Roche cobas infinity central lab User guide

cobas

®

infinity central lab

EU GDPR Compliance Guide

Version 1.0

Software versions 1.2.0 and higher

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

2

Publication information

Edition notice

This publication is intended for operators of the cobas

®

infinity central lab.

Every effort has been made to ensure that all the

information contained in this publication is correct at the

time of publishing. However, the manufacturer of this

product may need to update the publication information

as output of product surveillance activities, leading to a

new version of this publication.

Where to find information The User Assistance contains all information about the

product, including the following:

• Safety

• Routine operation

• Configuration information

The User Guide focuses on routine operation. The

chapters are organized according to the normal operation

workflow.

!

General attention

To avoid incorrect results, ensure that you are familiar

with the instructions and safety information.

r Pay particular attention to all safety notices.

r Always follow the instructions in this publication.

r Do not use the software in a way that is not described

in this publication.

r Store all publications in a safe and easily retrievable

place.

Training Do not carry out operation tasks or maintenance actions

unless you have received training from Roche

Diagnostics. Leave tasks that are not described in the

user documentation to trained Roche Service

representatives.

Screenshots The screenshots in this publication have been added

exclusively for illustration purposes. Configurable and

variable data, such as tests, results, or path names visible

therein must not be used for laboratory purposes.

Warranty Any customer modification to the system renders the

warranty or service agreement null and void.

Publication version Software version Revision date Change description

1.0 ≥1.2.0 July 2018 First edition

y Revision history of GDPR Compliance Guide

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

3

For conditions of warranty, contact your local sales

representative or refer to your warranty contract partner.

Always leave software updates to a Roche Service

representative, or perform such updates with their

assistance.

reserved.

License information

cobas

®

infinity central lab software is protected by

contract law, copyright law, and international treaties.

cobas

®

infinity central lab contains a user license

between F. Hoffmann-La Roche Ltd. and a license holder,

and only authorized users may access the software and

use it. Unauthorized use and distribution may result in

civil and criminal penalties.

Open Source and Commercial Software

cobas

®

infinity central lab may include components or

modules of commercial or open-source software. For

further information on the intellectual property and other

warnings, as well as licenses pertaining to the software

programs included in cobas

®

infinity central lab, refer to

the electronic distribution included with this product.

This open source and commercial software and cobas

®

infinity central lab as a whole can constitute a device

regulated in accordance with applicable law. For more

detailed information, refer to the user manual and

labeling.

Please note that the respective authorization is no longer

valid according to the corresponding legislation should

any unauthorized changes be made to cobas

®

infinity

central lab.

Trademarks The following trademarks are acknowledged:

COBAS, COBAS INFINITY, and LIFE NEEDS ANSWERS

are trademarks of Roche.

All other trademarks are the property of their respective

owners.

Feedback Every effort has been made to ensure that this publication

fulfills the intended use. All feedback on any aspect of

this publication is welcome and is considered during

updates. Contact your Roche representative, should you

have any such feedback.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

4

Disclaimer This publication may contain information and references

to products that may not be available in your country or

sold by Roche Diagnostics. This publication makes no

claims regarding the use or performance of those

products. Selected third-party products are available for

use with cobas

®

infinity central lab.

Contact addresses

Roche Diagnostics GmbH

Sandhofer Strasse 116

D-68305 Mannheim

Germany

Made in Spain

07154003001

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

5

T

able of contents

Intended use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Use environment and intended users . . . . . . . . . . . . . 7

Symbols and abbreviations . . . . . . . . . . . . . . . . . . . . . . 8

Safety classifications . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

System safety information . . . . . . . . . . . . . . . . . . . . . . . 11

EU General Data Protection Regulation . . . . . . . . . . . 18

Recommendations regarding environment,

accesses, and processes . . . . . . . . . . . . . . . . . . . . . . . . 22

Database backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

About database backup in the software . . . . . . . . 26

Data retention and data removal . . . . . . . . . . . . . . . . . 27

About data retention and data removal in the

software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Configuring automatic data removal . . . . . . . . . . . 28

Deleting orders manually . . . . . . . . . . . . . . . . . . . . 29

Pseudonymization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

About pseudonymization in the software . . . . . . . 31

Defining the patient ID1 . . . . . . . . . . . . . . . . . . . . . 32

Defining sample IDs. . . . . . . . . . . . . . . . . . . . . . . . . 33

Disabling patient demographics. . . . . . . . . . . . . . . 36

Data minimization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

About data minimization in the software. . . . . . . . 37

Editing patient demographics. . . . . . . . . . . . . . . . . 38

User authentication and authorization . . . . . . . . . . . . 39

About user authorization and authentication in

the software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Creating profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Creating users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Logging on to the software . . . . . . . . . . . . . . . . . . . 44

Encryption at rest and in transit . . . . . . . . . . . . . . . . . . 45

cobas

®

infinity central lab and data subject rights . . 46

Deleting patient records . . . . . . . . . . . . . . . . . . . . . 46

Deleting software users . . . . . . . . . . . . . . . . . . . . . . 48

Correction of data subject information . . . . . . . . . 48

Editing data subject information manually . . . 49

Configuring the software to allow patient

data modification through HCA . . . . . . . . . . . . 49

Exporting order data. . . . . . . . . . . . . . . . . . . . . . . . . 51

Exporting user information . . . . . . . . . . . . . . . . . . . 52

Configuring report information. . . . . . . . . . . . . . . . 53

About the disclosure of personal data. . . . . . . . . . . . . 54

About data details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

6

Patient data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

HCP data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Product user data . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Product service staff. . . . . . . . . . . . . . . . . . . . . . . . . 58

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

Intended use 7

Intended use

Intended use of the EU GDPR Compliance

Guide

This compliance guide explains the EU GDPR provisions

to help your laboratory or medical organization as data

controller or processor comply with its requirements

while using the cobas

®

infinity central lab. It is intended

for those individuals in your organization, whose daily

responsibility is data protection.

Intended use of the cobas

®

infinity central lab

The cobas

®

infinity central lab software is intended to

be used for:

• the configuration and connectivity management of

instruments and software systems

• the management of data regarding

- Samples

- Technical validation including automatic release

- Quality control (both qualitative and quantitative)

- Test results and their entry (offline workplaces)

• the management and storing of information, such as

- Samples archiving storage information

- Rule engine for technical validation

- Notifications from any part of the system

- Reagent and calibrator management

- Turnaround time management

- Production statistics

In addition to the above intended use, the cobas

®

infinity central lab software is intended for:

• the management of data regarding

- Order data

- Patient data

- Medical validation support

- Result consolidation and reporting

- Billing support

• the management and storing of information, such as

- General statistics (data warehouse)

• Microbiology workflows and data for (Microbiology

module):

- human samples

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

8 Use environment and intended users

Use environment and intended users

The cobas

®

infinity central lab software is intended for

Clinical Laboratories.

You can find different user profiles using the cobas

®

infinity central lab software.

Roche Service representative (global and

local)

Roche Service representatives configure the system and

master data (test, test groups, senders, instruments,

reports, interfaces, etc.) according to specific

requirements of the customers with regards to connected

hosts, instruments and sample workflow.

Access level depends on specific user rights.

Lab technician Lab technicians use the solution to perform technical

validation on patient and QC results, manually edit orders

(add or remove tests, edit patient-demographic data),

enter patient and QC results that have been obtained

from off-line workplaces, print-out patient and QC

reports, archive samples, retrieve samples from the

archive, etc.

Access level depends on specific user rights.

Lab physician/director Lab physicians/directors will use the solution to check

technically validated results, search for samples or test

results on patient results, and add comments to the

results or order.

Access level depends on specific user rights.

Lab IT administrator Lab IT administrators maintain users and authorization,

and maintain tests and senders.

Access level depends on specific user rights.

GP/Hospital doctor/Hospital

nurse/Community nurse

These users are not employees of the laboratory, thus

their access is restricted to the Lab Link module only.

They enter orders manually within the Lab Link module,

release print-outs of barcode labels for the tubes for

positive patient/sample identification, release print-outs

of reports for the patient for blood drawing, and view and

print the patient result report of their patients.

Phlebotomist These users are employees of the laboratory, but their

access is restricted to the Lab Link module only.

Phlebotomists confirm in the software that the samples

have been taken according to the order.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

Symbols and abbreviations 9

Symbols and abbreviations

Product names Except where the context clearly indicated otherwise, the

following product names and descriptors are used.

Symbols used in the publication

Abbreviations The following abbreviations are used.

Product name Descriptor

cobas

®

infinity central lab

software

cobas

®

infinity general lab

module

cobas

®

infinity emergency

lab

module

cobas

®

infinity lab flow

module

cobas

®

infinity lab link

module

cobas

®

infinity microbiology

module

cobas

®

infinity total quality

management

module

y Product names

Symbol Explanation

o List item

u Related topics containing further information

q

Tip. Extra information on correct use or useful

hints.

r Start of a task

I Extra information within a task

f Result of an action within a task.

j Prerequisites of a task.

u Topic. Used in cross-references to topics.

p Task. Used in cross-references to tasks.

y

Table. Used in table titles and cross-references

to tables.

y Symbols used in the publication

Abbreviation Definition

ACL Access control list

ANSI American National Standards

Institute

API Application programming

interface

CIR Case Investigation and Resolution

DBI Database Independence

EU European Union

GCS Global Customer Support

GDPR General Data Protection

Regulation

HCA Host Connectivity Agent

y Abbreviations

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

10 Symbols and abbreviations

HCP Healthcare Professional

HIS Hospital Information System

ID Identifier

IT Information Technology

JDBC Java Database Connectivity

LAN Local Area Network

LDAP Lightweight Directory Access

Protocol

LIS Laboratory Information System

ODBC Open Database Connectivity

OS Operating System

PC Personal Computer

RCSC Regional Customer Support

Center

REST Representational State Transfer

RnD Research and Development

SOP Standard Operating Procedure

SSL Secure Sockets Layer

TLS Transport Layer Security

VPN Virtual Private Network

Abbreviation Definition

y Abbreviations

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

Safety classifications 11

Safety classifications

The safety precautions and important user notes are

classified according to the ANSI Z535.6 standard.

Familiarize yourself with the following meanings and

icons.

These symbols and signal words are used for specific

hazards:

WARNING

!

Warning...

r ...indicates a hazardous situation which, if not avoided,

could result in death or serious injury.

CAUTION

!

Caution...

r ...indicates a hazardous situation which, if not avoided,

could result in minor or moderate injury.

NOTICE

Notice...

r ...indicates a hazardous situation that, if not avoided,

may result in damage to the system.

Important information that is not safety relevant is

displayed as the following icon:

q Tip...

...indicates additional information on correct use or useful

tips.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

12 System safety information

System safety information

Roche has established a series of recommendations with

the aim of allowing the user to work with software under

safe conditions and guaranteeing the correct operation

and optimal performance of the communication network

in which this product has been installed.

q Read the following recommendations carefully for

the correct operation of the software.

Security overview

WARNING

!

Antivirus and firewall software

Under normal circumstances, the system is connected to

other networks or to the Internet. Make sure that the

following points are carefully adhered to:

r Make sure that antivirus software is installed.

r Use the most recent version of the antivirus software

and keep it up to date.

r Use a firewall to block unauthorized access. Confirm

that cobas

®

infinity central lab is compatible with the

antivirus and firewall software in use.

r Block the unnecessary inbound and outbound ports in

the firewall. For further information, contact your

Roche Service representative.

r Restrict the “Allow”-firewall-rules to a specific port,

application (e.g. executable, or dll), and/or remote

system (IP).

r Always delete the HealthShare and database paths

from the configuration of the real-time protection

agent of the antivirus software. Doing this prevents

critical files in the operating system from becoming

blocked.

r Remove all console administration applications from

Apache Tomcat, leaving only the report server

application.

r Block access to the HealthShare documentation and

management portals. For further information, contact

your Roche Service representative.

r Enable monitoring solutions to proactively identify

unusual system or network activity (for example,

unusual processes, high resource consumption,

unusual network traffic, unrecognized ports).

r Configure HTTPS.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

System safety information 13

WARNING

!

Database encryption

Unauthorized parties could access confidential data and

configuration items. HealthShare provides a mechanism

to manage database encryption keys securely.

r Encrypt the database with the Caché proprietary

option (managed key encryption). For further

information about database encryption and its correct

use, contact your Roche Service representative.

r Configure the operating system security appropriately

WARNING

!

Enabled security parameters

Disabling security parameters may lead to potentially

major risks, for example, unqualified personnel may

change instruments or system configurations or

unauthorized users may access confidential information.

r Keep all security parameters (profiles, access

restrictions, etc.) enabled (they are enabled by

default).

WARNING

!

Vulnerabilities of the software

Unauthorized users could gain access to the system.

Potential harm to patient safety.

r To ensure that the software is properly configured,

contact your Roche Service representative.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

14 System safety information

Data safety precautions

WARNING

!

Loss of data integrity or unavailability of the system

due to malicious software or unauthorized system

access

To avoid infection of malicious software or the

unauthorized misuse of the system, the following

recommendations are important:

r Make sure that other computers and services on the

network are properly secured and protected against

malicious software and unauthorized access.

r Activate Caché backup and recovery features.

r Laboratory IT is responsible for the security of their

local area network, especially in protecting it against

malicious software and attacks. This protection might

include measures, such as a firewall, to separate the

device from uncontrolled networks as well as

measures that ensure that the connected network is

free of malicious code.

r Restrict physical access to the system and all attached

IT infrastructure (computer, cables, network

equipment, ports, wiring, etc.).

r Make sure that system backups and archive files are

protected from any unauthorized access and disaster.

This includes remote storage location, disaster

recovery sites, secure transfer of backup files.

r Use TLS or SSL-encrypted communication channels

between authenticated nodes. For further information,

contact your Roche Service representative.

r Write access to application files and folders on any

computer should be restricted only to authorized

personnel.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

System safety information 15

WARNING

!

Risk of privacy violations

A secure infrastructure for the software network and

security policies must be defined to address potential

problems or system failures.

r Access is controlled by a login. Every access to the

software is registered and logged, including the

unsuccessful ones.

r Change all default configuration settings of the

operating system, the services, and the database to

ensure better protection.

r Lock down system commands and utilities with

restricted ACLs.

r Deploy up-to-date versions of off-the-shelf software

with product releases.

r Remove all console administration applications from

Apache Tomcat, leaving only the report server

application.

r Enable monitoring solutions to proactively identify

unusual system and network activity, such as unusual

processes, high resource consumption, unusual

network traffic, or unexpected ports.

r Pay special attention when configuring the number of

logon attempts, the password expiry period, and

session management.

WARNING

!

Unauthorized parties may be able to obtain

confidential patient data

Disclosing confidential data is a severe breach of

regulations and laws.

r Encrypt the database to prevent unauthorized access.

r Do not take any patient identification data outside of

the laboratory.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

16 System safety information

WARNING

!

Insufficient audit trail

Lack of auditing and logging of changes made to the

configuration information may make it impossible to

identify when changes were made and who made them.

Suspicious activity on the system may go undetected.

r Do not use shared user accounts and instruct

customers not to do it.

r Collect and back up the audit and log files from the

operating system, Apache web server, Apache

Tomcat, and HealthShare.

r Only dedicated application user accounts should have

access to configuration stores, logfiles, and sensitive

data in the file system ACLs and the database.

WARNING

!

Caché database backups

If the data in the system are corrupted or manipulated,

test results might be delayed or lost.

r Store the backups securely; that is, save them on

independent disks, separate from the main server, on

a different server, and so on.

r Perform regular backup restores on a test

environment.

WARNING

!

Hardware and software requirements for cobas

®

infinity central lab

Not following the hardware and software requirements

may lead to issues in the system.

r For ensure that you follow the hardware and software

requirements, contact your Roche Service

representative.

WARNING

!

Backup restores

When restoring a backup, configuration data or test data

may be corrupted. This prevents the software from

operating correctly.

r After restoring a backup, contact your Roche Service

representative to check the source and the integrity of

the data.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

System safety information 17

User and password management

WARNING

!

Passwords and security

r Ensure that the passwords and, therefore, the

integrity, accessibility, and confidentiality of the data

managed are handled with the appropriate safety

measures. Use the passwords appropriately.

r Do not disclose the password to customers or third

parties, and ensure that customers cannot see the

information in this documentation. For this reason,

never hand out copies of the documentation or leave

it in a place where it may be accessed by people who

are not authorized Roche personnel. Otherwise the

software could display invalid results or information

about patient health or the operation of cobas

®

infinity central lab could be made public.

WARNING

!

Passwords and security

When managing access to the information, consider the

following recommendations:

r Ensure that access to sensitive or confidential

information is always limited to authorized personnel.

r When managing access by users to the application,

apply the minimum permissions required for their

function.

r Ensure that the cobas

®

infinity central lab and

HealthShare passwords and, therefore, the integrity,

accessibility, and confidentiality of data involved are

handled with the appropriate safety measures.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

18 System safety information

WARNING

!

Passwords and security

When managing passwords, consider the following

recommendations:

r Ensure that the cobas

®

infinity central lab and

HealthShare passwords and, therefore, the integrity,

accessibility, and confidentiality of data involved are

handled with the appropriate safety measures.

r Change the passwords every so often, at least every

six months.

r Avoid password re-use.

r The cobas

®

infinity central lab password can be

configured to be as restrictive as possible through the

following general parameters:

o Minimum number of uppercase letters in

password

o Minimum number of digits or symbols in

password

o Minimum password length

WARNING

!

Passwords and security

To avoid that the application displays invalid results or

information about patient health or the operation of the

cobas

®

infinity central lab is made public:

r Use the password properly: do not disclose it to clients

or third parties and ensure that clients cannot see the

information described in this service manual.

r Never hand out copies of this documentation or leave

it where people who are not authorized Roche

personnel may access it.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

EU General Data Protection Regulation 19

EU General Data Protection Regulation

What is the EU GDPR? This regulation lays down the rules for protecting EU

citizens and residents with regard to the processing of

personal data and rules relating to the free movement of

personal data. In addition, it protects fundamental rights

and freedoms of natural persons and, in particular, their

right to the protection of personal data.

Who is affected by the EU GDPR? This regulation applies to the controlling and processing

of personal data carried out by organizations operating

within the EU. It also applies to organizations outside the

EU that offer goods and services to individuals in the EU.

This regulation does not apply to certain activities, such

as processing for national security purposes or

processing carried out by individuals purely for personal

and household activities.

What information does the EU GDPR apply to? This regulation applies to two categories of information:

• Personal data: Any information relating to an

identifiable person who can be directly or indirectly

identifies in particular by reference to an identifier.

• Sensitive personal data: Special categories of personal

data, such as genetic and biometric data, which can

be used to uniquely identify someone if processed.

What are the lawful bases for collecting and

processing personal data?

One of the following lawful bases has to apply whenever

you collect and process personal data:

• Consent: The data subject has to give clear consent

for the data controller to process their personal data

for a specific purpose.

• Contract: The processing has to be necessary for a

contract the data controller has with the data subject,

or because the data subject have asked the data

controller to take specific steps before entering into a

contract.

• Legal obligation: The processing is necessary for the

data controller to comply with the law (not including

contractual obligations).

• Vital interests: The processing is necessary to protect

someone’s life.

• Public task: The processing is necessary for the data

controller to perform a task in the public interest or for

the official functions of the data controller, and the

task or function has a clear basis in law.

• Legitimate interests: The processing is necessary for

the legitimate interests of the data controller or the

legitimate interests of a third party unless there is a

good reason to protect the individual’s personal data,

which overrides those legitimate interests.

Roche Diagnostics

cobas infinity central lab · Software versions 1.2.0 and higher · EU GDPR Compliance Guide · Version 1.0

20 EU General Data Protection Regulation

Who are data controllers, processors and

subjects in the EU GDPR?

Data controllers are the principal party who decides why,

how and what personal data needs to be collected and

processed. Data controllers are expected to ensure that

contracts with data processors comply with the EU GDPR.

Data processors are entities that handle personal data on

behalf of data controllers. Specific legal obligations are

placed on data processors. For example, you are required

to maintain records of personal data and processing

activities.

Data subjects are all individuals whose personal data is

collected, managed and processed by data controllers

and data processors.

Page is loading ...

Roche cobas infinity central lab User guide

Roche cobas infinity central lab User guide

Related papers

Other documents