Make access to digital data of the laboratory restricted (both physically and virtually)


In phase 2 regular (weekly) backup of the computerized laboratory information system was started. These backups are stored behind lock and key in a building separated from the building in which the computerized laboratory information system is housed. This prevents unauthorized access and loss of laboratory information if the laboratory facility is destroyed, e.g. in case of fire or any other disaster. However, besides these physical measures to secure digital laboratory information, also digital protection is needed to prevent unauthorized access and damage to the information.


Take the following measures to protect the computerized laboratory information system both physically and digitally:

  • Ensure that a good firewall is installed on the computerized laboratory information system to prevent unauthorized access via internet.
  • Have a good virus scanner installed and weekly updated (e.g. at the same time the back-up is made) and run a full scan every week.
  • Authorize specific staff members for accessing laboratory information only, and for both accessing and changing laboratory information (use passwords). This way it is clear who is allowed to access digital laboratory information and who is not, making access to digital laboratory information better controlled. Clinical staff (requesters of tests) are also allowed to have access to certain medical records containing patient data stored in the computerized system.

In the right-hand column an information sheet is provided on computerized laboratory information systems of the WHO Laboratory Quality Management System (LQMS) training.

How & who

Equipment Officer (or, if applicable: the Data Officer):

  1. Install a firewall.
  2. Install a good virus scanner and update it weekly.
  3. Run a virus scan weekly.
  4. Make a document that contains the protocol for updating and running virus scans and also for performing weekly backups (the procedure for backup was developed in phase 2). This protocol will be added to the SOP on Information Management that will be developed later in this phase.

Laboratory Manager:

  1. Authorize specific staff members to either:
    • Access digital laboratory information only
    • Access and enter digital laboratory information
    • Access, enter and change digital laboratory information
  2. Adapt the Authorization Matrix to include the activities of "accessing digital laboratory information", "accessing and entering digital laboratory information", or "accessing, entering and changing digital laboratory information, together with the indication of which positions are authorized to perform one of these activities. Also include the position of test requester and define the authorizations for this position (mostly requesters may only consult medical records, not enter and change information in the archive). Ensure that these authorizations are adhered to by giving a password to each staff member that he/she has to use to log in to the computer system. Program the computer system such that the correct authorizations are set for each password.
  3. Notify all staff members in a weekly staff meeting of the new rules regarding accessing laboratory information and explain for each position in the laboratory the authorizations regarding the management of laboratory information.

Back to Roadmap Activity Overview
This activity belongs to the QSE Information Management
ISO15189:2007: B4.1 B4.2 B4.3 C7.1 C8.1
ISO15189:2012: 5.10.2 5.10.3