Data Security Incidents: The Role of IRBs and Information Security
Teresa Doksum, PhD, MPH & Sean Owen, CISSP, CAP, CRISC
May 22, 2015
Abt Associates | Pg 2
Agenda
• Background
• Prevention
• Incident Response Process
  1. Preparation
  2. Detection and Analysis
  3. Containment and Eradication
  4. Post-incident
Background
About Our Work and Team
Our Work
• Social-behavioral research and evaluation
• Funders include U.S. and other governments, foundations
• IRB volumes (annually):
  – 100 non-exempt human subjects research studies/yr
  – 100 studies exempt or non-research w/sensitive data
Our Team
• IRB Chair + Administrator
• Members: 12 voting
• Client Cybersecurity Team
• Dept partners
Definitions
PII – Personally Identifiable Information
– PII has varying levels of sensitivity
– Consider what the PII is paired with: a name on its own is far less sensitive than the same name paired with an SSN, health data or financial data
PHI – Protected Health Information per HIPAA
Incident – Security event that results in the loss of data confidentiality, integrity, or availability
– Loss of confidentiality is data being disclosed to someone who shouldn’t see it
Breach – Loss of confidentiality of data protected under HIPAA. Breach can also have other meanings depending on the data (e.g., federal, state and contractual definitions of breach), so check which definition applies to the data involved before deciding whether an incident is a breach
Case Study #1: Email PII
External study partner emails PII to Abt researcher
Case Study #1: What Abt does
1) Abt researcher notifies Abt IT help desk
2) Incident response team engaged
3) IRB helps identify level of sensitivity/requirements
4) Sender and receiver delete the email (including from Sent and Deleted Items) and provide confirmation to incident response team
5) Abt researcher:
– Tells sender not to email PII and reminds them of approved protocol
– Completes any additional steps required by Abt’s Security team or the
Prevention
Build Partnerships and Collaboration
You need 5+ partners to be successful:
– IT helpdesk manager
– Security manager or higher
– IRB chair or staff
– Legal counsel
– Grant/contracts department manager or higher
Defined SOPs and templates for data security
A communication strategy (meetings, posters, email reminders)
A training strategy for researchers AND PARTNERS
Require Detailed Data Security Plan
Main Contents of Data Security Plan
• Describes data in detail, including data dictionary/variable lists
• Documents flow of data from start of study to end among all study partners
• Identifies tools to protect data for each step
• Includes retention/destruction requirements
• Identifies applicable security/privacy regulations
• Lists training staff will take (CITI, HIPAA, general security awareness, study-specific) and promises to give a copy of the data security plan to all staff
[Figure: Electronic Data Flow Chart from Data Security Plan]
Example of Inadequate Data Security Plan
Original Abt IRB protocol section for data security:
“Describe the provisions to protect the privacy of subjects and to maintain the confidentiality of data”
Result: sparse, generic text to gain IRB approval:
– “All staff will promise to keep data confidential”
– “Data will be stored in locked file cabinets”
– “Data will be stored in password protected computers and folders”
None of these statements say which data are collected, where they flow, which partners hold them, or how they are encrypted at rest and in transit, so the IRB cannot tell whether the data are actually protected.
Case Study #2: Lost Audiorecorder
• Subcontractor travelled to site to conduct interviews
• Used a digital audiorecorder
• Sub’s IRB approved study w/few data security details
• Digital audiorecorder lost half way through trip and interviews
Case Study #2: What Abt did
1) Reported to both IRBs and funder
2) Security worked w/sub to develop procedures to prevent another incident (and continue interviews)
– Download interview onto laptop; delete from recorder
– Upload via secure web portal to secure server
3) Notified participants
Poll
What encryption does your institution require?
A. No requirements for encryption
B. Depends…on personnel (students vs. other?), data & requirements
C. IT encrypts and IRB isn’t involved
D. Not sure, but I plan to find out
Encrypt Everything
• All mobile devices (e.g., laptops, phones, USB drives) that store, collect, or process data
• Use full drive encryption
• Encrypt data being sent
• Microsoft Office file passwords are NOT a substitute for encryption (or protection): “protect sheet/workbook” and “password to modify” settings only restrict editing and are trivially removed, and even a document-open password does nothing for the rest of the device the file sits on or for the channel it is sent over
Case Study #3: Stolen Laptop
• Field interviewer laptop stolen
• Laptop was company issued and encrypted
Case Study #3: What Abt does
1) Field interviewer notifies IT help desk
2) Verify laptop had full disk encryption, using endpoint-management or recovery-key escrow records, since the device itself is gone (full disk encryption protects data at rest; a laptop taken while powered on with the volume unlocked needs a separate risk assessment)
3) Request that researcher notify police
4) Document incident and police report number
Incident Response Process
Main Players and Data Security Responsibilities
IRB: Ensure researchers protect data; respond to incidents per human subjects regulations
Security: Manage the information security incident response and investigation
IT: Maintain software and hardware used to protect the information
Study Team: Protect data and report incidents
Contracts Department: Support above
Legal Counsel: Support above
1. Preparation
Working against the clock
• Timers for reporting data security incidents and/or breaches to funder or data providers are set in the following:
– Contracts and data use agreements
  • Varies, 24-72 hours and no more than 30 days
– Federal laws and policy
  • PII – 60 minutes (the one-hour clock for federal agencies to report PII incidents to US-CERT)
  • HIPAA – 60 days (the outer limit in the HIPAA Breach Notification Rule, which also requires notice without unreasonable delay)
– State laws
  • MA – “Without unreasonable delay”
  • CA – “Without unreasonable delay”
Other thoughts about timers
• Ethical responsibility
• Reputation
• 30 days is a long time for participants, short for you.
• Better to over report and work out a system with your client/funder/partner/data provider than under report and surprise them. Builds trust.
Case Study #4: Lost Paper
Incident (Event)
• Program site lost 2 consents and baseline form w/SSN
• Forms not found despite weeks of looking and site visit
Incident (Reporting)
• Day 1: Site notified Abt study team
• Day 3: Abt study team notified IRB + Security. Required study director to immediately notify funder
• Day 5: Abt study director notified funder
• Funder said notification took too long
Case Study #4: What Abt did
1) Followed established process once Security was notified
2) Flew to the site and did data security refresher training
3) Explained timers involved to all parties
4) Refined incident reporting process to require simultaneous notification
5) Clarified description of an “incident”
6) Training on details above and remediation that can be taken in the field
7) Notified participants and offered identity theft protection
2. Detection and Analysis
Study Team Reports Incident
IT or Security will ask for the following information to begin any triage:
1. What study data was or may have been lost or disclosed to unauthorized people
2. Why you believe it was lost/disclosed
3. Who it was disclosed to, if known
4. Date and time of all the events
5. What was done, if anything, to reduce the risk of disclosure
Triage – What are the data?
• Protected Health Information (PHI) subject to HIPAA?
• Personally Identifiable Information (PII)?
• Identifiers only?
• Other types of data subject to data agreement requirements?
• What was seen or lost?
• How many records?
There will be false alarms!!!
Classification of Incidents
• Customize with legal counsel, funder, institution expectations
• https://www.us-cert.gov/government-users/reporting-requirements
• Minor incidents that do not require notification
– Incident does not disclose information outside the study team
• Minor incidents that require notification
– Incident that results in a violation of regulation or requirement, but does not rise to the level of breach
• Major incidents that require notification
– Incidents that result in potential harm to participants. The incident satisfies the requirements for “breach”
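The following Python is an added example, not code from the slides or from Abt. It encodes the five intake questions above as an incident record, the three classification tiers on this slide, and the reporting clocks from the Preparation slide, then applies them to a constructed timeline modelled on Case Study #4 (Day 1 site report, Day 5 funder notification). The clock values and tiers are taken from the slides; the field names, the choice to treat any disclosure outside the study team as notifiable, the calendar dates, the 72-hour contract window and both sample incidents are assumptions made for illustration.

```python
"""Notification-clock and classification helper for research data-security incidents.
Added example, not Abt's tooling: clock values and the three incident tiers are from the
slides; field names, handling of disclosure outside the team and the samples are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Clocks from the "Working against the clock" slide. Contract/DUA windows vary (24-72 h,
# never more than 30 days); "without unreasonable delay" clocks have no fixed window (None).
CLOCKS = {
    "contract_72h": timedelta(hours=72),        # use the window from the actual agreement
    "federal_pii_uscert": timedelta(hours=1),   # "PII - 60 minutes" (US-CERT clock)
    "hipaa_breach": timedelta(days=60),         # HIPAA outer limit, not a target
    "state_ma": None,                           # "without unreasonable delay"
    "state_ca": None,
}

MINOR_NO_NOTICE = "minor: no notification required"
MINOR_NOTICE = "minor: notification required"
MAJOR = "major: meets the definition of breach, notification required"

@dataclass
class Incident:
    # The five intake questions from the Detection and Analysis slide
    what_data: str                  # 1. what data was or may have been lost/disclosed
    why_believed: str               # 2. why you believe it was lost/disclosed
    disclosed_to: Optional[str]     # 3. who it was disclosed to, if known
    events: list                    # 4. [(datetime, description), ...] for every event
    mitigation: str                 # 5. what was done to reduce the risk of disclosure
    # Triage answers that drive classification (assumed field names)
    outside_study_team: bool        # data disclosed outside the study team?
    requirement_violated: bool      # regulation or contract requirement violated?
    potential_harm: bool            # potential harm to participants (the "breach" tier)?
    applicable_clocks: list = field(default_factory=list)   # keys of CLOCKS

def discovered_at(inc: Incident) -> datetime:
    """Clocks run from the organization's discovery: the earliest recorded event."""
    return min(t for t, _ in inc.events)

def classify(inc: Incident) -> str:
    """Three tiers from the slides, most severe first. Disclosure outside the study team
    is treated as notifiable even without a violated requirement (assumption: over-report)."""
    if inc.potential_harm:
        return MAJOR
    if inc.requirement_violated or inc.outside_study_team:
        return MINOR_NOTICE
    return MINOR_NO_NOTICE

def deadlines(inc: Incident) -> dict:
    """Absolute deadline per applicable clock; None means no fixed deadline."""
    t0 = discovered_at(inc)
    return {k: t0 + CLOCKS[k] if CLOCKS[k] is not None else None
            for k in inc.applicable_clocks}

def earliest_deadline(inc: Incident) -> Optional[datetime]:
    """The binding deadline is the shortest clock that applies."""
    fixed = [d for d in deadlines(inc).values() if d is not None]
    return min(fixed) if fixed else None

def notification_status(inc: Incident, notified_at: Optional[datetime] = None):
    """(late, hours): hours late if positive, margin if negative; defaults to last event."""
    if notified_at is None:
        notified_at = max(t for t, _ in inc.events)
    dl = earliest_deadline(inc)
    if dl is None:
        return False, None          # no fixed clock, but still notify promptly
    hours = (notified_at - dl).total_seconds() / 3600
    return hours > 0, round(hours, 1)

# Constructed sample modelled on Case Study #4: the Day 1/3/5 sequence is from the
# slide; the calendar dates and the 72-hour contract clock are assumptions.
CASE_4 = Incident(
    what_data="2 paper consent forms and 1 baseline form containing an SSN",
    why_believed="site could not find the forms after weeks of searching and a site visit",
    disclosed_to=None,
    events=[(datetime(2015, 3, 2, 9, 0), "Day 1: site notified Abt study team"),
            (datetime(2015, 3, 4, 9, 0), "Day 3: study team notified IRB and Security"),
            (datetime(2015, 3, 6, 9, 0), "Day 5: study director notified funder")],
    mitigation="search, site visit, refresher training",
    outside_study_team=True, requirement_violated=True,
    potential_harm=True,            # SSN loss: participants notified, ID-theft protection
    applicable_clocks=["contract_72h", "state_ma"],
)

# Constructed hypothetical: export saved to the wrong folder of a study-team-only share.
INTERNAL_MISFILE = Incident(
    what_data="survey export with study IDs only", why_believed="saved to the wrong folder",
    disclosed_to="study team only", events=[(datetime(2015, 4, 1, 14, 0), "analyst reported it")],
    mitigation="file moved, folder permissions re-checked", outside_study_team=False,
    requirement_violated=False, potential_harm=False, applicable_clocks=["state_ma"],
)

if __name__ == "__main__":
    for inc in (CASE_4, INTERNAL_MISFILE):
        print(classify(inc), earliest_deadline(inc), notification_status(inc))
```

Run directly, it prints the tier, the binding deadline and the lateness for both samples. For a real incident, build the Incident from the five intake answers and pass the actual window from the contract or data use agreement. With the assumed 72-hour contract clock, the Day 5 funder notification lands 24 hours past the deadline, which is the "took too long" outcome Case Study #4 reports, and the binding clock is always the shortest one that applies, not the 60-day HIPAA outer limit.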
4. Post-Incident
Post-Incident
• Security
– Provides final incident report to funder
– Notifies them that you consider the matter closed
• IRB (if needed per policy & regulations)
– Request unanticipated problem report
– Notify participants
• IRB and legal counsel with Security
– Determine threshold for notifying externally (e.g., regulators such as OHRP)
– Refer to security regulations
• Lessons learned feed back into prevention
Final Thoughts
• Incident Response is a team effort
• Prepare before study teams collect sensitive data
• Train everyone on requirements and incident reporting process
• Communicate early and honestly with affected parties (participants, data provider, funder, regulators)
• Report incident trends back to study teams and internal partners
For More Info/Resources
• PRIM&R Blog post with data security plan template:
– http://primr.blogspot.com/2015/04/the-role-of-irb-and-information-security.html