficient attention to leakage etc.
thing.
6. Define the range of medical records, etc. that can be accessed for each medical worker and related occupation, and level them.
Access control according to the rules. In addition, the review of access authority is a personnel change.
It is stipulated in the operation management rules that it should be done as appropriate according to changes in the user's duties due to
What you are doing. Access by job type in a system accessed by users of multiple job types
System management function is required, but if there is no such function, the system
Until the update, determine the accessible range in the operation management rules and record the operation in the next section.
It is necessary to secure it by collateral.
7. 7. Record access and check logs regularly. There are few records of access

55

Page 63

Also, the login time and access time of the user, as well as the patient who operated during login are special.
What can be determined. It is assumed that the information system has an access recording function, but
If this is the case, be sure to record the operation (operator, operation details, etc.) in the business diary.
8. 8. Restrict access to access logs and illegally delete / tamper with / add access logs
Take measures to prevent damage.
9. The time information used to record access should be reliable. Among medical institutions, etc.
The time information used in the department must be synchronized and regularly match the standard time.
It is necessary to maintain the accuracy within the range where there is no problem as a record of standard time and medical facts by means such as making it.
There is a need.
10. When building a system, when using media that is not properly managed, when receiving information from the outside
Make sure that there is no malicious software such as a virus in the box. Properly
When using media that is considered to be unmanaged, make sure that you have sufficient safety confirmation.
Give it and use it with the utmost care. Malware such as viruses at all times
Take appropriate measures to prevent contamination. Also, confirm the effectiveness and safety of the measures.
Maintain (for example, check / maintain pattern file updates).
11. When using a password to identify a user
The system administrator should be aware of the following items.
(1) Be sure to encrypt the password in the password file in the system (irreversible if possible)
Conversion is desirable), and management and operation are performed in an appropriate manner. Also, profit
When using other means such as an IC card to identify the user, the password according to the system
The operation method of the device shall be specified in the operation management rules.
(2) When the user may forget or steal the password, the system
When the system administrator changes the password, the user's identity is confirmed and which one
Describe in the ledger whether the identity verification was performed by such a method (documents for which the identity verification was performed, etc.)
(Attach a copy) and re-register in a way that only the person can know.
(3) Prevent means that even a system administrator can estimate a user's password
(The password must not be included in the configuration file).
In addition, the user should pay attention to the following items.
(1) Change the password regularly (within 2 months at the longest * 2 elements specified in D.5
Except when certification is adopted. ), Do not use extremely short strings. Alphabet
A character string of 8 or more characters, which is a mixture of characters and symbols, is desirable.
(2) Do not use passwords that are easy to guess, and repeat similar passwords
Do not use. Passwords that are easy to guess include your name, date of birth, and dictionary.
Some of them include the words described in.
12. When using wireless LAN
The system administrator should be aware of the following items.

56

Page 64

(1) Make sure that the use of wireless LAN is not specified by anyone other than the user. For example, Ste
Take measures such as loose mode and ANY connection refusal.
(2) Take measures against unauthorized access. At least by SSID or MAC address
Limit access.
(3) Preventing the acquisition of unauthorized information. Encrypt communication with WPA2 / AES, for example
To protect information.
(4) Radio wave interference may occur due to devices that emit radio waves (portable game machines, etc.), so doctors
Be careful when making it available in facilities such as medical institutions.
(5) Regarding the application of wireless LAN, "Wireless LAN for general users with peace of mind" issued by the Ministry of Internal Affairs and Communications
"To use" and "For companies to install and operate wireless LAN with peace of mind"
Please refer to.
13. When using IoT devices
The system administrator should be aware of the following items.
(1) When handling patient information using IoT devices, this is provided by the manufacturer / distributor.
Risk analysis is performed based on the information on cyber security of the medical device, and then
Establish operation management rules related to the handling of.
(2) Wearable terminals and home-based installations where it is difficult to take sufficient security measures
Before lending IoT devices to patients, etc., there are risks related to information security.
Explain to patients and obtain their consent. In addition, an abnormality or inconvenience has occurred in the device.
Provide information to patients, etc. regarding contact information and how to contact medical institutions, etc.
That.
(3) In IoT devices, vulnerabilities related to firmware etc. are discovered after product shipment.
There is. Security of IoT devices based on the characteristics of systems and services
Consider and apply a method to properly carry out necessary updates at the required timing
That.
(4) Network IoT devices that have been discontinued or have been discontinued due to a malfunction.
If you leave it connected to, there is a risk of unauthorized connection, so take measures.
thing.

D. Recommended guidelines
1. 1. Implement information division management and access management for each division.
2. Perform closing processing when leaving the seat (clear screen: log off or
Passwordd screen saver, etc.).
3. 3. For important parts of safety management such as connection points with external networks and DB servers,
Established earwalls (including stateful inspection and equivalent functions)
Place it and set ACL (access control list) etc. appropriately.

57 57

Page 65

Four. When using passwords for user identification, comply with the following criteria.
(1) Allow a certain amount of refusal time for re-entry when password entry is unsuccessful
To set.
(2) If the password re-entry fails more than a certain number of times, the password will be re-entered for a certain period of time.
The mechanism should not be attached.
Five. The means used for authentication are ID / password + biometrics or IC car.
2 such as security devices such as passwords or biometrics
A method with higher authentication strength, such as a method using two independent elements (two-factor authentication)
To adopt. However, two-factor authentication is implemented on terminals that use information systems.
Even if it is not, the user is authenticated when entering the section where the terminal is operated.
Then, two or more elements (memory, biometrics, physical media) including when entering and using the terminal
If two or more of them are authenticated, it can be considered to be equivalent to two-factor authentication.
6. When installing and operating multiple wireless LAN access points, etc., manage
It adds complexity and can increase the risk of intrusion. The risk of such intrusion is high
For example, security that combines 802.1x and digital certificates
To strengthen the tee.
7. 7. IoT devices / systems to understand the connection status and abnormalities of systems including IoT devices
Collects and grasps each status and communication status with other devices, and appropriately logs
To record.

58

Page 66

6.6 Human safety measures
B. Way of thinking
Medical institutions, etc., in order to reduce the risk of information theft, fraudulent activity, unauthorized use of information equipment, etc.
It is necessary to formulate human safety measures aimed at preventing human error. Confidentiality for this
Includes provisions on penalties for violations and matters related to education and training.
The following five types are assumed as persons related to medical information systems.

(a) Persons who handle information related to medical treatment in the work of doctors, nurses, etc. and have a legal obligation of confidentiality.
(b) Engaged in the clerical work of medical institutions such as medical department staff and clerical contractors, and under the employment contract
Persons who handle medical information and have a duty of confidentiality
(c) Persons engaged in the work of medical institutions, etc. without concluding an employment contract with system maintenance companies, etc.
(d) Third parties who do not have the authority to access medical information such as visitors
(e) Persons involved in data management work for outsourcing of external storage of medical records, etc.

Of these, regarding (a) and (b), regarding human safety management measures as employees of medical institutions, etc., (c)
The explanation will be divided into two parts: personal safety management measures as a contractor with a non-disclosure agreement.
Regarding the third party in (d), you should not touch the medical information system of medical institutions in the first place.
Therefore, access to the system is provided by physical safety management measures and technical safety management measures.
It is necessary to ban it. In addition, in the system due to a cyber attack by a third party, etc.
In the event of information leakage, etc., the Act on Prohibition of Unauthorized Access, etc.
It is necessary to take appropriate measures as required by other laws and regulations.
Regarding (e), it corresponds to an institution that entrusts so-called "external storage", but regarding this
Details are given in Chapter 8.
In recent years, the risk of cyber attacks targeting medical institutions has increased.
Information processing promotion and "Countermeasures against targeted attack emails" published by the Japan Society for Medical Informatics
Responding to cyber attacks such as targeted emails by referring to the "Bookmark Series of Countermeasures" of the Organization
It is necessary to educate employees.

(1) Personal safety management measures for employees
C. Minimum guidelines
Managers of medical institutions, etc. take measures to properly implement measures related to the safety management of personal information
It is necessary to supervise the implementation status and take the following measures.

1. 1. Employment and employment when hiring persons other than those with legal confidentiality obligations as clerical staff, etc.
In addition, safety management shall be carried out by concluding a confidentiality / non-disclosure contract at the time of contract.
2. Regularly educate and train employees regarding the safety management of personal information.

59

Page 67

3. 3. Establish personal information protection regulations for employees after retirement.

D. Recommended guidelines
1. 1. Actions for employees by monitoring, etc. in places that are important for management such as server rooms
To manage.

(2) Supervision and non-disclosure agreement of business handling contractors
C. Minimum guidelines
1. 1. When outsourcing the office work and operation of a medical institution to an external business operator, the inside of the medical institution, etc.
Take the following measures to ensure the appropriate protection of personal information in Japan.

(1) Protection supported by work regulations, etc. that stipulate comprehensive penalties for contracted businesses
To conclude a secret contract
(2) When directly accessing the medical information system such as maintenance work, the worker
Check the work content and work results.
③ Even in the case of work that does not directly access the medical information system such as cleaning,
Perform regular post-work checks.
④ Clarify whether or not the consignment company will subcontract, and if subcontracting, consign
It is a condition that the same measures and contracts for personal information protection as those of the trader are made.
To be.

2. It is unavoidable when it is necessary to rescue the stored data due to a program abnormality, etc.
There are penalties for external maintenance personnel accessing personal information such as medical records due to circumstances.
Take measures to maintain confidentiality such as non-disclosure agreements supported by work regulations.

60

Page 68

6.7 Discard information
B. Way of thinking
It is necessary to ensure the safety of electronic information related to medical treatment even when it is destroyed. Make sure to destroy
There is a need. However, if the information exists in relation to each other, for example in a database,
Note that some information may become unavailable due to improper destruction of some information.
I have to be careful.
The procedure for destruction should be clarified in advance in preparation for actual destruction.

C. Minimum guidelines
1. 1. Establish the procedure for discarding each type of information identified in "6.1 Establishment and Publication of Policy".
The procedure includes conditions for discarding, identification of employees who can discard, and specific discarding.
Include the method of.
2. When destroying the information processing equipment itself, be sure to do it by someone with specialized knowledge.
And make sure that there is no remaining and readable information.
3. 3. If the destruction is outsourced to an organization that outsources storage, "6.6 Human Safety Measures (2)
According to the "Supervision and Confidentiality Agreement of Business Handling Contractors", medical institutions, etc. that further outsource
Make sure that the information has been destroyed.
Four. The following contents shall be stipulated in the operation management rules.
(a) Creation of rules stipulating the destruction of media containing personal information that is no longer needed

61

Page 69

6.8 Information system modification and maintenance
B. Way of thinking
Regular maintenance is required to maintain the availability of medical information systems. Me
Maintenance work mainly includes troubleshooting, preventive maintenance, software revision, etc., but especially for troubleshooting.
In response, data at the time of failure may be used for cause identification and analysis. This
In this case, system maintenance personnel may directly access medical information in administrator mode.
Therefore, sufficient measures are required. Specifically, the following threats exist.

・ In terms of personal information protection, exposure by taking out repair records, analysis at maintenance centers, etc.
Peeping or taking out the data by a third party
-In terms of authenticity, intentional data falsification and operation by abusing administrator privileges
Modification of data due to mistakes, etc.
-In terms of readability, the service is stopped due to intentional machine stop or operation error.
Stop etc.
-In terms of storage stability, media due to intentional destruction and initialization of media and operational mistakes.
Initialization of the body, overwriting of data, etc.

In order to protect data from these threats, maintenance work is actually carried out under appropriate management by medical institutions, etc.
Need to be given. That is, (1) conclude a confidentiality agreement with a maintenance company, and (2) register maintenance personnel.
And management, ③ management of work plan reports, ④ operational aspects such as supervision by related parties such as medical institutions during work
Central measures are needed.
Depending on the maintenance work, it is conceivable that the maintenance company will outsource repairs to an external company.
Therefore, when concluding a maintenance contract with a maintenance company, personal information protection to the subcontractor
It is important to seek the same contract as a maintenance company for thorough protection.

C. Minimum guidelines
1. 1. When using data including personal information in operation check, set clear confidentiality obligation
At the same time, it is required to perform processing such as surely erasing the data after the end.
2. When maintenance company workers access the server to perform maintenance
Whether or not there is access to personal information using the dedicated account of the maintenance personnel, and a.
In case of access, keep a work record including the target personal information. This is system usage
The same applies to identification / authentication for confirming operations by imitating a person.
3. 3. The account information is managed appropriately from the viewpoint of preventing unauthorized use due to external leakage, etc.
Asking for that.
Four. You can quickly delete the maintenance account when the maintenance staff leaves the job or changes the person in charge.
U, obligatory reports from maintenance companies, and an account management system that responds accordingly

62

Page 70

Keep it in order.
Five. When the maintenance company carries out maintenance, submit the work application in advance on a daily basis.
And request the prompt submission of a work report at the end. Those documents are doctors
Approval by the person in charge of the medical institution, etc.
6. Conclude a confidentiality agreement with a maintenance company and have it comply with it.
7. 7. Maintenance companies should avoid taking data, including personal information, out of the organization,
If you have to take it out of the organization in an unavoidable situation, leave it behind.
Requesting that operational management rules be established for handling including sufficient measures against medical treatment
Approval by the person in charge of the institution, etc. one by one.
8. 8. Whenever the system is modified or maintained by remote maintenance,
Collect the access log and promptly report the work contents to the medical institution after the work is completed.
The person in charge of such things should confirm.
9. If subcontracting is done, the maintenance company is responsible for the same obligation to the subcontracting business operator.
To impose.

D. Recommended guidelines
1. 1. Record detailed operation records as maintenance operation logs.
2. Perform maintenance work in the presence of related parties such as medical institutions.
3. 3. Request a non-disclosure agreement between each worker and the maintenance company.
Four. Maintenance companies should avoid taking data, including personal information, out of the organization,
If you have to take it out of the organization in unavoidable circumstances, detailed work notes
Asking to keep a record. Also, if necessary, we will respond to audits by medical institutions, etc.
To ask.
Five. As a means of checking logs related to maintenance work, identification information such as accessed medical records is sometimes used.
It is displayed in order of series, and which patient was accessed how many times within the specified time.
There is a mechanism to check whether or not.

63

Page 71

6.9 About taking out information and information equipment
B. Way of thinking
Recently, in medical institutions, etc., employees of medical institutions and maintenance companies have information and information equipment.
There have been cases in which information, including personal information, was leaked due to the release.
On the other hand, medical information is brought out due to the increase in home medical care, home-visit medical care, etc., and the development of mobile terminals.
It is also true that needs and opportunities are increasing.
When it comes to taking out information, it's like a laptop, smartphone or tablet.
Information recording portable media such as information terminals, CD-Rs, and USB memory can be considered. Also, get information
A terminal that handles information by accessing the server through the network without storing it (sink)
Information devices such as Liant) are also conceivable.
The first important thing is "6.2 Information security management system in medical institutions, etc."
Appropriately grasping information as described in "6.2.2 Understanding handling information" of "Practice of (ISMS)"
And carry out "6.2.3 Risk analysis".
After that, you may take out the information or information equipment that is known at medical institutions, etc.
It is necessary to distinguish whether it should be taken out or not. Carved out
After that, it is necessary to take measures against the information or information equipment that can be taken out.
If information is properly grasped and risk analysis is performed, management of such information and information equipment
The situation becomes clear. For example, permission is required for taking out information, and registration is required for information devices.
It is also a measure to grasp the management status.
On the other hand, it is stored in a portable medium and carried by a personal computer (information device) outside the jurisdiction of medical institutions such as homes.
Computer viruses and improperly configured software when handling the information
A (Winny, etc.), information may be leaked due to unauthorized access from the outside. This
In the case of, since the information device is basically the property of the individual, the handling of the information device is grasped.
It will be difficult to grasp and regulate, but it is the responsibility of the information manager of medical institutions etc. to handle the information.
There is a need to keep track of it.
For this reason, systematic measures are required for taking out information or information equipment.
And the policy of how to handle the taking out of information or information equipment as an organization
Can be said to be necessary. In addition, it is a small medical institution and has a systematic information management system.
Even if there is no information, it is expected that information will be taken out using portable media or information equipment, so there is a risk.
It is necessary to carry out an analysis and consider countermeasures.
However, it should be noted at this time that there are risks peculiar to taking out information by portable media and information devices.
Is. When taking out information, it should be done by someone who has stolen, lost, or misplaced portable media or information equipment.
The risk of carelessness and error is the vulnerability of the information system itself installed in medical institutions, etc.
Is relatively greater than the risk of.
Therefore, regarding the taking out of information or information equipment, after establishing an organizational policy, people
Further safety measures need to be taken.

64

Page 72

Log in to the information system using a laptop computer, tablet, smartphone, etc.
Even in such cases, it is desirable to use two-factor authentication. Explanations related to user identification / authentication
For points to keep in mind, refer to the description in "6.5 Technical Safety Measures".
For safety measures when using smartphones, see "Smartphone Cloud Security".
Final Report of the Liti Study Group-Measures to be implemented to use smartphones with peace of mind- "
(Ministry of Internal Affairs and Communications; June 2012) will be helpful.

In addition, although the content overlaps with the following guidelines, it is for tablet PCs and smartphones.
The following is a summary of the items to be observed when there is a problem.
-To manage the equipment itself by establishing operational management rules. Early detection of theft or loss
Of course, the existence of unnecessary apps and password settings are appropriate.
And so on must be confirmed regularly.
-It is essential to set the startup password of the terminal itself, and when using a password, the password
Do not be easily estimated and must be changed on a regular basis
I.
-If patient information is stored in the terminal, or if the patient exists at the access destination, etc.
If you can view or edit the information, set a password for the app itself that has that function.
However, if the information exists in the terminal, it must be encrypted.
・ Install other than the minimum required apps so as not to affect the functions used for business.
Don't do it. The memory management function of the OS isolates the memory so that it is not affected by other apps.
If the app can be built, it is necessary to make sure that memory isolation is possible.
is there.
-Do not use any network other than those that meet the criteria in Chapter 6.11. Especially public wireless
LAN is too risky to use. However, only public wireless LAN is available
Only in a poor environment, use in accordance with the criteria in Chapter 6.11 is permitted. Also, automatically public
Since some terminals connect to the wireless LAN, make sure to connect to the VPN when starting the business application.
If it does not stand, it is necessary to turn off the automatic connection function to the public wireless LAN.
-Business use of terminals owned or under the control of an individual (hereinafter "BYOD" (Bring)
Your Own Device). ) Should not be done in principle. Achieve the above requirements
In order to do so, it is necessary to change the OS settings of the terminal, but this function must be limited to the administrator.
Must be. Changes in settings by non-administrators can be prohibited technically or in terms of operational management.
Unless you can BYOD.
・ It is desirable to implement measures to prevent peeping.

C. Minimum guidelines

65

Page 73

1. Conduct risk analysis as an organization and carry out policies regarding the removal of information and information equipment
To be stipulated in the management rules.
2. The operation management rules shall stipulate the management method of the information and information equipment taken out.
3. Operation management rules for dealing with theft or loss of portable media or information equipment that stores information
To determine in.
4. Thoroughly inform employees, etc. of the theft and loss measures stipulated in the operation management rules, and provide education.
thing.
5. Medical institutions and information managers should be in the place of portable media or information equipment where information is stored.
To grasp the current situation by using a ledger.
6. Set a startup password, etc. for the information device. Estimate when setting
Take measures such as avoiding the use of passwords and changing passwords on a regular basis.
To do.
7. As a measure against theft, misplacement, etc., information is encrypted or accessed.
Make it difficult to read the contents, such as by setting a word.
8. When connecting the information device taken out to the network or connecting other external media
For installing computer antivirus software and personal firewall
Take measures to prevent information leakage, falsification, etc. from information terminals.
To do. When connecting to a network, "6.11 Medical care including external and personal information"
Comply with the provisions of "Safety management when exchanging information". Especially smartphones
Public wireless LAN may be available on mobile devices such as tablets and tablets
However, public wireless LANs are available because they may not meet the criteria in Chapter 6.5 C-11.
Absent. However, use is permitted only in an environment where only public wireless LAN can be used.
Melt. When using it, select a communication method that meets the criteria described in Chapter 6.11.
When.
9. For information devices that handle the information taken out, use only the minimum necessary applications.
To install. Remove applications and functions that are not used for business
Remove or stop, or confirm that there is no impact on business before using.
10. Even personally owned information devices (computers, smartphones, tablets, etc.)
When taking out and handling information on medical institutions, etc. in business, the administrator should take 1 to 5 measures.
In addition, it is the responsibility of the administrator to comply with the same requirements as 6, 7, 8 and 9 above.
That.

D. Recommended guidelines
1. Peep on the display to avoid revealing information by peeping at information devices outside
Put up an anti-sight filter, etc.

66

Page 74

2. Use a combination of multiple authentication factors when logging in to information devices and accessing information.
Being.

3. All portable media and information devices for storing information are registered, and information from unregistered devices
Prohibit taking out information.

4. If you take your smartphone or tablet out and use it, take the following measures.
・ BYOD is not performed in principle, and only the administrator can change the device settings.
When.
・ Do not put patient information in the terminal as much as possible, considering the possibility of loss or theft.
thing. If patient information exists in the terminal unavoidably, or if the terminal is used
If you can easily access the patient information, you may have entered the password incorrectly a certain number of times.
In that case, take measures such as initializing the terminal.

67

Page 75

6.10 Emergency response such as disasters and cyber attacks
B. Way of thinking
In the event of a disaster, especially in the event of a large-scale disaster, not only medical information systems but also various machines such as medical institutions
Changes occur in ability and human ability. On the other hand, in such a situation, the demand for medical care is increasing and it is flat.
In some cases, more than usual measures are required. In order to deal with such a situation as much as possible
Assuming abnormal times at all levels, formulating countermeasures, documenting, and repeating training
Is useful. Such measures are called a business continuity plan (BCP).
Large-scale natural disasters are relatively common in Japan, and many cases are accumulated. Therefore an appropriate BCP
Is possible and considered essential.
Since the BCP of all medical institutions, etc. is beyond the scope of this guideline, “6.2.3 Risk” is used here.
Emergency such as IT failure due to natural disasters and cyber attacks listed in "⑦ Medical information system" of "Analysis"
Occasionally, medical information when the medical information system cannot be used under normal conditions
Describe the BCP and points to note of the information system. However, with a part of the BCP of the entire medical institution, etc.
And consistent measures must be taken so that the provision of medical services is the highest priority.
Needless to say.
"Unusable under normal conditions" means that the system itself malfunctions or stops.
The usage environment may become unsteady.
As for the former, the medical information system is systematically damaged due to natural disasters and cyber attacks.
Due to damage, the system will be degenerate or completely shut down, leading to the provision of medical services.
This is a case where a problem is expected to occur.
As for the latter, in the event of a natural disaster, many injured and sick people will seek medical services.
Even if the medical information system is normal, it is not noticeable when working under normal access control.
This is a case where convenience may occur. The response regarding personal information protection at this time is "life, body".
It is understood that it corresponds to "when it is difficult to obtain the consent of the person for the protection of
To

(1) Business continuity plan in an emergency
It's hard to hope for proper decision-making in the midst of an emergency, so you can do it in advance.
It is advisable to prepare as many decisions as possible. Appropriately classify emergencies in advance
This is difficult, and it is desirable to verify the contents of the plan through preliminary exercises as much as possible.
The following is a list of general items related to the formulation plan and operation of the BCP.

(1) Matters that need to be known in advance as a BCP
It is necessary to publicize the countermeasures in advance and gain their trust.
・ Policy and planning
You should understand and define what is an "emergency situation".

68

Page 76

・ Emergency detection means
Disaster and failure detection function and means of confirming occurrence information
· Emergency response team contact list, contact methods and countermeasure tools
・ Documents and information that should be made public in an emergency

② BCP execution phase
After detecting the occurrence (or possibility of occurrence) of a disaster, accident, cyber attack, etc.
Judge whether BCP is executed or normal failure countermeasures, and if it is judged that BCP is executed, the person concerned
Convene, set up a countermeasures headquarters, contact related parties, request cooperation, and switch systems
/ Prepare for degeneracy. For example, standalone, disconnected from the network
It can be used or used on paper.
A communication system with the business operator that outsources the business and a tiger that is integrated with the outsourced business operator
How to deal with bulls should be clearly stated. In addition, the medical information system has failed.
If so, the competent authority should be contacted as necessary.
Specific items are "formulation of basic policy", "confirmation of occurrence events", "safety assurance / safety confirmation",
"Contacting related parties" and "Confirming the degree of impact".

③ Business resumption phase
After activating BCP, work by alternative means such as backup site and manual work
In the phase of restarting and getting on track, reliable switching to alternative methods and restoration work
Promotion, shift of human resources such as personnel, confirmation of BCP execution status, review of BCP basic policy
The point is.
Resume from the most urgent business (core business).
Specific items are "securing human resources", "securing alternative facilities and equipment", and "restart / restoration activities".
"Both" and "Countermeasures against risks newly created by risk countermeasures".

④ Business recovery phase
Further expand the scope of work after the most urgent work or function is resumed
In the phase, the scope of work will be expanded while continuing alternative equipment and alternative means, so it is currently
The point is to make a careful judgment in consideration of the confusion of the place.
Specific items are "determination of expansion range", "confirmation of impact of business continuity", and "confirmation of full recovery plan".
"Approval" and "Confirmation of restrictions".

⑤ Full recovery phase
Judgment and procedure for full restoration in the phase of switching from alternative equipment / means to normal operation
There is a risk that mistakes will cause new business interruptions, so careful response is required.

69

Page 77

Is done.
Specific items are "judgment to switch to normal operation", "reconfirmation of recovery procedure", "confirmation items"
"Maintenance" and "Summary".

⑥ Review of BCP
After returning to normal, it is necessary to consider problems and reviews related to BCP.
It is important. In a real emergency, something that would not normally be expected occurs
Not a few things. Frankly evaluate and reflect on the success points and failure points in the actual response, and BCP
It is important to review and prepare for the next emergency.

(2) Response to emergency use of medical system
① Preparation of emergency user account
Similar to measures against power outages, fires, and floods, what to do if normal user authentication is not possible
is required. Even if the medical information system can be used, the situation on the user side is steady.
Not in case you can't expect the operation by a legitimate access authority
must not. For example, in the method known as break glass, use in an emergency
Prepare a user account in preparation for medical service and restrict access to patient data
Care is taken not to cause a decrease in the cost. In break glass, emergency user
Explicit seal of the count at normal times, notification that it has entered the state of use, trace of use
Keep it, change to a new emergency user account after returning to steady state
Is the basis.

(2) Implementation of functions for emergency operation
In the event of a disaster, it is expected that people will move differently than in normal times. For example, in the event of a disaster, at the reception
If necessary, respond to emergency operations, such as considering operations that do not require patient registration.
It is necessary to implement the above functions.

The preparation of the above-mentioned emergency use response function is well known to the parties concerned and is appropriate in an emergency.
It needs to be used, but it may lead to increased risk. Careless use
Management and operation must be careful in order not to do.

(3) Emergency response in the event of a cyber attack
Medical information system infected with computer virus etc. by targeted e-mail attack etc.
In that case, it may be necessary to take the following measures. In preparation for these, contact the parties concerned
It is necessary to prepare alternative means such as means and paper operation.
-External to block the attacked server, etc. and prevent the impact on other medical institutions, etc.

70

Page 78

Temporary disconnection of network
-Isolation of the infected device to prevent the spread of infection to other devices and prevent information leakage.
・ Suspension of business system for confirmation of damage such as investigation of spread to other equipment
-Restore important files from backup when infected with malware (important)
Files should be backed up for several generations)

For the measures to be taken to prevent cyber attacks, see "6.5 Technical Safety Measures",
See “6.6 Human Safety Measures”.

C. Minimum guidelines
1. A mechanism to judge "emergency" as part of BCP to continue to provide medical services
Only, provide a procedure for returning to normal. That is, the criteria, procedures, and judgments for judgment
Decide in advance who will be cut off.
2. After returning to normal, prepare a rule to ensure data consistency while operating by alternative means.
3. Operation of information system in an emergency
-Establish a management procedure for "emergency user accounts and emergency functions".
・ If the emergency function is used, prevent it from being used improperly during steady state.
Appropriate management such as making it known to many people that it was used
And audit.
・ If an emergency user account is used, it cannot be used continuously after returning to normal.
Please change it so that it is.
・ Medical information systems are infected with computer viruses due to targeted email attacks, etc.
If so, prepare alternative means such as contacting related parties and paper operation.
4. A system for providing medical services, such as suspension of some medical services in a wide area due to cyber attacks
If any trouble occurs, contact the competent authority after judging it as an "emergency".
In addition, regardless of the above, if a failure occurs in the medical information system, it is necessary.
To contact the competent authority.
Contact Information Medical Technology Information Promotion Office, Research and Development Promotion Division, Medical Affairs Bureau, Ministry of Health, Labor and Welfare (03-3595-2430)
* Incorporated administrative agencies, etc. are based on the information security policy of each corporation.
Contact the administration department.

Information-technology Promotion Agency provides technical consultation regarding malware and unauthorized access.
We have opened a reception desk. Who is the website that received the targeted email?
If there is a risk of being tampered with, unauthorized access, etc., please use the contact information below.
It is possible to consult.
Contact Information-technology Promotion Agency Information Security Security Consultation Counter (03-5978-7509)

71

Page 79

6.11 Safety management when exchanging medical information including personal information with the outside
B. Way of thinking
In this chapter, when exchanging information with the outside of the organization, personal information protection and network security
The items that should be especially noted regarding qualities are described. Here, not only bidirectional, but one
Also includes directional transmission. As a case of exchanging medical information etc. with the outside, medical equipment in cooperation with regional medical care
Medical fees for exchanging medical information, etc. via a network in cooperation with Seki, etc. and inspection companies, etc.
Use ASP / SaaS type services that connect to examination and payment institutions via a network for billing
Workers at medical institutions, etc. use mobile terminals such as laptop computers for business purposes.
Access from the outside by patients, etc. to connect to information systems such as medical institutions as needed
It is conceivable to allow.
When exchanging medical information with the outside using a network, make sure that the source sends information to the destination.
You need to send the news, "to the person to send", "correct content", "do not snoop on the content"
Must be sent in the best possible way. That is, from the transmitting device of the transmission source to the receiving device of the transmission destination.
It is necessary to secure the above contents in the communication path between the above, and disguise the source and destination.
"Spoofing", "eavesdropping" and "tampering" with transmitted and received data, "intrusion" into communication paths
And must be protected from threats such as "jamming".
However, this guideline does not assume all of these usage scenes, but rather the net.
Regarding the network connection method when exchanging medical information through work, there are some
Describe by assuming a case. In addition, individuals in the exchange of information when the network intervenes
Information protection and network security have different perspectives, so each concept is different.
I will describe it.
Please refer to Appendix 1 and 2 when transporting information using portable media or paper.

B-1. Precautions for medical institutions, etc.
Here, among the responsibilities described in "4.2 Demarcation of Responsibilities in Entrustment and Provision", through the network
Organize points to keep in mind when transmitting medical information including medical information.
First of all, what you must be strongly aware of at medical institutions is the medical situation until information is transmitted.
The responsibility for managing the information lies with the medical institution that sent it. This is the source of the information
Information is appropriately sent from medical institutions, etc. through the network provided by the telecommunications carrier.
It is applied in a series of steps until it is handed over to Seki.
However, if organized so that there is no misunderstanding, the management responsibility here is described electronically.
It is the responsibility of the content of the information, and the content of the description and the legitimacy of the person who wrote it are maintained (authenticity).
Securing sex). In other words, "B-2. Consideration of network security to be selected" described later.
The method to be dealt with is different from "How to do it". For example, even if the same "encryption" is applied here
Is the encryption described in the above tentatively the sender by encrypting the medical information itself?
Even if there is eavesdropping of communication data on the communication path to the destination, a third party cannot read the information.

72

Page 80

Refers to the procedure to be kept. It is also possible to add an electronic signature to detect tampering.
This is one of the measures. In this way, security for the content of information is object security.
Sometimes called lit. On the other hand, "B-2. Concept of network security to be selected"
The encryption described in is the encryption of the network line route, and steals information during the transmission of information.
Refers to the treatment that is not seen. Security for information on such lines
Sometimes called channel security.
From this point of view, when information is to be transmitted at a medical institution, etc., that information
Responsibility to protect the property arises, and it is necessary to keep in mind the following points.

① Response to the risk of "eavesdropping"
This eavesdropping must be the most important consideration when transmitting information over a network.
I. Eavesdropping occurs in various situations. For example, someone is virtual in the middle of network transmission
Form a detour to steal information, or attach physical equipment to network equipment to steal
Obvious criminal acts that are not necessarily the responsibility of medical institutions, such as taking a picture, are also assumed. on the other hand,
Inappropriate settings of network equipment may cause unintended information leakage or erroneous transmission.
In such a case, it is conceivable that the medical institution will be responsible.
In the midst of these various cases, medical institutions, etc., should be in the middle of transmission.
Even if the information is stolen, or if an unintended information leak or mistransmission occurs, medical information will be provided.
Appropriate measures need to be taken to protect it. One way to do this is to encrypt medical information.
Conceivable. The encryption here is the encryption of the information itself (object) illustrated above.
It refers to security).
Transmission about what kind of encryption is applied and when to apply encryption
It depends on the confidentiality of the information to be tried and the operation method of the information system constructed by medical institutions.
Therefore, it is difficult to unconditionally specify in the guidelines, but at least information
Is encrypted at the stage when information is transmitted from facilities such as medical institutions.
Is desirable.

This eavesdropping prevention is the same when performing maintenance by remote login, for example.
To In that case, the medical institution, etc. confirms the above points with the maintenance contractor, etc. and supervises them.
Take responsible.

② Response to the danger of "tampering"
When transmitting information over a network, the legitimate content must be communicated to the destination.
Not. When information is encrypted and transmitted, the risk of falsification is reduced, but on the communication path
There is a possibility that the data will be altered regardless of intentional or unintentional factors due to the failure of
You need to be aware of that. In addition, "B-2. Network security to be selected" described later
Depending on the network configuration of "Liti's way of thinking", the information concealment machine in the network itself

73

Page 81

In some cases, the ability is insufficient, and it is necessary to take measures against tampering without fail. In addition, it should be noted.
As a method for detecting tampering, it is assumed that an electronic signature is used.

③ Response to the danger of "spoofing"
When transmitting information through a network, the medical institution, etc. that intends to send the information is the destination.
You have to make sure that your institution is the one you intended. On the contrary, with the recipient of the information
The destination institution is the one with which the medical institution, etc., from which the information is sent is surely trying to communicate.
Also, I do not have to confirm that the information sent is the information of the medical institution etc. of the sender.
Must not be. This is because the network is a non-face-to-face means of communicating information.
It is.
Therefore, for example, in order to properly identify the starting and ending institutions of communication, public key cryptography and sharing
Mutual authentication before and after entering the network using an established authentication mechanism such as a key method
It is conceivable to take measures such as In addition to preventing tampering, the sender is a legitimate sender.
Consider combining electronic signatures for medical information, etc. to confirm the origin
Be done.
In addition, when the above danger is due to a cyber attack, the response is "6.10 disaster, cyber attack, etc."
Please refer to "Emergency Response".

B-2. Network Security Concepts to Choose
In "B-1. Points to note in medical institutions, etc.", the information content is mainly an object that responds to threats.
I explained about security, but here it is a response to threats on the communication path.
Explain flannel security.
Network selection to select when exchanging medical information with the outside via a network
Regarding curity, after clarifying the demarcation point of responsibility, it is different from the points to be noted in medical institutions.
It is necessary to organize the way of thinking from the perspective of. The network here is the information of medical institutions, etc.
External network of the institution that receives information from the external network connection point of the institution that sends the information
Medical treatment from the outside, such as to the connection point, from the need for work, and to allow access from patients
Refers to the connection point that accesses the information system of the institution, etc., and is configured inside the medical institution, etc.
LANs that are used are not covered. However, even in "4.2 Demarcation of Responsibilities in Entrustment and Provision to Third Parties"
As mentioned, it is not intended due to the network configuration and route design of the medical institution to which it is connected.
It is your responsibility to be aware of and confirm the potential for information leaks.
When configuring a network for exchanging medical information with the outside via a network,
However, medical institutions need to sort out the confidentiality of the information they are trying to exchange. Basically medical
When exchanging information, reliable security measures are indispensable, but for example, the reservation system
Excessive security measures for non-confidential information such as revisit appointment information handled by
If applied, it will result in high cost and unrealistic operation. In other words, for information security

74

Page 82

It is necessary to analyze the situation and select an appropriate network for cost and operation.
To After implementing this arrangement, the responsibility for security in the network lies on the net.
Whether to become a business provider of work, a medical institution, etc., or to share the responsibility of both parties
It is necessary to clarify in the contract etc. The way of thinking at that time is roughly categorized into the following two types.
Is done.

・ Line operators and online service providers are responsible for security on network routes.
If you want to keep
Of the network services provided by line operators and online service providers,
Networks provided by these operators in a form that guarantees security on the network
It is a connection form, and most of them are closed network connections described later. Also, now
Even with an open network connection, the communication path like the Internet-VPN service is dark
There are also services provided by telecommunications carriers as networked networks.
In the case of such a network, medical institutions for security on the communication path
Etc. can outsource most of their management responsibilities to these businesses. Of course, at your own medical institution, etc.
In the meantime, pay the duty of due care of a prudent manager and comply with the rules of organizational, physical, technical and human safety management.
You must confirm the safety management of the system of your own medical institution.

・ Line operators and online service providers are responsible for security on network routes.
If you do not keep
For example, network connection devices after mutual agreement between medical institutions using the Internet
Is conceivable to introduce and connect both. In this case, security on the network
On the other hand, the line operator and the online service provider are not responsible. Therefore, above
In addition to the above-mentioned safety management, appropriate management of installed network connection equipment and appropriate communication route
Those who have to take measures such as encryption and do not have accurate knowledge of the network
Take all possible measures to prevent medical information from being threatened by easily building a network
Need to be done.
Therefore, in addition to network connection devices installed at the source and destination of information, medical devices
Information terminals installed in Seki, etc., functions installed in the terminals, and users of the terminals, etc.
It is necessary to establish a means to surely confirm. In addition, between institutions that exchange information
Conclude a contract regarding the handling of information, connect to the telecommunications carrier (in case of a threat)
Creation of stricter operation management rules than when entrusting security on the work path, dedicated
The appointment of a person in charge must also be taken into consideration.

In this way, a place where medical information is exchanged through a network at medical institutions, etc.
In that case, the network should be established after understanding the ideal demarcation point of responsibility from the viewpoint of the service form provided.

75

Page 83

It is necessary to select. Also, understand the characteristics of the security technology you choose and accept the risk.
It is necessary to explain the risk to patients, etc. from the viewpoint of accountability as necessary after recognizing the surroundings.
There is a need.
Since there are various types of services provided by the network, we will discuss some cases thereafter.
Assuming that points to keep in mind are described.
In addition, among the assumed cases, so-called mobile phones, PHS, portable computers, etc.
When connecting from the outside such as a medical institution using a bail terminal etc., with the mobile terminal to be used
Since there are multiple connection types depending on the network connection service and its combination,
In particular, the idea is to set up "III When connecting from outside a medical institution using a mobile terminal, etc."
Is organized.

I. When connecting in a closed network
The closed network described here is a dedicated network network specialized for business.
Refers to. In the case of this connection, a network that is not connected to the so-called Internet
It is defined as being used as a network. Connection format that provides such a network
There are "(1) leased line", "(2) public network", and "(3) closed IP communication network".
Since these networks are basically not connected to the Internet, they are in communication.
The risk of "eavesdropping", "intrusion", "tampering", and "jamming" is relatively low. However, "B-1. Medical institutions, etc."
The risk of eavesdropping of information by the physical method described in "Notes on" cannot always be denied.
Therefore, it is necessary to consider the encryption of the information itself to be transmitted. Also, Will
Appropriately apply the pattern definition file of the countermeasure software and the security patch of the OS, etc.
Consideration is also required to ensure the safety of the computer system.
The features of each connection method will be described below.

① When connected by a dedicated line
A leased line connection is a contract that is always connected while maintaining network quality between two points.
It is a network connection dedicated to about institutions. Network quality and communication speed depending on the carrier
Since the degree (hereinafter referred to as "bandwidth") is guaranteed, a large amount of information and content are always connected between bases.
It is used when transmitting a large amount of information.
However, although it can be said that the quality is high, the network connection form is poorly expandable.
In general, since it is a high-cost connection form, the information exchanged when introducing it
It is necessary to determine the balance between importance and the amount of information.

76

Page 84

Figure B-2-① When connected by a dedicated line

② When connected by a public network
Communication with public networks such as ISDN (Integrated Services Digital Network) and dial-up connection
It refers to a connection form that connects using a public line via a switch.
However, the connection assumed here is an Internet service provider (hereinafter referred to as "ISP").
A method in which the source of information specifies a telephone number as the destination and connects directly, not the method of connecting to
Is. When connecting via an ISP, the so-called Internet connection is made after the ISP.
Therefore, as the requirements to be met, see "II. When connecting with an open network" described later.
Apply.
In the case of this connection form, the network connection is established by dialing directly to the connection destination.
If you introduce a mechanism such as confirming the phone number before establishing a network connection, you can be sure of the connection destination.
Can communicate with.
On the other hand, there is a risk of erroneous connection and transmission due to not using the mechanism to confirm the phone number.
There is, it is not as expandable as a dedicated line, and it is compared with the current broadband connection.
Since the communication speed is slow, it is not suitable for transmitting a large amount of information or large-capacity information such as images.
Therefore, it is necessary to properly determine the scope of application.

Figure B-2-② When connected by a public network

③ When connected by a closed IP communication network
The closed IP communication network defined here is a wide area network and medical equipment owned by the telecommunications carrier.
The communication line that connects to the communication equipment installed in Seki, etc. is shared with other network services, etc.
A connection method that is not used. This kind of connection service is IP-VPN in this guideline.
(Internet Protocol-Virtual Private Network), as a closed network

77

Page 85

handle. A connection form that does not conform to this shall be an open network connection. Main usage
As a state, when constructing an information sharing network between head offices and branches between companies, including remote areas
It is often used like an in-house LAN, and the responsible entity is used as a single entity.
This connection method can be introduced at a lower cost than the connection by a dedicated line. Also, the obi
Since the area can be secured depending on the contract type and the type of service, a large amount of information and a large amount of information can be secured.
It is possible to transmit information.

Figure B-2-③-a When connected by a closed network provided by a single carrier

Figure B-2-③-b When multiple closed networks are interconnected and connected in the middle

With the above three closed network connections, in a closed network
There is no possibility of intrusion from the outside, and in that sense it is highly safe. Also of different carriers
There may also be a form in which closed networks are connected to each other via a connection point.
When interconnected via a connection point, once to deliver the source information to the destination
The destination of the transmitted information may be interpreted at the connection point or new information may be added. This
At that time, it cannot be said that there is a possibility that the contents of the information may be accidentally leaked. There is a telecommunications business law,
Even if it is accidentally leaked, it is unlikely that it will spread further, but from the perspective of the confidentiality obligation of medical staff.
Must be avoided from. In addition, connecting to a closed IP communication network from a medical institution, etc.
In general, the degree of ensuring safety may change at the point of demarcation of responsibility, so special attention is required.
These connection services are encrypted for the information that is commonly sent.
Not in. Therefore, even if a closed network is selected, "B-1. Medical device"
The content cannot be read by encrypting the information to be delivered in accordance with "Notes on Seki, etc."
In this way, it is necessary to take measures such as introducing a mechanism that can detect tampering.

78 78

Page 86

II. When connected by an open network
This is the so-called Internet connection form. From the current spread of broadband,
By using an open network, introduction costs can be reduced, and a wide range of regional medical cooperation can be achieved.
It is conceivable that the range of use will expand, such as by building a mechanism. in this case,
There are various threats such as "eavesdropping", "intrusion", "tampering", and "jamming" on the communication path.
It is essential to implement appropriate security measures. Also, the encryption of medical information itself
Measures must be taken. That is, in line with the concept of object security
It is necessary to take measures.
However, as mentioned at the beginning of B-2, even when connecting with an open network,
Line operators and online service providers network to counter these threats
The service may be provided in a form that guarantees security on the route. Medical institutions etc.
When using such services, most of the management responsibility on the communication path is entrusted to these operators.
I can entrust you. Therefore, it is also possible to use it after clarifying the demarcation point of management responsibility in contracts etc.
is there.
On the other hand, medical institutions, etc. use their own open networks to include external and personal information.
When exchanging medical information, most of the management responsibility is entrusted to medical institutions, etc., so medical institutions
It is necessary to introduce it at the discretion of. In addition, we guarantee technical safety at our own risk.
It means that you have to do it, and you need to keep that in mind.
Security Thoughts on Network Paths When Using Open Network Connections
Of the 7 layers defined in the "OSI (Open Systems Interconnection) hierarchical model *",
It depends on the level of security. Based on the OSI hierarchical model
For more information on security on the network path, see "Safety management of medical information systems.
Report on Implementation Cases of "Guidelines for" (Health / Medical / Welfare Information Secure Net
The Network Infrastructure Promotion Consortium: HEASNET; February 2007) will be helpful.

* OSI hierarchical model (Open System Interconnection)
An international standard protocol that enables cross-species interconnection by interconnecting open systems.

For example, when using SSL-VPN, the route is located in the 5th layer called the "session layer".
Since the encryption procedure is performed, there is no problem if the route is encrypted correctly, but the route is encrypted.
There is an inherent risk of eavesdropping and the construction of inappropriate routes in the process of eavesdropping. Also to a fake server

79

Page 87

As a general rule, it should not be used in medical information systems because many measures are inadequate.
On the other hand, when IPsec is used, it is called the "network layer" of the second or third layer.
It is less dangerous than SSL-VPN because the route encryption procedure is performed in the layer below the part,
It is called IKE (Internet Key Exchange) for exchanging encryption keys to encrypt the route.
It is necessary to ensure its safety by combining standard procedures.
In addition, the Internet is not guaranteed by VPN connection using IPsec.
Other medical institutions and patients connect to the medical information system through an open network such as
If so, HTTPS encryption is required. But nowadays there is a prototype in SSL / TLS
There have been a series of reports of attacks that exploited vulnerabilities in col and software, and SSL / TLS is used appropriately.
Otherwise, even if HTTPS is used for the connection, security cannot be ensured. Use SSL / TLS
Created by CRYPTREC and published by Information-technology Promotion Agency as an appropriate setting method.
Guidance was given in the "SSL / TLS encryption setting guideline". SSL / TLS Cryptography Configuration Guide
By setting the settings shown in "Line", you can secure a certain level of security from known attacks on SSL / TLS.
Can be secured. "SSL / TLS encryption setting guideline" defines three levels of setting criteria
By reflecting the "high security type" setting, which has the highest level of security.
It is necessary to reduce the risk of attacks on SSL / TLS. In addition, one of the "high security type" settings
As the available protocol version should be limited to TLS1.2, the server class
Note that it is imperative that both Iants support TLS1.2. in addition,
In the case of an open network, there is a risk of being connected from an unspecified terminal, so countermeasures
As one, it is necessary to perform TLS client authentication.
In addition, when connecting via an open network, software-based IPsec or TLS 1.2
Even if the session itself is safe, other open network sessions live together
Therefore, devices and systems connected to the network are exposed to attacks such as targeted emails.
There is a risk of being affected. Temporarily, terminals, etc. that connect to the network due to such attacks are round.
When infected with ware and remote control is possible, it is legitimate to a session by IPsec or TLS1.2.
Access can occur.
Therefore, the software type IPsec and TLS1.2 high security type are adopted, and the end
Times between sessions, if there are open ports to the open network at the end
From attacks such as sneaking in (access to closed sessions that are not legitimate routes)
Appropriate measures need to be taken for protection.
For software-type IPsec and TLS 1.2 connections, you can set the appropriate route settings.
It is possible to avoid wraparound between the two. General Incorporated Association Health, Medical and Welfare Information Safety Management Suitable
IPsec + IKE service for online billing of receipts to payment funds, etc. by the Association for Evaluation of Compatibility (HISPRO)
The "Bis" checklist item collection will be helpful.
* Checklist items for "IPsec + IKE service for online billing of receipts to payment funds, etc."
http://www.hispro.or.jp/open/pdf/200909OnRece%20koumoku.pdf

80

Page 88

In this way, various security technologies are available when using an open network connection.
Since the existing and inherent risks also differ depending on the technology used, it is suitable for medical institutions to use.
Therefore, it is necessary to thoroughly consider the risk at the time of introduction to determine the range of risk acceptance. In addition, it should be noted.
SSL / TLS through daily coverage of security incidents and information provided by businesses
It is necessary to be careful and aware of the risk of such vulnerabilities. Also, in many cases,
When the network is introduced, it will be outsourced to a business operator, etc., but at that time, ask for an explanation of the risk and understand it.
It is also necessary.

Figure B-2-④ When connected via an open network

III. When connecting from the outside such as a medical institution using a mobile terminal etc.
Here, mobile phones / PHS, laptops, smartphones, tablets, etc.
Connect to the internal network of a medical institution from the outside such as a medical institution using a loose mobile terminal
Organize the security requirements when doing so.
For external connections, use the maintenance purposes described in "6.8 Information System Modification and Maintenance".
Business access by staff of access, medical institutions, etc., as well as medical information for B-3 patients, etc. in this chapter
Access from patients, etc. described in "Concept of network when providing information, etc."
Various cases are assumed.
Therefore, the connection service between the mobile terminal and the network used in the actual connection
And clearly identify which of the connection types described in this chapter corresponds to their combination.
Is important.
When connecting to an internal network such as a medical institution from the outside, the connection form currently available
A bird's-eye view is shown in Figure B-2-⑤.

81

Page 89

Figure B-2-⑤ Connection form in mobile environment

As shown in Fig. B-2-⑤, the connection form can be categorized into the following three systems. (Circles in parentheses
Each character corresponds to Figure B-2-⑤)

1) When dialing up directly via the public network (telephone network) (①, ②)
2) When connecting via the Internet (③, ④, ⑤)
3) When connecting via a closed network (IP-VPN network) (⑥, ⑦, ⑧, ⑨)

Here, "I. When connecting with a closed network" and "II. Open" in this chapter.
Indicate which case is applicable as explained in "When connecting with a network", and each
Summarize the security considerations in the case.

82

Page 90

1) When dialing up directly via the public network (telephone network)

Figure B-2-⑥ Connection form in mobile environment (via public network)
① is a place with a normal telephone line such as home or hotel, connect the mobile terminal to the telephone line,
This is a case of dialing up directly to an access point provided in a medical institution or the like.
② is a communication car that uses a mobile phone / PHS or its carrier wave instead of the telephone line in ①.
It is a case for connecting to a mobile phone / PHS network by attaching a device to a mobile terminal. ① and ② are mobile phones
There is a difference whether or not it goes through the PHS network.
In both cases, "② Connect via public network" in "I. When connecting via a closed network"
The security requirement must apply the description there, as it corresponds to "if it has been".
There is a need. It is relatively safe because it goes through a closed network.

83

Page 91

2) When connecting via the Internet

Figure B-2-⑦ Connection form in mobile environment (via the Internet)
③ is a place with a normal telephone line, such as your home or hotel, and connect your mobile terminal to the telephone line.
Dial up to the access point of your Internet service provider and inter
This is a case of connecting to an access point such as a medical institution via the Internet.
④ is an internet connection to your home, hotel, etc. instead of the telephone line in ③.
This is a case of connecting using a LAN where there is a face. Wired LAN as LAN
In some cases, wireless LAN is used instead. Connection using so-called public wireless LAN is also available
Included in the form of.
⑤ is a service provided by service providers such as mobile phones and PHS via mobile phones and PHS networks.
This is a case of connecting to the Internet using a screw.
In all cases (3) to (5), in "II. When connected by an open network"
Equivalent to. Therefore, security requirements need to apply the description there. Oh
Since it goes through a puny network, the of the above mentioned in "B-1 Precautions for medical institutions, etc."
Measures are needed to ensure project security and channel security.
In all of these cases, the operator must connect using his / her own mobile terminal.
However, using the terminals provided in so-called Internet cafes, etc., in medical institutions, etc.
There may be cases where information is accessed. Such an access method is risky.
Regarding whether medical institutions, etc. allow such access forms as an organizational policy,
Careful consideration is required.

84

Page 92

3) When connecting via a closed network

Figure B-2-⑧ Connection mode in mobile environment (via closed network)
Both ⑥ and ⑦ call mobile terminals at homes, hotels, and other places with regular telephone lines.
Connect to the line and dial to the access point of the service provider of the closed network
This is a case of connecting to an access point such as a medical institution via a closed network.
⑥ is very similar to ⑦, but once ⑥ dials up, it is an open network (a)
While going through the provider that provides the Internet), in ⑦, the closed network is used.
The difference is that you dial up directly to the provider you provide.
⑧ is an internet connection to your home, hotel, etc. instead of the telephone line in ⑥.
This is a case of connecting using a LAN where there is a face. Variation of this case
In some cases, wireless LAN is used instead of wired LAN as LAN, so Iwayu
Public wireless LAN, etc. are also included in this case.
⑨ is a case of connecting to a closed network via a mobile phone / PHS network. This place
The connection from the mobile phone / PHS network to the closed network is made by the mobile phone / PHS service provider.
It is a service provided by the company.
In both cases, "③ Closed IP communication network" in "I. When connecting with a closed network"
Since it corresponds to "when connected by", the security requirement applies the description there.
There is a need to. It is relatively secure because it goes through a closed network.
However, in cases ⑥ and ⑧, the network is open by the time it reaches the closed network.
Because it goes through the Internet, some service providers have channels between them.
Security may not be ensured. Closed network to ensure channel security

85

Page 93

When configuring a network in anticipation of adopting a network, contact the service provider in advance.
You need to check your contract carefully to ensure channel security.
is there.
In addition to the security requirements related to mobile connection types as described here, medical care
There is a risk peculiar to the act of accessing information outside the institution.
For example, management risks such as theft or loss of mobile devices containing confidential information, and further
Risk of confidentiality leakage due to peeping from others by browsing information in public places
And so on.
This is described in detail in "6.9 About taking out information and information equipment".
Please refer.

B-3 Thinking about external access by employees
Employees of medical institutions, etc. access medical information systems from home, etc., including telework
It is possible to allow that. Network safety management requirements in such cases
As already mentioned, the safety management of devices such as PCs used for access is also important, and it is a personal PC.
Even if it is an unmanaged terminal, technical measures must be taken to enable certain safety management.
Absent. In addition, the safety management of equipment used for access from the outside shall be stipulated in the operation management rules.
Is important, but there are three things to consider.

・ Even if it is a PC, etc., a certain amount of knowledge and skills are required to confirm its safety management measures.
It is difficult to demand that knowledge and skills from staff.
・ Appropriate luck to explain that what is stipulated in the operation management regulations is being implemented reliably
It is necessary to inspect and audit for the purpose, but it is not possible to inspect and audit the status of access from the outside.
Usually difficult.
・ Used by private PCs that are beyond the control of medical institutions and, in extreme cases, by an unspecified number of people
When using a PC, of ​course, use equipment under the control of medical institutions, etc. as needed.
Even if it is used, it may be affected unexpectedly if it is used in a different environment.

Therefore, although it should not normally be done, it is possible to deal with overwork of medical staff due to a shortage of doctors, etc.
If it is unavoidable to do so, create a virtual safety-managed environment in the work environment of the PC.
Technologies such as virtual desktops realized in combination with VPN technology are widespread, and these
It is important to consider the introduction of the system, and the requirements for operation, etc. are also required to be quite strict.
To

B-4. Concept of network when providing medical information to patients, etc.
While disclosure of medical information is progressing, medical information is provided to patients (or family members, etc.) via the network.

86

Page 94

There is also the possibility of providing or browsing medical information in medical institutions. This guider
Inn envisions the exchange of medical information between medical institutions, etc., but provides information to patients.
The situation is fully expected. Here, I will touch on the way of thinking at that time.
The principle of the way of thinking here is that the medical institution, etc. implements it by itself with the consent of the patient, etc.
In the case of providing information, the business operator entrusted with the external storage of medical records and medical records has its own information.
No information should be provided.
When providing medical information to patients via a network, be aware of it first.
What must be said is that there is a big difference between the security knowledge of patients who browse information and the environment.
That is to say. Also, once the information is provided, the responsibility lies not with the medical institution, etc.
It also occurs in patients. However, as long as there is a big difference in security knowledge, we will provide information.
The medical institution, etc. will fully explain the danger until the patient, etc. is satisfied, and clarify the purpose of the provision.
Responsible. In addition, in the unlikely event that an accident such as an information leak occurs due to lack of explanation,
We must recognize that we cannot escape that responsibility.
Providing information to patients, etc. in the form of network connection such as a dedicated line as described above.
Is not realistic because patients need to lay a dedicated line at home, and it is used for provision.
As a network, it is generally via an open network. This place
In that case, the risk of eavesdropping is extremely high, and the patient should be referred to a technique to avoid the risk.
Is also difficult.
Basic points to be noted in medical institutions, etc. have already been described in Chapter 4 and B-1, but open
Since it is a network connection, security measures that consider both utilization and safety are essential.
Is. In particular, medical institutions, etc. through computer systems that disclose information to patients, etc.
Turn off the system and applications to prevent unauthorized intrusion into the internal system of
It is necessary to separate them. Therefore, firewall, access monitoring, TLS darkness of communication
It is necessary to use technologies such as numbering and PKI personal authentication.
In this way, when providing information to patients, etc., only network security measures
Not only security measures for internal information systems such as medical institutions, patients who are the subject of information, etc.
A wide range of information including the dangers, convincing explanations of the purpose of provision, and various legal grounds related to non-IT.
It is necessary to take appropriate measures and clarify their responsibilities before implementing them.

C. Minimum guidelines
1. 1. Measures to prevent tampering such as message insertion and virus contamination in the network route
To do.
Prevent password eavesdropping and text eavesdropping by crackers on the route between facilities
Take measures.
Take measures to prevent spoofing such as session hijacking and IP address spoofing.
As a measure to satisfy the above, secure by using, for example, IPsec and IKE

87

Page 95

Securing a communication path can be mentioned.
Network with the expectation of adopting a closed network to ensure channel security
When configuring the service, check with the operator about the range of closedness of the service to be selected.
When.
2. At the data source and destination, the entrance / exit of the base, the equipment used, the functional unit on the equipment used,
It is necessary to confirm the other party in the necessary units such as users. Communication method and luck to be adopted
Determine the authentication method to be adopted according to the management rules. PKI is used as the authentication method
Authentication, key distribution like Kerberos, use of pre-distributed common key, one-time performance
It is desirable to use a method that is not easily deciphered, such as Seward.
3. 3. Preventing spoofing of authorized users and spoofing of authorized devices in the facility
Take measures. This is comprehensively described in "6.5 Technical Safety Measures".
See it.
Four. For network equipment such as routers, use equipment whose safety can be confirmed, and use the roux in the facility.
Route setting so that transmission and reception cannot be performed between VPNs that connect different facilities via data.
is being done. Equipment whose safety can be confirmed is defined by, for example, ISO15408.
A statement that specifies a security target or similar security measures
A book that can be confirmed to comply with this guideline.
Five. Security such as encryption of the information itself between the sender and the other party
Take measures. For example, using SSL / TLS, using S / MIME, for files
Measures such as encryption can be considered. At that time, the e-government recommends the encryption key
Use a cryptographic one.
6. Information communication between medical institutions is not limited to medical institutions, but also telecommunications carriers and systems.
Many organizations such as integrators, outsourced operations, and equipment maintenance companies that perform remote maintenance
Is related. Therefore, regarding the following matters, the responsibility demarcation points and responsibilities of these related organizations
Clarify the location of the item in a contract, etc.
・ Timing to send medical information including medical information to the destination medical institution, etc.
Determining the action to start the operation related to the information exchange of the ream
・ What to do if the source medical institution cannot connect to the network
・ What to do if the destination medical institution cannot connect to the network
-What to do if there is a interruption or significant delay in the middle of the network route
・ What to do if the stored information received by the destination medical institution cannot be received correctly
place
・ What to do if there is a problem with the encryption of transmission information
・ What to do if there is a problem with the authentication of the source medical institution, etc. and the destination medical institution, etc.
・ Responsibility to isolate the damaged part when a failure occurs
・ What to do when the sending medical institution or the sending medical institution cancels the information exchange

88

Page 96

In addition, even within medical institutions, the following matters are stipulated in contracts and operation management rules.
To do.
・ Clarification of management responsibilities for communication equipment, encryption equipment, authentication equipment, etc. (management to external businesses)
When outsourcing, organize the responsibility including the demarcation point and conclude a contract)
・ Clarification of accountability for patients, etc.
・ Restoration work in the event of an accident ・ Dedicated manager for contacting other facilities and vendors
Installation
・ Clarification of management responsibility and post-responsibility for exchanged medical information (handling of personal information)
To the medical institution of both the sender and the recipient when there is an inquiry from the patient
Matters concerning contact and confidential matters regarding the handling of personal information in that case)
7. 7. Appropriate access points as needed for remote maintenance
Prevent unnecessary login by setting, protocol limitation, access authority management, etc.
To stop.
For maintenance itself, refer to "6.8 Information System Modification and Maintenance".
8. 8. Against threats when concluding contracts with line operators and online service providers
Check if there are any problems with the scope of management responsibility and quality such as line availability.
Also, make sure that the above 1 and 4 are satisfied.
9. If you want the patient to view the information, use the computer system that publishes the information.
To prevent unauthorized intrusion into the internal system of medical institutions, etc.
And application isolation, firewall, access monitoring, communication TLS
Take measures using technologies such as encryption and PKI personal authentication. Also, the subject of information
Provide a convincing explanation about the danger and purpose of provision to the patient, etc.
Establish a wide range of measures, including legal grounds other than those, and clarify their responsibilities.
Ten. Use IPsec when connecting over HTTPS over an open network
SSL / TLS unless security is guaranteed by VPN connection etc.
The protocol version of is limited to TLS1.2 only, and the client certificate is used.
Perform the TLS client authentication used. At that time, the TLS setting is set to server / class.
The most secure level specified in the "SSL / TLS encryption setting guidelines" for both Iant
Make appropriate settings according to the high security type. So-called SSL-VPN
As a general rule, do not use because many of them have insufficient countermeasures against fake servers. Also,
When connecting by software-type IPsec or TLS1.2, the number of times between sessions
Attacks by sneaking in (access to closed sessions that are not legitimate routes)
Take appropriate measures to protect against.

89

Page 97

D. Recommended guidelines
1. 1. If it is unavoidable to allow employees to access from the outside, the work environment of the PC
Virtual death that realizes a virtually secure environment inside in combination with VPN technology
Use technology such as Ktop and set requirements such as operation.

90

Page 98

6.12 Regarding the electronic signature of the name and seal stipulated by law
A. Institutional requirements
An "electronic signature" is an electromagnetic record (electronic, magnetic, or otherwise recognized by human perception.
It is a record made by a method that cannot be understood and is used for information processing by a computer.
It means what is done. same as below. ) Is a measure taken for information that can be recorded in
Anything that meets any of the following requirements.
(I) To show that the information is related to the creation of the person who took the measure.
There is.
(Ii) It is possible to confirm whether or not the information has been altered.
There is.

(Act on Digital Signature and Authentication Business (Act No. 102 of 2000), Article 2.1)

B. Way of thinking
In April 1999, "In the electronic medium of medical records and medical records for which preservation obligations are stipulated by law.
Documents, etc. that are required to be signed or signed / stamped by law in "Notice Concerning Preservation by Law"
Is in an undeveloped state of the "Act on Digital Signatures and Authentication Business" (hereinafter referred to as the "Electronic Signature Act").
Because it was, it was excluded from the target.
However, the Electronic Signature Law was enacted in May 2000, and medical services are covered by the e-Document Law.
For documents, etc. designated by the Ordinance of the Ministry of E-Document Law as related documents, etc., "A. Institutional requirements"
Create and save by applying an electronic signature instead of a name / seal with the electronic signature shown in "Section".
Is now possible.
However, for medical documents, etc., it is necessary to be able to verify the signature with reliability for a certain period of time.
is there. Unlike signatures on paper media and signatures / seals, electronic signatures are one of "A. Institutional requirements".
Second, while it is possible to rigorously verify, the expiration date of digital certificates, etc. has expired or expired.
If so, there is a feature that it cannot be verified. In addition, it is the technical basis for digital signatures.
Cryptography technology is becoming more and more vulnerable as cryptanalysis methods and computer computing speeds progress.
In the future, it is also required to shift to a stronger cryptographic algorithm. For example, currently electronic
RSA 1024bit, which is a commonly used encryption method for signing, and SHA1, which is a hash function, are government aircraft.
The transition schedule from Seki's information system has been decided, and information security in April 2008
"Cryptographic algorithms used in government information systems" decided by the Policy Council
Based on "Transition Guidelines for SHA1 and RSA1024" (revised in October 2012), RSA has been implemented since 2014.
The transition to 2048bit and SHA2 is underway.
Therefore, when giving an electronic signature, these points should be taken into consideration, and the validity period and revocation of the digital certificate should be taken into consideration.
In addition, regardless of whether the encryption algorithm is weakened or not, the electronic signature is digitally signed for a certain period such as the legal retention period.
It is necessary to be able to continue the verification of. In addition, the target documents are subject to administrative oversight, etc.

91

Page 99

It is necessary that the child signature can be verified by an administrative agency. In recent years, digital time stamping technique
The standardization of the long-term signature method using the technique has progressed, and it has become possible to continue long-term signature verification.
Long-term signature profile of JIS X 5092: 2008 CMS Digital Signature (CAdES)
Il, JIS X 5093: 2008 XML Signature Utilization Electronic Signature (XAdES) long-term signature profile).
In the long-term signature method, signature verification can be continued by the following.

・ The time stamp given to the signature guarantees the signature time (time star given to the signature)
Prove that the signature existed before the time of completion).
・ Store verification information (related certificates, revocation information, etc.) at the time of signing.
-A stronger encryption is added by adding a time stamp to the entire signature target data, signature value, and verification information.
Protect the whole with rugorism.

Some medical information has a long-term retention period of 5 years or more, and system updates and verification systems
From the viewpoint of compatibility, it is desirable to use standard technology. Therefore, for example, the above-mentioned mark
To be able to continue to verify digital signatures for the required period using quasi-technology.
is important.

Furthermore, regarding medical documents, etc., not only the validity of the signature, but also the medical doctor, like the prescription.
There are also documents that require confirmation of national qualifications such as teachers. In that case, health, medical and welfare
It is also necessary to confirm national qualifications in the field.

C. Minimum guidelines
For documents, etc. that are required to be signed or signed / stamped by law, the name / stamp is made an electronic signature.
When replacing, it is necessary to digitally sign the following conditions.

(1) Health, medical and welfare field PKI certification authority or
Digitally sign using an electronic certificate issued by a certified specific certification business operator, etc.
1. 1. Health, medical and welfare field The PKI certification authority is related to health, medical and welfare of doctors, etc. in the electronic certificate.
It stores qualifications and is built as an authentication platform to prove the qualifications. Obey
It is recommended to utilize the electronic signature issued by the PKI Certification Authority in the field of health, medical care and welfare.
Will be done.
However, all persons who must verify the electronic signature include national qualifications.
It is necessary to be able to verify the electronic signature correctly.
2. Do not use an electronic certificate issued by a certified specified certification business operator based on the provisions of the Electronic Signature Law.
It is possible to meet the requirements of A at most, but we will verify your identity with the same rigor.
Furthermore, it is necessary for the administrative agency that monitors, etc. to be able to verify the electronic signature.

92

Page 100

3. 3. "Act on Certification Business of Local Public Organization Information System Organization for Electronic Signatures, etc."
Based on (Law No. 153 of 2002), it started on January 29, 2004.
It is possible to use the public personal identification service, but in that case, other than the government agency
Anyone who has to verify the digital signature uses the public personal identification service
It is necessary to be able to verify the digital signature.

(2) Add a time stamp to the entire document including the electronic signature.
1. 1. The time stamp is "Guidelines for Time Business-Safe Use of Network"
For safe long-term storage of electronic data- "(Ministry of Internal Affairs and Communications, November 2004), etc.
Certified by the Japan Data Communication Association in accordance with the standard of time certification business
A third party can verify the time stamp using the one of the time authentication company that has been used.
Being possible.
2. Take measures to keep the time stamp valid during the legal retention period.
3. 3. Regarding the use of time stamps and long-term storage, we will continue to provide notifications and guidelines from relevant ministries and agencies.
It is necessary to take appropriate measures while paying attention to the contents, standard technology, and related guidelines.
To

(3) Use a valid digital certificate at the time of giving the above time stamp.
1. 1. Of course, the digital signature must be done using a valid digital certificate.
Originally, the legal retention period requires that the electronic signature itself can be verified, but Thailand
If the stamp can be verified, it is proved that there is no fact of modification including the electronic signature.
Therefore, if the electronic signature can be verified at the time of adding the time stamp, the electronic signature
It is possible to verify the effectiveness at the time of grant. Specifically, the electronic signature is valid
While, the information required to verify the digital signature (related digital certificate and revocation information)
Etc.), and time stamp the entire document along with the document to be signed and the signature value.
It is necessary to take measures such as granting.

93

Page 101

7 Requirements for electronic storage

* The provisions of this chapter are described in Chapters 7 and 9 in "3.1 Documents subject to Chapters 7 and 9".
It is applied when electronically storing documents, etc. listed as the target of.

In order to electronically store documents that are legally obliged to be stored, it is necessary to use daily medical care and audits.
In addition, it must be ensured that digitized documents can be handled without any problems.
Eh, the accuracy of the content is also required to have a level of evidence in proceedings, etc.
Is done. Incorrect medical information is related to the life and death of the patient, so the digitized medical information is correct.
Maximum effort is required to ensure accuracy. In addition, about the retention period of documents related to medical treatment
Is stipulated in various laws and regulations, and must be stored safely for a specified period of time.
I.
Authenticity, readability and preservation are the requirements for electronic preservation of these legally obligatory documents, etc.
Three criteria for ensuring sex are presented. Responding to those requirements is both operational and technical
You need to do it yourself. If the emphasis is on either the operational or technical aspects, the requirements are high for the high cost.
Is not fully satisfied, or it is assumed that only annoyance will be recruited, so the difference between the two
It is important to take comprehensive measures that can be taken care of. Each medical institution, etc. is responsible for the scale of its own institution and each department.
After carefully assessing the characteristics of the stem and existing system, the operational aspects and techniques that most effectively meet the requirements
Please consider the surgical measures.

7.1 Ensuring authenticity
A. Institutional requirements
Regarding the matters recorded in the electromagnetic record, modification or modification of the matters during the period to be preserved
Take measures to confirm the existence of the fact of erasure and its contents, and the electromagnetic record
Clarify the responsibility for creating the record.
(E-Ministerial Ordinance of Document Law, Article 4, Paragraph 4, Item 2)

② Ensuring authenticity
Regarding the matters recorded in the electromagnetic record, modification or modification of the matters during the period to be preserved
Take measures to confirm the existence of the fact of erasure and its contents, and the electromagnetic record
Clarify the responsibility for creating the record.
(A) Prevent false input, rewriting, erasure and confusion due to intentional or negligence.
(B) Clarify the responsibility for creation.
(Enforcement Notice No. 2 2 (3) ②)

"Must meet the criteria for ensuring the authenticity, readability and preservation of records such as medical records.

94

Page 102

thing. "
(External Preservation Amendment Notification No. 21 (1))

B. Way of thinking
Authenticity means false entry, rewriting, erasure and deletion of records created with legitimate authority.
The confusion is prevented, and the responsibility for the creation is clear from the perspective of a third party.
In addition, confusion means that the patient is mistakenly recorded, or the relationship between the recorded information is incorrect.
It means to do.
In addition, when saving to the outside through the network, the outsourcer's medical institution, etc.
To prevent medical records from being rewritten or deleted during transfer to an external storage facility, and with other information
Care must be taken not to cause confusion.
Therefore, when saving to the outside of a medical institution through the network, save to the medical institution etc.
In addition to ensuring authenticity when doing so, we must also be aware of network-specific risks.
I.

B-1. Prevent false input, rewriting, erasure and confusion
When electronically storing documents that are obliged to be stored, the system administrator who carries out electronic storage is correct.
Digitized medical information, etc. is erroneously entered, rewritten or deleted without going through proper procedures or due to negligence.
And it is necessary to take measures to prevent being confused. Also, the medical record in the system
Entry person (hereinafter referred to as "input person") who creates, rewrites, deletes, etc. information such as
A confirmed person who has the authority to carry out confirmation * (hereinafter referred to as "confirmed person") is before saving the information.
Make sure that the information is entered correctly and that there is no rewriting / erasure or confusion due to negligence.
I have a duty.
* Confirmation of record means having the authority to confirm the information entered by the input person.
Confirmation of input completion by a confirmed person, and acquisition of output results by inspection and measurement equipment
It means that the inclusion is completed.

Regarding false input, rewriting, erasure and confusion due to intentional or negligence, the input person, etc. intentionally or
Divide into two types, one caused by negligence and the other caused by the equipment and software used.
Can be done.
The former is, for example, when the input person intentionally falsifies information such as medical records, or an input error.
It is conceivable that incorrect information may be input due to negligence such as.
In the latter case, for example, the input person is manipulating the information correctly, but the device or software used is
When the information entered by the input person is not saved correctly in the system due to a malfunction or bug.
Etc. are conceivable.
Prevention of these false inputs, rewrites, erasures and confusion is a technology in equipment and software.

95

Page 103

Since it is difficult to prevent with only practical measures, it is necessary to consider preventive measures including operational measures.
There is.

(1) Prevention of false input, rewriting, erasure and confusion due to intentional or negligence
Intentional false input, rewriting, erasure and confusion are illegal in the first place, but prevent them
In order to do so, the following must be observed.

1. 1. Describe the work procedure, etc. related to the input of information and the confirmation of records in the operation management rules.

2. If the person who entered the information and the person who entered the information are different from the person who confirmed the information, both (hereinafter referred to as "the person who entered the information and the person who confirmed the information").
It is called "confirmed person". ) Is clear and can be confirmed at any time.
3. 3. Make sure to identify and authenticate the input person and the confirmed person. That is, spoofing etc.
Establish an operational operation environment that cannot be used.
Four. Limit the information that can be accessed according to the authority of the input person and the person who can operate the system.
thing.
Five. When, who, where, and what information regarding the operations performed by the input person and the confirmer
What kind of operation was performed is recorded, and if necessary, medical treatment is performed on the operation record.
It shall be audited that the use is proper in accordance with the operation management rules established by the institution.

It shall be audited that the use is proper in accordance with the operation management rules established by the institution.
6. For the confirmed information, it is determined by the medical institution etc. that the confirmation operation was performed by the confirmed person.
Being able to audit in accordance with the operational management rules.
7. 7. Information that has been confirmed and stored does not leave a history within the retention period specified in the operation management rules.
Do not modify or erase with.
8. 8. True if there is a possibility of accessing medical records due to system modification or maintenance, etc.
Pay attention to ensuring correctness and follow the procedure described in "6.8 Modification and maintenance of information system".
There is a need.

False input, rewriting, erasure and confusion due to negligence are simple typos, false assumptions and emotions.
It is caused by a mistake in information. There is a technical method to reduce erroneous input to a level that does not cause any problems.
Both operational measures and technical measures are recognized, recognizing that input errors will always occur because they do not exist.
From the aspect, it is required to take measures to prevent erroneous input. For example, before confirming the information
It is stipulated in the operation management rules that the contents should be sufficiently confirmed, and sufficient education and training should be provided.
Alternatively, based on the case of a hiyari hat, the parts where erroneous operation is likely to occur are displayed in different colors.
It is desirable to take technical measures to alert the operator.

(2) Prevention of false input, rewriting, erasure and confusion caused by the equipment and software used
False input, rewriting, erasure and confusion caused by the equipment and software used are the input person.
The result is due to a problem caused by the system you are using, even though you have entered it properly.

96

Page 104

Refers to the risk that the situation will be different from what the input person intended. The source of this situation
The following cases can be considered as the cause.

1. 1. If there is a problem with the equipment or software that makes up the system (malfunction, thermal runaway,
Software bugs, version inconsistencies, etc.)
2. There is no problem with the device and software, but the specified function is not set correctly.
When it is in a non-operating state
3. 3. Legitimate equipment and software have been replaced by another by a malicious third party
If
Four. Infected with malicious software such as viruses, illegally rewriting or erasing data,
If there is a malfunction of the software

These threats should be carefully verified at the time of system implementation, as well as system maintenance and control.
It is thought that this can be prevented by doing the right thing, and quality control of the system is carried out at medical institutions, etc.
It is important to take the initiative. For specific measures, see "C. Minimum Guidelines"
Please refer to the description of.

B-2. Clarify the responsibility for creation
For information that is subject to electronic storage, the person who entered it and the person who confirmed it become clear each time a record is created.
It is necessary that the responsibility for creation is clarified. In addition, the information once recorded is added.
It is thought that corrections and erasures are also performed on a daily basis, but every time additions, corrections and erasures are made
It is necessary to clarify the input person and the confirmed person.
A place where it becomes obvious who has confirmed the creation, addition, correction, etc., depending on the scale of the medical institution and the form of management and operation.
It is also possible. In that case, determine the operation method so that the confirmed person is clear, and set it in the operation management rules, etc.
After clearly stating, the confirmer has confirmed the content created, added, corrected, or deleted by the input person.
It is necessary to carry out the operation in a form that leaves some kind of record. Input of information to be stored electronically
Is, in principle, performed by the practitioner of medical practice. However, for example, the progress at the time of surgery
The input by the surgeon who is the practitioner of the original medical practice is physically input, as when recording in Rute.
Since it is impossible, it is assumed that an agent may enter it. In addition, the doctor's office work assistant
It is also conceivable to input to the electronic medical record under the instruction of the doctor. In this way, medical practice, etc.
If a person who is not the implementer inputs on behalf of that person, formulate rules for proxy input and
A record must be kept regarding its implementation.
Here, the following four are taken up as requirements, and the way of thinking about each is shown.

(1) Identification and authentication of input person and confirmed person
(2) Confirmation of record

97

Page 105

(3) Recording of identification information
(4) Save update history

(1) Identification and authentication of input person and confirmed person
To ensure authenticity, the system should be used by someone who does not have any access rights.
Must be excluded and restricted to valid inputters with their own ID. Therefore,
Identification and authentication of the input person is essential. Also, if the input person and the confirmed person are different, the confirmed person
Identification and authentication are required.
For specific measures, see "6.5 Technical Safety Measures (1) User Identification and Authentication"
Please refer to.

<Points to keep in mind when inputting on your behalf>
For the operation of medical institutions, etc., when performing proxy input, be sure to enter each individual
You must issue an ID to and access the system with that ID. Also, daily
In operation, you can tell other people your ID, password, etc., or access the system with another person's ID.
It becomes impossible to identify the worker from the work history saved in the system.
Therefore, it must be prohibited.

(2) Confirmation of record
The confirmation of the record is, of course, carried out by a confirmed person who has the authority to confirm the record.
Must be done. In many cases, it is assumed that the input person has that authority,
If the input person does not have the authority, the authorized person who has the authority must confirm the record.
To
The confirmation of the record also makes it clear that the authenticity is secured and preserved from the time of confirmation.
Therefore, clarify when and by whom the input and confirmation were made, and the stored information itself.
The purpose is to ensure that no additions, changes or erasures have been made to the body.
If there is a need to add, change, or delete after the confirmation, the contents have been confirmed.
It must be created as a new record associated with the information and saved separately.
For manual input (including information acquisition operations from peripheral devices such as scanners and digital cameras)
If more records are created, the input person confirms that there is no erroneous input or confusion due to negligence.
Need to be. In addition, clarify the distinction from the subsequent addition, rewriting, and deletion of information.
Therefore, the confirming operation must be performed by the confirming person.
Even if no explicit confirmation operation is performed, a certain amount of time has passed since the last input or special
In the case of operation assuming that the record will be confirmed by passing the fixed time, the input person
It is necessary to determine the operation method together with the method to identify the confirmed person and specify it in the operation management rules.
To

98

Page 106

When information is registered from an external device system other than manual input, import or registration
Confirm that the accuracy and accuracy of the desired information has been achieved at the time of
It is necessary that the confirmation operation is performed.
Clinical examination system, medical image imaging device (modality) and filing system
In the record created by a specific device or system such as (PACS), is it the device?
A place where the output results of these devices are treated as definitive information at the responsibility of the administrator of the device and operated.
There is also a case. In this case, the definitive information is which record was created, when, and by whom.
It needs to be clarified by the combination of system functions and operations.

(3) Recording of identification information
The confirmed record is the one entered and confirmed by whom and when from the perspective of a third party.
It needs to be clear. Name and work are included in the identification information of the input person and the confirmed person.
It is necessary to include the time when it was made. In addition, the identification information of the input person and the confirmed person is recorded.
It is associated with information and cannot be erroneously associated by ordinary means, and its association
It must be guaranteed that it cannot be separated, changed or tampered with.
The identification information is used to examine individual patients for each individual action for which the input person and the confirmed person are responsible.
In principle, it will be recorded or described in medical records. Entered when creating the first medical record, etc.
Identification information of the powerful person and the confirmed person is required, but additions, corrections, after being saved after confirmation,
Even when deleting, etc., the input person and the confirmed person related to the information for the corresponding medical record etc.
Identification information is required.
In addition, even if there are multiple input persons as in group medical treatment, information is input.
A person is an individual, and each of the plurality of individuals is recorded as an input person. And that note
The confirmation of the record must be carried out in accordance with "(2) Confirmation of the record".

(4) Save update history
For example, medical information increased with the performance of medical treatment, and at that time, new knowledge was obtained.
Therefore, it is not uncommon to add or modify records that have been confirmed and saved. this
It is necessary to easily distinguish between updating records based on such medical practice and falsification of illegal records.
Must be. For that purpose, record the update contents of the record, the update date and time, and give the authority
The identification information of the confirmed person who confirmed the updated content based on it is associated and saved, and their alteration
It must be saved in an environment that can prevent tampering and can verify it in the unlikely event of tampering.
Must be.

C. Minimum guidelines

[When storing in a medical institution, etc.]
(1) Identification and authentication of input person and confirmed person

99

Page 107

When a record is created by a general-purpose input terminal such as a PC in an electronic medical record system, etc.
1. 1. Correctly identify the input person and the confirmed person, and perform authentication.
2. For all input operations to the system, the job type, affiliation, etc. of the input person for each target information
Establish authority management (access control) based on the required classification. Also,
Prevent creation, addition, and modification by anyone other than an authorized input person.
3. 3. Manage terminals that can run business applications, and access from unauthorized persons
Prevent seth.

b. Specific equipment or systems such as clinical laboratory systems, medical image filing systems, etc.
When a record is created by
1. 1. The person in charge of equipment management and the operator are clarified in the operation management rules, and the person in charge of equipment management and operation
Operation of the device by anyone other than the author is prohibited in operation.
2. Recording by the device is a combination of system functions and operation when and who performed it.
Being clearer.

(2) Establishment of record confirmation procedure and recording of identification information
When a record is created by a general-purpose input terminal such as a PC in an electronic medical record system, etc.
1. 1. When trying to create and save medical records, etc., the system registers the confirmed information.
To have a mechanism that can be used. At that time, identification information such as the names of the input person and the confirmed person, trust
The date and time of creation using a possible time source should be included.
2. To be able to fully confirm the contents when "confirming the record".
3. 3. "Confirmation of record" shall be carried out by a confirmed person who has the authority to carry out the confirmation.
Four. Preventing confirmed records from being deliberately mistyped, rewritten, erased and confused
Take measures to stop it, and consider the procedure for restoring it to its original state.
Five. In the case of operation where the record is automatically confirmed after a certain period of time, identify the input person and the confirmed person
Develop clear rules and specify them in the operation management rules.
6. If the confirmed person cannot perform the confirmation operation for some reason, for example, the management responsibility of a medical institution, etc.
Responsibility for finalizing records by establishing rules such as the person's implementation of finalizing records in the operation management rules
Clarify the whereabouts of.

b. Specific equipment or systems such as clinical laboratory systems, medical image filing systems, etc.
When a record is created by
1. 1. The rules for confirming the records created by the device are defined in the operation management rules, etc.
That. At that time, identification information (or device) such as the name of the person in charge of management of the device or the operator
Identification information), the date and time of creation using a reliable time source shall be included in the record.
2. Preventing confirmed records from being deliberately mistyped, rewritten, erased and confused

100

Page 108

Take measures to stop it and consider the procedure for restoring it to its original state.

(3) Save update history
1. 1. When the medical records, etc. that have been confirmed once are updated, the update history is saved and before the update if necessary.
And be able to compare the updated contents.
2. Even if the same medical record is updated multiple times, the order of updates can be identified.
Can be referred to as.

(4) Proxy input approval function
1. 1. When performing proxy input, what kind of business is specifically applied, and who is acting on behalf of
Determine whether or not to do so in the operation management rules.
2. When proxy input is performed, management information of who's proxy was performed by whom and when
However, it should be recorded each time the proxy input is made.
3. 3. Medical records, etc. recorded by proxy input will be "confirmed" by the confirmed person as soon as possible.
Operation (approval) "is performed. At this time, the confirmation operation is performed without confirming the contents.
must not.

(5) Quality control of equipment and software
1. 1. What kind of equipment and software the system is composed of, in what kind of situation and application
It is clarified whether it will be used, and the system specifications are clearly defined.
thing.
2. The revision history of equipment and software, and the validity of the work actually performed at the time of its introduction.
The process for verification is specified.
3. 3. Incorporate work contents related to quality control of equipment and software into operation management rules, and follow
To provide education to vendors.
Four. Regularly conduct internal audits on system configuration and software operation status
thing.

[When storing outside a medical institution, etc. through a network]
In addition to the minimum guidelines for storage in medical institutions, the following items are required.

(1) Perform mutual authentication to recognize that the other party of communication is legitimate
Institutions that outsource the online external storage of medical records, etc. and medical institutions that outsource them communicate with each other.
A mutual authentication function is required to recognize whether or not the person is a legitimate partner.

(2) Guarantee that it has not been "tampered with" on the network

101

Page 109

It can be guaranteed that medical records, etc. have not been tampered with during network transfer.
Reversible information compression / decompression and tagging and encryption to ensure security
Falsification, flat culture, etc. are not falsification.

(3) Limiting the remote login function
Appropriately piped so that it cannot be performed except when absolutely necessary, such as for maintenance purposes.
A function must be provided to limit only the remote logins that have been accepted.

Regarding these specific requirements, "6.11 Exchange medical information including medical information with the outside"
Please refer to "Safety management when doing".

102

Page 110

7.2 Ensuring readability
A. Institutional requirements
Immediately clear and orderly by outputting the items recorded in the electromagnetic record as needed.
Display on the computer or other equipment used in the format and make it possible to create a document.
That.
(E-Ministerial Ordinance of Document Law, Article 4, Paragraph 4, Item 1)

① Ensuring readability
Immediately clear and orderly by outputting the items recorded in the electromagnetic record as needed.
Display on the computer or other equipment used in the format and make it possible to create a document.
That.
(A) The content of the information can be easily made visible to the naked eye as needed.
(B) The content of the information can be displayed in writing immediately as needed.
(Enforcement Notice No. 22 (3) ①)

"Must meet the criteria for ensuring the authenticity, readability and preservation of records such as medical records.
thing. "
(External Preservation Amendment Notification No. 21 (1))

B. Way of thinking
Readability is the content stored in electronic media, "medical treatment," "explanation to patients," "audit," and "litigation."
Response time, throughput, and operation method that do not interfere with each purpose according to the requirements such as
So, it is possible to make it readable with the naked eye. In the spirit of e-Document Law, on-screen reading
It is required that the sex is ensured, but depending on the request, the content of the target information is immediately provided.
It may be required to be able to be displayed in writing, so please respond as necessary.
Need to consider.
Information stored on electronic media is different from information recorded on paper and remains as it is for the following reasons.
May not be readable.

・ In order to call the information stored in the electronic medium on the screen so that it can be read, some kind of a
Application is required.
・ Records are often created by referring to other databases, masters, etc.
It can be read as a correct record if it does not depend on the master etc. adopted at the time of creating the data.
Absent.
・ The interrelationship of information recorded in multiple media can be understood at a glance as it is.
Peg.

103

Page 111

By responding appropriately to these, it is necessary to ensure readability equivalent to that of paper records.
It doesn't become.
In addition, even if some kind of system failure occurs, there is no serious problem in medical treatment.
Measures to ensure the readability of the limit should also be taken into consideration. Especially in an emergency such as a disaster, Sith
Since there is a risk that the system will stop completely, perform regular backups and perform medical treatment.
It is desirable to be able to confirm the patient information described in the records.
If you store it externally over the network, be sure to handle these things appropriately.
Sufficient consideration including consideration that readability will be impaired due to the circumstances of the institution of the external storage destination
Is required. In that case, referring to "4.2 Demarcation of Responsibilities in Entrustment and Provision to Third Parties"
It is also necessary to clarify responsibilities in advance and take care to ensure prompt recovery.
To
Even if these things are taken into consideration, it is possible if the stored information is damaged.
We will strive to recover as quickly as possible and respond to requests such as "medical treatment," "explanation to patients," "auditing," and "litigation."
Readability must be ensured.

C. Minimum guidelines
(1) Information location management
Even if the information is distributed and managed in various media, including paper-managed information, it is for each patient.
All whereabouts of information are managed on a daily basis.

(2) Management of reading means
All information stored on electronic media and their reading means are managed in association with each other.
Being. In addition, equipment, software, related information, etc., which are reading means, are always in place.
Being.

(3) Response time according to the purpose of reading
Being able to promptly search or display in writing according to the purpose.

(4) Ensuring redundancy as a countermeasure against system failures
Even if one system of the system fails, as long as it does not interfere with normal medical care, etc.
System redundancy (entire system even in the event of a failure) to make medical records etc. readable
Prepare spare equipment such as servers and network equipment from normal times to maintain the function of the body
And operate) or provide alternative reading means.

D. Recommended guidelines

104

Page 112

[When storing in a medical institution, etc.]
(1) Backup server
Even if the system stops, use a backup server and a general-purpose browser, etc.
Being able to read the minimum medical records required for daily medical care.

(2) External output to ensure readability
Even if the system is stopped, a series of medical records of patients corresponding to the purpose of reading can be used for general purposes.
Output to an external file in a format that ensures readability so that it can be read by a browser, etc.
What you can do.

(3) Reading function using remote data backup
As a disaster countermeasure such as a large-scale fire, back up electronic storage records in a remote location and use them.
Minimum medical care required for daily medical care using backup data and a general-purpose browser, etc.
Being able to read records, etc.

[When saving to the outside via a network]
In addition to the recommended guidelines for storage in medical institutions, the following items are required.

(1) Ensuring readability of medical records, etc. that are expected to be urgently needed
Medical records that are expected to be urgently needed should be stored internally or externally.
Even if it is duplicated or equivalent contents should be kept inside the medical institution.

(2) Ensuring readability of medical records, etc., which cannot be said to be urgently needed
Receive network and external storage for information that is not urgently needed
Take measures to deal with the failure of the entrusted institution.

105

Page 113

7.3 Ensuring storage stability
A. Institutional requirements
Keep the items recorded in the electromagnetic record in a recoverable state during the period when they should be stored.
Take measures that can exist.
(E-Ministerial Ordinance of Document Law, Article 4, Paragraph 4, Item 3)

③ Ensuring storage stability
Keep the items recorded in the electromagnetic record in a recoverable state during the period when they should be stored.
Take measures that can exist.
(Enforcement Notice No. 22 (3) ③)

"Must meet the criteria for ensuring the authenticity, readability and preservation of records such as medical records.
thing. "
(External Preservation Amendment Notification No. 21 (1))

B. Way of thinking
Preservation means that the recorded information is kept authentic for a period stipulated by laws and regulations, and can be read.
It means that it is saved in a state where it can be made possible.
When storing information such as medical records electronically, the following are the causes that threaten the preservation.
Things can be considered.

(1) Destruction and mixing of information by viruses and inappropriate software
(2) Loss or destruction of information due to improper storage and handling
(3) Unreadable or incomplete reading of information due to deterioration of recording media and equipment
(4) Information cannot be restored due to inconsistency in media, equipment, and software.
(5) Inconsistency when saving data due to failure, etc.

In order to eliminate these threats, various technical and operational measures for each cause
Need to be applied.

(1) Destruction and mixing of information by viruses and inappropriate software
Saved electronically due to improper behavior of the software due to viruses or bugs
Information such as medical records may be destroyed. Therefore, access this information
Inappropriate software such as viruses must be prevented from running.
In addition, the software that manipulates the information has not been tampered with, and according to the specifications.
You have to make sure that it is working.

106

Page 114

Furthermore, it can be confirmed that the stored information is tampered with.
It is desirable to establish a mechanism.

(2) Loss or destruction of information due to improper storage and handling
The medium that stores the electronic information is improperly stored, or the information is stored.
Information is lost or destroyed due to improper handling of the device you are using.
It may be lost. Information is stored to prevent this from happening
Take technical and operational measures to ensure proper storage and handling of media and equipment
Must be given.
A medium that understands the environmental conditions of the recording medium and recording equipment used and stores electronic information.
It is necessary to properly maintain the environment such as temperature and humidity of the server room where the body and equipment are placed.
To In addition, only authorized persons can enter the server room, etc.
It is necessary to take measures.
Also, in the unlikely event that information is lost, whether it is lost, tampered with, or destroyed.
In case of such a situation, make a backup of information such as medical records on a regular basis and back it up.
It is necessary to have a mechanism that can manage and restore the data together with the history. At this time, back
Satisfy the storage obligation by using the procedure for restoring information from the upload and the restored information for medical treatment.
It is desirable to clarify the procedure for making information.

(3) Unreadable or incomplete reading of information due to deterioration of recording media and equipment
Electronic due to unreadable or incomplete reading due to deterioration of recording media and recording equipment
Information such as medical records stored in the medical records may be lost or destroyed.
To In order to prevent this, deterioration occurs in consideration of the deterioration characteristics of recording media and recording equipment.
It is necessary to copy to a new recording medium or recording device before the process.

(4) Information cannot be restored due to inconsistency in media, equipment, and software.
Information such as medical records stored electronically due to inconsistency in media, equipment, and software
Information may not be restored. Specifically, the master database at the time of system migration
Inconsistency in index database, incompatibility of equipment and media
As a result, the restoration of information becomes incomplete or unreadable.
Appropriately create a business plan for system changes and migrations so that this does not happen
There is a need to.

(5) Inconsistency when saving data due to failure, etc.
When saving to the outside through the network, the system is in the middle of transferring medical records, etc.

Correct data is outsourced to an external contractor due to a shutdown or network failure.

107

Page 115

It is possible that it will not be stored in. In that case, medical institutions, etc. that outsource external storage again
It becomes necessary to transfer data from.
Therefore, the outsourced medical institution, etc. may delete the internal data of the medical institution, etc.
After confirming that the data has been saved at the institution that outsources the storage
There is a need to do.

C. Minimum guidelines

[When storing in a medical institution, etc.]
(1) Prevention of information destruction and confusion due to viruses and inappropriate software
1. 1. Information destruction by inappropriate software including so-called computer viruses
Software, equipment and media used in the system to prevent damage and confusion
To manage.

(2) Prevention of loss or destruction of information due to improper storage and handling
1. 1. Regarding the storage and handling of recording media and recording equipment, we have created operational management rules and are appropriate.
Educate the people concerned so that they can be stored and handled properly, and make them known. Also,
Keep a work history of storage and handling.
2. Specify the location (internal, portable medium) where the system stores information, and keep it for each location.
Available capacity (size), period, risk, response, backup frequency, back
Clarify the upload method, etc. Collect these as operation management rules and operate them
To be thoroughly known to all concerned parties.
3. 3. Only authorized persons can enter the storage location of recording media or the installation location of servers.
Take such measures.
Four. Keeping and managing access history for information such as medical records stored electronically.
Five. When the information in each storage location is lost, the backed up data is used.
Being able to return to the state before the loss. If it cannot be returned to the same state as before the damage, it will be damaged.
Make it easy to see the range.

(3) Prevention of unreadable or incomplete reading of information due to deterioration of recording media and equipment
1. 1. Copying information to a new recording medium or recording device before the recording medium deteriorates.
Clarify the period during which normal storage can be performed without deterioration for each recording medium and device.
Then, manage the start date and end date of use, and check it about once a month.
For recording media or recording devices that have been used and the end date of use is approaching, the data will be updated.
Copy to a new recording medium or recording device. Operation management of these series of operation flows
Describe it in the rules and regulations and make it known to all concerned parties.

108

Page 116

(4) Prevention of unrecoverable information due to inconsistency of media, equipment, and software
1. 1. Data such as medical records are in standard format so that migration can be performed quickly when updating the system.
Standard format for existing items, easy conversion for items that do not have a standard format
Equipped with a function that can output and input in various data formats.
2. When the master database is changed, the contents of information such as past medical records are changed.
It has a function that does not occur.

[When storing outside a medical institution, etc. through a network]
In addition to the minimum guidelines for storage in medical institutions, the following items are required.

(1) To ensure continuity and version control of data formats and transfer protocols.
Data format and transfer protocol will be upgraded or changed during the storage obligation period.
It is possible that it will be changed. In that case, the institution that entrusts the external storage is the previous data form.
Do not maintain support while there are medical institutions using formulas and transfer protocols
Must not be.

(2) Take measures against deterioration of the equipment of the network and the organization that outsources external storage.
Deterioration of lines and equipment in consideration of the conditions of the equipment of the network and the institution that outsources external storage
If so, take measures such as updating them.

D. Recommended guidelines

[When storing in a medical institution, etc.]
(1) Prevention of loss or destruction of information due to improper storage and handling
1. 1. Only authorized persons can store recording media, recording equipment, and servers.
Store in a room, keep a history of entering and leaving the room, work shoes related to storage and handling
Save in association with history.
2. Physical measures such as keys should be taken in the server room so that only authorized persons can enter the room.
To give.
3. 3. Regularly back up data such as medical records and falsify the contents
To have a function to inspect that the information has not been destroyed by.

(2) Prevention of unreadable or incomplete reading of information due to deterioration of recording media and equipment
When saving information such as medical records in a recording device such as a hard disk, RAID-1 or
Take measures against disk failures equivalent to RAID-6 or higher.

109

Page 117

[When storing outside a medical institution, etc. through a network]
(1) Ensuring compatibility of equipment of networks and institutions that outsource external storage
1. If you update the line or equipment to a new one, you will get a device compatible with the old system.
It becomes difficult and there is a possibility that reading the recorded information may be hindered. Obey
Institutions that outsource external storage will ensure future compatibility when selecting lines and equipment.
At the same time, when updating the system, it is compatible with the old system and secure data storage.
Migrate to compatible lines and equipment that can guarantee.

110

Page 118

8 Criteria for storing medical records and medical records externally

* The provisions of this chapter are listed as the subject of Chapter 8 in "3.2 Documents subject to Chapter 8".
It is applied when electronically storing documents that have been lost.

Criteria for storage locations such as medical records are presented in two cases. One is an electronic medium
The case where the external storage is performed by the body, and the other is the case where the external storage is performed with the paper medium as it is.
Furthermore, in the case of electronic media, when external storage is performed via a telecommunication line (hereinafter referred to as network).
Is specifically specified, so it is actually necessary to consider it in the following three categories.

(1) When external storage by electronic media is performed via a network
(2) When external storage using electronic media is performed using portable media such as magnetic tape, CD-R, and DVD-R.
(3) When externally storing on a medium such as paper or film

Dispensed prescriptions can be stored externally in their original form (paper or electronic), or in the form of paper media.
In that case, it can be digitized by the method shown in Chapter 9 and stored externally on an electronic medium. Paper dispensed
Prescription (Dispensed when it is not necessary to fill in the dispensing record based on Article 28, Paragraph 2 of the Pharmacists Act
Including prescription. ) Is digitized in Chapters 3 and 9 of the Dispensing Record (Pharmacist Law, Article 28, Paragraph 2).
Includes pre-dispensed prescriptions when it is no longer necessary to fill in the dispensing record based on the section. ) For external storage
Please refer to Chapter 3 for details.

8.1 When external storage by electronic media is performed via a network
If the current technology is fully utilized and carefully operated, medical records, etc. will be provided through the network.
Can be stored outside a medical institution or the like. Businesses that outsource the storage of medical records, etc.
However, by ensuring authenticity and performing appropriate safety management, medical institutions that outsource external preservation, etc.
It may save money and facilitate security operations.
The method of external storage through the network has many advantages, but it can be used for information leakage and medical treatment.
Security and communication technology and its operation method because it may lead to a supportive accident.
You need to be careful. If such an accident occurs and causes social distrust,
As a result, the computerization of medical care may be set back, which may be against the interests of the people.
You should proceed carefully and steadily.
Therefore, when storing medical records, etc. in an external institution via an electronic medium via a network
It is required that medical institutions, etc. take the initiative in safety management and promote it appropriately.

8.1.1 Compliance with 3 standards for electronic storage
3 Regarding the description of the criteria, "7.1 Ensuring authenticity", "7.2 Ensuring readability",

111

Page 119

Please refer to "7.3 Ensuring Preservation" for each integration.

112

Page 120

8.1.2 Criteria for selecting institutions that outsource external storage and criteria for handling information
A. Institutional requirements
(Safety management measures)
Businesses handling personal information prevent leakage, loss or damage of the personal data they handle, etc.
Necessary and appropriate measures must be taken for the security management of personal data.

(Article 20 of the Personal Information Protection Law)

When external storage is performed through a telecommunication line, the host computer related to the storage
Information processing devices such as servers and servers are specified in the hospital specified in Article 1-5, Paragraph 1 of the Medical Care Act or in Paragraph 2 of the same Article.
Clinics that are specified and other places that are appropriately managed by medical corporations, etc. as equivalent to this, administrative machines
Data centers, etc. established by Seki, etc., and medical institutions, etc. are confirmed based on contracts with private businesses, etc.
Must be placed in a safe and secure place.
(External Preservation Amendment Notification No. 21 (2))

B. Way of thinking
If medical records can be saved in places other than medical institutions through the network,
Stem Improvement of security measures by securing a secure storage place for highly robust information and in the event of a disaster
Electronic storage of medical records, etc. at medical institutions, etc. by promoting crisis management and reducing storage costs
It can be expected to be promoted. However, for external storage, it is difficult for the storage organization to handle inappropriate information.
There is also a risk that a large amount of patient information will be leaked instantly, and in that case, the location of the leak.
And it may be difficult to identify the person in charge. Therefore, we are always conducting risk analysis and making every effort.
Measures must be taken, and the responsibility of medical institutions, etc. becomes relatively large.
Furthermore, it is unfair for the purpose of profit by an organization or employee who is entrusted with the storage of information.
It is also true that there is a risk of use. On the other hand, financial information, credit information, and communication information are the actual situation.
The storage and management is outsourced to an external business operator other than the business operator, and it is operated rationally.
Information related to finance, credit, and communication and information related to medical care cannot be treated in the same way.
In general, businesses that outsource the storage and management of information in data centers that have a proven track record are cautious and sufficiently safe.
All measures are taken, and it is strictly managed compared to medical institutions managing themselves.
There are many.
Originally, personal rights and interests are infringed due to leakage or improper use of personal information related to medical treatment.
If this happens, it is often difficult for the victim to suffer and recover their rights.
Persons are required to take special safety management measures in accordance with laws and various guidelines.
ing. Therefore, for external storage at places other than medical institutions, etc. through a network of medical records, etc.
Regarding this, after ensuring a system equal to or better than the safety management system normally required, we will treat patients.
In principle, we can fulfill our responsibility to utilize the information in the provision of health care services, etc.
Is.

113

Page 121

In order to respond to the above, "② Established by an administrative agency, etc." as defined in "C. Minimum Guidelines"
"When storing in a data center, etc." and select an appropriate institution, "③ Medical institution, etc. is a private business
When storing in a safe place secured based on a contract with a person, etc., strictly observe the matters specified in C.
There is a need to. In addition, information processing-related businesses such as data centers set "medicines" specified by the Ministry of Economy, Trade and Industry.
"Guidelines for information processing companies that manage medical information on consignment" and "ASP / SaaS" established by the Ministry of Internal Affairs and Communications
Information Security Measures Guidelines in Japan ”and“ ASP / SaaS providers collect medical information
Confirm that the requirements of "Guidelines for safety management when handling" are met, and make a contract
It is necessary to clarify the compliance status by such means.
In this chapter, "1. Criteria for selecting an institution that outsources external storage", "2. Handling of information", "3. Proposal of information"
Organize the way of thinking by dividing it into "servants".
"4. Responsibility when handling electronic medical information" and "6.11 Doctors including external and personal information"
Since it is inseparable from "safety management when exchanging medical information", these are also included in the implementation.
Must be observed.

1. Criteria for selecting an institution that outsources external storage
① When storing in a place appropriately managed by hospitals, clinics, medical corporations, etc.
Hospitals and clinics prepare their own highly robust equipment environment, and medical records of nearby hospitals and clinics
This applies to cases such as providing ASP / SaaS type services that store such information.
In addition, as a place that medical corporations, etc. appropriately manage as equivalent to hospitals and clinics,
A place where managers of multiple medical institutions, etc. manage jointly at the office of the medical association, which is a public interest corporation.
There are places.

(2) When saving in a data center established by an administrative agency, etc.
Data centers established by national institutions, incorporated administrative agencies, national university corporations, local public organizations, etc.
It corresponds to the case of saving in.
In this case, the requirements of the other sections of this chapter, the responsibilities mentioned in the other chapters of this guideline.
The way of responsibilities, safety management measures, authenticity, readability, storability and information management system defined by C
All requirements for security must be met.

③ When storing in a safe place secured by a medical institution based on a contract with a private business operator, etc.
Data centers, etc. where institutions other than (1) and (2) store information on behalf of medical institutions, etc.
Is applicable.
In this case, medical institutions, etc. that have a legal obligation to preserve the system are safe with high system robustness.
It is necessary to select a storage location for information.
Therefore, those businesses, etc., have other requirements in other sections of this chapter, other of this guideline, etc.
Responsibility, security measures, authenticity, readability, preservation and C mentioned in the chapter

114

Page 122

It is necessary to meet all the requirements for ensuring the information management system specified in.
In addition, depending on the form of these services, the Ministry of Economy, Trade and Industry has established "consignment management of medical information."
Information in ASP / SaaS established by the Ministry of Internal Affairs and Communications and the "Guidelines for Information Processing Business Operators"
"Security Measure Guidelines" and "When ASP / SaaS Business Operators Handle Medical Information"
It is also necessary to meet the requirements of "Safety Management Guidelines".

2. Handling of information
① When storing in a place appropriately managed by hospitals, clinics, medical corporations, etc.
Even in hospitals, clinics, etc., we try to analyze medical records, etc. that have been entrusted with preservation.
In that case, with the consent of the outsourced hospital, clinic and patient, look for unfair profits and profits.
Only when it is not targeted.
In addition, it is necessary to create an organization for verification in the hospital and perform an objective evaluation for implementation.
There is.
Even when handling anonymized information, the scale of the area and outsourced medical institutions, etc.
Therefore, since it is possible that an individual can be easily identified, the validity of anonymization is verified.
Informing patients, etc. of the fact that they are being examined or handled by a certificate organization, etc.
It is necessary to consider the protection of personal information.

(2) When saving in a data center established by an administrative agency, etc.
When storing in an administrative agency, etc., the person who established the establishment is a person who is obliged to keep confidential, such as a public employee.
Therefore, there are certain restrictions on the handling of information. But the preserved emotions
The information is stored under consignment from medical institutions, etc., and is entrusted with external storage.
It is permissible for a business operator to perform its own analysis, analysis, etc. without the consent of the medical institution, etc. and the patient.
Not done.
Therefore, when selecting a business operator to be entrusted with external storage, medical institutions, etc. will implement it.
It is necessary to confirm that it is not possible or to exchange a contract etc. clearly stating that it will not be implemented
There is.
In addition, as a technical method, for example, in an emergency such as data restoration work when a trouble occurs.
As a general rule, it is guaranteed that only medical institutions can view the data contents, except for the correspondence of
It is also possible.
In addition, the information related to personal identification stored in the business operator entrusted with external storage is encrypted.
Even the manager of a business that manages properly or outsources external storage is usually accessed
It is also conceivable to have a control mechanism that cannot be used.

③ When storing in a safe place secured by a medical institution based on a contract with a private business operator, etc.
As mentioned at the beginning, the business operator entrusted with the external preservation specified in this section is from a medical institution, etc.

115

Page 123

When storing information on consignment, browse the information for the purpose of unfair profit and profit pursuit,
Analysis, etc. must not be performed and is not allowed.
These acts will be regulated for businesses that are entrusted with the external storage of medical information in the private sector, etc.
The guidelines for this are set by the Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications as stated in the external preservation notice.
Therefore, medical institutions, etc. need to fully confirm the compliance status, including contracts.
As a technical method of external storage, for example, data restoration work when a trouble occurs, etc.
As a general rule, it is guaranteed that only medical institutions can view the data contents, except for emergency response.
It is also possible to do.
In addition, the information related to personal identification stored in the business operator entrusted with external storage is encrypted.
Proper management, or even the administrator of an information processing business operator can access
It is also possible to have a control mechanism that cannot be done.
Specifically, methods of "encrypting" and "distributed storage of information" can be considered.
In this case, it is necessary to pay sufficient attention to the availability of information in anticipation of an unexpected accident.
If a medical institution or the like encrypts itself and stores the encryption key, the encryption key may occur due to a fire or accident.
If becomes unavailable, all medical information that is outsourced to preservation will become unavailable.
There is a possibility.
To avoid this, deposit the encryption key to a business operator that entrusts external storage, multiple trusts
It is conceivable to deposit it at another medical institution that can do it. Similar availability for distributed storage
Guarantee is required.
However, in the case of depositing the encryption key to a business operator that entrusts external storage, the encryption key
Strict control is required for use.
Use of encryption key to prevent unauthorized use of encryption key by business operator entrusted with external storage
Operation management rules must be formulated and use should be limited to emergencies. Also, in fact
A trail in an information system using a cryptographic method that leaves a trail using an encryption key at the time of line
It is necessary to confirm whether the encryption key has been illegally used by properly managing it.
is there.

3. Providing information
① When storing in a place appropriately managed by hospitals, clinics, medical corporations, etc.
A mechanism that allows patients to access the institution that stores information and view their own records
When providing information, hospitals, clinics, medical corporations, etc. that have been entrusted with the storage of information should have appropriate access.
Information leakage or incorrect browsing (showing information of different patients or showing information of different patients)
Care must be taken not to cause information that should not be shown to the patient, etc.)
It doesn't become.
In principle, the provision of such information is agreed between the medical institution where the patient is receiving medical examination and the patient.
Is the patient a hospital, clinic, medical corporation, etc. that has been entrusted with the storage of information?

116

Page 124

Do not carry out without any consent.

(2) When saving in a data center established by an administrative agency, etc.
In any form, the company that entrusts the external storage of the stored information keeps it independently.
It must not be provided to anyone other than the existing medical institution.
Other than medical institutions that mainly store stored information through businesses that outsource external storage
When providing to the medical institution, it must be carried out with the consent of medical institutions, etc.
Of course, it is necessary to obtain the consent of the patient before carrying out the procedure. In such a case, external protection
When the business operator entrusted with the existence is entrusted with the setting of access rights, medical institutions, etc.
Information such as setting appropriate authority according to the request of the patient who obtained consent with the medical institution etc.
Leakage or misreading (showing information about different patients or not showing them to patients
It is necessary to prevent such information as being visible).
Therefore, medical institutions, etc. that intend to store medical records, etc. externally in this form are external.
It is necessary to stipulate the provision of this information in contracts, etc. to businesses that are entrusted with storage.
There is a need.

③ When storing in a safe place secured by a medical institution based on a contract with a private business operator, etc.
In any form, the company that entrusts the external storage of the stored information keeps it independently.
It must not be provided to anyone other than the existing medical institution. Even if this is anonymized information
The same is true.
Information stored through a business that outsources external storage can be stored in other than medical institutions that mainly store it.
If you want to provide it, you have to agree with each other such as medical institutions, and of course
In accordance with the Personal Information Protection Law, it is necessary to obtain the consent of the patient.
In such a case, the business operator entrusted with external storage entrusts the setting of access rights.
If so, respond to the request of the patient who has obtained consent from the medical institution, etc. or the medical institution, etc.
Information leakage and incorrect browsing (viewing information of different patients) by setting appropriate privileges
Don't let the patient see information that shouldn't be shown to the patient)
I have to do it.
Therefore, medical institutions, etc. that intend to store medical records, etc. externally in this form are external.
There is no provision in contracts, etc. regarding the provision of this information to businesses that are entrusted with storage.
must not.

C. Minimum guidelines
① When storing in a place appropriately managed by hospitals, clinics, medical corporations, etc.
(A) Keep medical records, etc. inside hospitals and clinics.
(B) For the purpose of analysis, etc. without the permission of hospitals, clinics and patients who have been entrusted with the preservation of medical records, etc.

117

Page 125

Do not treat as.
(C) Even in hospitals, clinics, etc., when analyzing medical records, etc. that have been entrusted with preservation
For the purpose of unfair profit and profit with the consent of the outsourced hospital, clinic and patient
Only if not.
(D) Verification organization to verify the validity of anonymization even when handling anonymized information
Inform patients, etc. of the fact that they are being handled by using bulletins, etc.
Carry out after considering the protection of personal information.
(E) A mechanism in which patients access the institution that stores information and view their own records.
If you provide only information, the hospital or clinic that has been entrusted with the storage of information should have appropriate access rights.
Prescribe, information leakage, incorrect browsing (showing information of different patients or patients
Be careful not to cause information that should not be shown to the user.
(F) In principle, information will be provided with the consent of the patient and the medical institution where the patient is receiving medical examination.
That.

(2) When saving in a data center established by an administrative agency, etc.
(A) According to laws and ordinances, for individuals engaged in or engaged in preservation work
Confidentiality regarding the content of personal information and prohibition of improper use are stipulated, and violation of the stipulation
More penalties apply.
(B) System auditing technology to have the technology and operation management ability necessary for appropriate external storage
Appropriate capabilities such as surgeon and Certified Information Systems Auditor (ISACA accredited)
It must be confirmed regularly, such as by undergoing an external audit by a competent auditor.
(C) Medical institutions, etc. analyze the stored information, and the business operator entrusted with external storage actually analyzes and analyzes it.
Confirm that it will not be applied, and exchange a contract, etc. that clearly states that it will not be implemented.
(D) Medical treatment so that the stored information is not provided independently by the business operator entrusted with external storage.
Institutions, etc. should stipulate the provision of information in contracts, etc. Businesses that outsource external storage
When setting the access right related to the provision, set the appropriate right, information leakage, information leakage, etc.
Incorrect browsing (information that shows information about different patients or should not be shown to patients
To prevent this from happening.

③ When storing in a safe place secured by a medical institution based on a contract with a private business operator, etc.
(A) Businesses entrusted with external storage by medical institutions, their managers, and electronic storage workers
Consignment contract including matters related to confidentiality and penalties for violations
To be able to supervise the handling of stored information.
(B) Regarding the safety of network lines connecting medical institutions and businesses that outsource external storage
Therefore, comply with "6.11 Safety management when exchanging medical information including personal information with the outside"
Being protected.

118

Page 126

(C) The contracted business operator manages the medical information contracted by the Ministry of Economy, Trade and Industry, which is imposed on private businesses, etc.
"Guidelines for information processing companies" and "Information security in ASP / SaaS" by the Ministry of Internal Affairs and Communications
"Guidelines for measures against qualities" and "When ASP / SaaS providers handle medical information
Clearly stipulate in contracts, etc. to comply with "Guidelines for Safety Management", etc.
Confirm by receiving reports at least regularly.
(D) Keeping the stored information within the scope of the contract exchanged by the business operator entrusted with external storage.
Do not browse beyond the scope necessary for defensive work. Regarding maintenance

Therefore, comply with "6.8 Information System Modification and Maintenance".
(E) Information stored by a business operator entrusted with external storage must not be analyzed or analyzed.
thing. The same applies to anonymized information. Clarify these matters in the contract
However, it should be strictly adhered to at medical institutions.
(F) Medical treatment so that the stored information is not provided independently by the business operator entrusted with external storage.
Institutions, etc. should stipulate the provision of information in contracts, etc. Businesses that outsource external storage
When setting the access right related to the provision, set the appropriate right, information leakage, information leakage, etc.
Incorrect browsing (information that shows information about different patients or should not be shown to patients
To prevent this from happening.
(G) Business that entrusts external preservation after satisfying (a) to (f) at medical institutions, etc.
Establish the selection criteria of the person. Check at least the following four points.
(A) Development of basic policies and handling rules related to safety management of medical information, etc.
(B) Establishing an implementation system for safety management of medical information, etc.
(C) Creditworthiness regarding personal data security management based on achievements, etc.
(D) Soundness of management based on financial statements, etc.

D. Recommended guidelines
(A) Among "(1) When storing in a place appropriately managed by hospitals, clinics, medical corporations, etc."
When it is stored in a place that is properly managed by the therapist, etc., the entire institution that has been entrusted with the storage
Personal information protection and information as a means of showing patients and the public further self-help efforts
Privacy mark and ISMS certification, which are certification systems for information security management
To obtain certification by a third party such as.
(B) In the case of "② When saving in a data center established by an administrative agency, etc.", the system
Will be monitored and evaluated, but as part of further evaluation, the item mentioned in (a)
To be certified by three parties.
(C) "② When saving in a data center established by an administrative agency, etc." and "③ Medical institution, etc."
In the case of storing in a safe place secured based on a contract with a private business operator, etc. "
As a surgical method, except for emergency response such as data restoration work when trouble occurs,
As a general rule, ensure that only the outsourced medical institutions can view the data contents.

119

Page 127

(D) Appropriately encrypt the personal identification information stored in the business operator entrusted with external storage.
Even the manager of a business that manages or outsources storage is usually accessed
Have a control mechanism that cannot be used. Specifically, "encrypt" and "store information in a distributed manner"
The method can be considered. In that case, access under unusual circumstances such as an emergency
With the assumption that it will be done, a mechanism that allows the fact of access to be explicitly identified by medical institutions, etc.
To have it.

120

Page 128

8.1.3 Protection of personal information
A. Institutional requirements
(Safety management measures)
Businesses handling personal information prevent leakage, loss or damage of the personal data they handle.
Necessary and appropriate measures must be taken for the security management of other personal data.
(Supervision of contractor)
When a business operator handling personal information outsources all or part of the handling of personal data,
For those who have been entrusted with the handling of personal data so that the security management of the entrusted personal data can be achieved.
Necessary and appropriate supervision must be provided.
(Articles 20 and 22 of the Personal Information Protection Law)

Pay close attention to the privacy protection of patients and ensure the protection of personal information.
(External Preservation Amendment Notification No. 21 (3))

B. Way of thinking
When saving to the outside through the network, the scope of authority and responsibility of the administrator of the medical institution etc.
Considering the protection of personal information even more in order to extend to other facilities and telecommunications carriers that are different from your own facility
It is necessary to do.
Regarding matters related to the protection of patient's personal information, the legal retention period for medical records, etc. has expired.
In some cases, personal information exists even if the contract period with the business operator entrusted with external storage has expired.
You need to be as careful as possible. Also, regarding the handling of personal information in backup information
However, a similar operation system is required.
Personal information protection when passing through the network must be considered individually depending on the type of communication method
There is a need. Regarding ensuring the confidentiality of information due to differences in communication methods, see "6.11 External and medical information, etc."
Safety management when exchanging medical information including B-2. Network security to choose from
Please refer to it as it is mentioned in "Thinking".

C. Minimum guidelines
(1) Protection of personal information within the business operator of the external storage contractor such as medical records
① Supervise appropriate contractors
Regarding the protection of personal information within the business operator that entrusts the external storage of medical records, etc., this guideline
It is necessary to refer to Chapter 6 and perform appropriate management.

(2) Explanation to patients regarding the implementation of external preservation
Facilities that outsource the external storage of medical records, etc., provide patients in advance with patients as needed.
The security and risk of personal information being sent to and stored at certain external facilities

121

Page 129

It is necessary to explain through the in-hospital bulletin board, etc., including the information, and gain understanding.

① Explanation before the start of medical treatment
It should be done before collecting personal information from the patient, including the condition, medical history, etc.
Start medical treatment after explaining that the department is being preserved through in-hospital notices, etc. and gaining understanding.
thing.

(2) When it is difficult to explain to the patient, but there is an urgency in medical treatment
When it is difficult to explain to the person due to consciousness disorder or dementia, there is an urgency in medical treatment.
In some cases, prior explanation is not always required. Explain after the fact when consciousness is restored
Need to be done and gained understanding.

③ When it is difficult to explain to the patient, but there is no particular urgency in medical treatment
If it is difficult to explain and understand the person, including infants, and there is no urgency,
As a general rule, explain to parents and guardians and gain their understanding. However, abuse by parents
If you are suspected or have no guardian, or if it is difficult to explain, please refer to the medical record, etc.
It is desirable to clarify the reason why it is difficult to clarify.

122

Page 130

8.1.4 Clarification of responsibilities
A. Institutional requirements
External storage is the responsibility of hospitals, clinics, etc. that are obliged to store medical records.
In addition, clarify the responsibility in the event of an accident.
(External Preservation Amendment Notification No. 21 (4))
The description in this section is "4 Responsibility when handling electronic medical information" and "6.11 External and individual".
Since the ideas were summarized in "Safety management when exchanging medical information including information", refer to them.
I want to be.

8.1.5 Notes
External storage is performed through the network, and this can be carried by a business operator that outsources external storage.
When storing on a medium, "Appendix 1 External storage on an electronic medium is performed using a portable medium."
Pay close attention to the matters listed in "Cases".

8.2 When external storage using electronic media is performed using portable media
Please refer to Appendix 1 as it has been moved to.

8.3 When saving externally on paper media
Please refer to Appendix 2 as it has been moved to.

one two Three

Page 131

8.4 Notes on external storage in general
8.4.1 Operation management rules
A. Institutional requirements
Managers of hospitals, clinics, etc. that perform external storage establish and implement operation management rules in accordance with them.
thing.
(External preservation revision notice No. 31)

B. Way of thinking
It is required to establish operation management rules related to external storage, and the way of thinking and specific guys
For Drine, refer to the section “6.3 Organizational Safety Management Measures”.
Regarding the responsibility at that time, "4 Responsibility when handling electronic medical information"
Please refer to "Who".
If you have already established the operation management rules for electronic storage, the items for external storage are appropriate.
It is considered sufficient to make corrections and additions.

8.4.2 Processing at the end of the external storage contract
From the viewpoint that medical records, etc. are sensitive personal information, medical treatment is required when external storage is terminated.
Certain consideration must be given to both the institution and the contracted business operator.
Medical institutions, etc. that outsource the external storage of medical records, etc., are the medical records stored in the outsourced business operator.
, Etc. should be checked regularly, and medical records, etc. that must be stored externally should be processed promptly.
An audit must be made to ensure that the process has been carried out rigorously. In addition, we accept external storage
Businesses also strictly handle and process stored medical records, etc. at the request of medical institutions, etc.
It is necessary to clearly indicate to medical institutions that this has been done.
These disposal regulations should be clearly stated in the consignment contract, etc. before starting external storage.
It is needed. In addition, in preparation for actual disposal, procedures such as disposal programs were clarified in advance.
Regulations should be prepared.
Requesting both parties to handle these strict matters is to retain personal information beyond the agreed period.
This is because doing so can be a problem in the protection of personal information, so please be aware of that.
There must be.
When storing externally via a network, the external storage system itself is also a kind of database.
It is a waste and must be carefully discarded including the index file. Also electronic medium
In the case of the body, the same consideration should be given to the backup file.
Also, if it is stored externally via a network, the storage format will naturally be an electronic medium.
Therefore, the damage caused by information leakage is expected to be enormous in terms of the amount of information. Therefore,
We will give due consideration to the protection of personal information and entrust external storage to ensure that the information has been discarded.
It is necessary to make sure that the medical institution, etc. and the contracted business operator can confirm it.

124

Page 132

8.4.3 External storage of medical records, etc. that are not obliged to be stored
Please refer to "3.4 Documents that require careful handling".

125

Page 133

9 When medical records, etc. are digitized and saved by a scanner, etc.

* The provisions of this chapter are described in Chapters 7 and 9 in "3.1 Documents subject to Chapters 7 and 9".
Applicable when documents, etc. listed as the target of
Will be done.

In this chapter, medical records, etc. that are required to be created or preserved by law are once created on paper or other media.
A place to store, store, or operate a product that has been digitized with a scanner, etc. after receiving, storing, or operating it.
It describes the handling of the case. When inputting a schema (human figure) into an electronic medical record, etc.
When drawing on paper and inputting with a scanner or digital camera, etc., it is not the subject of this chapter, but the authenticity of Chapter 7.
See the section on ensuring sex.

A. Institutional requirements
Private business operators, etc. are listed in the upper columns of Tables 1 and 2 of the attached table 1 based on the provisions of Article 3, Paragraph 1 of the Act.
Instead of preserving the documents listed in the lower column of these tables of the Decree, the electromagnetic records relating to the documents
When preserving, and the electromagnetic waves listed in the lower column of the same table of the laws and regulations listed in the upper column of the attached table 1-4
If you want to save by target record, you must do it by one of the following methods.
I.
One (omitted)
(Ii) Use a scanner (including an image reader equivalent to this) to scan the items described in the document.
The electromagnetic records obtained by reading are provided in computers for use by private businesses, etc.
How to save as a file or a file prepared with a magnetic disk, etc.
(E-Document Law Ministerial Ordinance Article 4)

9.1 Common requirements
B. Way of thinking
The following two situations can be assumed as specific examples of digitization using a scanner or the like.

(1) In the operation of electronic medical records, etc., most of the medical treatment is conducted in an electronic state.
On the other hand, it is unavoidable to accept paper or film medical information provision documents from other hospitals.
If you have feelings
Paper pre-dispensed prescription (no need to fill in the dispensing record based on Article 28, Paragraph 2 of the Pharmacists Act)
Includes pre-dispensed prescriptions if ) Also corresponds to this.

(2) The operation of electronic medical records, etc. was started and electronic storage was implemented, but medical records, etc. before the enforcement were printed on paper.
If it remains on the film and cannot be operated consistently, or if it is an order entry system

126

Page 134

When only the medical system is operated and it is difficult to store paper etc.

In this section, any of the above applies, that is, "9.2 With a scanner, etc. each time a medical examination, etc."
"When saving electronically", "9.3 Electronically saving paper media, etc. accumulated in the past with a scanner, etc."
Describe common measures in "When".
When digitized with a scanner, etc., no matter how precise the technology is used, the original paper or other medium is used.
It is not equivalent to the body record. Therefore, information that was once operated on a medium such as paper can be scanned with a scanner or the like.
Digitization needs to be done carefully. Operation by mixing electronic information and information such as paper
It should be limited to cases where there are significant obstacles. On the other hand, after digitization, the original medium
It is extremely effective from the viewpoint of ensuring authenticity and storability, and if possible, externally.
It should be considered including storage in. Regarding measures in such cases, see "9.5 (Supplement)"
For convenience of operation, digitization is performed with a scanner, etc., but media such as paper is also stored as it is.
I will describe it in "Go".

C. Minimum guidelines
1. 1. Reduce the amount of information by scanning so as not to interfere with medical work etc.
Optical resolution, sensor to prevent and secure the amount of information required for information that meets storage obligations
Use a scanner that meets certain standards and standards such as service. Also before scanning etc.
Other documents are pasted on top of the target document, or the scanner etc. can be digitized.
Information may be lost due to digitization by scanning due to the existence of information outside the enclosure.
Make sure it is not.
・ In the case of paper media such as medical information provision forms, scan with an accuracy that does not interfere with medical applications.
To do.
・ For high-definition information such as radiation film, the Electronic Information Committee of the Japan Radiological Society
Published "Guidelines for Handling Digital Images 3.0 Edition (April 2015)"
Please refer to it.
・ In addition, various objects such as waveform information such as electrocardiogram and information taken by Polaroid can be considered.
However, it is necessary to have an accuracy that does not interfere with medical work, etc., and we will give due consideration to that point.
That.
・ Image information obtained by scanning general documents is highly versatile and difficult to visualize.
Save in a format that does not. Lossy compression also reduces the accuracy of the image,
When lossy compression is performed, the accuracy should not interfere with medical work, etc., and
Keep in mind that the condition such as damage or dirt on the paper that is the target of the can is also within the range that can be judged.
You have to do it in your head. DICOM is the information obtained by scanning medical images such as radiation films.
Save in an appropriate format such as.
2. In order to prevent tampering, the person in charge of management of medical institutions, etc. should take the following measures.

127

Page 135

-Establish operational management rules for scanning with a scanner.
-The electronic information read by the scanner is equivalent to the information obtained from the original document, etc.
Assign an information creation manager to ensure that.
-When scanned by a scanner, the work manager (executor or administrator) complies with the Electronic Signature Law.
Make electronic signatures, time stamps, etc., without delay, and clarify responsibilities. In addition, it should be noted.
Regarding electronic signatures, "6.12 The name and seal stipulated by law will be digitally signed.
See "About".
3. 3. For the information creation manager, reading work with a scanner is suitable based on the above operation management rules.
Take measures that are surely implemented in a proper procedure.

128

Page 136

9.2 When digitizing and saving with a scanner etc. at each medical examination etc.
B. Way of thinking
In the operation of electronic medical records, etc., while most of the medical care is performed in an electronic state,
It is inevitable to accept medical information provision forms in paper or film media from other hospitals.
If there is a feeling, there is a risk of medical safety problems due to the mixture of media. this
It is expected to be implemented in such cases.
In this case, it is considered that there is no further motivation for tampering after satisfying "9.1 Common Requirements".
It is required that digitization be performed appropriately within a certain period of time.

C. Minimum guidelines
1. In addition to the measures in Chapter 9.1, after the information has been created or obtained to prevent tampering
Scan within a certain period of time.
・ Operation management rules within 1 to 2 days, which are considered to have no motive for falsification within a certain period of time
The scan must be performed without delay for the specified period. Machine for overtime medical treatment, etc.
Scanning is now possible when there are unavoidable circumstances such as the inability to use the vessel.
It will be done without delay at that point.

129

Page 137

9.3 When digitizing and storing paper media, etc. accumulated in the past with a scanner, etc.
B. Way of thinking
We started the operation of electronic medical records and implemented electronic storage, but the medical records before the enforcement are on paper and fill.
It is assumed that there will be cases where it remains in the medium and cannot be operated consistently. Possibility of tampering motive
Unlike the situation of "9.2 When digitizing and saving with a scanner etc. every time medical treatment etc."
It is necessary to take appropriate measures to fulfill the responsibility. All requirements of "9.1 Common requirements"
After satisfying the requirements, it is necessary to carry out a strict audit with the prior consent of the patient.

C. Minimum guidelines
In addition to the measures in Chapter 9.1, implement the following measures.
1. 1. Before digitizing, digitize and save to the target patients with a scanner etc.
Notify the target by posting, etc., and if there is an objection, digitize it with a scanner etc.
Do not do.
2. Be sure to prepare an implementation plan before implementation. The implementation plan should include the following items.
・ Preparation of operation management rules and evaluation of validity (evaluation is external for large-scale medical institutions, etc.)
It should be done by a committee that ensures fairness, including experts in the field (the ethics committee can also be used).
Possible))
・ Identification of work manager
・ Means to inform patients, etc. and response to objections
・ Implementation system including mutual surveillance
-Creation of implementation records and record items (create records that can withstand the audit in the next section)
・ Subsequent selection of auditors and audit items
-The period from digitization by scanning, etc. to the discarding of paper and film, and the method of discarding
3. 3. A system audit engineer or a system audit engineer can perform audits when digitizing with scanners owned by medical institutions, etc.
External supervisor with appropriate abilities such as Certified Information Systems Auditor (ISACA accredited)
To be done by an inspector.

4. When outsourcing to an external operator, select an appropriate operator that can meet the requirements of Chapter 9.1.
To do. To be considered an appropriate business, at least get the privacy mark
It is a business operator who has not caused any problems in information security management or personal information protection in the past.
You need to make sure that. In addition, when implementing it, a system audit engineer or Certified
Auditing by external auditors with appropriate capabilities such as Information Systems Auditor (ISACA accredited)
Please specify in the contract that sufficient safety management will be carried out, including receiving.

130

Page 138

9.4 When storing pre-prepared paper prescriptions electronically with a scanner, etc.
B. Way of thinking
Paper pre-dispensed prescription (based on Article 28, Paragraph 2 of the Pharmacists Act, it is no longer necessary to fill in the dispensing record.
Includes pre-dispensed prescriptions for cases. ) Digitization means stamping or signing a paper prescription.
It means to digitize what has been dispensed.
If you receive a paper prescription at a pharmacy, it will be digitized until it has been dispensed.
It should not be the original (wrong operation example: digitized when the paper prescription is accepted at the pharmacy,
Dispensing is performed using it as the original, and the pharmacist's electronic signature is used as the dispensation.)
In addition, even if the prescription has passed without any particular problem until the end of dispensing, the content will be changed after that.
It cannot be completely denied that a correction will occur (example: I checked the items but forgot to correct it)
Etc.). Therefore, even if it is a pre-dispensed prescription of paper that has been digitized once, the correction will occur.
there's a possibility that.

C. Minimum guidelines
In addition to the measures in Chapter 9.1, implement the following measures.
1. Implement the measures in Chapter 9.2 or 9.3 depending on the timing of digitization of pre-dispensed paper prescriptions.
That.
2. When modifying the "Electronic Paper Dispensed Prescription", "" Original "Electronic Paper Dispensing"
"Pre-prepared prescription" is electronically modified, and "'corrected' digitized paper pre-dispensed prescription"
The electronic signature of the pharmacist is essential for this. When modifying electronically, "" original "electronicization
Correct the electronic signature of "Paper Dispensed Prescription" so that it can be verified correctly.

9.5 (Supplement) For convenience of operation, digitization will be performed with a scanner, etc., but media such as paper will also be used.
When saving as it is

B. Way of thinking
Since it is extremely inconvenient to handle with a medium such as paper, it is digitized with a scanner etc., but paper etc.
When the medium is continuously stored, the digitized information is only reference information and is obliged to be stored.
Etc. are not imposed. However, consideration for personal information protection must be given equally,
In addition, it is also necessary to ensure accuracy that does not interfere with medical work when digitizing with a scanner etc.
Is.

C. Minimum guidelines
1. 1. Reduce the amount of information by scanning so as not to interfere with medical work etc.
To prevent this, use a scanner that meets certain standards such as optical resolution and sensors.

・ In the case of paper media such as medical information provision forms, scan with an accuracy that does not interfere with medical applications.

131

Page 139

That. Although the paper medium is stored separately, this is more accessible than the digitized information.
Ease is inevitable and may be stored externally in some cases.
Therefore, the digitized information can be read as the original document, etc., even for the convenience of operation.
This is because it is required to keep it as long as possible. However, the information originally printed by a printer, etc.
If the readability does not deteriorate even if the scanning accuracy is reduced to some extent, it will be referred to medical treatment.
It is also possible to reduce the scanning accuracy on the premise that the unreadable readability is maintained.
・ For high-definition information such as radiation film, the Electronic Information Committee of the Japan Radiological Society
Published "Guidelines for Handling Digital Images 3.0 Edition (April 2015)"
Please refer to it.
・ In addition, various objects such as waveform information such as electrocardiogram and information taken by Polaroid can be considered.
However, it is necessary to have an accuracy that does not interfere with medical work, etc., and we will give due consideration to that point.
That.
・ Image information obtained by scanning general documents is highly versatile and difficult to visualize.
Save in a format that does not. Lossy compression also reduces the accuracy of the image,
When lossy compression is performed, the accuracy should not interfere with medical work, etc., and
Keep in mind that the condition such as damage or dirt on the paper that is the target of the can is also within the range that can be judged.
You have to do it in your head. Information obtained by scanning medical image information such as radiation film
Save in an appropriate format such as DICOM.
2. The administrator has established the operation management rules, and the scanning work by the scanner is confirmed by the proper procedure.
Take measures that are actually implemented.
3. 3. Inspection of stored paper media, etc. so that we can respond quickly when browsing is urgently needed.
Searchability should be maintained as needed.
Four. To manage the safety of the original paper media and film after digitization.

132

Page 140

10 Operation management

In "operation management", operation management rules are extremely important for fulfilling management responsibility and accountability.
Therefore, operation management rules must be established.

A. Institutional requirements
(1) "Guidance for the proper handling of personal information by medical / nursing-related businesses"
I 6. Ensuring transparency and external clarification of measures taken by medical / long-term care providers
--- Formulate clear and appropriate rules regarding the handling of personal information, and make them externally
It is required to make it public.
--- In the rules regarding the handling of personal information, security management measures related to personal information
Regarding the outline, procedures for disclosure from the person, handling of third-party provision, response to complaints, etc.
It is conceivable to determine concretely.
Ⅲ 4 (2) ① Development and publication of regulations regarding personal information protection
--- Established rules regarding the protection of personal information ---.
The same applies to regulations regarding safety management measures for information systems that handle personal data.
To perform maintenance.
(2) Other requirements
Precautions for electronic storage of medical records, etc.
1 The facility manager establishes and implements operational management rules related to electronic storage of medical records, etc.
That.
2 The following items shall be stipulated in the operation management rules.
(1) Matters concerning the organization, system, and equipment that supervise operation management
(2) Matters concerning the protection of patient privacy
(3) Other matters necessary for proper operation management
(Enforcement Notice 3)

Precautions for external storage using electronic media
1 Managers of hospitals, clinics, etc. that perform external storage establish operational management rules and implement them in accordance with them.
That. If you have already established operational management rules for electronic storage of medical records, etc.,
Correct this as appropriate.
In formulating the operation management rules of 2 1, the operation management rules related to electronic storage of medical records, etc. should be used.
Determine what is needed.
(External preservation revision notice 3)

B. Way of thinking

133

Page 141

There are various forms of medical institutions, etc. depending on the scale, business content, etc., and the operation management rules are also accompanied by it.
Since it is considered that there are various styles and contents, here, follow the description in Chapters 4 to 9 of this manual.
Describes the management items to be determined. General pipes required regardless of whether or not they are stored electronically in (1)
The rationale is "(2) Operation management items for electronic storage, (3) Operation management items for external storage.
(4) Digitization using scanners, etc., and (5) Procedures for creating operation management rules
Is described.
Medical institutions that perform electronic storage should store the management items (1), (2), and (4) externally in addition to electronic storage.
It is necessary for medical institutions, etc. to adopt the management items of (3) together.

C. Minimum guidelines
Include the following items in the operation management rules. In Chapters 4-9 of this guideline, "D. Recommended
Items described in "Guidelines" may be omitted.

(1) General management items
① General rules
a) Philosophy (statement of basic policy and management purpose)
b) Target information
・

List of all information handled by the information system

・

Classification according to the importance of safety management

・

Risk analysis

c) Standards to be adopted and follow changes in information systems

② Management system
a) System administrator, device administrator, operation manager, safety manager, personal information protection manager, etc.
b) Management system for documents such as manuals and contracts
c)

Audit system and audit manager

d) System for accepting complaints and questions from patients and system users
e) Responsibility system for accident countermeasures
f)

System for disseminating education and training to system users

③ Obligations of managers and users
a) Responsibilities of system administrators, device managers, and operation managers
b) Responsibilities of the Audit Officer
c)

User responsibilities
・

For information on how to approach audit trails, see "Audit Trail Guide to Help Protect Personal Information"
-To protect the personal information of your hospital- (Medical Information System Development Center)

134

Page 142

Please refer to.

④ Operation management items in general management
a) Entry / exit management rules such as visitor record / identification and entry / exit restrictions
b) Regulations for management and monitoring of installation areas for information storage devices and access devices
c)

Policy for determining access rights to information

d) Regulations for management (storage, transfer, etc.) of recording media containing personal information
e) Regulations for disposal of media containing personal information
f)

How to prevent risks and respond when they occur

g) Document management rules that stipulate the division of technical and operational measures related to the safety of information systems.
When introducing the system, determine whether to respond technically or by operation
However, the rules to document and manage the contents.
-For information gathering for consideration of technical measures, refer to "Manufacturers" introduced in Chapter 6.2 B.
Please refer to "Medical Information Security Disclosure Checklist".
h) Technical Safety Measures Regulations
・

User identification and authentication method

・

How to distribute security devices such as IC cards

・

Review due to information classification, access authority management, personnel changes, etc.

・

Access log acquisition and audit procedure

・

Time synchronization method

・

Countermeasures against malicious software such as viruses

・

Countermeasures against unauthorized access from the network

・

Password management

i) Matters concerning the use of IoT devices
・ Agreement on risk acceptance regarding lending of IoT devices
・ Roles and contact information of patients and medical institutions in the event of an abnormality
・ Abnormality detection method
・ Security-critical update method
・ Countermeasures against unauthorized connection after use or during suspension
j)

Matters concerning wireless LAN
・ Wireless LAN settings (access restrictions, encryption, etc.)
・ Restrictions on the use of devices that may cause radio interference

k) Regulations on electronic signatures and time stamps
・ Target issued documents, handling rules for electronically signed receipt documents, daily operation management rules
About

135

Page 143

⑤ Safety management measures for business consignment (system operation / maintenance / modification)
a) Safety management and confidentiality clauses in business consignment contracts
b) Safety management measures in case of subcontracting
c)

Work management / supervision and work report confirmation by medical institutions and other related parties in system modification and maintenance
Approval
・ Creation and operation management of an account dedicated to maintenance personnel
・ Check the data access range during work
・ Collection and confirmation of access logs
* See also ⑦ below for remote maintenance.

⑥ About taking out information and information equipment
a) Regulations on information and information equipment to be taken out
b) Information taken out and operation management rules for information equipment
c)

Safety management measures for information and information equipment brought out

d) Countermeasures in case of theft or loss
e) How to make it known to users

⑦ When providing / consigning / exchanging medical information with an external institution
a) Regulations for confirming safety from the technical and operational aspects
b) Management rules for risk countermeasure review documents
c) Determine the demarcation point of responsibility at the time of normal operation with information processing related businesses and when dealing with accidents.
Management of contract documents and maintenance rules for contract status
d) Basic policy of remote maintenance
・ Safety confirmation of remote maintenance system by maintenance company
e) Operation management rules when employees access from outside such as medical institutions
・ Safety management of equipment used for access

⑧ Emergency response such as disasters and cyber attacks
a) Medical information system section in BCP regulations
b) System degeneracy operation management rules
c)

Emergency functions and operation management rules

d) Report destination and list of contents

⑨ Education and training
a) Manual maintenance
b) Regular or irregular system handling, privacy protection and security awareness

136

Page 144

Training on the above
c)

Personal safety management measures for employees
・ Confidentiality agreement with non-medical personnel
・ Personal information protection regulations after employee retirement

⑩ Audit
a) Audit details
b) Duties of Audit Officer
c)

Access log audit

⑪ Review of regulations
a) Periodic review procedure of operation management rules

(2) Operational management items for electronic storage
① Authenticity
a) Identification and authentication of inputters and confirmed persons
b) Record confirmation procedure and identification information recording
c)

Save update history

d) Approval record of proxy input
e) Equipment / software quality control and internal audit rules for operating conditions

② Ensuring readability
a) Information location management
b) Management of reading means
c)

Response time and throughput according to reading purpose

d) System failure countermeasures
・

Redundancy

・

backup

・

Emergency response

③ Ensuring storage stability
a) Management of software / equipment / media (for example, installation location, locking management, periodic inspection, c)
Ilscheck, etc.)
・ Measures to prevent information destruction and confusion due to viruses and inappropriate software
b) Measures to prevent information loss and destruction due to improper storage and handling
・ Backup, work history management
c)

Measures to prevent unreadable or incomplete reading due to deterioration of recording media and equipment

137

Page 145

d) Measures to prevent irrecoverable due to inconsistency of media, equipment and software
-Preparing for database inconsistency and device / media compatibility during system migration
Rules for creating business plans when changing or migrating systems

④ Ensuring interoperability
a) Measures to ensure data compatibility when modifying the system
b) Measures to ensure data compatibility when updating the system

(3) "Management items as a medical institution, etc." for external storage via a network
For external storage using portable media and external storage using paper media, refer to this section.
Create a matter.

① Management system and responsibility
a) Entrusted business operator selection rules, rules stating the grounds judged to be "conforming" at the time of selection
・ If the contractor is not a medical institution, etc., see "8.1.2 Selection of an institution that entrusts external storage.
Please refer to the requirements described in "Standards and Standards for Handling Information".
・ Select an institution that corresponds to a safe place secured based on a contract with a private business operator, etc.
In that case, the information processing-related business operator such as a data center has set the "medicine" specified by the Ministry of Economy, Trade and Industry.
"Guidelines for information processing companies that manage medical information on consignment" and established by the Ministry of Internal Affairs and Communications
"Guidelines for Information Security Measures in ASP / SaaS" and "ASP / SaaS"
Complies with "Guidelines for Safety Management when Businesses Handle Medical Information"
Regulations to confirm that
b) Manager in medical institutions, etc.
c)

Audit system for contractors

d) Demarcation point of responsibility with contractors, line operators, etc.
e) Management responsibility, accountability, regular review of contractors, line operators, etc. as necessary
Document creation and storage such as contracts that clearly state the scope of responsibility for improvement
f)

Responsibility for dealing with inconvenient situations and responsibility for isolating the faulty part
Document creation and storage of contracts, etc.
・ If the contractor is not a medical institution, etc., "8.1.2 Of the institution that outsources external storage"
Please refer to the requirements described in "Selection Criteria and Criteria for Handling Information".

g) Criteria for selecting documents that are outsourced for storage

(2) Processing at the end of the external storage contract
a) Regulations on processing methods that do not leave medical records, etc. to contractors

138

Page 146

・ Contracts that medical records, etc. will not remain in the contracted business, confirmation by the administrator

③ Ensuring authenticity
a) Adoption of mutual authentication function
b) Guarantee function that has not been "tampered with" on the telecommunications line

④ Ensuring readability
a) Confirmation of the same item (2) ② as storage in the facility
b) Means for ensuring readability of medical information that is expected to be urgently needed (recommended)
c)

Means for ensuring readability of medical information that is not urgently needed (recommended)

⑤ Ensuring storage stability
a) Preservation confirmation function by the business operator that outsources external preservation
Confirmation of the same items as storage in the facility (2) ③④
b) Adoption of standard data formats and transfer protocols (recommended)
c)

Data format and transfer protocol version control and continuity assurance

⑥ Protection of personal information while transmitting personal information such as medical records over telecommunication lines
a) Appropriate encryption for confidentiality
b) Authentication for identifying the start and end points of communication

⑦ Protection of personal information within the institution that entrusts the external storage of medical records, etc.
a) Protection of personal information at institutions that outsource external storage
b) Prohibition of access to medical records, etc. at institutions that outsource external storage
If the contractor is not a medical institution, etc., see "8.1.2 Selection of an institution that outsources external storage."
Please refer to the requirements described in "Standards and Standards for Handling Information".
c)

Access notification for troubleshooting

d) Access log integrity and access bans

⑧ Explanation to the patient
a) Explanation method before starting medical treatment
b) Explanation method when it is difficult to obtain the patient's understanding but there is a medical urgency
c)

Explanation when it is difficult to obtain the patient's understanding but there is no particular urgency in medical treatment
Method

⑨ Audit items for contractors

139

Page 147

a) Preservation record (content, period, etc.)
b) Control measures and implementation status audits by contractors

(4) When storing electronically with a scanner, etc.
(1) Regulations for documents to be read by the scanner
(2) Appointment of an information creation manager that guarantees that the electronic information read by the scanner is equivalent to the original
③ Conforms to the electronic signature method of the person in charge of work (executor or administrator) on the electronic information read by the scanner.
Digital signature / time stamp
④ Regulations regarding the timing of scanning each time a medical examination is conducted.
⑤ Implementation procedure rules for digitizing documents accumulated in the past

(5) In creating the operation management rules
Operation management rules are formulated for each medical institution, etc. in order to operate the system properly.
It is. That is, it is formulated based on voluntary judgment according to the situation of each medical institution, etc.
Is. Of course, it is possible to create your own from scratch, but the completeness of the items to be described
Since it is expected that it will be difficult to secure, the draft operation management rules are attached to Appendix 1 to Appendix 3.
To
Appendix 1 is an example of general operation management implementation items regardless of whether or not they are stored electronically, and Appendix 2 is electronic.
This is an example of operation management implementation items for storage, and Appendix Table 3 is added in the case of external storage.
This is an example of operation management items to be implemented.
Therefore, in the case of external storage, the items in Appendix 1 to Appendix 3 should be included in the operation management rules.
You will need it.
The “Operational Management Regulations” do not have to be a single independent document. Used in actual operation
Among the documents that define the management rules to be used, those described in this guideline and summarized in this chapter.
It suffices if the contents are described. However, in consideration of daily operation or review and revision, business
It is important that the units are organized in an easy-to-understand manner.
The recommended procedure for creating the operation management rules is as follows.

Step 1: Create the overall structure and table of contents
When deciding the overall chapter structure and section structure, the items in this chapter and the "Operation management items" and "Implementation" in the attached table
Refer to "Items" and create the overall configuration by considering the uniqueness of each medical institution.
At this time, not only the operation management rules regarding the electronic storage and external storage systems, but also the medical information
It is important to configure the comprehensive operation management rules for the entire information system.

Step 2: Create operation management rules
To create the operation management rule sentence, refer to the "Example of operation management rule sentence" in the attached table.

140

Page 148

In particular, for large / medium-sized hospitals and small-scale hospitals / clinics, the expression of operation management rules is large.
Assuming that they are very different, the "Target category" column is provided in the attached table. For large / medium-sized hospitals
In the case of small hospitals / clinics, select the operation management rule example of the target categories A and B.
It is recommended to select the example of the operation management rules for A and C in the target category.

Step 3: Overall review and confirmation evaluation
At the stage when the entire operation management rules are created, a review is conducted with internal parties such as medical institutions.
In addition, evaluate and improve whether implementation and operation are possible from a comprehensive perspective.
It should be noted that the operation management rules are not simply formulated, but are formulated (Plan).
Operate based on management rules (Do), carry out appropriate audits (Check), and perform as necessary
We have to improve (Action). Improvement while properly rotating this PDCA cycle
It is important to carry out continuous operation with activities.

141

Page 149

Supplementary Provision 1 When external storage using electronic media is performed using portable media
When storing information electronically stored on a portable medium to the outside, entrust it with a medical institution, etc.
Institutions are not connected online, so spoofing and eavesdropping based on threats on telecommunications lines,
There is little risk of information leakage due to falsification or major rewriting, and if operated carefully
Ensuring authenticity can be easier.
The safety of storage on portable media is generally superior to the safety of storage on paper or film.
It can be said that. Since the contents cannot be seen even by visually observing the medium, the confidentiality during transportation is relatively certain.
Easy to keep. Use a medium such as security MO that allows access control by password
The more confidential it becomes.
Therefore, in general, it is a big problem if it complies with the standard of external storage on paper media in Appendix 2.
It is considered that there is no such thing. However, we will be careful about changes in the durability of portable media over time.
There is a need to. In addition, since the amount of information stored in each medium is extremely large, the medium remains.
If lost, the amount of information lost or leaked will increase, so more careful handling is required.
In addition, documents that do not have the obligation to store, such as backup of medical records, etc., are externally stipulated by law.
When storing in, it should be treated in the same way as a document that is obliged to store from the viewpoint of personal information protection.
Is.

Supplementary Provision 1.1 Compliance with 3 Standards for Electronic Storage
A. Institutional requirements
Must meet the criteria for ensuring the authenticity, readability and preservation of records such as medical records
thing.
(External Preservation Amendment Notification No. 21 (1))

B. Way of thinking
Authenticity, readability, and maintenance required when electronically storing medical records, etc. inside medical institutions, etc.
It is thought that it is possible to deal with it by ensuring its existence, but in addition to this, it receives transportation and external storage.
It is necessary to pay particular attention to the handling at the entrusted organization and when an accident occurs.
Specifically, the following measures are required.

(1) Ensuring authenticity against failures during transportation and institutions that outsource external storage
(2) Ensuring readability for obstacles during transportation and for institutions that outsource external storage
(3) Ensuring storage stability during transportation and against failures of institutions that outsource external storage

C. Minimum guidelines
(1) Ensuring authenticity against failures during transportation and institutions that outsource external storage
(1) Record the transfer of portable media at the transportation company such as the outsourced medical institution and the outsourced institution.

142

Page 150

thing.
It is possible to reliably record the transfer and storage status of portable media and prevent accidents, loss and theft.
is necessary. In addition, it is necessary to prevent confusion by distinguishing it from other stored documents.
Must be.

② Make clear records when changing or updating media.

(2) Ensuring readability for obstacles during transportation and for institutions that outsource external storage
① Do not interfere with medical treatment
When patient information is stored externally on a portable medium, it takes a certain amount of time to access the information.
Although it is necessary, information such as medical records is urgently needed in preparation for sudden changes in the patient's condition and emergency response.
It is also necessary to assume that it will be.
In general, "when specific medical information is required immediately for medical treatment" means continuous medical treatment.
In such cases, the patient's medical information is urgently needed because it is the case.
For information on medical treatment that is expected to be, and the time required for transportation becomes a problem,
It is necessary to save it inside Rakajime. Also, even if it is saved externally, the saved information will be duplicated or
Information that has substantially the same content as that should be stored inside the outsourced medical institution, etc.
There must be.

② Do not interfere with audits, etc.
Audits, etc. are generally scheduled in advance and are not required to be urgent.
Therefore, it seems that there is no problem unless it is stored externally in a distant place where it takes a lot of time to transport.
Is done.

(3) Ensuring storage stability during transportation or in the event of a failure of an organization that outsources external storage
① Adoption of standard data format
Data can be reliably migrated to ensure interoperability with system updates, etc.
As such, it is desirable to use a standard data format.

② Measures against deterioration of media
Considering the storage conditions of the medium, for example, in the case of magnetic tape, read and write regularly, etc.
It is necessary to take measures against deterioration.

③ Measures against obsolescence of media and equipment
If the medium or device becomes obsolete, it will be difficult to read the recorded information.
There is. Therefore, in response to the obsolescence of media and equipment, we will shift to new media and equipment.

143

Page 151

Is desirable.

Supplementary Provision 1.2 Protection of Personal Information
A. Institutional requirements
(Safety management measures)
Businesses handling personal information prevent leakage, loss or damage of the personal data they handle.
Necessary and appropriate measures must be taken for the security management of other personal data.
(Supervision of contractor)
When a business operator handling personal information outsources all or part of the handling of personal data,
Necessary for the outsourced person so that the personal data outsourced to be handled can be safely managed.
Necessary and appropriate supervision must be provided.
(Articles 20 and 22 of the Personal Information Protection Law)

Pay close attention to the privacy protection of patients and ensure the protection of personal information.
(External Preservation Amendment Notification No. 21 (3))

B. Way of thinking
The revised Personal Information Protection Law was enacted, and in the medical field, "Individuals in medical / nursing care businesses"
Guidance for the proper handling of information ”has been formulated. Health information handled in medical treatment
Since it is extremely sensitive information to privacy, please refer to the above guidance and take sufficient safety control measures.
It is necessary to carry out.
If medical records, etc. are stored inside the medical institution, etc., the administrator of the medical institution, etc. (director, etc.)
Personal information is protected by the supervision.
However, when storing externally using a portable medium, the authority and responsibility of the administrator of the outsourced medical institution, etc.
Since the scope of responsibility extends to other facilities different from your own facility, it is necessary to give further consideration to the protection of personal information.
Is.
Regarding matters related to the protection of patient's personal information, when the legal retention period for medical records, etc. has expired,
In that case, even if the contract period with the institution that entrusts the external storage has expired, as long as the personal information exists
You need to be careful. The same applies to the handling of personal information in backup information.
Operation system is required.
Specifically, the following measures are required.

(1) Protection of personal information when recorded portable media such as medical records are transported
(2) Protection of personal information within the institution that entrusts the external storage of medical records, etc.

C. Minimum guidelines

144

Page 152

(1) Protection of personal information when recorded portable media such as medical records are transported
When recording medical records on a portable medium and transporting it, the portable medium may be lost or mixed with other transported items.
It is necessary to be careful about the same.

① Prevention of loss of portable media that records medical records, etc.
By taking measures such as locking the transport vehicle and sealing the transport case, etc.
To reduce the risk of loss.
(2) Prevention of confusion between portable media containing medical records, etc. and other transported items
If confusion with other items is expected, divide them into different cases and systems from other items.
Or reduce the risk by not transporting at the same time.
③ Contract regarding confidentiality with the carrier
Medical institutions that outsource external storage provide personal information to institutions and carriers that outsource storage.
Obliged to manage to comply with protection laws. Therefore, the division of responsibilities between the two will be clarified.
In addition, specify matters related to confidentiality in the contract.

(2) Protection of personal information within the institution that entrusts the external storage of medical records, etc.
The institution that outsources the preservation entrusts the preservation in response to a request from the outsourced medical institution, etc.
When providing a service to search for personal information in medical records, etc. and return the results, etc.
Or, when recording the transfer of recorded portable media such as medical records, a failure occurs in the outsourced institution.
When it is born, it may be necessary to access medical records. like this
In such cases, it is necessary to pay attention to the following matters.

① Prohibition of access to medical information at institutions that outsource external storage
Strict protection of personal information such as medical records at institutions that outsource the storage of medical records, etc.
Need to do. Even if you are the administrator of the entrusted institution, the personal information entrusted to be stored will be
We need a mechanism that cannot be accessed without good reason.

② Access notification when a failure occurs
In the event of a failure in the equipment that stores medical records, etc., it is unavoidable to add medical records, etc.
Even if you need to access, the same secret as personal information such as medical records at medical institutions etc.
At the same time as keeping it tight, you must ask for permission from a medical institution that has outsourced storage.
I.

③ Contract regarding confidentiality with an organization that outsources external storage
Institutions that outsource the storage of medical records, etc. have a legal obligation of confidentiality.
To clarify the division of responsibilities between the outsourced medical institution, etc., the outsourced institution, and the carrier.

145

Page 153

In addition, it is necessary to specify matters related to confidentiality in the contract.

④ Responsibility of medical institutions that outsource external storage
Regarding the protection of personal information such as medical records, medical devices that are ultimately obliged to store medical records, etc.
Seki, etc. must take responsibility. Therefore, the outsourced medical institution, etc. is the outsourced institution.
Request the implementation of measures to protect personal information in the contract, etc., and check the implementation status
Need to supervise.

D. Recommended guidelines
It is recommended to take the following measures in addition to "C. Minimum guidelines".

Explanation to patients regarding the implementation of external preservation
Medical institutions, etc. that outsource the external storage of medical records, etc., treat patients in advance as necessary.
Regarding the safety and risk of personal information of a person being sent to a specific trustee and stored
It is necessary to explain and gain understanding through the in-hospital bulletin board, etc.

① Explanation before the start of medical treatment
It should be done before collecting personal information from the patient, including the condition, medical history, etc.
Explain that the department is being preserved through in-hospital notices, etc., and after gaining understanding, start medical treatment.
Need to be.

(2) When it is difficult to explain to the patient, but there is an urgency in medical treatment
When it is difficult to explain to the person due to consciousness disorder or dementia, there is an urgency in medical treatment.
In some cases, prior explanation is not always required. Explain after the fact when consciousness is restored
Need to be done and gained understanding.

③ When it is difficult to explain to the patient and gain understanding, but there is no particular urgency in medical treatment
In principle, if it is difficult to obtain the consent of the person, including infants, and there is no urgency.
It is necessary to explain to parents and guardians and gain their understanding. Suspected abuse by parental authority
If it is difficult to explain, such as when there is no guardian, it is difficult to explain in the medical record etc.
It is desirable to specify the reason.

Supplementary Provision 1.3 Clarification of Liability
A. Institutional requirements
External storage is the responsibility of hospitals, clinics, etc. that are obliged to store medical records.

146

Page 154

In addition, clarify the responsibility in the event of an accident.
(External Preservation Amendment Notification No. 21 (4))

B. Way of thinking
Responsibility even when storing medical records, etc. in an electronically recorded portable medium at an external institution
The way of thinking is "4.1 Responsibility for information protection of medical institution managers" and "4.2 Entrustment and third parties"
It is necessary to organize in the same way as "demarcation of responsibility in provision".
According to these ideas, some of the actual management and partial explanations will be with the outsourced institution or carrier.
It is considered that there is no problem in sharing between them.
Also, in the unlikely event of an accident, the liability to the patient becomes the ex post liability in Chapter 4.1.
Accountability lies with the outsourced medical institution. However, it fulfills its responsibility to take appropriate measures.
However, if the demarcation point of responsibility in Chapter 4.2 is clarified in advance, the contracting organization, carrier, etc.
It is natural that the medical institution to be outsourced bears the responsibility stipulated in the contract, etc.
If you violate it, you will be responsible for it.
Specifically, the following measures are required.

(1) Clarification of responsibilities in normal operation
(2) Clarification of post-responsibility

C. Minimum guidelines
(1) Clarification of responsibilities in normal operation
① Accountability
Sufficiently for patients and society regarding the management and operation system of the storage system including users
On the premise that the outsourced medical institution will take the initiative in explaining the responsibility.
While paying attention to the protection of personal information, let the carrier or the outsourced organization give the actual explanation.
There is no problem with that.

② Management responsibility
Selection and introduction of equipment used for recording and storage on media, operation and management including users
Before the outsourced medical institution, etc. takes the initiative in dealing with responsibilities related to science, etc.
While paying attention to the protection of personal information, the actual management is carried out by the carrier or the institution that outsources it.
There is no problem in letting them do it.

③ Responsibility for regular review and improvement as necessary
Rather than transporting it on a portable medium and keeping it stored externally, the status of operation management is regularly monitored.
Audits should be conducted, problems should be identified, and if there are any points that need to be improved, they must be improved.

147

Page 155

Therefore, managers of medical institutions, etc. always re-evaluate and reexamine the current operation management in general.
It needs to be laid down.

(2) Clarification of post-responsibility
Regarding the external storage of medical records, etc., the outsourced medical institutions, outsourced institutions and carriers
While referring to "4.2 Demarcation of Responsibilities in Entrustment and Provision to Third Parties", manage and take responsibility
Clearly stipulate and exchange the following matters in contracts, etc.

・ Determining the timing to save medical records, etc. generated at the outsourced medical institution to an external institution
Action to start operations related to constant and series of external saves
・ Methods and management methods for giving and receiving portable media between outsourced medical institutions and transporters
・ What to do if there is a problem in transporting portable media due to an accident, etc.
・ What to do if there is an information leak during transportation
・ Method and management method when the consigned institution and the carrier (industry) give and receive portable media
・ When a search service using personal information is provided by a contracted institution, work records and audit methods,
Provisions regarding confidentiality, including after retirement of handling employees, suffering from information leakage
Responsibility when there is an inquiry from a person
・ The entrusted institution may return the portable medium at the request of the entrusted medical institution, etc.
What to do if you can't
・ When a patient directly requests an inquiry, complaint, or disclosure from an institution that outsources external storage.
How to deal with

Supplementary Provision 1.4 Processing at the end of the external storage contract
From the viewpoint that medical records, etc. are highly personal information, we will outsource when external storage is terminated.
Certain consideration must be given to both medical institutions and contracted institutions.
There should be some deadline for the start of external storage, and the end of external storage is also a premise.
Must be done on the basis of. The deadline may have a specific date
However, it is possible that certain conditions such as XX years after the end of a series of medical treatments are indicated.
In any case, medical institutions that outsource the external storage of medical records, etc. are stored in the outsourced institution.
Regularly check medical records, etc. that are available, and promptly process medical records, etc. that must be stored externally.
After that, it is necessary to audit whether the processing was carried out strictly. In addition, the contracting organization is also
Strictly handle and process stored medical records, etc. at the request of outsourced medical institutions, etc.
It is necessary to clearly indicate to the medical institution that entrusts the fact.
Not surprisingly, these disposal provisions are entrusted to the doctor before starting external storage.
It is also necessary to specify in the contract exchanged between the medical institution and the outsourced institution. Also,
In preparation for actual disposal, a document that clarifies the procedure such as the disposal program should be created in advance.

148

Page 156

Is.
It is the agreed period to require strict treatment from both the outsourced medical institution and the outsourced institution.
This is because retaining personal information beyond that can be a problem in terms of protecting personal information.
It should be noted that this is sufficient.
In addition, if you are implementing a search service for patient's personal information, you can use a ledger for searching.
Alternatives and search records must also be disposed of in a confidential manner.
Furthermore, the responsibilities of the outsourced medical institutions and the outsourced institutions are as described above.
Because it is stored in portable media, it is not exempt from liability for disposal.
It is necessary to pay sufficient attention.

149

Page 157

Supplementary Provision 2 When saving externally on paper media
Paper media does not only refer to paper, but also includes physical media such as X-ray films that are not electronic media.
Mu. Due to advances in testing technology, the number of medical records that must be stored at medical institutions has increased.
In many cases, it is difficult to secure a storage place for it. Originally, preservation of medical records, etc. stipulated by law
Aims to be used effectively as well as evidence, and should be preserved in an orderly manner.
It is.
Under certain conditions, medical records, etc., which are still in conventional paper media, are stored in a place other than the medical institution, etc.
However, in this case, the storage location is the same as for storage on portable media, medical equipment.
It is not limited to Seki.
However, medical records, etc. contain highly confidential personal information, and there is no delay when necessary.
Must be available. Personal information exists if the storage location is other than the medical institution concerned
As the location will expand, it is necessary to clarify the operation management system for external storage. Well
Also, the farther the storage location is, the longer it takes to transport medical records and make them available.
Of course, care must be taken not to interfere with medical treatment.
In addition, paper and film should be transported carefully. What is a portable medium to see the contents
It requires some equipment, but the paper or film is simply exposed and personal information is easily leaked.
This is because that.

Supplementary Provision 2.1 Ensuring Usability
A. Institutional requirements
Considering that records such as medical records are used for medical treatment, it is immediately beneficial if necessary.
Secure a system that can be used.
(External Preservation Amendment Notification No. 22 (1))

B. Way of thinking
Generally, medical records are used for medical treatment, explanations, audits, proceedings, etc. of patients, but everywhere.
If it is interpreted that medical records, etc. can be used immediately at any time, it is virtually outside.
It is impossible to save the part.
From the point of view of using it for medical treatment, if you need a specific medical record immediately,
There are cases where it is easily predicted that there will be an urgent need, such as patients who continue to receive medical care.
Is done. Specifically, the following measures are required.

(1) Transport time for medical records, etc.
(2) Storage method and environment

150

Page 158

C. Minimum guidelines
(1) Transport time for medical records, etc.
When using medical records stored externally for medical treatment, delays in transportation may hinder medical treatment.
It is necessary to take measures to prevent it from being damaged.

① Location of external storage
Do not store externally in an engine that takes a long time to transport.

② Save duplicates and summaries
Medical records, etc. that are expected to be urgently needed when medical treatment is continued.
Even if it is stored internally or externally, it can be copied or copied so as not to interfere with medical treatment.
Make abstracts available internally.
In addition, even if the patient continues to receive medical treatment, for example, hospitalization is completed and appropriate withdrawal is required.
If an admission summary is created and available, the medical records at admission itself are urgently needed.
The possibility of becoming is reduced. If a certain amount of time has passed, even if it is stored outside, it will hinder medical treatment.
It is considered that it will not cause any problems.

(2) Storage method and environment
① Prevention of confusion with other stored documents such as medical records
Save medical records, etc. separately from other stored documents so that you can select them according to the required usage unit.
Must be managed.

② Construction of an appropriate storage environment
Appropriate storage environment and conditions to prevent deterioration, damage, loss, theft, etc. of medical records, etc.
Must be built and maintained.

Supplementary Provision 2.2 Protection of Personal Information
A. Institutional requirements
(Safety management measures)
Businesses handling personal information prevent leakage, loss or damage of the personal data they handle.
Necessary and appropriate measures must be taken for the security management of other personal data.
(Supervision of contractor)
When a business operator handling personal information outsources all or part of the handling of personal data,
Necessary for the outsourced person so that the personal data outsourced to be handled can be safely managed.
Necessary and appropriate supervision must be provided.
(Articles 20 and 22 of the Personal Information Protection Law)

151

Page 159

Pay close attention to the privacy protection of patients and ensure the protection of personal information.
(External Preservation Amendment Notification No. 22 (2))

B. Way of thinking
The revised Personal Information Protection Law was enacted, and in the medical field, "Individuals in medical / nursing care businesses"
Guidance for the proper handling of information ”has been formulated. Health information handled in medical treatment
Since it is extremely sensitive privacy information, please refer to the above guidance and take sufficient safety management measures.
It is necessary to carry out.
If medical records, etc. are stored inside the medical institution, etc., the administrator of the medical institution, etc. (director, etc.)
Personal information is protected by the supervision. However, to the outside as a medium such as paper or film
When saving, the scope of authority and responsibility of the administrator of the medical institution to be entrusted is different from that of the own facility.
Since it is set up, it is necessary to give further consideration to the protection of personal information.
Regarding matters related to the protection of patient's personal information, when the legal retention period for medical records, etc. has expired,
In that case, even if the contract period with the institution that entrusts the external storage has expired, as long as the personal information exists
You need to be careful. The same applies to the handling of personal information in backup information.
Operation system is required.
Specifically, the following measures are required.

(1) Protection of personal information when medical records, etc. are transported
(2) Protection of personal information within the institution that entrusts the external storage of medical records, etc.

C. Minimum guidelines
(1) Protection of personal information when medical records, etc. are transported
When transporting medical records, etc., it is necessary to be careful about loss and confusion with other transported items.

① Sealing medical records and preventing loss
Medical records, etc. are for transportation, such as locking the transportation vehicle to prevent visual leakage of information.
Seal the case. In addition, we decided to take measures such as keeping records of the transfer of medical records, etc.
Therefore, reduce the risk.

② Prevention of confusion with transported items such as medical records
Confused by separating the items from other items into different cases or systems, or by not transporting them at the same time.
To reduce the risk of.

③ Contract regarding confidentiality with the carrier

152

Page 160

The company that transports medical records, etc. is entrusted because it is obliged to keep confidential under the Personal Information Protection Law.
In addition to clarifying the division of responsibilities between medical institutions, etc.
Specify matters related to confidentiality in the contract.

(2) Protection of personal information within the institution that entrusts the external storage of medical records, etc.
At institutions that outsource the storage of medical records, etc., at the request of the outsourced medical institutions, etc.
If you want to search for medical records, etc., and provide a service that returns the necessary information,
In addition, when taking records of the transfer of medical records, etc., the contents of medical records, etc. can be checked, and individual patients can be checked.
There is a possibility of viewing personal information.
(1) When there is a possibility of viewing the patient's personal information within the institution that entrusts the external storage
Institutions that outsource the storage of medical records, etc. and provide search services, etc. are the most suitable for implementing the services.
Only browse necessary information, and do not browse other information. Also information
The person who browses is limited to a specific person in charge, and no other person should browse it.
Furthermore, the institution that outsources the external storage is obliged to manage safety under the Personal Information Protection Law.
Matters concerning confidentiality or obstacles between the outsourced medical institution, etc. and the carrier
It is necessary to conclude a contract regarding the joint responsibility system.

(2) When there is no possibility of viewing the patient's personal information within the institution that entrusts the external storage
Institutions that outsource the storage of medical records, etc. exclusively manage transport cases and storage cases.
It should be done, and you should not check the contents of medical records, etc., or browse the patient's personal information.
Absent. In addition, regarding these matters, a contract is signed between the outsourced medical institution, etc. and the carrier.
Need to tie.

③ Responsibility of medical institutions that outsource external storage
Regarding the protection of personal information such as medical records, medical devices that are ultimately obliged to store medical records, etc.
Seki, etc. must take responsibility. Therefore, the outsourced medical institution, etc. is the outsourced institution.
Request the implementation of measures to protect personal information in the contract, etc., and check the implementation status
Need to supervise.

D. Recommended guidelines
( 1 ) Explanation to patients regarding the implementation of external preservation
Medical institutions, etc. that outsource the external storage of medical records, etc., respond to patients in advance as necessary.
The safety of the patient's personal information being sent to and stored at a specific trustee.
It is necessary to explain and gain understanding through in-hospital notices, etc., including risks and risks.

① Explanation before the start of medical treatment

153

Page 161

It should be done before collecting personal information from the patient, including the condition, medical history, etc.
Start medical treatment after explaining that the department is being preserved through in-hospital notices, etc. and gaining understanding.
thing.

(2) When it is difficult to explain to the patient, but there is an urgency in medical treatment
When it is difficult to explain to the person due to consciousness disorder or dementia, there is an urgency in medical treatment.
In some cases, prior explanation is not always required. Explain after the fact when consciousness is restored
Need to be done and gained understanding.

③ When it is difficult to explain to the patient and gain understanding, but there is no particular urgency in medical treatment
If it is difficult to explain and understand the person, including infants, and there is no urgency,
As a general rule, it is necessary to explain to parents and guardians and gain their understanding. Suspected abuse by parental authority
If it is difficult to explain, such as when you are asked or there is no guardian, the explanation will be given in the medical record etc.
It is desirable to specify the reason for the difficulty.

Supplementary Provision 2.3 Clarification of Liability
A. Institutional requirements
External storage is the responsibility of hospitals, clinics, etc. that are obliged to store medical records.
In addition, clarify the responsibility in the event of an accident.
(External Preservation Amendment Notification No. 22 (3))

B. Way of thinking
Even when storing medical records, etc. in an external institution, the way of thinking about responsibility is "4.1 Medical equipment".
Regarding the information protection responsibility of managers such as Seki, etc. ”and“ 4.2 Demarcation of responsibility in entrustment and provision to third parties ”
It needs to be organized in the same way.
According to these ideas, some of the actual management and partial explanations will be with the outsourced institution or carrier.
It is considered that there is no problem in sharing between them.
Also, in the unlikely event of an accident, the liability to the patient becomes the ex post liability in Chapter 4.1.
Accountability lies with the outsourced medical institution. However, it fulfills its responsibility to take appropriate measures.
However, if the demarcation point of responsibility in Chapter 4.2 is clarified in advance, the contracting organization, carrier, etc.
It is natural that the medical institution to be outsourced bears the responsibility stipulated in the contract, etc.
If you violate it, you will be responsible for it.
Specifically, the following measures are required.

(1) Clarification of responsibilities in normal operation
(2) Clarification of post-responsibility

154

Page 162

C. Minimum guidelines
(1) Clarification of responsibilities in normal operation
① Accountability
Responsibility to fully explain the management and operation system including users to patients and society
Protecting personal information on the premise that the outsourced medical institution will take the initiative in dealing with it.
It is problematic to let the carrier or the outsourced organization give the actual explanation while paying attention to
Absent.

② Management responsibility
A medical institution that outsources responsibility for the operation and management of external storage of medical records, etc.
In fact, while paying attention to the protection of personal information, on the premise that etc. will take the initiative in responding.
There is no problem in letting the carrier or the contracting organization manage the above.

③ Responsibility for regular review and improvement as necessary
Rather than transporting medical records, etc. and keeping them externally, the status of operation management is regularly monitored.
Audit, identify problems, and improve if there are any points that need to be improved.
I.
Therefore, managers of medical institutions, etc. always re-evaluate and reexamine the current operation management in general.
It needs to be laid down.

(2) Clarification of post-responsibility
Regarding the external storage of medical records, etc., the outsourced medical institutions, outsourced institutions and carriers
In between, refer to "4.2 Demarcation of Responsibilities in Entrustment and Provision to Third Parties" and establish a management / responsibility system.
Clearly stipulate and exchange the following matters in contracts, etc.

・ Determining the timing to save medical records, etc. generated at the outsourced medical institution to an external institution
Action to start operations related to constant and series of external saves
・ Method and management method when giving and receiving medical records, etc. between the outsourced medical institution, etc. and the transport (business) person
・ What to do if there is a problem in transporting medical records due to an accident, etc.
・ What to do if there is an information leak during transportation
-Methods and management methods for giving and receiving medical records, etc. between the outsourced institution and the carrier (business).
・ When a search service using personal information is provided by a contracted institution, work records and audit methods
・ Regulations regarding confidentiality including after retirement of handling employees, suffering from information leakage

155

Page 163

Responsibility when there is an inquiry from a person
・ The entrusted institution may return medical records, etc. at the request of the entrusted medical institution, etc.
What to do if you can't
・ When a patient directly requests an inquiry, complaint, or disclosure from an institution that outsources external storage.
How to deal with

Supplementary Provision 2.4 Processing at the end of the external storage contract
From the viewpoint that medical records, etc. are highly personal information, we will outsource when external storage is terminated.
Certain consideration must be given to both medical institutions and contracted institutions.
There should be some deadline for the start of external storage, and the end of external storage is also a premise.
Must be done on the basis of. The deadline may have a specific date
However, it is possible that certain conditions such as XX years after the end of a series of medical treatments are indicated.
In any case, medical institutions that outsource the external storage of medical records, etc. are stored in the outsourced institution.
Check the medical records, etc. that are available on a regular basis, and promptly process the medical records, etc. that must be stored externally.
After reasoning, it is necessary to audit whether the processing was carried out strictly. In addition, the outsourced institution
However, at the request of the outsourced medical institution, etc., the stored medical records, etc. are strictly handled and processed.
It is necessary to clearly indicate to the medical institution that entrusts the fact that it has been done.
Not surprisingly, these disposal provisions are entrusted to the doctor before starting external storage.
It is also necessary to specify in the contract exchanged between the medical institution and the outsourced institution. Also,
In preparation for actual disposal, a document that clarifies the procedure such as the disposal program should be created in advance.
Is.
It is the agreed period to require strict treatment from both the outsourced medical institution and the outsourced institution.
This is because retaining personal information beyond that can be a problem in protecting personal information.
It should be noted that this is sufficient.
In addition, if you are implementing a search service for patient's personal information, you can use a ledger for searching.
Alternatives and search records must also be disposed of in a confidential manner.
Furthermore, the responsibilities of the outsourced medical institutions and the outsourced institutions are as described above.
It is not exempt from liability for disposal just because it is stored on paper media.
It is necessary to pay attention to the minute.

156

