Presentation is loading. Please wait.

Presentation is loading. Please wait.

DATA SECURITY FOR MEDICAL RESEARCH

Published byChristal Cain Modified over 6 years ago

Similar presentations

Presentation on theme: "DATA SECURITY FOR MEDICAL RESEARCH"— Presentation transcript:

1 DATA SECURITY FOR MEDICAL RESEARCH

2 What is PHI? Protected health information about the health staus, provision of health care, or payment for health that can be linked to a specific individual. PHI applies under laws in the US (HIPAA) and many other countries, e.g. eu (EU Data Proection Directive/epPrivacy Directive). Examples: 1. Names 2. Addresses 3. Dates 4. Phone and fax numbers 5. addresses and mobile device identifiers 6. Government ID numbers 7. Medical records numbers 8. Biometric information (fingerprints, face/hand scan/image Some laws prohibit collection of this information, while others require proper safeguards to be in place. Encryption is the most common safeguard in use.

3 How can participant's PHI be protected while using the internet?
1. De-identification a. Remove or omit identifying elements when data is collected b. Study design should reflect need to protect identifying data by avoiding collection or using encryption 2. Encryption a. Web-based tools must use encryption to protect PHI transmitted over the internet. Enable web encryption by using Transport Layout Security (TLS), also called SSL. URLs must begin with and a lock symbol, indicating PHI is protected between you and the web site. b. Use of TLS/SSL is evident to the end user. c. Note that sites using TLS/SSL during data transmission may not be designed for use with PHI. d. Defer to your organization's requirements for PHI protection (see laws pertaining to PHI protection).

4 con't PHI protection while using the internet?
3. Use proper authentication of individual users, through passwords (see later on creating a good password). 4. System gives users minimal permission to access data necessary. Not everyone is a system account administrator. 5. Sessions are limited. The system logs off automatically when the user is idle. 6. Data should be classified so that the system provides greater protections and limitations to more sensitive PHI, or greater or lesser protections to all PHI. 7. The use of audit logging allows administrators to know who has access to PHI, as well as when, whether, and how it has been modified. 8. The system has integrity by backing up information and protecting information from corruption or loss. The system obscures PHI information if unauthorized access occurs, including chile transmitting data. 9. Always install the latest software updates, which may include security enhancements.

5 How can participant's PHI be protected while using Microsoft Word?

6 How can participant's PHI be protected while using storage devices
Use a storage device that automatically encrypts data. Example: Ironkey is the brand name of a family of encrypted USB and hard drive portable storage devices. The IronKey™ Cryptochip protects your critical data by keeping encryption key management on the device, where it's safe and protected. Only after the user logs in with an authorized password will the drive unlock data and applications.

7 How can participant's PHI be protected while using hosted and cloud-based services
1. Check with your institution to understand the correct web address to access the service. 2. Determine how data is handled by the service. Review terms and conditions and communicate with the company providing the service to answer these questions: a. How is access to the study data controlled? Can others see the data without your permission?   b. If data can be shared between users, can they create, modify, or delete the data within your study? c. Ensure that you have control over the study data, the ability to delete the data and study details from the service entirely. 4. Use established electronic tool available online to researchers, reducing the need to handle technical IT and security challenges involved. Examples: SherlockMD and REDCap

8 con't hosted and cloud-based services
SherlockMD is a “cloud service”. 1. There is no software download necessary to use the tool. Collected data is processed and warehoused within a secure cloud running on Amazon’s best-of-breed data center technology. 2. It is independent of any particular research institution, so it is very easy for independent researchers use it without waiting for an institution to configure user accounts and software. 3. It is available to use on the desktop in a web browser or on a mobile device. 4. The use of TLS/SSL to ensure all data is securely encrypted from your browser to the service. 6. It enforces the use of strong passwords and authorization levels

9 con't hosted and cloud-based services
REDCap is a “cloud service”. 1. REDCap enforces the use of strong passwords and authorization levels to ensure the studies it can be safely and securely shared with collaborators using the same service. 2. It is available to use on the desktop in a web browser or on a mobile device. 3. Websites and mobile apps can use TLS/SSL to ensure all data is securely encrypted from the browser to the service. 4. RedCap is a “hosted” service. An institution downloads the software and configures it to run on it's own network/website, then provides access to the tool and the data.

10 con't How can participant's PHI be protected while using hosted and cloud-based services
Mobile devices 1. If PHI will be captured or stored on mobile device, configure it to use the built-in mobile device encryption if available. 2. iOS iPhone and iPad The device will automatically encrypt everything stored inside, but ONLY when using a password. Create a 6-digit numeric or alphanumeric password in the Settings menu.

11 con't PHI protection while using mobile devices
3. Android a. Device encryption is enable directly in the Settings menu. b. To ensure the security of this setting, ensure the device will lock with a regular password, PIN, or pattern lock. c. Always install the latest software updates, which may include security enhancements.

12 con't PHI protection while using mobile devices
4. The value of mobile apps for protecting PHI a. Mobile apps and websites use SSL/TLS to ensure data is securely encrypted from the browser to the service. b. Encrypts secure data even when not in use with standard "AES 256-bit encryption. c. Encrypts when data is lost or stolen. d. Enforces the use of strong passwords. Strong password have 10 characters mixing upper/lower case letters, numbers, symbols, and punctuation. e. Mobile apps require multiple levels of authorization. 5. Sources of mobile apps a. Google Play b. Apple App Store c. Directly by your affiliated institution.

13 Summary Recommendations
When evaluating a too to protect PHI: 1. Omit or de-identify identifying health information before submitting it online. 2. Use an online service that uses encryption in transmission. 3. Ensure the service or tool requires user accounts and requires strong passwords to protect access to data. 4. Select a service or tool the provides for deleting data if necessary. 5. Configure the device or workstation to safeguard access to the service, tool and data, such as passwords and auto-locks. 6. Encrypt the data in case the device is lost or stolen. 7. If it is an institution providing the security service, comply with its guidelines for PHI date protection and use.

Download ppt "DATA SECURITY FOR MEDICAL RESEARCH"

Similar presentations

Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
Microsoft Passport www.passport.com Waldemar Swiercz.

Microsoft Passport Waldemar Swiercz.
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
SECURITY: 2014. Personal Health Information Protection Act, 2004 this 5 min. course covers: changing landscape of electronic health records security threats.

SECURITY: Personal Health Information Protection Act, 2004 this 5 min. course covers: changing landscape of electronic health records security threats.
The Right Choice for Call Recording WWW.OAISYS.COM OAISYS and PCI DSS Compliance Managing Payment Card Industry Compliance with OAISYS Call Recording Solutions.

The Right Choice for Call Recording OAISYS and PCI DSS Compliance Managing Payment Card Industry Compliance with OAISYS Call Recording Solutions.

Similar presentations

Ads by Google