University of Pittsburgh
Department of Critical Care Medicine
CRISMA Center Data Management Core
Standard Operating Procedures

University of Pittsburgh Data Center Information Security

CRISMA Data Management SOP: Pitt Information Security
Archive Date: 6.01.11
Purpose

This document describes the CRISMA Center's policies for the storage, access, security and use of human subject data in University of Pittsburgh computing environments.

Scope

This document applies to all personnel employed by CRISMA or using any computer owned and operated by CRISMA; all computers owned or operated by CRISMA; and all human subject data managed by CRISMA within the University of Pittsburgh computing environment.

Definitions

Protected Health Information (PHI). Any information about health status, provision of health care or payment for health care that can be linked to a specific individual.

HIPAA Privacy Rule. The portion of the Health Insurance Portability and Privacy Act of 1996 that governs use and disclosure of PHI. Under the Privacy Rule, PHI can be used for research purposes with either patient approval or a waiver by an authorized regulatory agency.

Common Rule. US Federal regulations for the protection of human subjects in research, described by the Department of Health and Human Services in the Code of Federal Regulations, Title 45 Part 46.

De-identified data. Health data that does not contain the unique identifiers defined by HIPAA.

Limited data set. A de-identified data set that contains (a) geographic subdivisions no smaller than a town, city, state or ZIP code; (b) dates; or (c) ages over 89.

Safe harbor data set. A de-identified data set that contains none of the unique identifiers.

Researcher. As defined by the Common Rule, any individual conducting or assisting in the conduct of a systematic investigation designed to develop or contribute to generalizable knowledge.

Data management team. The CRISMA operations manager and the data developers responsible for ensuring compliance with HIPAA, the Common Rule, and other regulatory requirements for the use of human subject data.
Responsibilities

Research team responsibilities

CRISMA researchers are responsible for ensuring that CRISMA research projects involving PHI are reviewed and approved by the University of Pittsburgh Institutional Review Board (IRB). CRISMA researchers are responsible for adhering to IRB-approved data storage and analysis policies at all times. Team members must undergo human subjects research training and annual data security training, and are required to maintain strong passwords.

CRISMA Data Management Core SOP: Pitt Information Security 6.01.11 Page 1
Data management team responsibilities

The Data Management Team is responsible for enforcing the procedures described in this document for the storage, access, security and use of data. The Data Management Team includes:
- Tammy Young, CRISMA Operations Manager
- Jeremy Kahn, Faculty Advisor, Data Management Core
- Charles Kollar, Programmer and Systems Administrator
- Their immediate designees

Procedures

Overview

The CRISMA Pitt Data Management Core is a highly secure analytic platform specifically designed for large research projects with sensitive information.

Data types

Data stored by the CRISMA Pitt Data Management Core are restricted to clinical and other biomedical data generated as part of a CRISMA-affiliated research project. Data containing direct personal identifiers are allowed only with the explicit permission and monitoring of the University of Pittsburgh Vice Provost for Academic Planning and Resources Management.

Receipt of data

Data can be received either electronically or physically on electronic media. Data transmitted electronically are encrypted using a FIPS 140-2 compliant software package, with passwords communicated separately via a secure, pre-approved source. Data transmitted physically are manually loaded onto Pitt servers using a secure local interface.

Physical data security

Data Management servers are housed at the University of Pittsburgh Network Operations Center (NOC), located in the Regional Industrial Development Complex (RIDC) Park in Blawnox, Pennsylvania. The NOC is a secure, guarded facility that houses sensitive, private and protected data for the University of Pittsburgh. The building is locked, staffed and patrolled 24 hours per day. Access is restricted to authorized personnel with appropriate photo identification and security clearance. The server room has advanced climate control, a redundant power supply and non-liquid fire protection. All aspects of the NOC comply with both HIPAA regulations and the Federal Information Security Management Act (FISMA) for the management of sensitive data.
Electronic data security

CRISMA uses Penguin Niveus 4200 multi-processor, multi-core servers with approximately 10 terabytes of disk storage in a RAID 10 configuration, running the openSUSE 11.4 Linux operating system. All data are backed up daily to tape by Pitt NOC personnel, with tapes stored in locked cabinets within the server room.

The servers are partitioned into two separate Virtual Local Area Networks (VLANs), both of which use multiple firewalls and industry-standard encryption technologies to protect the data. One VLAN is for data containing direct personal identifiers; the other is for limited and safe harbor data sets.

On the VLAN holding personal identifiers, access to the servers is through a UNIX shell over a secure shell (SSH) connection using public/private key authentication (one key pair per user) and an additional VPN. Each user process (including the shell) runs in its own chroot jail, and signatures of the jail file system are maintained. The user's home directory is password-encrypted, and the user has write access only within their home directory. Outbound network access is blocked by the firewall. Only cipher text is saved during system backups, and the corresponding clear text is removed from the system within one hour of user logout. This process allows data containing PHI to be managed and analyzed directly in a secure environment with an exceptional level of security.

On the VLAN holding limited data sets, direct user interface is through a UNIX shell accessed remotely via a password-protected secure shell (SSH) connection and an additional VPN. This level of security is both FISMA and HIPAA compliant, allowing highly sensitive data to be managed and analyzed directly in a secure environment. Data on the servers reside behind industry-strength firewalls running at both the server and VLAN level. Data are managed and analyzed using SQL, SAS, Stata or MATLAB.
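The "signatures of the jail system" mentioned above can be made concrete. The following shell script is an added example and not CRISMA's own tooling: it records a SHA-256 manifest of every regular file in a chroot jail and later re-checks the live tree against that manifest, reporting files whose content changed, files that disappeared, and files that appeared without being recorded. The jail layout, file contents and paths in the demonstration are constructed, and the script assumes GNU coreutils (sha256sum, comm, cut) as shipped with an openSUSE system.

```shell
#!/bin/sh
# Added example, not CRISMA tooling: keep a SHA-256 manifest ("signature") of a
# chroot jail's files and detect drift against it. Requires GNU coreutils.
# The jail layout and file contents used in the demo are constructed.

# to_abs PATH: make PATH absolute so it can be used after a cd into the jail.
to_abs() {
    case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s\n' "$PWD/$1" ;; esac
}

# jail_sign JAIL MANIFEST
# Write one "<sha256>  ./relative/path" line per regular file under JAIL, in a
# fixed sort order so manifests of identical trees compare byte-for-byte.
jail_sign() {
    j=$1
    m=$(to_abs "$2")
    ( cd "$j" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done ) > "$m"
}

# jail_verify JAIL MANIFEST
# Returns 0 only if every recorded file is present with its recorded hash and no
# unrecorded regular file has appeared. Each finding is printed on its own line:
#   ./path: FAILED               content changed
#   ./path: FAILED open or read  recorded file missing or unreadable
#   ./path: UNRECORDED           file present but absent from the manifest
jail_verify() {
    j=$1
    m=$(to_abs "$2")
    rc=0
    # Changed or missing files, as judged by sha256sum against the manifest
    ( cd "$j" && sha256sum --check --quiet "$m" 2>/dev/null ) || rc=1
    # Added files: paths in the live tree that the manifest does not list.
    # A manifest line is 64 hex chars + two spaces + path, so the path starts at column 67.
    expected=$(mktemp)
    actual=$(mktemp)
    cut -c 67- "$m" | LC_ALL=C sort > "$expected"
    ( cd "$j" && find . -type f | LC_ALL=C sort ) > "$actual"
    added=$(LC_ALL=C comm -13 "$expected" "$actual")
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/$/: UNRECORDED/'
        rc=1
    fi
    rm -f "$expected" "$actual"
    return $rc
}

# Constructed demonstration: sign a toy jail, verify it, then alter it and verify again.
# Returns 0 when the pristine tree passes and the altered tree is flagged.
demo_drift_detection() {
    dj=$(mktemp -d)
    dm=$(mktemp)
    mkdir -p "$dj/bin" "$dj/etc"
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$dj/etc/passwd"   # constructed content
    printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$dj/bin/sh"     # constructed content
    jail_sign "$dj" "$dm"
    if ! jail_verify "$dj" "$dm"; then
        echo "unexpected: pristine jail reported drift"; return 1
    fi
    echo "pristine jail: manifest matches"
    printf 'extra line\n' >> "$dj/etc/passwd"                  # simulate a modified file
    : > "$dj/bin/extra"                                        # simulate an added file
    if jail_verify "$dj" "$dm"; then
        echo "unexpected: altered jail passed"; return 1
    fi
    echo "altered jail: drift detected"
    rm -rf "$dj" "$dm"
}

demo_drift_detection
```

Sign the jail once after it is built, keep the manifest outside the jail where the jailed user cannot write, and re-verify on a schedule (the weekly intrusion detection scan described in this SOP is a natural slot) and after every patch cycle, re-signing only after a deliberate change. Note that `find -type f` covers regular file content only; if ownership, permissions or symlink targets must also be attested, a second manifest built from `stat` output would be needed.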
All data management and analysis applications are run directly on the server, eliminating the need to house data on desktop or laptop computers, which pose a greater security risk. SSH X11 forwarding is used to allow users to display graphical output on local workstations. Access to the data is limited by the CRISMA Data Management Team, with permissions managed by the team and governed by the CRISMA Executive Committee. Pitt Information Technology administrators and non-study personnel are unable to access unencrypted data. Intrusion detection scans are run weekly on the servers, and the availability of operating system updates and patches is checked every six hours. All server logs are recorded onto a logging server, and regular port scans are run by NOC IT.

Data usage

All data must be managed and analyzed directly on the secure server. Downloading of PHI and limited data sets is prohibited except as specified in a properly executed DUA. Downloading of safe harbor data is allowed after appropriate honest brokering is performed in accordance with the CRISMA Data Management Core Honest Broker SOP. Safe harbor data sets must still be safeguarded on password-protected computers at all times in accordance with project-specific IRB guidelines. Access to data is provided only after submission of proof of IRB approval and proof of HIPAA and human subjects research training.

Approval

This CRISMA Standard Operating Procedure was approved by the CRISMA Executive Committee on 6.01.2011.