Roche cobas infinity central lab User guide

cobas

®

infinity central lab

EU GDPR Compliance Guide

Software version 3.03 and higher

Publication version 2.0

2

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Publication information

Publication version Software version Revision date Change description

1.0 >1.2.0 July 2018 First edition

2.0 >3.03 December 2020

• Reference material number, GTIN number and intended

use updated

• Migration from screenshots to illustrations.

• Cover page information updated.

y Revision history of GDPR Compliance Guide

Edition notice

This publication is intended for operators of the cobas

®

infinity central lab.

Every effort has been made to ensure that all the

information contained in this publication is correct at the

time of publishing. However, the manufacturer of this

product may need to update the publication information

as output of product surveillance activities, leading to a

new version of this publication.

Where to find information

The User Assistance contains all information about the

product, including the following:

• Safety

• Routine operation

• Configuration information

The User Guide focuses on routine operation. The

chapters are organized according to the normal

operation workflow.

General attention

To avoid incorrect results, ensure that you are familiar

with the instructions and safety information.

r Pay particular attention to all safety notices.

r Always follow the instructions in this publication.

r Do not use the software in a way that is not described

in this publication.

r Store all publications in a safe and easily retrievable

place.

Training

Do not carry out operation tasks or maintenance actions

unless you have received training from Roche

Diagnostics. Leave tasks that are not described in the

user documentation to trained Roche Service

representatives.

3

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Screenshots

The screenshots in this publication have been added

exclusively for illustration purposes. Configurable and

variable data, such as tests, results, or path names visible

therein must not be used for laboratory purposes.

Warranty

Any customer modification to the system renders the

warranty or service agreement null and void.

For conditions of warranty, contact your local sales

representative or refer to your warranty contract partner.

Always leave software updates to a Roche Service

representative, or perform such updates with their

assistance.

Copyright

reserved.

License information

cobas

®

infinity central lab software is protected by

contract law, copyright law, and international treaties.

cobas

®

infinity central lab contains a user license

between F. Hoffmann-La Roche Ltd. and a license

holder, and only authorized users may access the

software and use it. Unauthorized use and distribution

may result in civil and criminal penalties.

Open Source and Commercial Software

cobas

®

infinity central lab may include components or

modules of commercial or open-source software. For

further information on the intellectual property and other

warnings, as well as licenses pertaining to the software

programs included in cobas

®

infinity central lab, refer to

the electronic distribution included with this product.

This open source and commercial software and cobas

®

infinity central lab as a whole can constitute a device

regulated in accordance with applicable law. For more

detailed information, refer to the user manual and

labeling.

Please note that the respective authorization is no longer

valid according to the corresponding legislation should

any unauthorized changes be made to cobas

®

infinity

central lab.

Trademarks

The following trademarks are acknowledged:

4

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

COBAS, COBAS INFINITY, and LIFE NEEDS ANSWERS

are trademarks of Roche.

All other trademarks are the property of their respective

owners.

Feedback

Every effort has been made to ensure that this

publication fulfills the intended use. All feedback on any

aspect of this publication is welcome and is considered

during updates. Contact your Roche representative,

should you have any such feedback.

Disclaimer

This publication may contain information and references

to products that may not be available in your country or

sold by Roche Diagnostics. This publication makes no

claims regarding the use or performance of those

products. Selected third-party products are available for

use with cobas

®

infinity central lab.

Contact addresses

Roche Diagnostics GmbH

Sandhofer Strasse 116

D-68305 Mannheim

Germany

Made in Spain

Distributed in the United States by:

Roche Diagnostics

9115 Hague Road

Indianapolis, IN 46256

USA

Date of manufacture

07613336177129

09180443001

Consult instructions for use

Consult the instructions for use for important cautionary

information such as warnings and precautions that

cannot, for a variety of reasons, be presented on the

medical device itself.

5

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Table of contents

Intended use ............................................................................ 7

Use environment and intended users ............................ 8

Symbols and abbreviations ................................................ 9

Safety classifications............................................................. 11

System safety information .................................................. 11

EU General Data Protection Regulation........................ 17

Recommendations regarding environment,

accesses, and processes..................................................... 21

Database backup................................................................... 25

About database backup in the software............ 25

Data retention and data removal ..................................... 26

About data retention and data removal in the

software.......................................................................... 26

Configuring automatic data removal................... 27

Deleting orders manually......................................... 28

Pseudonymization.................................................................. 30

About pseudonymization in the software.......... 30

Defining the patient ID1........................................... 31

Defining sample IDs .................................................. 32

Disabling patient demographics ........................... 34

Data minimization.................................................................. 36

About data minimization in the software........... 36

Editing patient demographics ................................ 37

User authentication and authorization .......................... 38

About user authorization and authentication

in the software ............................................................. 38

Creating profiles.......................................................... 39

Creating users.............................................................. 41

Logging on to the software..................................... 42

Encryption at rest and in transit ....................................... 44

cobas

®

infinity central lab and data subject rights

45

Deleting patient records........................................... 45

Deleting software users............................................ 46

Correction of data subject information............... 47

Editing data subject information

manually.............................................................. 47

Configuring the software to allow

patient data modification through HCA.. 48

Exporting order data.................................................. 49

6

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Exporting user information...................................... 50

Configuring report information.............................. 50

About the disclosure of personal data........................... 52

About data details.................................................................. 54

Patient data ................................................................... 54

HCP data ........................................................................ 55

Product user data ....................................................... 55

Product service staff .................................................. 56

7

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Intended use

Intended use of the EU GDPR Compliance

Guide

This compliance guide explains the EU GDPR provisions

to help your laboratory or medical organization as data

controller or processor comply with its requirements

while using the cobas

®

infinity central lab. It is intended

for those individuals in your organization, whose daily

responsibility is data protection.

Intended use of the cobas

®

infinity central lab

cobas

®

infinity central lab software is intended to be

used for:

• the configuration and connectivity management of

instruments and software systems

• the management of data regarding

– Samples

– Technical validation including automatic release

– Quality control (both qualitative and quantitative)

– Test results and their entry (offline workplaces)

• the management and storing of information, such as

– Samples Archiving Storage information

– Rule engine for technical validation

– Notifications from any part of the system

– Reagent and Calibrator management

– Turn Around Time management

– Production statistics

In addition to the above intended use, the cobas

®

infinity central lab software is intended for:

• the management of data regarding

– Order Data

– Patient Data for Clinical Labs (not relevant to

cobas® infinity central lab if intended for Blood/

Plasma Donor Screening Labs)

– Medical Validation support for Clinical Labs (not

relevant to cobas® infinity central lab if intended

for Blood/Plasma Donor Screening Labs)

– Result Consolidation and Reporting

– Billing support

• the management and storing of information, such as

– General statistics (Data Warehouse)

• Microbiology workflows and data for (Microbiology

module):

8

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

– Human samples

cobas

®

infinity central lab is intended for Clinical

Laboratories.

cobas

®

infinity central lab is intended for Blood/Plasma

Donor Screening Laboratories (Excluding U.S.).

Use environment and intended users

cobas

®

infinity central lab is intended for Clinical

Laboratories.

cobas

®

infinity central lab is intended for Blood/Plasma

Donor Screening Laboratories (Excluding U.S.).

You can find different user profiles using the cobas

®

infinity central lab software.

Lab Technician

Lab technicians utilize the solution to perform technical

validation on patient and QC results, manually edit orders

(add or remove tests, edit patient-demographic data),

enter patient and QC results that have been obtained

from offline workplaces, print-out patient and QC reports,

archive samples, retrieve samples from the archive, etc.

Access level depends on specific user rights.

Lab Physician/Director

Lab Physicians/Directors utilize the solution to check

technically validated results, search for samples or test

results on patient results, and add comments to the

results or order.

Access level depends on specific user rights.

Lab IT Administrator

Lab IT Administrators maintain users and authorization,

and maintain tests and senders.

Access level will depend on specific user rights.

GP/Hospital doctor/Hospital nurse/

Community nurse

These users are not employees of the laboratory; thus

their access is restricted to the Lab Link module only.

They enter orders manually within the Lab Link module,

release print-outs of barcode labels for the tubes for

positive patient/sample identification, release print-outs

of reports for the patient for blood drawing, and view and

print the patient result report of their patients.

9

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Phlebotomist

These users are employees of the laboratory, but their

access is restricted to the Lab Link module only.

Phlebotomists confirm in the software that the samples

have been taken according to the order.

IT Manager

• Network and security configurations

• WLAN device configuration security type EAP

• EAP Settings management (EAP settings and EAP

settings assignment)

Roche Service representative (global and

local)

Roche Service representatives configure the system and

master data (test, test groups, senders, instruments,

reports, interfaces, etc.) according to specific

requirements of the customers with regards to

connected hosts, instruments, and sample workflow.

Access level depends on specific user rights.

Symbols and abbreviations

Product names

Except where the context clearly indicated otherwise, the

following product names and descriptors are used.

Product name Descriptor

cobas

®

infinity central lab

software

cobas

®

infinity general lab

module

cobas

®

infinity emergency lab

module

cobas

®

infinity lab flow

module

cobas

®

infinity lab link

module

cobas

®

infinity microbiology

module

cobas

®

infinity total quality

management

module

y Product names

Symbols used in the publication

Symbol Explanation

o

List item

u

Related topics containing further information

q

Tip. Extra information on correct use or useful

hints.

r

Start of a task

I

Extra information within a task

y Symbols used in the publication

10

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Symbol Explanation

f

Result of an action within a task.

j

Prerequisites of a task.

u

Topic. Used in cross-references to topics.

p

Task. Used in cross-references to tasks.

y

Table. Used in table titles and cross-references

to tables.

y Symbols used in the publication

Abbreviations

The following abbreviations are used.

Abbreviation Definition

ACL Access control list

ANSI American National Standards

Institute

API Application programming interface

CIR Case Investigation and Resolution

DBI Database Independence

EU European Union

GCS Global Customer Support

GDPR General Data Protection Regulation

HCA Host Connectivity Agent

HCP Healthcare Professional

HIS Hospital Information System

ID Identifier

IT Information Technology

JDBC Java Database Connectivity

LAN Local Area Network

LDAP Lightweight Directory Access

Protocol

LIS Laboratory Information System

ODBC Open Database Connectivity

OS Operating System

PC Personal Computer

RCSC Regional Customer Support Center

REST Representational State Transfer

RnD Research and Development

SOP Standard Operating Procedure

SSL Secure Sockets Layer

TLS Transport Layer Security

VPN Virtual Private Network

y Abbreviations

11

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Safety classifications

The safety precautions and important user notes are

classified according to the ANSIZ535.6 standard.

Familiarize yourself with the following meanings and

icons.

These symbols and signal words are used for specific

hazards:

WARNING!

Warning...

r ...indicates a hazardous situation which, if not

avoided, could result in death or serious injury.

CAUTION!

Caution...

r ...indicates a hazardous situation which, if not

avoided, could result in minor or moderate injury.

NOTICE!

Notice...

r ...indicates a hazardous situation that, if not avoided,

may result in damage to the system.

Important information that is not safety relevant is

displayed as the following icon:

i

Tip...

...indicates additional information on correct use

or useful tips.

System safety information

Roche Diagnostics has established a series of

recommendations with the aim of allowing the user to

work with the software under safe conditions and

guaranteeing the correct operation and proper

performance of the communication network in which this

product has been installed.

i

Read the following recommendations carefully for

the correct operation of the software.

12

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Security overview

WARNING!

Antivirus and firewall software

Under normal circumstances, the system is connected to

other networks or to the Internet. Make sure that the

following points are carefully adhered to:

r Make sure that antivirus software is installed.

r Use the most recent version of the antivirus software

and keep it up to date.

r Use a firewall to block unauthorized access. Confirm

that cobas

®

infinity central lab is compatible with

the antivirus and firewall software in use.

r Block the unnecessary inbound and outbound ports

in the firewall. For further information, contact your

Roche Service representative.

r Restrict the “Allow”-firewall-rules to a specific port,

application (e.g. executable, or dll), and/or remote

system (IP).

r Always delete the HealthShare and database paths

from the configuration of the real-time protection

agent of the antivirus software. Doing this prevents

critical files in the operating system from becoming

blocked.

r Remove all console administration applications from

Apache Tomcat, leaving only the report server

application.

r Block access to the HealthShare documentation and

management portals. For further information, contact

your Roche Service representative.

r Enable monitoring solutions to proactively identify

unusual system or network activity (for example,

unusual processes, high resource consumption,

unusual network traffic, unrecognized ports).

r Configure HTTPS.

WARNING!

Database encryption

Unauthorized parties could access confidential data and

configuration items. HealthShare provides a mechanism

to manage database encryption keys securely.

r Encrypt the database with the Caché proprietary

option (managed key encryption). For further

information about database encryption and its correct

use, contact your Roche Service representative.

r Configure the operating system security appropriately.

13

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

i

Keep all security parameters (profiles, access

restrictions, etc.) enabled (they are enabled by

default) as disabling security parameters may

lead to potentially major risks. For example,

unqualified personnel may change instruments or

system configurations or unauthorized users may

access confidential information.

i

To ensure that the software is properly

configured, contact your Roche Service

representative, as unauthorized users could gain

access to the system, which could lead to a

potential harm to patient safety.

Data safety precautions

WARNING!

Loss of data integrity or unavailability of the system

due to malicious software or unauthorized system

access

To avoid infection of malicious software or the

unauthorized misuse of the system, the following

recommendations are important:

r Make sure that other computers and services on the

network are properly secured and protected against

malicious software and unauthorized access.

r Activate Caché backup and recovery features.

r Laboratory IT is responsible for the security of their

local area network, especially in protecting it against

malicious software and attacks. This protection might

include measures, such as a firewall, to separate the

device from uncontrolled networks as well as

measures that ensure that the connected network is

free of malicious code.

r Restrict physical access to the system and all

attached IT infrastructure (computer, cables, network

equipment, ports, wiring, etc.).

r Make sure that system backups and archive files are

protected from any unauthorized access and disaster.

This includes remote storage location, disaster

recovery sites, secure transfer of backup files.

r Use TLS or SSL-encrypted communication channels

between authenticated nodes. For further information,

contact your Roche Service representative.

r Write access to application files and folders on any

computer should be restricted only to authorized

personnel.

14

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

WARNING!

Risk of privacy violations

A secure infrastructure for the software network and

security policies must be defined to address potential

problems or system failures.

r Access is controlled by a login. Every access to the

software is registered and logged, including the

unsuccessful ones.

r Change all default configuration settings of the

operating system, the services, and the database to

ensure better protection.

r Lock down system commands and utilities with

restricted ACLs.

r Deploy up-to-date versions of off-the-shelf software

with product releases.

r Remove all console administration applications from

Apache Tomcat, leaving only the report server

application.

r Enable monitoring solutions to proactively identify

unusual system and network activity, such as unusual

processes, high resource consumption, unusual

network traffic, or unexpected ports.

r Pay special attention when configuring the number of

logon attempts, the password expiry period, and

session management.

WARNING!

Unauthorized parties may be able to obtain

confidential patient data

Disclosing confidential data is a severe breach of

regulations and laws.

r Encrypt the database to prevent unauthorized access.

r Do not take any patient identification data outside of

the laboratory.

15

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

WARNING!

Insufficient audit trail

Lack of auditing and logging of changes made to the

configuration information may make it impossible to

identify when changes were made and who made them.

Suspicious activity on the system may go undetected.

r Do not use shared user accounts and instruct

customers not to do it.

r Collect and back up the audit and log files from the

operating system, Apache web server, Apache

Tomcat, and HealthShare.

r Only dedicated application user accounts should have

access to configuration stores, logfiles, and sensitive

data in the file system ACLs and the database.

WARNING!

Caché database backups

If the data in the system are corrupted or manipulated,

test results might be delayed or lost.

r Store the backups securely; that is, save them on

independent disks, separate from the main server, on

a different server, and so on.

r Perform regular backup restores on a test

environment.

WARNING!

Hardware and software requirements for cobas

®

infinity central lab

Not following the hardware and software requirements

may lead to issues in the system.

r To ensure that you follow the hardware and software

requirements, contact your Roche Service

representative.

WARNING!

Backup restores

When restoring a backup, configuration data or test data

may be corrupted. This prevents the software from

operating correctly.

r After restoring a backup, contact your Roche Service

representative to check the source and the integrity

of the data.

16

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

User and password management

WARNING!

Passwords and security

r Ensure that the passwords and, therefore, the

integrity, accessibility, and confidentiality of the data

managed are handled with the appropriate safety

measures. Use the passwords appropriately.

r Do not disclose the password to customers or third

parties, and ensure that customers cannot see the

information in this documentation. For this reason,

never hand out copies of the documentation or leave

it in a place where it may be accessed by people who

are not authorized Roche personnel. Otherwise the

software could display invalid results or information

about patient health or the operation of cobas

®

infinity central lab could be made public.

i

When managing access to the information,

consider the following recommendations:

• Ensure that access to sensitive or confidential

information is always limited to authorized

personnel.

• When managing access by users to the

application, apply the minimum permissions

required for their function.

• Ensure that the cobas

®

infinity central lab

and HealthShare passwords and, therefore,

the integrity, accessibility, and confidentiality

of data involved are handled with the

appropriate safety measures.

17

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

WARNING!

Passwords and security

When managing passwords, consider the following

recommendations:

r Ensure that the cobas

®

infinity central lab and

HealthShare passwords and, therefore, the integrity,

accessibility, and confidentiality of data involved are

handled with the appropriate safety measures.

r Change the passwords every so often, at least every

six months.

r Avoid password re-use.

r The cobas

®

infinity central lab password can be

configured to be as restrictive as possible through the

following general parameters:

• Minimum number of uppercase letters in

password

• Minimum number of digits or symbols in

password

• Minimum password length

WARNING!

Passwords and security

To avoid that the application displays invalid results or

information about patient health or the operation of the

cobas

®

infinity central lab is made public:

r Use the password properly: do not disclose it to

clients or third parties and ensure that clients cannot

see the information described in this service manual.

r Never hand out copies of this documentation or leave

it where people who are not authorized Roche

personnel may access it.

EU General Data Protection Regulation

What is the EU GDPR?

This regulation lays down the rules for protecting EU

citizens and residents with regard to the processing of

personal data and rules relating to the free movement of

personal data. In addition, it protects fundamental rights

and freedoms of natural persons and, in particular, their

right to the protection of personal data.

Who is affected by the EU GDPR?

This regulation applies to the controlling and processing

of personal data carried out by organizations operating

within the EU. It also applies to organizations outside the

EU that offer goods and services to individuals in the EU.

18

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

This regulation does not apply to certain activities, such

as processing for national security purposes or

processing carried out by individuals purely for personal

and household activities.

What information does the EU GDPR apply

to?

This regulation applies to two categories of information:

• Personal data: Any information relating to an

identifiable person who can be directly or indirectly

identifies in particular by reference to an identifier.

• Sensitive personal data: Special categories of

personal data, such as genetic and biometric data,

which can be used to uniquely identify someone if

processed.

What are the lawful bases for collecting and

processing personal data?

One of the following lawful bases has to apply whenever

you collect and process personal data:

• Consent: The data subject has to give clear consent

for the data controller to process their personal data

for a specific purpose.

• Contract: The processing has to be necessary for a

contract the data controller has with the data subject,

or because the data subject have asked the data

controller to take specific steps before entering into a

contract.

• Legal obligation: The processing is necessary for the

data controller to comply with the law (not including

contractual obligations).

• Vital interests: The processing is necessary to protect

someone’s life.

• Public task: The processing is necessary for the data

controller to perform a task in the public interest or

for the official functions of the data controller, and the

task or function has a clear basis in law.

• Legitimate interests: The processing is necessary for

the legitimate interests of the data controller or the

legitimate interests of a third party unless there is a

good reason to protect the individual’s personal data,

which overrides those legitimate interests.

Who are data controllers, processors and

subjects in the EU GDPR?

Data controllers are the principal party who decides why,

how and what personal data needs to be collected and

processed. Data controllers are expected to ensure that

contracts with data processors comply with the EU

GDPR.

19

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

Data processors are entities that handle personal data on

behalf of data controllers. Specific legal obligations are

placed on data processors. For example, you are required

to maintain records of personal data and processing

activities.

Data subjects are all individuals whose personal data is

collected, managed and processed by data controllers

and data processors.

What are the main topics of the EU GDPR?

This regulation addresses the following fundamental

rights and freedoms of data subjects:

• Right to be informed: EU citizens and residents have

the right to be informed about how personal

information is collected and processed, and what is

the purpose of collecting and processing this

information.

• Right of access: EU citizens and residents have the

right to access their data from the data collector or

data processor.

• Right to rectification: EU citizens and residents have

the right to ask the data controller or processor to

correct information they believe is inaccurate.

• Right to erasure: EU citizens and residents have the

right to have their personal information deleted by the

data controller or processor.

• Right to restriction of processing: EU citizens and

residents have the right to request that the data

controller or data processor to stop processing their

data.

• Right to object: EU citizens and residents have the

right to object to the data controller or data processor

to use their data.

• Right to data portability: EU citizens and residents

have the right to enable the machine and human-

readable export of their personal information from the

data controller or data processor.

• Rights regarding automated decision-making: The

data controller and data processor is responsible for

demonstrating compliance with this regulation if the

use automated individual decision-making and

profiling tools.

In addition, this regulation includes provisions that

promote accountability and governance of personal data.

In order to be EU GDPR compliant, organizations have to

demonstrate the following measures:

• Implement appropriate technical and organizational

measures that ensure and demonstrate that you

comply, such as internal audits of processing

activities and staff training.

20

Roche Diagnostics

cobas

®

infinity central lab · · Publication version 2.0

• Maintain relevant documentation on processing

activities.

• Appoint a data protection office, where appropriate.

• Implement measures that meet the principles of data

protection by design and by default, such as data

minimization, and pseudonymization.

• Use data protection impact assessments, where

appropriate.

Lastly, organizations have to follow the address the

following data protection principles:

• Security principle: Organizations have to ensure that

they process personal data securely by means of

appropriate technical and organizational measures.

• International data transfers: The EU GDPR imposes

restrictions on the transfer of personal data outside

the EU, to third countries or other international

organizations.

• Personal data breaches: Organizations have a duty to

report certain types of personal data breaches to the

relevant supervisory authority within 72 hours of

becoming aware of the breach, where feasible.

Page is loading ...

Roche cobas infinity central lab User guide

Roche cobas infinity central lab User guide

Related papers

Other documents