User Account Policy

Your Account, Your Responsibility

Every action under your login is personally attributed to you. Access to CCMS is a privilege, not a right. All activities are permanently logged in audit trails.

Policy References: This document aligns with KKM ICT Security Policy v5.0, MOH User Access Control Policy (UACP) 2011, and KPK Circular 5/2023: Patient Medical Record Handling Guidelines.


Scope & Roles

Role | Core Responsibility
All Users (MO, SN, MA, Clerk, PK) | Credential security, legitimate access only, screen locking, incident reporting
Unit Head / Supervisor | Monitor task lists, ensure coverage during staff absence
Clinic Administrator | Provision access, enforce password changes, audit trail review
ICTSO | Account creation, lockout resolution, incident investigation

The 5 Non-Negotiables

Never Share Your Login
Your account is for your use only.
Lock Your Screen Immediately
Lock your laptop/PC screen whenever you step away.
Access Data Legitimately
Only access data you are responsible for.
Log Out at Shift End
Always log out of your account before leaving at the end of your shift.
Report Concerns Immediately
Do not wait: report any issue immediately to your Clinic Administrator or ICTSO.

1. Never Share Your Login

If someone else uses your account — even with your permission — YOU will be held responsible for their actions.

  • You are personally accountable for every action under your account
  • Change your password immediately if you suspect it is known by anyone else

You must NEVER
  • Tell your password to anyone — including supervisors or IT staff
  • Allow anyone else to log in using your account
  • Write your password on paper, sticky notes, or unsecured documents
  • Save passwords in browsers on shared workstations

2. Lock Your Screen Immediately

  • Press Windows + L every time you leave your workstation — even for 30 seconds
  • Close all patient records when not actively using them
  • Never leave a workstation unattended with an active session

3. Access Data Legitimately

You MAY access records when:

  • The patient is under your direct clinical care
  • Access is necessary for your assigned clinical duties
  • Required for authorized administrative functions in your role

You must NEVER access records:

  • Out of curiosity or personal interest
  • For family members, friends, or colleagues unless you are treating them
  • For celebrities, VIPs, or high-profile patients without clinical need
  • For your own medical records through staff access

All Access Is Permanently Logged

Your name, timestamp, and patient details are recorded permanently. Unauthorized access will be detected and investigated.


4. Log Out at Shift End

  • Log out completely when finishing work — screen auto-lock is not enough
  • Never log in on multiple workstations simultaneously

5. Report Concerns Immediately

  • Lost or stolen credentials
  • Suspected unauthorized access to your account
  • Lost or stolen devices containing patient data
  • Witnessed security violations by colleagues
  • Suspicious system behaviour

How to Report

Contact your Clinic Administrator or ICTSO immediately. Do not delay — even if you are unsure whether an incident occurred.


Password Standards

Requirement | Specification
Minimum length | 8 characters
Complexity | Uppercase, lowercase, and numbers
Change frequency | Every 30 days (or immediately if compromised)
Reuse restriction | Cannot reuse previous 4 passwords
Account lockout | 3 failed attempts → automatic lockout

Automatic Lockout

CCMS enforces automatic lockout after 3 failed login attempts. Contact your Clinic Administrator or ICTSO to unlock your account; do not ask a colleague to log in for you with their account.


Workstation & Physical Security

Situation | Required Action
Leaving workstation | Windows + L or Ctrl+Alt+Del → Lock, every single time
End of shift | Log out completely
Active session | Close all patient records when not in use
Devices | Use only KKM-authorized devices; no personal phones, tablets, or laptops
Printing | Dispose of patient documents in confidential waste bins only
USB / external storage | Prohibited; risk of data exfiltration and malware
Screenshots / photography | Prohibited; creates uncontrolled copies of sensitive data
Unauthorized software | Never install software not approved by ICTSO

Prohibited Activities

The following will result in disciplinary action, account revocation, and potential legal consequences:

Activity | Why It's Serious
Sharing login credentials with anyone | Makes you responsible for others' actions. Violates accountability.
Accessing records without clinical need | Privacy violation. Breach of professional ethics.
Using personal devices for patient data | Unsecured devices risk data breaches.
Photographing or screenshotting patient info | Creates uncontrolled copies of sensitive data.
Discussing patients in public spaces | Violates confidentiality and patient trust.
Installing unauthorized software | Security risk. May introduce malware.
Using USB drives on clinic systems | Data exfiltration and malware transmission risk.
Circumventing security controls | Deliberately undermines protection measures.
Falsifying or backdating documentation | Professional misconduct. Compromises patient safety.
Ignoring suspected security breaches | Allows problems to escalate. Duty to report.

How to Report Concerns

You must report immediately:

  • Lost or stolen credentials
  • Suspected unauthorized access to your account
  • Lost or stolen devices with patient data
  • Witnessed security violations by colleagues
  • Suspected data breaches or accidental disclosure
  • System security vulnerabilities you discover
  • Suspicious system behaviour or unexpected access prompts

Contact

Your Clinic Administrator or ICTSO — immediately. Do not delay, even if you are unsure whether an incident occurred.


10 Critical Rules

  1. You are personally accountable for all activity under your user account.
  2. Never share passwords or let others use your credentials — no exceptions.
  3. Lock your screen immediately when leaving your workstation — every time.
  4. Access only patients under your direct care — curiosity access is prohibited.
  5. All access is permanently logged — inappropriate access will be detected.
  6. Never use personal devices or photograph patient information.
  7. Report security concerns immediately — delay puts patients at risk.
  8. Confidentiality extends beyond the computer to all conversations and conduct.
  9. Policy violations have serious consequences including disciplinary action.
  10. Security is a professional duty, not just an employment requirement.

Contributor

Dr Fuad Jaafar

Facilitator, CCMS • KK Bandar Maharani

Page info

Reviewed Jun 2026
Next review Jun 2027

© CCMS Hub. Content on this site was prepared for internal clinical use. Please request permission before reproducing or republishing on other platforms.