Protecting Research Data
Scott Weinman, CISSP, CISA, CPA, MBA, MS
Sean Gallagher
Agenda
• Who are we?
• Why is data security important?
• Data security guidance
• Questions
Who are we?
Sean Gallagher
• Pitt IT – IT Security Department
• IT Security Analyst – Policy and Compliance
• Business analyst at HM Health Solutions
• Completed Cyber Security training at SecureSet Academy
Who are we?
Scott Weinman
• Pitt IT – IT Security Department
• Senior IT Security Analyst – Policy and Compliance
• 20 years of IT and financial control implementation and testing in healthcare, banking, and education
• CISSP, CISA, CPA, MBA, and MS-ISM
Who are we?
Pitt IT
Provides innovative services that support learning, teaching, research, and business.
To learn more go to: https://www.technology.pitt.edu/services
IT Services
• Data Networking
• Security Consulting Services
• Web Hosting
• Help Desk
• Voice and Telephone
• Qualtrics (online survey)
• Software Packages
• Managed Server Hosting
• Cloud Services
• Globus (file transfer)
• Research Computing
• Virtual Private Network (VPN)
• Email
• Software downloads
• LastPass
Who are we?
Pitt IT Security
Provides services to protect the confidentiality, integrity, and availability of the data.
To learn more go to: https://www.technology.pitt.edu/services
Security Services
• Firewall requests
• Security training
• Phishing training
• Security consulting
• Incident Response
• Logging and Monitoring
• Centralized anti-virus
• Vulnerability scans
• IRB reviews/consultations
• Contract reviews
• NIST 800-171 reviews
• Vendor reviews
Data Security Consultation
https://www.technology.pitt.edu/247-it-help-desk
Incident Reporting
If you suspect your computer or data has been compromised, contact the Pitt IT Help Desk immediately.
412-624-HELP (4357)
For more information go to: https://www.technology.pitt.edu/security/incident-response
Why is data security important?
Why is data security important?
• Protect your participants’ personal data
• Protect your research data with consideration for confidentiality, integrity, and availability
• Protect your own and the University’s intellectual property and reputation
• PI is responsible for data security and compliance with contract requirements such as NIST 800-171, FISMA, Cybersecurity Maturity Model Certification (CMMC), etc.
Data Security Guidance
The Principal Investigator is responsible for the security of the data.
• Is the data high risk/value?
• Where is the data going to be processed, stored, and transmitted?
• How will access be managed?
• How will confidentiality, integrity, and availability of the data be achieved?
Data Security Guidance
Collecting and Coding
• Collect only the data you need.
• Code (de-identify) data as much as possible.
• Use study-created email addresses (participant1@pitt.edu)
• Store linkage spreadsheets separate from coded data.
• Create basic data flow diagrams to understand the devices and locations where data will be processed, stored, and transmitted.
• Transmit and store data only in locations where it is absolutely necessary, and only for as long as necessary.
Data Security Guidance
Access Controls
• Unique user names and complex passwords/passphrases
• Multifactor
• Role-based security
• Least privilege
• Control admin rights
• No anonymous links
• Periodic access reviews
Data Security Guidance
Storage Types
Storage De-identified Identifiable Identifiable/Sensitive
Pitt NOC Server
Pitt Department Server with E
UPMC Managed Server
Third Party Collaborator Server with E, C
Other Server Storage with E, C
= Not approved for storage
= Approved for storage
E = Encryption required
C = Data Security Consultation required
Data Security Guidance
Storage Types
Storage De-identified Identifiable Identifiable/Sensitive
Pitt Box , C
Pitt OneDrive/SharePoint Online , C
Pitt Azure/AWS , C
UPMC One Drive/SharePoint Online
Other Cloud Storage (Survey tools, Apps) , E, C
= Not approved for storage
= Approved for storage
E = Encryption required
C = Data Security Consultation required
Data Security Guidance
Storage Types
Storage De-identified Identifiable Identifiable/Sensitive
Pitt desktop/laptop , E
UPMC desktop/laptop , E
Personal desktop/laptop , E
Portable storage (USB, DVD, etc.) , E
Other Cloud Storage – Personal Accounts
(Drop Box, Google)
= Not approved for storage
= Approved for storage
E = Encryption required
C = Data Security Consultation required
Data Security Guidance
Encryption
• In transit
• HTTPS/TLS
• Stored (at rest)
• Disk – FileVault, BitLocker
• File level – SecureZip
• To obtain these tools, contact the Help Desk or visit software.pitt.edu
Data Security Guidance
Mobile Device Security
• Password/Pin
• Screen lock timeout
• Encrypt the device
• Download only trusted apps (Google Play, Apple Store)
• Review each app’s permission list – location, camera, contacts, logs
• Remote wipe
Data Security Guidance
Basic Security Controls
• Privacy policies (3rd-party apps, websites)
• End-user license agreements
• Non-disclosure agreements
• Non-compete agreements
Data Security Guidance
How can Pitt IT Security help with basic security controls?
Security Control – Pitt Services
• Vulnerability management/patching – Security scans, reports, managed servers, managed desktops
• Logging and monitoring – Centralized log collection and alerting
• Anti-virus installed, updated, and monitored – Centrally managed Symantec anti-virus
• Firewalls – Centrally managed firewalls
• Incident response – Incident response team trained in forensic investigations
• Security training – Security training to departments
• Study email addresses – Creation of study email addresses
Request services by calling the Pitt IT Help Desk (412) 624-HELP (4357)
Data collection using text messaging
Text messages are not always encrypted across the whole transmission and storage path
(phone → tower → mobile provider → provider database).
Text Messaging Risks
• Not a secure form of communication
• Not always encrypted when transmitted or stored
• Stored on service providers’ servers
Recommendations for decreasing risks
• Utilize study phones to preserve anonymity
• Do not text sensitive, identifiable information; keep it general
• Include language in the consent form detailing the risks of text messaging
PittBox
Any type of data can be stored in PittBox, BUT Pitt IT Security MUST be consulted PRIOR to storing PHI or other sensitive data.
• Specific controls MUST be implemented
• Access MUST be managed
• Anonymous links CANNOT be used
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
• European law that established protections for the privacy and security of personal data about individuals. It applies to EEA-based operations and to certain non-EEA organizations that process personal data of individuals in the European Economic Area (“EEA”). It covers the collection and use of personal information:
• Through activities within the borders of EEA countries
• That is related to offering goods and services to EEA residents, or
• That involves monitoring the behavior of EEA residents
• Submit specific questions to GDPR@pitt.edu
PittPRO Data Management
Section – Guidance
Identifiers – Understand and document all the identifiers that will be collected.
• Collect only data that is necessary
• Code identifiers when possible
Technologies – Understand and document all tools used to collect, store, or transmit data.
• Code data – Participant1, participant1@pitt.edu
• Data flow – Where and how is the data transmitted
• Access controls – usernames, passwords, multifactor
• Data transmission – HTTPS/TLS
• Storage locations – Pitt/UPMC servers, other servers, cloud (Azure, AWS)
• Devices/websites/apps – Request security reviews, read privacy policies
• Risks – Document in consent form
• Sensitive identifiable data – Encrypt data in transit and when stored
PittPRO Data Management
Section – Guidance
Storage – Understand and document all storage locations
• Keep servers, laptops/desktops, other devices updated
• Keep anti-virus up to date
• Encrypt
• See the data storage guidance in the Storage Type slides
Collaborator/Vendor Security Reviews
When data is not on Pitt or UPMC devices or infrastructure, Pitt IT must perform a security review of the collaborator or vendor.
• Collaborators – Pitt IT meets with collaborators to understand the security controls in place
• Vendors – Pitt IT sends the vendor a security questionnaire
• Researchers can request a vendor security review by completing a Qualtrics questionnaire
https://pitt.co1.qualtrics.com/jfe/form/SV_6tV3eIiDKESNYMJ
Movement Studies and Data Security
Movement Studies
• Clearly identify the risks in the consent form
• Let the participants know their location will be tracked and recorded
• Code data as much as possible
• Limit the data that is being collected
• Use study devices and not a participant’s device
• Read the privacy policies of any apps or devices
• Understand where the data is transmitted and stored
3rd Party Apps
Risky because the researcher loses control of the data
What steps to take…
• Involve Pitt IT Security early on
• Request a vendor security review
• Code data: logins and email addresses
• Whose device is used? (researcher’s, participant’s)
• Read the privacy polices and end user license agreements
• Disable unnecessary features: location tracking, access to other functions
• Understand the security controls in place (access controls, storage locations, encryption)
Pitt’s CTSI REDCap
Pitt’s CTSI REDCap:
• Hosted on Network Operations Center (NOC) servers
• Behind Pitt firewalls
• Data is encrypted in transit but not at rest
• Separate identifiable data from research data when entering into REDCap
• Use a study ID
• Separate table or file linking the identifiers with the study ID
• Social Security numbers are not permitted in REDCap
• Not FDA Part 11 compliant or HIPAA compliant
• Contact Clinical Translation Science Institute (CTSI) – ctsi.pitt.edu for further guidance
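The coding practice described in the Collecting and Coding slide and again in the REDCap guidance above (study ID, study-created email address, linkage table stored separately) can be carried out as an added example; this is not code from the slides or from Pitt IT, the sample roster and the IDENTIFIER_FIELDS list are constructed for illustration, and the email domain is assumed to be pitt.edu as in the slides.

```python
"""Added example: split a participant roster into a coded dataset and a
separate linkage table, then check the coded set before uploading it."""
import csv
import io

# Direct identifiers that must never appear in the coded dataset
# (constructed list; SSN is included because REDCap does not permit it).
IDENTIFIER_FIELDS = ("name", "email", "phone", "ssn")

# Constructed sample roster; these are not real people.
SAMPLE_ROSTER = [
    {"name": "Alice Example", "email": "alice@example.org", "phone": "412-555-0101",
     "ssn": "000-00-0001", "age": "34", "score": "7"},
    {"name": "Bob Example", "email": "bob@example.org", "phone": "412-555-0102",
     "ssn": "000-00-0002", "age": "41", "score": "5"},
]


def code_records(roster, email_domain="pitt.edu"):
    """Return (coded_rows, linkage_rows).

    coded_rows hold only the study ID, the study-created email address and
    the research fields; linkage_rows map the study ID back to the
    identifiers and are meant to be stored separately with restricted access."""
    coded, linkage = [], []
    for n, rec in enumerate(roster, start=1):
        study_id = f"Participant{n}"
        study_email = f"participant{n}@{email_domain}"  # study-created address
        research = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        coded.append({"study_id": study_id, "study_email": study_email, **research})
        linkage.append({"study_id": study_id,
                        **{k: rec[k] for k in IDENTIFIER_FIELDS if k in rec}})
    return coded, linkage


def contains_identifiers(rows):
    """Pre-upload check: True if any identifier column survived in rows."""
    return any(k in IDENTIFIER_FIELDS for row in rows for k in row)


def to_csv(rows):
    """Serialize rows to CSV text, e.g. for a REDCap import or a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    coded_rows, linkage_rows = code_records(SAMPLE_ROSTER)
    assert not contains_identifiers(coded_rows)  # refuse to upload otherwise
    print(to_csv(coded_rows))    # goes to REDCap / shared storage
    print(to_csv(linkage_rows))  # kept separately, access-restricted
```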
Wi-Fi Security Considerations
• Using free Wi-Fi without a VPN is strongly discouraged, especially when sensitive, identifiable information is stored on or transmitted from your computer. (Files containing sensitive, identifiable data must be encrypted with a tool like SecureZip, with the strong password stored separately from the data.)
• Security recommendations:
• Use a VPN to establish a secure network connection. (Pitt IT offers Pulse through software.pitt.edu.)
• Only access sites whose address starts with https://
• Turn off the public folder sharing option on your computer.
• Be aware of your surroundings
Collaboration and Data Security
Data Security Considerations when Collaborating:
• Access controls in place? Grant the minimum access necessary.
• Periodic access reviews performed?
• Non-disclosure agreements in place?
• Data use agreements in place?
• Are the collaborators internal or external to Pitt?
• If external, will they be storing data?
• If external, what are their security controls?
Health Records Research Request (R3)
Information regarding R3 services can be found at:
http://rio.pitt.edu/services
Questions
Questions?
Contact Information
Sean Gallagher
Email: Sean.Gallagher@pitt.edu
Scott Weinman
Email: sdw37@pitt.edu
Thank You
Protecting Research Data