DATA SECURITY FOR MEDICAL RESEARCH

Presentation transcript:

What is PHI?
Protected health information is information about the health status, provision of health care, or payment for health care that can be linked to a specific individual. PHI is regulated under laws in the US (HIPAA) and in many other countries, e.g. the EU (EU Data Protection Directive/ePrivacy Directive).
Examples:
1. Names
2. Addresses
3. Dates
4. Phone and fax numbers
5. Email addresses and mobile device identifiers
6. Government ID numbers
7. Medical record numbers
8. Biometric information (fingerprints, face/hand scan/image)
Some laws prohibit collection of this information, while others require proper safeguards to be in place. Encryption is the most common safeguard in use.

How can participants' PHI be protected while using the internet?
1. De-identification
   a. Remove or omit identifying elements when data is collected.
   b. The study design should reflect the need to protect identifying data, by avoiding its collection or by using encryption.
2. Encryption
   a. Web-based tools must use encryption to protect PHI transmitted over the internet. Enable web encryption by using Transport Layer Security (TLS), also called SSL. URLs must begin with https:// and the browser must show a lock symbol, indicating PHI is protected between you and the web site.
   b. Use of TLS/SSL is evident to the end user.
   c. Note that a site using TLS/SSL during data transmission is not necessarily designed for use with PHI.
   d. Defer to your organization's requirements for PHI protection (see the laws pertaining to PHI protection).
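The de-identification step above, applied to the identifier categories the "What is PHI?" slide lists, as an added example that is not part of the presentation: direct-identifier fields are omitted at collection time, dates are reduced to the year (a common practice that goes beyond the slide's wording), and identifiers that leak into free text are scrubbed. Field names, regular expressions and the sample record are constructed assumptions.

```python
import re

# Fields holding the identifier categories named on the PHI slide (assumed field names)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "device_id",
    "government_id", "medical_record_number", "fingerprint_hash",
}

# Identifier shapes that tend to leak into free-text notes (illustrative patterns)
FREE_TEXT_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\bMRN[-\s]?\d+\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def deidentify(record):
    """Return a copy of record with direct identifiers omitted, *_date fields
    reduced to a *_year field, and identifier patterns scrubbed from text."""
    clean = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # omit rather than store
        if key.endswith("_date") and isinstance(value, str):
            clean[key[:-5] + "_year"] = value[:4]      # keep only the year
            continue
        if isinstance(value, str):
            for pattern, label in FREE_TEXT_PATTERNS:
                value = pattern.sub(label, value)
        clean[key] = value
    return clean


SAMPLE_RECORD = {  # constructed record, not real participant data
    "participant_code": "P-0042",
    "name": "Jane Example",
    "email": "jane@example.org",
    "medical_record_number": "MRN-88123",
    "visit_date": "2016-03-14",
    "age_band": "40-49",
    "notes": "Called 555-123-4567 on 2016-03-15; follow-up with jane@example.org, MRN 88123.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```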

PHI protection while using the internet (cont'd)
3. Use proper authentication of individual users through passwords (see later on creating a good password).
4. The system gives users only the minimal permissions needed to access the data they require. Not everyone is a system account administrator.
5. Sessions are limited: the system logs the user off automatically when the user is idle.
6. Data should be classified so that the system provides greater protections and limitations for more sensitive PHI, or greater or lesser protections for all PHI.
7. Audit logging allows administrators to know who has accessed PHI, as well as when, whether, and how it has been modified.
8. The system has integrity: it backs up information and protects it from corruption or loss. The system obscures PHI if unauthorized access occurs, including while transmitting data.
9. Always install the latest software updates, which may include security enhancements.
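Items 4, 5, 7 and 8 above combined in one small access layer, as an added example that is not code from the presentation: each role sees only the fields it needs, idle sessions are refused, fields outside the role's permission are obscured rather than returned, and every attempt is written to an audit log. The roles, field names, idle timeout and sample record are constructed assumptions.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; the slides give no figure

# Least privilege: each role may read only the fields its work needs (constructed roles)
ROLE_FIELDS = {
    "coordinator": {"participant_code", "name", "phone", "visit_year"},
    "analyst": {"participant_code", "visit_year", "age_band"},
}

SAMPLE_RECORD = {  # constructed record, not real participant data
    "participant_code": "P-0042",
    "name": "Jane Example",
    "phone": "555-123-4567",
    "visit_year": "2016",
    "age_band": "40-49",
}


@dataclass
class PhiSession:
    user: str
    role: str
    last_active: float                       # seconds, e.g. from time.time()
    audit_log: list = field(default_factory=list)

    def read(self, record, now):
        """Return the record with fields outside the role's permission masked.
        Idle sessions are refused, and every attempt is logged."""
        code = record.get("participant_code", "?")
        if now - self.last_active > IDLE_TIMEOUT_SECONDS:
            self.audit_log.append({"time": now, "user": self.user,
                                   "event": "SESSION_EXPIRED", "record": code})
            raise PermissionError("session idle too long; log in again")
        self.last_active = now
        allowed = ROLE_FIELDS.get(self.role, set())   # unknown role sees nothing
        # Unauthorized fields are obscured instead of being returned in clear
        view = {k: (v if k in allowed else "***") for k, v in record.items()}
        masked = sorted(k for k in record if k not in allowed)
        self.audit_log.append({"time": now, "user": self.user, "event": "READ",
                               "record": code, "masked_fields": masked})
        return view


if __name__ == "__main__":
    session = PhiSession(user="alice", role="analyst", last_active=1000.0)
    print(session.read(SAMPLE_RECORD, now=1060.0))
    print(session.audit_log)
```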

How can participants' PHI be protected while using Microsoft Word?

How can participants' PHI be protected while using storage devices?
Use a storage device that automatically encrypts data. Example: IronKey is the brand name of a family of encrypted USB and portable hard drive storage devices. The IronKey™ Cryptochip protects your critical data by keeping encryption key management on the device, where it is safe and protected. Only after the user logs in with an authorized password will the drive unlock data and applications.

How can participants' PHI be protected while using hosted and cloud-based services?
1. Check with your institution to understand the correct web address to access the service.
2. Determine how data is handled by the service. Review the terms and conditions and communicate with the company providing the service to answer these questions:
   a. How is access to the study data controlled? Can others see the data without your permission?
   b. If data can be shared between users, can they create, modify, or delete the data within your study?
   c. Ensure that you have control over the study data, including the ability to delete the data and study details from the service entirely.
4. Use established electronic tools available online to researchers, reducing the need to handle the technical IT and security challenges involved. Examples: SherlockMD and REDCap.

Hosted and cloud-based services (cont'd)
SherlockMD is a "cloud service".
1. There is no software download necessary to use the tool. Collected data is processed and warehoused within a secure cloud running on Amazon's best-of-breed data center technology.
2. It is independent of any particular research institution, so it is very easy for independent researchers to use it without waiting for an institution to configure user accounts and software.
3. It is available on the desktop in a web browser or on a mobile device.
4. It uses TLS/SSL to ensure all data is securely encrypted from your browser to the service.
6. It enforces the use of strong passwords and authorization levels.

Hosted and cloud-based services (cont'd)
REDCap is a "cloud service".
1. REDCap enforces the use of strong passwords and authorization levels to ensure that studies can be safely and securely shared with collaborators using the same service.
2. It is available on the desktop in a web browser or on a mobile device.
3. Websites and mobile apps can use TLS/SSL to ensure all data is securely encrypted from the browser to the service.
4. REDCap is a "hosted" service: an institution downloads the software and configures it to run on its own network/website, then provides access to the tool and the data.

Hosted and cloud-based services (cont'd): mobile devices
1. If PHI will be captured or stored on a mobile device, configure it to use the built-in mobile device encryption if available.
2. iOS (iPhone and iPad): the device automatically encrypts everything stored on it, but ONLY when a password is in use. Create a 6-digit numeric or an alphanumeric password in the Settings menu.

PHI protection while using mobile devices (cont'd)
3. Android
   a. Device encryption is enabled directly in the Settings menu.
   b. To ensure the security of this setting, ensure the device will lock with a regular password, PIN, or pattern lock.
   c. Always install the latest software updates, which may include security enhancements.

PHI protection while using mobile devices (cont'd)
4. The value of mobile apps for protecting PHI
   a. Mobile apps and websites use SSL/TLS to ensure data is securely encrypted from the browser to the service.
   b. They encrypt stored data even when it is not in use, with standard AES 256-bit encryption.
   c. Data is encrypted in case the device is lost or stolen.
   d. They enforce the use of strong passwords. Strong passwords have 10 characters mixing upper/lower case letters, numbers, symbols, and punctuation.
   e. Mobile apps require multiple levels of authorization.
5. Sources of mobile apps
   a. Google Play
   b. Apple App Store
   c. Directly from your affiliated institution

Summary Recommendations
When evaluating a tool to protect PHI:
1. Omit or de-identify identifying health information before submitting it online.
2. Use an online service that uses encryption in transmission.
3. Ensure the service or tool requires user accounts and strong passwords to protect access to data.
4. Select a service or tool that provides for deleting data if necessary.
5. Configure the device or workstation to safeguard access to the service, tool and data, e.g. with passwords and auto-locks.
6. Encrypt the data in case the device is lost or stolen.
7. If an institution provides the security service, comply with its guidelines for PHI data protection and use.