This article discusses the importance of data security in cancer registry reporting, specifically in the context of the Veterans Health Administration (VHA) data. It provides an overview of VHA data security requirements and the current status of data security with NPCR programs. Additionally, it offers sources of information on security and highlights the responsibilities and procedures for maintaining data security in cancer registries.
Central Cancer Registry: Data Security
The Reporting of Veterans Health Administration (VHA) Data to a Central Cancer Registry
Scott Van Heest, IT Specialist
NAACCR 2010, Quebec City, Canada, June 24, 2010
National Center for Chronic Disease Prevention and Health Promotion
Data Security – Why is it important
• Cancer registry data contains Personally Identifiable Information (PII) that can be used for illicit purposes:
  • Identity theft.
  • A person's medical history can be used to obtain prescription medication fraudulently, to embarrass or blackmail the person, or to increase insurance premiums.
  • A health care provider could use breached data to gain a competitive advantage in the market.
Overview of VHA Data Security Requirements
• VHA Directive 2009-046, released October 1, 2009
• VHA Directive 2007-023, released August 17, 2007
• VA Directive 6500, released August 4, 2006; VA Handbook 6500 released September 18, 2007
VA Directive 6500
• Requires Department-wide compliance with the Federal Information Security Management Act (FISMA) of 2002, 44 U.S.C. §§ 3541-3549.
• Pertains to the security of VA information and of systems administered by VA, or on behalf of VA.
• Applies to all VA Administrations and staff offices.
• Directive is available at the VA web site: http://www1.va.gov/vapubs/viewPublication.asp?Pub_ID=50&FType=2
VHA Directive 2007-023
• Required cancer registries to establish a Data Transfer Agreement (DTA) with the VHA.
• Required all Personally Identifiable Information (PII) to be encrypted.
  • The encryption software must be validated by the National Institute of Standards and Technology (NIST) and meet the current version of Federal Information Processing Standard (FIPS) 140.
  • Note that a FIPS 140 validation covers a specific cryptographic module operated in its approved mode, not every product that bundles it; a registry should confirm that the module it actually uses holds a current validation and is configured in that mode.
• This VHA Directive is no longer available on the VA web site.
VHA Directive 2009-046
• VHA Directive 2007-023 is rescinded.
• Existing data release agreements are nullified.
• Registries must obtain a Data Use Agreement (DUA) instead of the Data Transfer Agreement (DTA) required by Directive 2007-023.
• VA data must be transported or transmitted to the State in accordance with VA Handbook 6500.
• Re-disclosure of VA data with patient identifiers by the State is not permitted.
• Directive is available at the VA web site: http://www1.va.gov/vapubs/viewPublication.asp?Pub_ID=50&FType=2
Current Status of Data Security with NPCR Programs
• From the Security Assessment at last year's NPCR-PD meeting. Of the registries that responded:
  • Over 18% were currently receiving VA data.
  • Over 30% had obtained a fully executed Data Transfer Agreement (DTA) from the VHA.
  • Less than 15% were encrypting their registry data.
  • Over 50% had completed a security assessment or internal audit.
  • Over 73% had identified and designated a person to ensure data security.
  • Over 80% were aware of the NPCR security web page.
  • Over 70% had identified and designated a person to work directly with their parent organization (e.g. the state health department) to ensure data security.
Sources of Information on Security
• NAACCR Standards for Completeness, Quality, Analysis, Management, Security, and Confidentiality of Data (August 2008) (PDF)
  • Focus on NAACCR Chapter 6: Security & Confidentiality
  • Located at http://www.naaccr.org/filesystem/pdf/Volume%20III%20final%202008%20v2.pdf
• NPCR Data Security web site
  • Located at http://www.cdc.gov/cancer/npcr/tools/security/
NAACCR Chapter 6: Security & Confidentiality
• It is the responsibility of every registry to protect its data from unauthorized access and release.
• The Central Cancer Registry (CCR) Director MUST be responsible for data security.
• There SHOULD be a Chief Technology Officer who works directly with the CCR Director to ensure data security.
• The CCR MUST maintain the same standards of confidentiality as customarily apply to the doctor-patient relationship.
• The CCR MUST comply with all applicable security procedures and practices of its parent organization.
• The CCR MUST:
  • protect the privacy of the individual patient
  • protect the privacy of the reporting sources
  • provide public assurance that the data will not be abused
  • abide by any confidentiality-protecting legislation or rules
NAACCR Chapter 6: Security & Confidentiality (Continued)
• Risk Assessment of the Vulnerability of Central Registry Systems. A risk assessment of the vulnerability of the central registry:
  • SHOULD be conducted and included in the central cancer registry's security manual
  • SHOULD identify potential threats from natural, human, and environmental sources, as well as vulnerabilities due to weaknesses in security configuration, policy standards, procedures, and the degree of compliance with both technical and non-technical requirements
NPCR Data Security Web Site
• Planning for Data Security
• Data Security Guidelines for Cancer Registries
• The CDC Certification and Accreditation (C&A) Process
• Security Features in Web Plus
• Maximizing Data Security in Web Plus
• Introduction to Data Encryption
• Details about Data Encryption
• Data Breach Response
• Frequently Asked Questions about Data Security
• Data Security Related Links
Steps to Address the VHA Directive
• Steps to improve data security:
  • Identify vulnerabilities.
  • Address the easiest-to-fix vulnerabilities first, then the more difficult ones, then the more costly ones.
• Common difficulties encountered:
  • Resistance by staff
  • Lack of expertise
Conclusion
• How to address the VHA directives: the sources above provide methods that have worked for other registries.
• Reporting VHA data provides more complete data on the national cancer burden.
• Data security should not be done "only" to address the VHA directives; it also
  • protects the image of CCRs
  • protects future funding
Scott Van Heest, CDC, 770-488-4863, sgv1@cdc.gov
Joseph Rogers, CDC, jdr0@cdc.gov
Sanjeev Baral, Northrop Grumman Contractor, sbaral@cdc.gov