Frequently Asked Questions

Are there individual accounts for all users of the system so that there is accountability for the integrity of the data within the system?


Accounts capable of expiring?


Do the passwords have complexity requirements?

Yes. Passwords must contain characters from three of the following five categories:

  • Uppercase characters
  • Lowercase characters
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;”‘<>,.?/
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase.


Is access to the system granular enough so that people who fit a particular role can only see the data associated with that role?


Does user activity in the system get logged?

Yes, the following types of activities are logged

  • Successful authentications
  • Unsuccessful authentications
  • Password change and reset
  • Searches
  • De-identified and identified document access

For each log entry the following information is captured wherever applicable

  • Activity Type
  • Date and time.
  • Userid
  • User’s First and Last Name
  • User Role
  •  Protocol / Study user has logged into.
  • Any additional information pertinent to the activity type.
Does the system have automatic backout, logout, or lockout in order to reduce the risk of patient information being left on a screen?


Are internal communication lines and external (if any) communications protected?

Yes. RSA 1024 cipher strength message level security for all communications between clients and the server.

Does all access to data occur through controlled programming to reduce the risk of back-end data changes reducing the integrity of the system?


Did the vendor supply all the required system documentation? Is it readily accessible?


Do all users have access to user level documentation?