This webpage covers a high-level overview of MPOG’s database security practices.
Local Instance of MPOG Database
In order to allow contributing institutions to best comply with their internal IT security policies, MPOG does not specify any technical security requirements regarding a local MPOG database instance. Nonetheless, it is strongly recommended that the following guidelines be adhered to.
In order to join MPOG, an institution must acquire a local dedicated database server that is not shared with other departments or initiatives. Physical access to this server should be restricted to IT staff only, and the server should be housed in a secure datacenter or server room. If the server is acquired through institutional IT services, this should not be an issue.
Several forms of PHI are stored in the MPOG database, including patient names, dates of birth, and social security numbers. As such, database access should be limited to individuals with approved research projects. A number of database roles are included with the MPOG install that make it easier to constrain user rights.
- MPOG Researcher – This role's permissions chiefly consist of read-only access to EMR data and execution rights on some stored procedures.
- MPOG Importer – This role grants rights for inserting, updating, and deleting rows in most tables as well as the ability to use configuration applications in the application suite.
- MPOG Exporter – Individuals must be a member of this role to use any of the export utilities within the application suite. They will be responsible for sending data outside your institution.
It is recommended that Windows Authentication be used to connect to the database; SQL Authentication should be avoided if at all possible.
Please note that data stored in the MPOG database is not encrypted by default. This follows from the fact that most records are stored or transmitted in plain text within the hospital network. However, institutions can choose to use the Transparent Data Encryption (TDE) feature of SQL Server to protect data at rest. Note that this feature requires SQL Server 2012 Enterprise Edition or later.
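The role memberships, the preference for Windows Authentication, and the TDE setting described above can all be checked from the database itself. The following T-SQL audit script is an added example, not part of the MPOG distribution; it assumes the local database is named [MPOG] and that the three roles exist under the names listed above, and the TDE query needs the VIEW SERVER STATE permission.

```sql
-- Added audit script (not part of the MPOG install). Assumptions, labelled:
-- the local MPOG database is named [MPOG], and the roles carry the names
-- shown in the WHERE clause below.
USE [MPOG];
GO

-- 1. Who holds each MPOG role, and how does each member authenticate?
--    login_type = 'SQL_LOGIN' identifies accounts that should be moved to
--    Windows Authentication; Exporter members deserve particular review
--    because those accounts are able to send PHI outside the institution.
SELECT
    r.name                                    AS role_name,
    m.name                                    AS member_name,
    m.type_desc                               AS member_type,
    COALESCE(sp.type_desc, 'NO_SERVER_LOGIN') AS login_type
FROM sys.database_role_members      AS rm
JOIN sys.database_principals        AS r  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals        AS m  ON m.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals     AS sp ON sp.sid = m.sid
WHERE r.name IN (N'MPOG Researcher', N'MPOG Importer', N'MPOG Exporter') -- assumed names
ORDER BY role_name, member_name;

-- 2. Any SQL-authenticated login mapped into this database at all,
--    regardless of role membership (dbo mapped to a SQL login also shows up).
SELECT dp.name AS db_user, sp.name AS server_login
FROM sys.database_principals AS dp
JOIN sys.server_principals   AS sp ON sp.sid = dp.sid
WHERE sp.type_desc = 'SQL_LOGIN'
ORDER BY db_user;

-- 3. Is Transparent Data Encryption active for this database?
--    is_encrypted = 1 and encryption_state = 3 mean fully encrypted;
--    a NULL encryption_state means no database encryption key exists.
SELECT
    d.name          AS database_name,
    d.is_encrypted,
    k.encryption_state,
    k.key_algorithm,
    k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.database_id = DB_ID();
```

Run the script from SSMS or sqlcmd as a member of the db_owner role; an empty result from query 2 and encryption_state = 3 in query 3 match the recommendations on this page.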
Finally, the server should be contained within institutional firewalls. This is necessary to prevent protected patient data from being exposed to external networks.