Administration and Security | Moana Digital Health
Moana's administration and security framework gives health system operators precise, auditable control over access, configuration, and accountability across every connected facility in the network.
Overview
A health system platform is only as trustworthy as its governance layer. The most clinically sophisticated EHR is a liability rather than an asset if the wrong person can access the wrong patient's record, if clinical documentation can be altered without a trace, if emergency access bypasses accountability, or if the audit log that should exist for a regulatory inspection has never been properly maintained.
The Administration and Security module is the governance infrastructure of the Moana platform. It controls who can access the system at every level, what each user can see and do within their access, how every facility is configured independently, and how every action taken in the platform is recorded, attributed, and retained. It is designed to meet the operational governance requirements of Ministries of Health, district health authorities, provincial health authorities, and multi-site hospital networks managing data sovereignty and regulatory compliance simultaneously.
The framework is built for the specific governance requirements of health systems in the Pacific, South Asia, and Southeast Asia, where multi-country, multi-province, and multi-facility deployments require strict data isolation between organisational units while national administrators retain aggregate visibility. A provincial health authority must not be able to access the patient data of another province. A clinical nurse at a district hospital must not be able to export bulk patient data. A Ministry surveillance officer must be able to view national programme indicators without accessing individual patient records. All of these constraints are enforced by the same governance layer.
Every action taken in the platform, from viewing a patient record to approving a laboratory result to performing an emergency breakglass access, generates an immutable audit log entry. No record can be altered or deleted without a corresponding audit trail entry. No access permission can be granted or revoked without a corresponding identity management log entry.
Core Capabilities
User Management and Identity Lifecycle
Administrators create, update, and deactivate user accounts across all connected facilities from a central management interface. Each user account is associated with a verified email address, an assigned role, a primary facility, and optionally a department scope. User account creation generates a welcome notification with credentials. When staff leave an organisation, their accounts are deactivated immediately rather than deleted: deactivation revokes all access while preserving the attribution of every historical action in the audit log. User lifecycle events, including creation, role changes, facility reassignment, deactivation, and reactivation, are logged in the identity management audit trail.
Role-Based Access Control (RBAC)
Every function in the Moana platform is controlled by a defined permission set. Roles aggregate permissions into meaningful clinical and administrative profiles: Doctor, Nurse, Pharmacist, Laboratory Technician, Laboratory Manager, Radiologist, Reception Staff, Facility Administrator, Programme Officer, and Ministry Surveillance Officer are among the standard roles. Each role defines exactly which modules the user can access, which actions they can perform within those modules, and which data scope they can see. Role definitions are versioned, auditable, and configurable by system administrators. Custom roles can be created for facility-specific operational needs.
Department-Scoped Access Control
Access control extends to the department level through JWT-carried scope enforcement with x-facility-id and x-department-id header validation on every API request. This means that a nurse working in Ward A at a multi-ward hospital sees Ward A patient data and Ward A bed management only, not the full facility patient list. A laboratory technician at Central Laboratory sees the Central Laboratory processing queue, not the provincial reference laboratory queue. This department-scoped enforcement is critical for multi-PHA (provincial health authority) deployments, where each provincial health authority must be isolated from the data of other provinces while national administrators retain cross-facility and cross-province visibility.
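The header-versus-token check described above, as an added illustration rather than Moana's own code. It assumes the JWT signature has already been verified and its claims are available as a dict; the claim names (facility_id, department_id, cross_facility) and the header names follow the description but are assumptions.

```python
# Added example (not Moana's code): compare the x-facility-id / x-department-id
# request headers against the scope carried in an already-verified JWT.
# Claim names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def enforce_scope(claims: dict, headers: dict) -> Decision:
    """Allow a request only if the facility/department it names fall inside
    the scope the caller's token carries."""
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    facility = hdrs.get("x-facility-id")
    department = hdrs.get("x-department-id")
    if not facility:
        return Decision(False, "missing x-facility-id header")

    # Department-scoped token (e.g. a ward nurse): the request must name that
    # exact facility and department, nothing wider.
    token_dept = claims.get("department_id")
    if token_dept is not None:
        if department is None:
            return Decision(False, "department-scoped token needs x-department-id")
        if facility != claims.get("facility_id") or department != token_dept:
            return Decision(False, "department not in token scope")
        return Decision(True, "ok")

    # Facility-scoped token: any department, but only the token's own facility,
    # unless the caller is a national administrator with cross-facility scope.
    if facility != claims.get("facility_id") and not claims.get("cross_facility"):
        return Decision(False, "facility not in token scope")
    return Decision(True, "ok")
```

Denials name the failing check so the audit entry for the rejected request can record why it was refused.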
Multi-Facility Configuration Management
Each facility in the network is configured independently across every operational dimension: departments, wards, bed types, services, charge codes and fee schedules, workflow rules, notification preferences, and clinical form templates. Configuration is hierarchical with a most-specific-wins resolution chain: SYSTEM level defaults apply globally, FACILITY level settings override for a specific facility, DEPARTMENT level settings override for a specific department, and USER level settings override for an individual user. This means a system-wide change to a workflow step applies everywhere, unless a facility has explicitly overridden it, and the facility-specific override applies everywhere in that facility, unless a department within it has overridden it further.
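The most-specific-wins resolution chain described above, written out as an added example (not Moana's code). The settings store layout, the context keys and the sample settings are constructed for illustration.

```python
# Added example (not Moana's code): resolve a setting through the
# SYSTEM > FACILITY > DEPARTMENT > USER override chain. Store layout and
# context keys are assumptions.
LEVELS = ("SYSTEM", "FACILITY", "DEPARTMENT", "USER")  # least to most specific


def resolve_setting(key, ctx, store):
    """Return (value, level) for `key`: the most specific override that applies
    to the caller's context wins, and `level` records where it came from.

    store maps (level, owner_id) -> {setting: value}; SYSTEM's owner is None.
    ctx carries facility_id, department_id and user_id (any may be absent).
    """
    owners = {
        "SYSTEM": None,
        "FACILITY": ctx.get("facility_id"),
        "DEPARTMENT": ctx.get("department_id"),
        "USER": ctx.get("user_id"),
    }
    resolved = None
    for level in LEVELS:  # walk least to most specific; the last hit wins
        owner = owners[level]
        if level != "SYSTEM" and owner is None:
            continue  # caller has no scope at this level, so no override applies
        layer = store.get((level, owner), {})
        if key in layer:
            resolved = (layer[key], level)
    if resolved is None:
        raise KeyError(f"no SYSTEM default defined for {key!r}")
    return resolved


# Constructed sample store: a system-wide workflow rule, one facility that
# overrides it, and one department inside that facility overriding it again.
SAMPLE_STORE = {
    ("SYSTEM", None): {"lab.approval_required": True, "session.ttl_min": 30},
    ("FACILITY", "F-01"): {"lab.approval_required": False},
    ("DEPARTMENT", "F-01/LAB"): {"lab.approval_required": True},
    ("USER", "u-42"): {"session.ttl_min": 15},
}
```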
HIPAA-Grade Audit Logging
Every action in the platform generates an audit log entry, without exception. Every entry records the user identity, timestamp at millisecond precision, action type, affected resource and record ID, IP address, user agent, device fingerprint, and response outcome. Action types are enumerated: VIEW, CREATE, UPDATE, DELETE, EXPORT, PRINT, VOID, APPROVE, REJECT, BREAKGLASS_VIEW, OVERRIDE, and LOGIN and LOGOUT events. The audit log is append-only: no user, including system administrators, can modify or delete audit entries. Audit log retention is configured for a minimum of six years, consistent with clinical governance requirements. Audit log data is exportable for regulatory inspection and external audit.
Breakglass Emergency Access
Clinical emergencies sometimes require a clinician to access a patient's record outside their normal permission scope. Moana handles this through a Breakglass workflow: the clinician requesting emergency access must document the reason for access before access is granted. The access is recorded with the BREAKGLASS_VIEW action type, the documented reason, the requesting clinician, the accessed record, and the timestamp. The accessing clinician's supervisor is notified automatically. The breakglass event appears on the supervisor's access review dashboard and must be reviewed and acknowledged by a supervisor within a configurable SLA window. This design ensures that genuine clinical emergencies can always be handled, while every exception to normal access controls is fully visible and accountable.
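The breakglass flow above, together with the append-only audit log it writes to, as an added example that is not Moana's code. The record layout, the 24-hour review SLA default and the notification shape are assumptions; the scenario in demo() is constructed.

```python
# Added example (not Moana's code): breakglass access with a mandatory reason,
# an append-only audit log and a supervisor review deadline. Assumed layout.
from datetime import datetime, timedelta

class AuditLog:
    """Append-only: entries can be appended and read, never changed or removed."""
    def __init__(self):
        self._entries = []

    def append(self, **entry):
        entry["ts"] = entry["ts"].isoformat(timespec="milliseconds")
        self._entries.append(entry)
        return len(self._entries) - 1  # entry id

    def entries(self):
        return tuple(dict(e) for e in self._entries)  # copies, not the store

class Breakglass:
    def __init__(self, audit, supervisor_of, sla=timedelta(hours=24)):
        self.audit, self.supervisor_of, self.sla = audit, supervisor_of, sla
        self.pending = {}  # audit entry id -> review deadline

    def request(self, clinician, record_id, reason, now):
        """Grant emergency access only with a documented reason; returns the
        audit entry id and the notification sent to the supervisor."""
        if not reason or not reason.strip():
            raise ValueError("breakglass access requires a documented reason")
        eid = self.audit.append(user=clinician, action="BREAKGLASS_VIEW",
                                resource="patient_record", record_id=record_id,
                                reason=reason.strip(), outcome="GRANTED", ts=now)
        self.pending[eid] = now + self.sla
        return eid, {"to": self.supervisor_of[clinician], "event": eid,
                     "review_by": self.pending[eid]}

    def acknowledge(self, eid, supervisor, now):  # the review is itself audited
        self.pending.pop(eid)
        self.audit.append(user=supervisor, action="APPROVE", ts=now,
                          resource="breakglass_event", record_id=eid, outcome="REVIEWED")

    def overdue(self, now):  # unreviewed events whose SLA window has passed
        return sorted(e for e, due in self.pending.items() if now > due)

def demo():
    """Constructed scenario: one emergency access, reviewed an hour past SLA."""
    log, t0 = AuditLog(), datetime(2024, 3, 1, 8, 0)
    bg = Breakglass(log, {"dr.tui": "dr.lee"})
    eid, note = bg.request("dr.tui", "PT-1001", "Unconscious patient in ED", t0)
    late = bg.overdue(t0 + timedelta(hours=25))  # past the 24-hour SLA
    bg.acknowledge(eid, note["to"], t0 + timedelta(hours=25))
    return log.entries(), late, bg.overdue(t0 + timedelta(hours=48))
```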
Multi-Factor Authentication and Session Security
All user accounts support multi-factor authentication. For Ministry surveillance accounts, OTP-based two-factor authentication is mandatory, together with a 12-character minimum password length, 90-day rotation, and a last-five-password history check that prevents reuse of recent passwords. Device fingerprinting captures a signature of each device used to log in. Login attempts from unrecognised devices trigger login alert notifications to the user and to facility administrators. Failed login attempts are tracked and accounts are locked after a configurable number of consecutive failures, with unlock requiring administrator action. Session tokens have configurable expiry and are invalidated on logout.
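The credential rules listed above as a checkable policy, added here as an example and not taken from Moana. The lockout threshold of five is an assumed default for the configurable value; SHA-256 is used only to compare a candidate against stored history digests, and a production store would hold a slow, salted password hash instead.

```python
# Added example (not Moana's code): 12-char minimum, last-5 history, 90-day
# rotation and consecutive-failure lockout. Threshold and hashing are assumptions.
import hashlib
from datetime import datetime, timedelta

MIN_LENGTH, HISTORY_DEPTH, ROTATION = 12, 5, timedelta(days=90)
MAX_FAILURES = 5  # configurable in the description; 5 is an assumed default


def digest(pw: str) -> str:
    # Comparison digest only; real credential stores use a slow salted hash.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_new_password(candidate: str, history: list) -> list:
    """Return policy violations for a proposed password (empty list = accepted).
    `history` holds digests of previous passwords, newest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if digest(candidate) in history[:HISTORY_DEPTH]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotation_due(last_changed: str, now: str) -> bool:
    """ISO-8601 timestamps in, True when the 90-day rotation period has elapsed."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(last_changed) >= ROTATION


class LoginGuard:
    """Counts consecutive failures per account; a lock is cleared only by an admin."""
    def __init__(self):
        self.failures, self.locked = {}, set()

    def record(self, account: str, success: bool) -> str:
        if account in self.locked:
            return "LOCKED"  # even a correct password does not clear a lock
        if success:
            self.failures[account] = 0
            return "OK"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
            return "LOCKED"
        return "FAILED"

    def admin_unlock(self, account: str):
        self.locked.discard(account)
        self.failures[account] = 0
```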
Custom Forms and No-Code Configuration
Clinical documentation templates, custom workflow steps, and facility-specific configuration settings are managed by facility administrators without developer involvement. Administrators configure custom clinical forms using a form builder interface, add facility-specific services to the service catalogue, modify default workflow behaviour, and adjust system settings within the governance boundaries defined by the system-level configuration. This allows facilities to adapt the platform to their specific clinical processes and local requirements while remaining within the governed, audited platform framework.
Database Backup and Data Integrity
Automated database backups run on configurable per-service schedules with documented restore tooling and tested recovery procedures. Full database export to multi-sheet Excel format or CSV archive supports both operational backup and data portability requirements. Round-trip import with foreign key constraint deferral supports safe restore testing. Per-service backup scheduling supports data sovereignty requirements for governments that require all data to remain within national borders or a specified cloud region. Backup events are logged and backup success is monitored with alerting on failure.
Who Uses This Module
System Administrators
Manage user lifecycle, role assignments, facility configuration, and system-level settings across the entire deployment.
Facility Administrators
Manage user accounts, roles, and configuration for their specific facility. Review the access audit log. Approve or review breakglass access events.
Ministry and Network Administrators
Manage multi-facility deployments, provincial data isolation, network-wide configuration, and cross-facility audit oversight.
Compliance and Governance Officers
Access the complete audit log for regulatory inspection, external audit, and medico-legal review. Review override records and breakglass access events as part of routine governance monitoring.
How This Connects to the Rest of Moana
The Administration and Security module underlies every other module in the platform. User identity, role permissions, and facility scope are validated on every API request across the entire system. Audit log entries are generated by every clinical and administrative action across all modules. Configuration settings managed here propagate to module-level behaviour across Clinical Care, Laboratory, Pharmacy, Billing, and Surveillance. The security primitives established here, including JWT scope enforcement, multi-factor authentication, and audit logging, are the governance foundation on which the entire platform operates.
Standards and Compliance
The administration and security framework is designed to meet HIPAA-equivalent standards for health data governance. AES-256-CBC encryption is applied to data at rest. TLS 1.2 minimum is enforced for all data in transit. JWT tokens carry facility and department scope and are validated server-side on every request. The audit log structure and retention policy align with clinical governance requirements across the Pacific, Southeast Asian, and African regulatory environments in which Moana operates. The framework supports IHR (International Health Regulations) compliance for health security incident reporting.