Agenda. About Our Work and Team. Background 5/11/2015. Background Prevention Incident Response Process

Transcription

1 Agenda Data Security Incidents: The Role of IRBs and Information Security Teresa Doksum, PhD, MPH & Sean Owen, CISSP, CAP, CRISC May 22, 2015 Background Prevention Incident Response Process 1. Preparation 2. Detection and Analysis 3. Containment and Eradication 4. Post-incident Abt Associates Pg 2 Background About Our Work and Team Our Work Social-behavioral research and evaluation Funders include U.S. and other governments, foundations IRB volumes (annually): 100 non-exempt human subjects research studies/yr 100 studies exempt or nonresearch w/sensitive data Our Team IRB Chair + Administrator Members: 12 voting Client Cybersecurity Team Dept partners Abt Associates Pg 3 Abt Associates Pg 4 1

2 Definitions PII Personally Identifiable Information PII has varying levels of sensitivity Consider what the PII is paired with PHI Protected Health Information per HIPAA Incident Security event that results in the loss of data confidentiality, integrity, or availability Loss of confidentiality is data being disclosed to someone who shouldn t see it Breach Loss of confidentiality of data protected under HIPAA. Breach can also have other meanings depending on the data (i.e., federal/state/contractual definitions of breach) Abt Associates Pg 5 Abt Associates Pg 6 Case Study #1: PII External study partner s PII to Abt researcher Case Study #1: What Abt does 1) Abt researcher notifies Abt IT help desk 2) Incident response team engaged 3) IRB helps identify level of sensitivity/requirements 4) Sender and receiver deletes and provides confirmation to incident response team 5) Abt researcher: Tells sender to not PII and reminds them of approved protocol Completes any additional steps required by Abt s Security team or the sender s security team Abt Associates Pg 7 Abt Associates Pg 8 2

3 Prevention Build Partnerships and Collaboration You need 5+ partners to be successful IT helpdesk manager Security manager or higher IRB chair or staff Legal counsel Grant/contracts department manager or higher Defined SOP s and templates for data security A communication strategy (meetings, posters, reminders) A training strategy for researchers AND PARTNERS Abt Associates Pg 9 Abt Associates Pg 10 Require Detailed Data Security Plan Main Contents of Data Security Plan Describes data in detail, including data dictionary/variable lists Documents flow of data from start of study to end among all study partners Identifies tools to protect data for each step Includes retention/destruction requirements Identifies applicable security/privacy regulations Lists training staff will take (CITI, HIPAA, general security awareness, study-specific) and promises to give a copy of data security plan to all staff Electronic Data Flow Chart from Data Security Plan Abt Associates Pg 11 Abt Associates Pg 12 3

4 Example of Inadequate Data Security Plan Original Abt IRB protocol section for data security: Describe the provisions to protect the privacy of subjects and to maintain the confidentiality of data Result: sparse, generic text to gain IRB approval: All staff will promise to keep data confidential Data will be stored in locked file cabinets Data will be stored in password protected computers and folders Case Study #2: Lost Audiorecorder Subcontractor travelled to site to conduct interviews Used a digital audiorecorder Sub s IRB approved study w/few data security details Digital audiorecorder lost half way through trip and interviews Abt Associates Pg 13 Abt Associates Pg 14 Case Study #2: What Abt did 1) Reported to both IRBs and funder 2) Security worked w/sub to develop procedures to prevent another incident (and continue interviews) Download interview onto laptop; delete from recorder Upload via secure web portal to secure server 3) Notified participants Poll What encryption does your institution require? A. No requirements for encryption B. Depends on personnel (students vs. other?), data & requirements C. IT encrypts and IRB isn t involved D. Not sure, but I plan to find out Abt Associates Pg 15 Abt Associates Pg 16 4

5 Encrypt Everything All mobile devices (e.g., laptops, phones, USB drives) that store, collect, process data Use full drive encryption Encrypt data being sent Microsoft file passwords are NOT encryption (or protection) Case Study #3: Stolen Laptop Field interviewer laptop stolen Laptop was company issued and encrypted Abt Associates Pg 17 Abt Associates Pg 18 Case Study #3: What Abt does 1) Field interviewer notifies IT help desk 2) Verify laptop had full disk encryption 3) Request that researcher notify police 4) Document incident and police report number Incident Response Process National Institute of Standards and Technology (NIST) SP rev.2 Abt Associates Pg 19 Abt Associates Pg 20 5

6 Main Players and Data Security Responsibilities 1. Preparation IRB Security IT Study Team Contracts Department Legal Counsel Ensure researchers protect data; respond to incidents per human subjects regulations Manage the information security incident response and investigation Maintain software and hardware used to protect the information Protect data and report incidents Support above Support above Abt Associates Pg 21 Abt Associates Pg 22 Working against the clock Timers for reporting data security incidents and/or breaches to funder or data providers are in the following: Contracts and data use agreements Varies, hours and no more than 30 days.. Federal Laws PII 60 minutes HIPAA 60 days State Laws MA Without unreasonable delay CA Without unreasonable delay Other thoughts about timers Ethical responsibility Reputation 30 days is a long time for participants, short for you. Better to over report and work out a system with your client/funder/partner/data provider than under report and surprise them. Builds trust. Abt Associates Pg 23 Abt Associates Pg 24 6

7 Case Study #4: Lost Paper Case Study #4: What Abt did Incident (Event) Program site lost 2 consents and baseline form w/ssn Forms not found despite weeks of looking and site visit Incident (Reporting) Day 1: Site notified Abt study team Day 3: Abt study team notified IRB +Security. Required study director to immediately notify funder Day 5: Abt study director notified funder Funder said notification took too long 1) Followed established process once Security was notified 2) Flew to the site and did data security refresher training 3) Explained timers involved to all parties 4) Refined incident reporting process to require simultaneous notification 5) Clarified description of an incident 6) Training on details above and remediation that can be taken in the field 7) Notified participants and offered identity theft protection Abt Associates Pg 25 Abt Associates Pg Detection and Analysis Study Team Reports Incident IT or Security will ask for the following information to begin any triage: 1. What study data was or may have been lost or disclosed to unauthorized people 2. Why you believe it was lost/disclosed 3. Who it was disclosed to, if known 4. Date and time of all the events 5. What was done, if anything, to reduce the risk of disclosure Abt Associates Pg 27 Abt Associates Pg 28 7

8 Triage What are the data? Protected Health Information (PHI) subject to HIPAA? Personally Identifiable Information (PII)? Identifiers only? Other types of data subject to data agreement requirements? What was seen or lost? How many records? There will be false alarms!!! Classification of Incidents Customize with legal counsel, funder, institution expectations Minor incidents that do not require notification Incident does not disclose information outside the study team Minor incidents that require notification Incident that results in a violation of regulation or requirement, but does not rise to the level of breach Major incidents that require notification Incidents that result in potential harm to participants. The incident satisfies the requirements for breach Abt Associates Pg 29 Abt Associates Pg Containment and Eradication Containment & Eradication Abt Associates Pg 31 Abt Associates Pg 32 8

9 4. Post-Incident Post-Incident Security Provides final incident report to funder Notifies them that you consider the matter closed IRB (if needed per policy & regulations) Request unanticipated problem report Notify participants IRB and legal counsel with Security Determine threshold for notifying externally (e.g., regulators such as OHRP) Abt Associates Pg 33 Refer to security regulations Lessons learned feeds back into prevention Abt Associates Pg 34 Final Thoughts Incident Response is a team effort Prepare before study teams collect sensitive data Train everyone on requirements and incident reporting process Communicate early and honestly with affected parties (participants, data provider, funder, regulators) Report incident trends back to study teams and internal partners For More Info/Resources PRIM&R Blog post with data security plan template: Sean_Owen@abtassoc.com; Teresa_Doksum@abtassoc.com; Abt Associates Pg 35 Abt Associates Pg 36 9