360 likes | 471 Views
Data Security in Human Subjects Research. Glenn Martin, MD Vice Chair, IRB Associate Dean for Research Mount Sinai School of Medicine. Losses of Note (www.IDTheftcenter.org). 2005 152 incidents and 57,700,000 individuals 11% (17) healthcare facilities/companies
E N D
Data Security in Human Subjects Research Glenn Martin, MD Vice Chair, IRB Associate Dean for Research Mount Sinai School of Medicine March 1. 2006
Losses of Note(www.IDTheftcenter.org) • 2005 • 152 incidents and 57,700,000 individuals • 11% (17) healthcare facilities/companies • 48% (73) educational settings • Through 2/21/06: • 25 incidents and 1,642,296 individuals • 6 hospitals or insurers and 395,379 patients
Losses of Note • Card Systems Solutions: • 40,000,000 credit card numbers (May, 05) • Ameriprise: • stolen password protected unencrypted laptop • 58,000 customers and 68,000 financial advisers • Marriott: • 206,000 customers (12/26/05)
Losses of Note • ChoicePoint: • 157,000 records (>9,000 NYS) (Feb, 05) • DSW shoe outlet: • credit card information 1,400,000 (holiday 04-05) • Dept of Justice: • password protected laptop, credit card info on 80,000 workers (May 2005) • Bank of America: • 65,000 customers (>675,000 stolen all told in NJ) • stolen back up tape 1.2 Mil federal employees(03/05)
Losses of Note • UC Berkeley: • stolen unencrypted laptop • 98, 000 SSN graduate students, employees and applicants (March, 05) • hacked research computer • >600,000 participants in the state's In Home Supportive Services program (Aug, 04) • UCLA: • 145,000 Blood donors; unencrypted laptop (06, 04) • Providence Home Services: • 365,000 patients; unencrypted back up tapes (01/06)
Losses of Note • MSMC: • >10,000 research patients with >6000 SSN; stolen desktop, password protected unencrypted • Recovered and not accessed • Regulatoryreporting • OHRP, funding agency, collaborating sites • Media Reports • NY Daily News, NY Sun, NY Times, Newsday, NY Post • NY 1, WCBS, • Blogs
Data Loss Issues • If it can be lost, it has been lost! • Paper • Questionnaires from cars with full demographics
Data Loss Issues • Computers • Laptops with PHI • PDA with phone numbers and names of minors • Desktops with SSN and PHI • Emails without blinded CC’s
Data Loss Issues • Other media • Thumb drives • Digital camera memory cards
Sensible precautions • Separate the data from the identifiers ASAP • Don’t collect what you don’t need • SSN, d.o.b. when age would do, etc. • Don’t use derived codes without a very good reason • Initials, last 4 numbers of SSN, d.o.b. etc.
Sensible precautionsPC’s • Physically secure the workstation • Password protect the operating system, perhaps BIOS • Install current patches for your operating system and your applications, ideally via automatic updates • Install anti-virus software and perform regular updates and scans of your computer • Install spyware scanners and conduct regular updates and scans of your computer
Sensible precautionsPC’s • Install only the applications you really need • Perform day to day tasks under a user account with limited/reduced permissions rather than administrator/root account • Don't open attachments or click on links in suspicious email. • Consider using a different web browser • Configure browser settings to be as secure as possible
Sensible precautionsThumb drives • If possible, encryption should be used to safeguard the information. The level of encryption should be at least 128 bit long, 256 bit is preferred. AES is the preferred encryption method. • If possible, select a product using biometric authentications – i.e. fingerprint reader. • PHI or other confidential information should not be left on flash media for an extended period of time. • The flash media should be secured when it is not in the personal possession of the user. The media should be locked in a desk, drawer, or otherwise secured. • The flash media should not be left attached to the computer when not in use.
Encryption • Truecrypt is an open source program for Windows XP/2000 and Linux that will allow the user to encrypt any part of the file system, including USB Thumb drives. More information can be found at http://www.truecrypt.org/. • PGP offers a commercial solution that supports both Windows and Macintosh operating systems. More information can be found at http://www.pgp.com/products/desktop/professional/index.html • Mac OS X supports native file system encryption using a feature called File Vault - http://www.apple.com/macosx/features/filevault/. Encrypted Disk Images can also be created using the Disk Utility application.
Passwords • Weak: • Admin • Password • 12345 • Glenn • Strong • Long, random, mixed • Freeware available
Reporting Requirements • Privacy Officer • IRB • Possibly NYS!! • Notify the “owners” • Notify Mr. Spitzer • Read about it in the press
NYS Information Security Breach and Notification Act • social security number; • driver's license number or non-driver identification card number; or • account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
NYS Information Security Breach and Notification Act • indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information • indications that the information has been downloaded or copied • indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
NYS Information Security Breach and Notification Act • NYS Attorney General • NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) • NYS Consumer Protection Board • Credit agencies if over 5000 people • All reports through Aviva Halpert
Disposal • Computer hard drives must be sanitized by using software that is compliant with Department of Defense (DoD) standards. • Non-rewritable media, such as CDs or non-usable hard drives, must be physically destroyed. • Magnetic media can also be degaussed. • Lots of freeware, shareware and commercial software is available
What happens if you leave MSMC?Transfer of PHI • Depending on sponsor and status of the grant the research data may stay or leave. • If the PHI leaves it may be necessary to have new HIPAA authorizations signed or a waiver granted. • Discussion with the privacy officer and the IRB is needed.
Backups • General rules: • Encrypt • Multiple sequential snapshots • Offsite • Gmail • Cheap and easy but not guaranteed forever • Safety Deposit Boxes • Commercial solutions • On-Site • External Hard Drives • Flash Drives
Contacts: • Kenny Chu Assoc. Director IT Security • kenny.chu@mountsinai.org • 212.659.1516 • Aviva Halpert Chief HIPAA Officer • aviva.halpert@mountsinai.org • 212.241.4669 • Glenn Martin Vice Chair IRB • glenn.martin@mssm.edu • 212.659.8980