AMC Privacy & Security: Progress & Prospects September 26-28, 2006. Clinical Research Track Risk Assessment in Research Joseph R. Sherwin, Ph.D. University of Pennsylvania Lee Olson Mayo Foundation. Risk Assessments in Research – Assessing Security and Privacy in Research Activities.
Risk Assessments in Research – Assessing Security and Privacy in Research Activities Joseph R. Sherwin, Ph.D. Director, Regulatory Affairs University of Pennsylvania
Objectives • Objective #1 - To identify key institutional information-related risks to research and how AMCs are measuring the existence and extent of such risks. • Objective #2 - To list areas in which many AMCs experience externally driven information-related risks and how they plan to manage them.
Risk Areas • Patient privacy – PHI in clinical trials • Secondary (tertiary??) data sets with PHI • Electronic compliance data • IRB oversight including adverse events • Animal protocol compliance data • Research data not otherwise covered under HIPAA • Animals • Tissue
Structuring Compliance Monitoring • U Penn decentralized approach • Several offices involved, from Trustee level through local school/center/institute level • Research issues raised are brought to the attention of the Vice Provost for Research • In-the-field routine lab visits as well as paper-driven review processes • Primarily issue-specific (i.e., human subjects, animals, etc.) • Cross-training on issues and inter-office communication, including numerous standing and ad hoc meetings
Patient Privacy - Risks • HIPAA covers most issues raised in AMCs. With the exception of studies under waiver, most routine uses and disclosures are covered under authorization • Noted failure to document authorization • Disclosures beyond the scope of authorization • Investigator transfer to another institution • During trial • After completion of primary data collection
Secondary data sets • Self-identification by type (electronic vs. paper) • Stratification by risk: covered entity versus non-covered entity; data type • Migration to secure servers and/or password-protected systems, secure storage, etc., based on risk • Development of standard procedures for responding to a breach
Compliance Data • IRB – Human subject monitoring QA/QI • FDA access to review of protocol tracking databases • Social sciences and confidentiality issues • IACUC • Required inspections versus voluntary compliance oversight • Animal activists • Separation of functionality • Emerging USDA issues
Research data not otherwise covered under existing privacy rules • Tangible research property and use of appropriate material transfer agreements • Access to physician investigators in pivotal trials • Review of investigator confidentiality agreements • Conflicts of interest and commitment • Student access to data, and data ownership • Transfer of data between institutions • Do we need a more formal mechanism?
Security Risk Analysis in Research Lee Olson Mayo Clinic
Risk analysis involves: • Identification of assets • Threat assessment – types, likelihood & severity • Identification of countermeasures • Identification of exposures where countermeasures are lacking • Risk is expressed in terms of loss expectancy • Risk management is the application of cost-effective countermeasures to reduce loss expectancies.
Mayo Clinic compliance documentation (high level): Risk Analysis
Risk analysis made really simple • Volume • Users • Data • Systems • Sensitivity • Infectious diseases vs. blood gases • Targetability • Economic, military, publishing bragging rights
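The two slides above (risk analysis in terms of loss expectancy, and the "volume, sensitivity, targetability" shortcut) describe a quantitative method without numbers. The following is an added worked example, not Mayo Clinic's documented method or code from the presentation: it carries the listed steps through in Python for a constructed inventory of three research assets, four threats and four candidate countermeasures. All dollar values, rates and names are invented for illustration, and the 1-3 volume band is an assumed discretization.

```python
"""
Quantitative risk analysis worked through in code (added illustration; not
Mayo Clinic's method). Every asset, threat, countermeasure and figure below
is constructed for the example.

Steps mirrored from the slides: identify assets; assess threats (likelihood
and severity); identify countermeasures; find exposures where none apply;
express risk as annualized loss expectancy, ALE = value x exposure factor x
annualized rate of occurrence; keep the countermeasures whose annual cost is
below the ALE they remove.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float         # replacement or loss value in dollars (constructed)
    volume: int          # records or users held, for the "volume" heuristic
    sensitivity: int     # 1 (blood gases) .. 5 (infectious disease, PHI)
    targetability: int   # 1 .. 5: economic, military or publishing value


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float   # severity: fraction of asset value lost per event
    aro: float               # likelihood: annualized rate of occurrence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float                 # fraction of ARO removed where it applies
    threats: FrozenSet[str]              # threat names it mitigates
    assets: Optional[FrozenSet[str]] = None  # asset names covered; None = all

    def applies(self, asset: Asset, threat: Threat) -> bool:
        return threat.name in self.threats and (
            self.assets is None or asset.name in self.assets)


def volume_band(volume: int) -> int:
    """Assumed coarse 1..3 band for the 'volume' factor on the slide."""
    return 1 if volume < 1_000 else 2 if volume < 100_000 else 3


def simple_score(asset: Asset) -> int:
    """Volume x sensitivity x targetability: a triage score, not a dollar risk."""
    return volume_band(asset.volume) * asset.sensitivity * asset.targetability


def ale(asset: Asset, threat: Threat) -> float:
    """Annualized loss expectancy: (value x exposure factor) x ARO."""
    return asset.value * threat.exposure_factor * threat.aro


def residual_ale(asset: Asset, threat: Threat,
                 countermeasures: Sequence[Countermeasure]) -> float:
    """ALE after every applicable countermeasure has reduced the ARO."""
    factor = 1.0
    for cm in countermeasures:
        if cm.applies(asset, threat):
            factor *= 1.0 - cm.aro_reduction
    return ale(asset, threat) * factor


def exposures(assets: Sequence[Asset], threats: Sequence[Threat],
              countermeasures: Sequence[Countermeasure]) -> List[Tuple[str, str]]:
    """(asset, threat) pairs that no countermeasure touches: uncovered risk."""
    return [(a.name, t.name) for a in assets for t in threats
            if not any(cm.applies(a, t) for cm in countermeasures)]


def net_benefit(cm: Countermeasure, assets: Sequence[Asset],
                threats: Sequence[Threat]) -> float:
    """ALE removed by this countermeasure on its own, minus its annual cost."""
    removed = sum(ale(a, t) * cm.aro_reduction
                  for a in assets for t in threats if cm.applies(a, t))
    return removed - cm.annual_cost


def select_cost_effective(candidates: Sequence[Countermeasure],
                          assets: Sequence[Asset],
                          threats: Sequence[Threat]) -> List[Countermeasure]:
    """Risk management per the slide: keep only countermeasures that pay for themselves."""
    return [cm for cm in candidates if net_benefit(cm, assets, threats) > 0]


# Constructed inventory for a small research unit (illustrative numbers only).
ASSETS = [
    Asset("Clinical trial PHI database", 500_000, 20_000, 5, 3),
    Asset("Blood gas QC spreadsheet", 5_000, 200, 1, 1),
    Asset("Imaging algorithm source code", 2_000_000, 10, 3, 5),
]
THREATS = [
    Threat("Insider theft", 0.5, 0.2),
    Threat("Lost unencrypted laptop", 0.3, 0.5),
    Threat("Disk failure with no backup", 1.0, 0.1),
    Threat("Investigator transfer to another institution", 0.2, 0.3),
]
CANDIDATES = [
    Countermeasure("Full-disk encryption", 2_000, 0.9,
                   frozenset({"Lost unencrypted laptop"})),
    Countermeasure("Offsite backup", 10_000, 0.95,
                   frozenset({"Disk failure with no backup"})),
    Countermeasure("Access logging and review", 30_000, 0.5,
                   frozenset({"Insider theft"})),
    Countermeasure("Guard for the QC lab", 20_000, 0.5,
                   frozenset({"Insider theft"}),
                   frozenset({"Blood gas QC spreadsheet"})),
]


def total_ale(assets=ASSETS, threats=THREATS, countermeasures=()) -> float:
    """Sum of residual ALE over every asset/threat pair."""
    return sum(residual_ale(a, t, countermeasures)
               for a in assets for t in threats)


if __name__ == "__main__":
    for a in sorted(ASSETS, key=simple_score, reverse=True):
        print(f"triage score {simple_score(a):3d}  {a.name}")
    chosen = select_cost_effective(CANDIDATES, ASSETS, THREATS)
    print(f"baseline ALE ${total_ale():,.0f}; with {len(chosen)} countermeasures "
          f"${total_ale(countermeasures=chosen):,.0f}")
    for pair in exposures(ASSETS, THREATS, chosen):
        print("uncovered:", pair)
```

Two things the run shows that the slide text alone does not: the triage score and the dollar ALE rank assets differently (the source code wins on loss expectancy, the PHI database on the simple score), and the "investigator transfer" threat from the Penn slides remains an exposure because no candidate countermeasure covers it, which is exactly the gap a risk analysis is supposed to surface.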
C.I.A. and Security Risk • Confidentiality • Human studies • Multi-center protocols • Availability • Lack of backup • Information theft • Integrity • “Today you’re the sys admin.”
The Big Three for IRB • Information sensitivity – PHI anyone? • External transmission • Whether or how non-Mayo personnel have access to computing infrastructure Mayo Clinic prompts researchers to address these aspects in the IRB submission process.
The risk model in Research is different from that in clinical practice or education.
Clinical and business information is generally not targeted for theft. Most has little intrinsic value outside the corporate environment. Most security violations in clinical and business areas are personal in nature and privacy-related. Much of Research’s information is intrinsically valuable. Conducting research is expensive and the resultant intellectual property is targeted for theft. It may have economic value, military value, or both.
Trends • Thefts are discovered inadvertently. • Foreign nationals are responsible for theft of intellectual property • Intent is often apparent • Perpetrators act individually • No evidence to indicate state sponsorship
Theft Occurrences in Research • Attempted theft of biomedical imaging source code by Indian graduate student, 1993 • Theft of soft tissue regeneration data, lab books and specimens; destructive alteration of data by Japanese fellow, 1999 • Attempted theft of DARPA and NIH grant materials by South Korean PhD, 2000 • Attempted theft of NIH-funded hypertension research data containing patient identifiers by Polish senior research fellow, 2002 • Ultrasound technology useful for analysis of missile and aircraft airframes transferred to Iran by PhD with dual U.S. – Iranian citizenship, 2000
Hacking tools found on one researcher's system • Evidence Eliminator • Flow Protector (spy stopper) • Disk Juggler (CD cracker) • Plustech IP Changer • XP AntiSpy • Zone Alarm • Yahoo Extra Byte Remover • Leap FTP • Godizilla • Leech • FakeSurf • FTP Scanner • Clever Contact • Distinct E-mail Extractor • Anarchists Cookbook 2000 • How to crack • The Cracking manual, versions 1 & 2 • Uncle Joes: how to crack
Motivations • Bragging rights – first to publish • Economic / personal gain • International sponsors benefit • Patriotic loyalty to home country • Dual use (civilian & military) value
Question 1 • How many of your organizations have taken any step to assess the risks presented by your research enterprise?
Question 2 • On a scale of 1-5, where do you think your organization is relative to assessing risks presented by the research enterprise and taking steps to address them?
Question 3 • In the research environment, where do you find your greatest concerns? • What assessment methods work most effectively for your institution? • What are your greatest challenges in addressing identified risks?