
Data Security in Human Subjects Research


Presentation Transcript


  1. Data Security in Human Subjects Research Glenn Martin, MD Vice Chair, IRB Associate Dean for Research Mount Sinai School of Medicine March 1, 2006

  2. Losses of Note (www.IDTheftcenter.org) • 2005 • 152 incidents and 57,700,000 individuals • 11% (17) healthcare facilities/companies • 48% (73) educational settings • Through 2/21/06: • 25 incidents and 1,642,296 individuals • 6 hospitals or insurers and 395,379 patients

  3. Losses of Note • Card Systems Solutions: • 40,000,000 credit card numbers (May, 05) • Ameriprise: • stolen password protected unencrypted laptop • 58,000 customers and 68,000 financial advisers • Marriott: • 206,000 customers (12/26/05)

  4. Losses of Note • ChoicePoint: • 157,000 records (>9,000 NYS) (Feb, 05) • DSW shoe outlet: • credit card information 1,400,000 (holiday 04-05) • Dept of Justice: • password protected laptop, credit card info on 80,000 workers (May 2005) • Bank of America: • 65,000 customers (>675,000 stolen all told in NJ) • stolen back up tape 1.2 Mil federal employees(03/05)

  5. Losses of Note • UC Berkeley: • stolen unencrypted laptop • 98,000 SSNs of graduate students, employees and applicants (March, 05) • hacked research computer • >600,000 participants in the state's In Home Supportive Services program (Aug, 04) • UCLA: • 145,000 blood donors; unencrypted laptop (06, 04) • Providence Home Services: • 365,000 patients; unencrypted back up tapes (01/06)

  6. Losses of Note • MSMC: • >10,000 research patients with >6,000 SSNs; stolen desktop, password protected, unencrypted • Recovered and not accessed • Regulatory reporting • OHRP, funding agency, collaborating sites • Media reports • NY Daily News, NY Sun, NY Times, Newsday, NY Post • NY 1, WCBS • Blogs

  7. Data Loss Issues • If it can be lost, it has been lost! • Paper • Questionnaires with full demographics stolen from cars

  8. Data Loss Issues • Computers • Laptops with PHI • PDA with phone numbers and names of minors • Desktops with SSNs and PHI • Emails sent to participant lists without blind CC (every recipient sees every other address)

  9. Data Loss Issues • Other media • Thumb drives • Digital camera memory cards

  10-11. Missing Computers at MSSM (two chart slides; only the title survives in the transcript)

  12. Sensible precautions • Separate the data from the identifiers ASAP • Don't collect what you don't need • SSN, d.o.b. when age would do, etc. • Don't use derived codes without a very good reason • Initials, last 4 digits of SSN, d.o.b. etc. can be reconstructed by anyone who knows the subject, so they identify rather than hide
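The separation the slide asks for, as an added example that is not part of the original presentation: each constructed intake record (fictional subjects, not real data) is split into an analysis row carrying a random subject ID, the research variable and age instead of date of birth, and a linkage row mapping that ID back to the identifiers, so only the linkage table needs to be locked down. `derived_code` shows the initials + last-4-SSN + DOB style code the slide warns against; the enrollment date is an assumption.

```python
import csv
import io
import secrets
from datetime import date

# Constructed intake records for fictional subjects (not real data).
RAW_RECORDS = [
    {"name": "Jane Q. Doe", "ssn": "123-45-6789", "dob": "1961-04-12", "result": "positive"},
    {"name": "John A. Roe", "ssn": "987-65-4321", "dob": "1975-09-30", "result": "negative"},
]
ENROLLED_ON = date(2006, 3, 1)   # assumed enrollment date used for the age calculation
IDENTIFIERS = {"name", "ssn", "dob"}


def derived_code(rec):
    """The kind of code the slide warns against: initials + last 4 of SSN + DOB.
    Anyone who knows the subject can rebuild it, so it identifies rather than hides."""
    initials = "".join(w[0] for w in rec["name"].split() if w[0].isalpha())
    return initials + rec["ssn"][-4:] + rec["dob"].replace("-", "")


def age_years(dob_iso, on):
    """Collect age instead of date of birth when age is all the analysis needs."""
    d = date.fromisoformat(dob_iso)
    return on.year - d.year - ((on.month, on.day) < (d.month, d.day))


def pseudonymize(records, enrolled_on=ENROLLED_ON, id_bytes=8):
    """Split each record into an analysis row (random subject ID, age, research
    variables) and a linkage row (subject ID -> identifiers). The ID comes from the
    OS CSPRNG, so nothing about the person can be inferred from it."""
    analysis, linkage, seen = [], [], set()
    for rec in records:
        sid = secrets.token_hex(id_bytes)
        while sid in seen:                      # practically never, but be explicit
            sid = secrets.token_hex(id_bytes)
        seen.add(sid)
        analysis.append({"subject_id": sid,
                         "age": age_years(rec["dob"], enrolled_on),
                         "result": rec["result"]})
        linkage.append({"subject_id": sid, "name": rec["name"],
                        "ssn": rec["ssn"], "dob": rec["dob"]})
    return analysis, linkage


def leaks_identifiers(rows):
    """True if any row still carries a direct identifier column."""
    return any(IDENTIFIERS & set(row) for row in rows)


def to_csv(rows):
    """Serialize rows so the two tables can be written to separate files
    (the linkage file is the one that goes on encrypted, access-controlled storage)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    analysis_rows, linkage_rows = pseudonymize(RAW_RECORDS)
    print("analysis table (shareable with the analysts):")
    print(to_csv(analysis_rows))
    print("linkage table (encrypted, separate, restricted):")
    print(to_csv(linkage_rows))
```

The derived code for the first constructed record comes out as `JQD678919610412`, which is exactly the point: initials, part of the SSN and the full birth date are all in it. The random IDs carry nothing, and the only way back to a person is the linkage file.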

  13. Sensible precautions: PCs • Physically secure the workstation • Password protect the operating system, perhaps the BIOS • Install current patches for your operating system and your applications, ideally via automatic updates • Install anti-virus software and perform regular updates and scans of your computer • Install spyware scanners and conduct regular updates and scans of your computer

  14. Sensible precautions: PCs • Install only the applications you really need • Perform day to day tasks under a user account with limited/reduced permissions rather than an administrator/root account • Don't open attachments or click on links in suspicious email • Consider using a different web browser • Configure browser settings to be as secure as possible

  15. Sensible precautions: Thumb drives • If possible, encrypt the information on the drive. Use AES with a key of at least 128 bits; 256 bits is preferred. • If possible, select a product with biometric authentication, e.g. a fingerprint reader. • PHI or other confidential information should not be left on flash media for an extended period of time. • The flash media should be secured when it is not in the personal possession of the user: locked in a desk, drawer, or otherwise secured. • The flash media should not be left attached to the computer when not in use.

  16. Encryption • TrueCrypt is an open source program for Windows XP/2000 and Linux that lets the user encrypt any part of the file system, including USB thumb drives. More information can be found at http://www.truecrypt.org/. • PGP offers a commercial solution that supports both Windows and Macintosh operating systems. More information can be found at http://www.pgp.com/products/desktop/professional/index.html • Mac OS X supports native file system encryption using a feature called FileVault - http://www.apple.com/macosx/features/filevault/. Encrypted disk images can also be created using the Disk Utility application.

  17. Passwords • Weak: Admin, Password, 12345, Glenn • Strong: long, random, mixed character classes • Freeware available to generate and store them
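What "long, random, mixed" buys you, as an added example that is not part of the original presentation: a rough entropy estimate (length times log2 of the apparent alphabet), a check against a constructed list of common passwords and known names, and a generator that draws from the OS CSPRNG. The thresholds (40 and 64 bits) and the tiny common-password list are assumptions for illustration; a real checker would use a large dictionary.

```python
import math
import secrets
import string

PUNCT = string.punctuation                      # 32 printable symbols
# Constructed, deliberately tiny list; a real deployment uses a breach-derived dictionary.
COMMON_PASSWORDS = {"admin", "password", "12345", "123456", "qwerty", "letmein"}


def charset_size(pw):
    """Size of the alphabet the password appears to be drawn from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in PUNCT for c in pw):
        size += len(PUNCT)
    if " " in pw:
        size += 1
    return size


def entropy_bits(pw):
    """Upper bound on guessing entropy: length * log2(alphabet). Names and
    dictionary words are far weaker than this number suggests, which is why the
    list check in classify() runs first."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def classify(pw, known_names=()):
    """'weak' for common passwords, names, or under 40 bits (assumed thresholds);
    'moderate' up to 64 bits; 'strong' above that."""
    low = pw.lower()
    if low in COMMON_PASSWORDS or low in {n.lower() for n in known_names}:
        return "weak"
    bits = entropy_bits(pw)
    return "weak" if bits < 40 else "moderate" if bits < 64 else "strong"


def generate(length=16, alphabet=string.ascii_letters + string.digits + PUNCT):
    """Random password from the OS CSPRNG with at least one character of each
    class; the rare draw that misses a class is simply redrawn rather than patched,
    so every returned password is uniformly distributed over the accepted set."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in PUNCT for c in pw)):
            return pw


if __name__ == "__main__":
    for candidate in ("Admin", "Password", "12345", "Glenn", generate()):
        print(f"{candidate!r:24} {entropy_bits(candidate):6.1f} bits  {classify(candidate, ('Glenn',))}")
```

Each of the slide's four weak examples is rejected either by the list/name check or by being far under 40 bits (five digits is about 17 bits), while a 16-character draw from the full 94-symbol alphabet is about 105 bits. The entropy figure is only an upper bound; "Tr0ub4dor&3" scores well on it and is still a dictionary word with substitutions, so never let the number override the dictionary check.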

  18. Reporting Requirements • Privacy Officer • IRB • Possibly NYS!! • Notify the “owners” • Notify Mr. Spitzer • Read about it in the press

  19. NYS Information Security Breach and Notification Act • "Private information" under the Act is personal information (e.g., a name) in combination with any of: • social security number; • driver's license number or non-driver identification card number; or • account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

  20. NYS Information Security Breach and Notification Act • Factors in deciding whether information was acquired by an unauthorized person: • indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information • indications that the information has been downloaded or copied • indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

  21. NYS Information Security Breach and Notification Act • Who must be notified, in addition to the affected individuals: • NYS Attorney General • NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) • NYS Consumer Protection Board • Consumer credit reporting agencies if more than 5,000 people are notified • All reports go through Aviva Halpert

  22. Disposal • Computer hard drives must be sanitized using software that is compliant with Department of Defense (DoD) standards (the multi-pass overwrite of DoD 5220.22-M is the one usually meant). • Non-rewritable media, such as CDs, and non-usable hard drives must be physically destroyed. • Magnetic media can also be degaussed. • Lots of freeware, shareware and commercial software is available
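What a sanitizing overwrite actually does, as an added example that is not part of the original presentation: every byte of a file is overwritten with a pattern, its complement and then random data, each pass flushed to disk and read back to verify, and the file is renamed to a random name before unlinking so the original name does not survive in the directory. The pass order is the three-pass character/complement/random scheme commonly cited as DoD 5220.22-M; that attribution and the pattern bytes are assumptions for this example, and `demo()` works on a constructed temporary file.

```python
import os
import random
import secrets
import tempfile

# Pattern, complement, random: the three-pass scheme commonly cited as DoD 5220.22-M.
# None means a random pass. Pattern bytes are an assumption for this example.
PASSES = (b"\x55", b"\xaa", None)
CHUNK = 1 << 16


def _pattern_stream(pattern, seed, size):
    """Yield one pass worth of bytes in chunks. The random pass uses a PRNG seeded
    from the OS CSPRNG so the same stream can be regenerated for read-back
    verification without holding the whole file in memory."""
    rng = random.Random(seed) if pattern is None else None
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        yield rng.getrandbits(8 * n).to_bytes(n, "little") if rng else pattern * n
        remaining -= n


def _write_all(fd, data):
    view = memoryview(data)
    while view:                       # os.write may write fewer bytes than asked
        view = view[os.write(fd, view):]


def _read_exact(fd, n):
    buf = bytearray()
    while len(buf) < n:               # os.read may return short reads
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def overwrite_file(path, passes=PASSES):
    """Overwrite every byte of `path` in place once per pass, fsync, then read the
    file back and confirm the pass landed. Returns bytes overwritten per pass."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for pattern in passes:
            seed = int.from_bytes(secrets.token_bytes(16), "big")
            os.lseek(fd, 0, os.SEEK_SET)
            for block in _pattern_stream(pattern, seed, size):
                _write_all(fd, block)
            os.fsync(fd)
            os.lseek(fd, 0, os.SEEK_SET)
            for block in _pattern_stream(pattern, seed, size):
                if _read_exact(fd, len(block)) != block:
                    raise RuntimeError("verify failed: pass did not land on disk")
    finally:
        os.close(fd)
    return size


def shred(path, passes=PASSES):
    """Overwrite, rename to a random name so the file name leaves the directory
    entry, then unlink. Returns bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    anon = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return size


def demo(nbytes=4096):
    """Shred a constructed placeholder file; returns (bytes wiped, file still exists)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "subjects.csv")
        with open(p, "wb") as f:                  # constructed content, not real PHI
            f.write((b"ssn,result\n" * (nbytes // 11 + 1))[:nbytes])
        return shred(p), os.path.exists(p)


if __name__ == "__main__":
    print(demo())   # (4096, False)
```

The read-back after each pass is what makes this a sanitization rather than a hopeful write. Its limit is the one the slide's other bullets already address: overwriting only reaches the blocks the file system lets you address, so copies in journals, snapshots or backups, remapped sectors on a failing drive, and wear-levelled flash are not touched. Whole-disk wipes belong at the block-device level, and media you cannot address are destroyed or degaussed.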

  23. What happens if you leave MSMC? Transfer of PHI • Depending on the sponsor and the status of the grant, the research data may stay or leave. • If the PHI leaves it may be necessary to have new HIPAA authorizations signed or a waiver granted. • Discussion with the privacy officer and the IRB is needed.

  24-31. Backups (eight image slides; only the title survives in the transcript)

  32. Backups • General rules: encrypt; keep multiple sequential snapshots; keep a copy offsite • Offsite options: • Gmail (cheap and easy but not guaranteed forever) • Safety deposit boxes • Commercial solutions • On-site options: • External hard drives • Flash drives

  33. Contacts: • Kenny Chu Assoc. Director IT Security • kenny.chu@mountsinai.org • 212.659.1516 • Aviva Halpert Chief HIPAA Officer • aviva.halpert@mountsinai.org • 212.241.4669 • Glenn Martin Vice Chair IRB • glenn.martin@mssm.edu • 212.659.8980
