Scott Van Heest IT Specialist NAACCR 2010, Quebec City, Canada June 24, 2010 Central Cancer Registry: Data Security The Reporting of Veterans Health Administration (VHA) Data to a Central Cancer Registry National Center for Chronic Disease Prevention and Health Promotion Place Descriptor Here
Data Security – Why is it important Cancer registry data contains Personally Identifying Information (PII ) that can be used for illicit purposes. Identity theft. A person's medical history can be used to obtain prescription medication fraudulently embarrass or blackmail the person increase insurance premiums. Health care providers could use this breached data to give a competitive advantage in the market.
Overview of VHA Data Security Requirements VA Directive Released October 1, 2009 VA directive Released August 17, 2007 VA Directive 6500 Released August 4, 2006 Handbook released September 18, 2007
VHA Directive 6500 Requires Department-wide compliance with the Federal Information Security Management Act (FISMA) of 2002, 44 U.S.C. §§ Pertains to the security of VA information and systems administered by VA, or on behalf of VA. Applies to all VA Administrations and staff offices Directive is available at the VA web site: ID=50&FType=2 ID=50&FType=2
Directive Required cancer registries to establish a Data Transfer Agreement (DTA) And encrypt all Personal Identifiable Information (PII) Encryption software must be validated by the National Institute of Standards and Technology (NIST) Meet the current version of Federal Information Processing Standards (FIPS) 140 This VHA Directive is no longer available on the VA web site
Directive VHA Directive is rescinded. Existing data release agreements are nullified. Must obtain a Data Use Agreement (DUA) Instead of the Data Transfer Agreement (DTA) from directive , Transporting or Transmitting the VA data to the State in accordance with VA Handbook 6500 Re-disclosure of VA data with patient identifiers by the State is not permitted Directive is available at the VA web site: ID=50&FType=2 ID=50&FType=2
Current Status of Data Security with NPCR Programs From the Security Assessment at the last years NPCR- PD meeting Of the registries that responded: Over 18% were currently receiving VA data Over 30% had obtained a fully executed (DTA) from the VHA Less than 15% are encrypting there registry data Over 50% completed a security assessment or internal audit Over 73% identified and designated a person to ensure data security Over 80% aware of the NPCR security web page Over 70% identified and designate a person to work directly with your organization (e.g. state health department) to ensure data security.
Sources of Information on Security NAACCR Standards for Completeness, Quality, Analysis, Management, Security, and Confidentiality of Data (August 2008) (PDF) Focus on NAACCR Chapter 6: Security & Confidentiality Located at 8%20v2.pdf 8%20v2.pdf NPCR Data Security web site Located at * Citations, references, and credits – Myriad Pro, 11pt
NAACCR Chapter 6: Security & Confidentiality Responsibility of every registry to protect its data from unauthorized access and release. The CCRs Director MUST be responsible for data security There SHOULD be a Chief Technology Officer who works directly with the CCR Director to ensure data security The CCR MUST maintain the same standards of confidentiality as customarily apply to the doctor-patient relationship The CCR MUST comply with all applicable security procedures and practices of its parent organization The CCR MUST: protect the privacy of the individual patient protect the privacy of the reporting sources provide public assurance that the data will not be abused abide by any confidentiality-protecting legislation or rules
NAACCR Chapter 6: Security & Confidentiality (Continued) Risk Assessment of the Vulnerability of Central Registry Systems A risk assessment of the vulnerability of the central registry SHOULD be conducted and included in the central cancer registry’s security manual SHOULD identify potential threats from natural, human, and environmental sources as well as vulnerabilities due to weaknesses in security configuration, policy standards, procedures, and degree of compliance with both technical and non-technical requirements
NPCR Data Security Web Site Planning for Data Security Data Security Guidelines for Cancer Registries The CDC Certification and Accreditation (C&A) Process Security Features in Web Plus Maximizing Data Security in Web Plus Introduction to Data Encryption Details about Data Encryption Data Breach Response Frequently Asked Questions about Data Security Data Security Related Links
Steps to Address VHA Directive Steps to improve data security Indentified vulnerabilities Address the easiest to fix vulnerabilities first Then more difficult vulnerabilities Then the more costly vulnerabilities Common difficulties encountered Resistance by staff Lack of expertise * Citations, references, and credits – Myriad Pro, 11pt
Conclusion How to address the VHA directives These sources provides successful methods Provide a more complete data on the national cancer burden Data Security should not be “only” to address the VHA directives Protect image of CCR ‘s Future Funding
For more information please contact Centers for Disease Control and Prevention 1600 Clifton Road NE, Atlanta, GA Telephone, CDC-INFO ( )/TTY: Web: The findings and conclusions in this report are those of the authors and do not necessarily represent the official position of the Centers for Disease Control and Prevention. Scott Van Heest, CDC Joseph Rogers, CDC Sanjeev Baral, Northrop Grumman Contractor National Center for Chronic Disease Prevention and Health Promotion Place Descriptor Here