Protecting Research Data Scott Weinman, CISSP, CISA, CPA, MBA, MS Sean Gallagher

Post on 11-Jul-2020


Page 1: Protecting Research Data · Identifiers Understand and document all the identifiers that will be collected. • Collect only data that is necessary • Code identifiers when possible

Protecting Research Data

Scott Weinman, CISSP, CISA, CPA, MBA, MS

Sean Gallagher

Page 2

Agenda

• Who are we?

• Why is data security important?

• Data security guidance

• Questions

Page 3

Who are we?

Sean Gallagher

• Pitt IT – IT Security Department

• IT Security Analyst – Policy and Compliance

• Business analyst at HM Health Solutions

• Completed Cyber Security training at SecureSet Academy

Page 4

Who are we?

Scott Weinman

• Pitt IT – IT Security Department

• Senior IT Security Analyst – Policy and Compliance

• 20 years of IT and financial control implementation and testing in healthcare, banking, and education

• CISSP, CISA, CPA, MBA, and MS-ISM

Page 5

Who are we?

Pitt IT

Provides innovative services that support learning, teaching, research, and business.

To learn more go to: https://www.technology.pitt.edu/services

IT Services

• Data Networking
• Security Consulting Services
• Web Hosting
• Help Desk
• Voice and Telephone
• Qualtrics (online survey)
• Software Packages
• Managed Server Hosting
• Cloud Services
• Globus (file transfer)
• Research Computing
• Virtual Private Network (VPN)
• Email
• Software downloads
• LastPass

Page 6

Who are we?

Pitt IT Security

Provides services to protect the confidentiality, integrity, and availability of the data.

To learn more go to: https://www.technology.pitt.edu/services

Security Services

• Firewall requests
• Security training
• Phishing training
• Security consulting
• Incident Response
• Logging and Monitoring
• Centralized anti-virus
• Vulnerability scans
• IRB reviews/consultations
• Contract reviews
• NIST 800-171 reviews
• Vendor reviews

Page 7

Data Security Consultation

https://www.technology.pitt.edu/247-it-help-desk

Page 8

Incident Reporting

If you suspect your computer or data has been compromised, contact the Pitt IT Help Desk immediately.

412-624-HELP (4357)

For more information go to: https://www.technology.pitt.edu/security/incident-response

Page 9

Why is data security important?

Page 10

Why is data security important?

• Protect your participant’s personal data

• Protect your research data with consideration for confidentiality, integrity, and availability

• Protect your own and the University’s intellectual property and reputations

• PI is responsible for data security and compliance with contract requirements such as NIST 800-171, FISMA, Cybersecurity Maturity Model Certification (CMMC), etc.

Page 11

Data Security Guidance

The Principal Investigator is responsible for the security of the data.

• Is the data high risk/value?

• Where is the data going to be processed, stored, and transmitted?

• How will access be managed?

• How will confidentiality, integrity, and availability of the data be achieved?

Page 12

Data Security Guidance

Collecting and Coding

• Collect only the data you need.

• Code (de-identify) data as much as possible.

• Use study-created email addresses ([email protected])

• Store linkage spreadsheets separate from coded data.

• Create basic data flow diagrams to understand the devices and locations where data will be processed, stored, and transmitted.

• Transmit and store data in locations where it is absolutely necessary and only for as long as necessary.

Page 13

Data Security Guidance

Access Controls

• Unique user names and complex passwords/passphrases

• Multifactor

• Role-based security

• Least privilege

• Control admin rights

• No anonymous links

• Periodic access reviews

Page 14

Data Security Guidance

Storage Types

Storage (columns: De-identified, Identifiable, Identifiable/Sensitive)

• Pitt NOC Server
• Pitt Department Server (E)
• UPMC Managed Server
• Third Party Collaborator Server (E, C)
• Other Server Storage (E, C)

= Not approved for storage

= Approved for storage

E = Encryption required

C = Data Security Consultation required

Page 15

Data Security Guidance

Storage Types

Storage (columns: De-identified, Identifiable, Identifiable/Sensitive)

• Pitt Box (C)
• Pitt OneDrive/SharePoint Online (C)
• Pitt Azure/AWS (C)
• UPMC OneDrive/SharePoint Online
• Other Cloud Storage (survey tools, apps) (E, C)

= Not approved for storage

= Approved for storage

E = Encryption required

C = Data Security Consultation required

Page 16

Data Security Guidance

Storage Types

Storage (columns: De-identified, Identifiable, Identifiable/Sensitive)

• Pitt desktop/laptop (E)
• UPMC desktop/laptop (E)
• Personal desktop/laptop (E)
• Portable storage (USB, DVD, etc.) (E)
• Other Cloud Storage – Personal Accounts (Dropbox, Google)

= Not approved for storage

= Approved for storage

E = Encryption required

C = Data Security Consultation required

Page 17

Data Security Guidance

Encryption

• In transit

  • HTTPS/TLS

• Stored

  • Disk – FileVault, BitLocker (contact the Help Desk)

  • File level – SecureZip (software.pitt.edu)

Page 18

Data Security Guidance

Mobile Device Security

• Password/Pin

• Screen lock timeout

• Encrypt the device

• Download only trusted apps (Google Play; Apple Store)

• Permission list – location, camera, contacts, logs

• Remote wipe

Page 19

Data Security Guidance

Basic Security Controls

• Privacy policies (3rd party apps, websites)

• End-user license agreements

• Non-disclosure agreements

• Non-compete agreements

Page 20

Data Security Guidance

How can Pitt IT Security help with basic security controls?

Security Control – Pitt Services

• Vulnerability management/patching – Security scans, reports, managed servers, managed desktops

• Logging and monitoring – Centralized log collection and alerting

• Anti-virus installed, updated, and monitored – Centrally managed Symantec anti-virus

• Firewalls – Centrally managed firewalls

• Incident response – Incident response team trained in forensic investigations

• Security training – Security training to departments

• Study email addresses – Create study email addresses

Request services by calling the Pitt IT Help Desk (412) 624-HELP (4357)

Page 21

Data collection using text messaging

Text messages are not always encrypted through the whole transmission or storage process.

(phone → tower → mobile provider → provider database)

Text Messaging Risks

• Not a secure form of communication

• Not always encrypted when transmitted or stored

• Stored on service providers’ servers

Recommendations for decreasing risks

• Utilize study phones to preserve anonymity

• Do not text sensitive, identifiable information; keep it general

• Include language in the consent form detailing the risks of text messaging

Page 22

PittBox

Any type of data can be stored in PittBox, BUT Pitt IT Security MUST be consulted PRIOR to storing PHI or other sensitive data.

• Specific controls MUST be implemented

• Access MUST be managed

• Anonymous links CANNOT be used

Page 23

General Data Protection Regulation (GDPR)

• European law that established protections for privacy and security of personal data about individuals in European Economic Area (“EEA”)-based operations and certain non-EEA organizations that process personal data of individuals in the EEA. It applies to the collection and use of personal information:

• Through activities within the borders of EEA countries

• That is related to offering goods and services to EEA residents, or

• That involves monitoring the behavior of EEA residents.

• Submit specific questions to [email protected]

Page 24

PittPRO Data Management

Section – Guidance

Identifiers – Understand and document all the identifiers that will be collected.

• Collect only data that is necessary

• Code identifiers when possible

Technologies – Understand and document all tools used to collect, store, or transmit data.

• Code data - Participant1,[email protected]

• Data flow – Where and how is the data transmitted

• Access Controls – usernames, passwords, multifactor

• Data transmission – HTTPS/TLS

• Storage locations – Pitt/UPMC servers, Other servers, Cloud (Azure, AWS)

• Devices/Websites/Apps – Request security reviews, Read privacy policies

• Risks – Document in consent form

• Sensitive identifiable data – Encrypt data in transit and when stored

Page 25

PittPRO Data Management

Section – Guidance

Storage – Understand and document all storage locations.

• Keep servers, laptops/desktops, other devices updated

• Keep anti-virus up to date

• Encrypt

• See the data storage guidance in the Storage Type slides

Page 26

Collaborator/Vendor Security Reviews

When data is not on Pitt or UPMC devices or infrastructure, Pitt IT must perform a security review of the collaborator or vendor.

• Collaborators – Pitt IT meets with collaborators to understand the security controls in place

• Vendors – Pitt IT sends the vendor a security questionnaire

• Researchers can request a vendor security review by completing a Qualtrics questionnaire:

https://pitt.co1.qualtrics.com/jfe/form/SV_6tV3eIiDKESNYMJ

Page 27

Movement Studies and Data Security

Movement Studies

• Clearly identify the risks in the consent form

• Let the participants know their location will be tracked and recorded

• Code data as much as possible

• Limit the data that is being collected

• Use study devices and not a participant’s device

• Read the privacy policies of any apps or devices

• Understand where the data is transmitted and stored

Page 28

3rd Party Apps

Risky due to the loss of control of the data

What steps to take…

• Involve Pitt IT Security early on

• Request a vendor security review

• Code data: logins and email addresses

• Whose device is used? (researcher’s, participant’s)

• Read the privacy policies and end user license agreements

• Disable unnecessary features: location tracking, access to other functions

• Understand the security controls in place: access controls, storage locations, encryption

Page 29

Pitt’s CTSI REDCap

Pitt’s CTSI REDCap:

• Network Operation Center’s (NOC) servers

• Behind Pitt firewalls

• Data is encrypted in transit but not at rest

• Separate identifiable data from research data when entering into REDCap

• Use a study ID

• Separate table or file linking the identifiers with the study ID

• Social Security numbers are not permitted in REDCap

• Not FDA Part 11 compliant or HIPAA compliant

• Contact Clinical Translation Science Institute (CTSI) – ctsi.pitt.edu for further guidance
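The coding step the slides describe on pages 12, 24 and 29 (replace direct identifiers with a study ID and keep the linkage table in a separate file), as an added Python example that is not part of the original slides; the roster rows are constructed, and treating name, email and phone as the direct identifier columns is an assumption for the example:

```python
"""Added example (not from the Pitt IT slides): code a participant roster into a
study-ID dataset plus a separate linkage table, then check that no identifier
value leaked into the coded rows before the coded file leaves the secure location."""
import csv
import io
import secrets

# Columns treated as direct identifiers: an assumption for this example.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed roster standing in for what a study collected before coding.
RAW_ROSTER = """name,email,phone,age,steps_per_day
Alice Example,alice@example.org,412-555-0101,34,8200
Bob Sample,bob@example.org,412-555-0102,41,6100
"""


def code_roster(raw_csv, id_prefix="Participant"):
    """Return (coded_rows, linkage_rows).

    coded_rows carry only the study ID and research fields; linkage_rows carry
    the study ID next to the identifiers and must be stored apart from the coded
    data (the slides' 'linkage spreadsheet'). Study IDs are random rather than
    sequential so that ID order does not reveal enrolment order."""
    coded, linkage, used = [], [], set()
    for row in csv.DictReader(io.StringIO(raw_csv)):
        study_id = f"{id_prefix}{secrets.randbelow(10**6):06d}"
        while study_id in used:  # regenerate on the rare collision
            study_id = f"{id_prefix}{secrets.randbelow(10**6):06d}"
        used.add(study_id)
        linkage.append({"study_id": study_id,
                        **{k: row[k] for k in DIRECT_IDENTIFIERS}})
        coded.append({"study_id": study_id,
                      **{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}})
    return coded, linkage


def leaked_identifiers(coded_rows, linkage_rows):
    """Return every identifier value from the linkage table that still appears
    in any field of the coded rows (empty set means the coded file is clean).
    Catches identifiers pasted into free-text fields, not only the dropped columns."""
    ident_values = {row[k] for row in linkage_rows for k in DIRECT_IDENTIFIERS}
    return {v for row in coded_rows for v in row.values() if v in ident_values}


if __name__ == "__main__":
    coded, linkage = code_roster(RAW_ROSTER)
    print("coded:", coded)
    print("linkage (store separately):", linkage)
    print("leaked:", leaked_identifiers(coded, linkage))
```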

Page 30

Wi-Fi Security Considerations

• Utilizing free Wi-Fi without using a VPN is strongly discouraged especially when sensitive, identifiable information is stored on or transmitted from your computer. (Files containing sensitive, identifiable data must be encrypted with a tool like SecureZip with the strong password stored separately from the data.)

• Security recommendations:

• Utilize a VPN to establish a secure network connection. (Pitt IT offers Pulse through software.pitt.edu.)

• Only access sites that start with HTTPS:

• Turn off the public folder sharing option on your computer.

• Be aware of your surroundings

Page 31

Collaboration and Data Security

Data Security Considerations when Collaborating:

• Access controls in place? Grant the minimum access necessary

• Periodic access reviews performed?

• Non-disclosure agreements in place?

• Data use agreements in place?

• Are the collaborators internal or external to Pitt? If external, will they be storing data?

• If external, what are their security controls?

Page 32

Health Records Research Request (R3)

Information regarding R3 services can be found at:

http://rio.pitt.edu/services

Page 33

Questions

Questions?

Contact Information

Sean Gallagher

Email: [email protected]

Scott Weinman

Email: [email protected]

Page 34

Thank You

Protecting Research Data

Page 35

References

• https://slate.com/technology/2018/06/facebook-changed-14-million-peoples-privacy-settings-to-public-without-warning-due-to-a-bug.html (slide 8)

• https://www.wired.com/story/facebook-exposed-87-million-users-to-cambridge-analytica/ (slide 8)

• http://science.sciencemag.org/content/359/6383/1450 (slide 8)

• https://www.cnn.com/2018/01/28/politics/strava-military-bases-location/index.html (slide 8)

• https://www.cnn.com/2018/03/27/us/atlanta-ransomware-computers/index.html (slide 8)

• https://www.forbes.com/sites/tonybradley/2018/03/30/security-experts-weigh-in-on-massive-data-breach-of-150-million-myfitnesspal-accounts/#6623150f3bba (slide 8)

• https://www.theverge.com/2019/11/1/20943318/google-fitbit-acquisition-fitness-tracker-announcement (slide 26)

• https://www.wsj.com/articles/iphone-privacy-is-brokenand-apps-are-to-blame-11559316401 (slide 27)