Protecting Your Data

Introduction

Certain kinds of information should be kept private. It is the responsibility of those of us who deal with this information to understand which items should be protected and the tools we can use to do so. This topic covers what data should be protected and the tools and policies related to that. We will briefly introduce Vanderbilt policies related to information privacy and provide resources that can be used to get more in-depth understanding. Various tools for data encryption and safe transmission of data will be covered.

Data privacy and protection is a big issue. The unintended disclosure of private information can do harm to the individuals identified. Such disclosure can expose the institution and responsible persons to bad publicity, legal and civil penalties, and/or embarrassment.

I don't want to get too bogged down with the minutiae of privacy policies and regulations. I will present some general definitions and policies and will provide links to sites where the policies, definitions, regulations, and practices can be studied in detail.

Information about data security can be difficult to find on the Vanderbilt web sites.

Disclaimer: This is my own distillation and interpretation of the policies.

Institutions often react precipitously when data under their care is lost or disclosed. If you have done work with the VA then you are aware of how radically their procedures changed following the loss of a VA laptop. In 2006 a laptop and external hard disk containing personal data on 26.5 million veterans and active-duty military personnel was stolen.

What kind of information should be protected?

  • http://privacyruleandresearch.nih.gov/ This is the NIH site for Health Insurance Portability and Accountability Act (HIPAA) information. This is the governing law that spells out the privacy requirements that we must observe.
  • Protected Health Information (PHI) - "PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual." (http://en.wikipedia.org/wiki/Protected_health_information). The same article also describes the difference between de-identification and anonymization.
  • Research Health Information (RHI) - "...a term used by Vanderbilt to identify individually identifiable health information (IIHI) used for research purposes that is not PHI, and thus is not subject to the HIPAA Privacy and Security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a healthcare provider and IIHI is created in connection with the researcher's healthcare provider activities, then the IIHI is PHI and is subject to HIPAA." (http://www.mc.vanderbilt.edu/root/vumc.php?site=hipaa&doc=12204). A lot of our data comes from patients and so is PHI. For our purposes there is not really any difference between PHI and RHI; both have to be handled basically the same way.
  • Another category is "personal information" that may contain individually identifiable information about patients, employees, students, or research participants. Although not necessarily covered by HIPAA regulations, other regulations and Vanderbilt require that this information be protected as well.

This document, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf, comes as close as I have found to being a manageable explanation of the Privacy Rule. Note 15 lists the types of data that constitute PHI; specifically, it lists the items that must be removed to produce a de-identified data set.

It is not always possible to know for sure if particular data must be protected. If there is anything in a data set that might identify a person then the best practice is to assume that it is PHI.

Vanderbilt's Policies

  • Information Privacy & Security Website - The Information Privacy & Security Website for VUMC. Really incomplete. Contains links for Privacy (data breach notification, policies, training), Information Security (file transfer application, encryption), HIPAA, and a FAQ.
  • Vanderbilt Policy on De-Identification - PHI is considered de-identified if all data elements that identify the individual or of relatives, employers, or household members of the individual are removed.
  • Vanderbilt policy on encryption - VMC policy stipulates that when a legitimate business purpose exists requiring an individual to maintain identifiable Protected Health Information (PHI) or Research Health Information (RHI) on a device other than a secure network server, that device must be encrypted.
  • State and federal legislation requires public notification when certain person-identifiable information or PHI is lost or stolen, unless the device containing the data was known to be encrypted (and the pass phrase or key was not lost along with it).

Links to Vanderbilt policy documents

Privacy and Security Training

Tools and practices for protecting data

  • If you can avoid it, don't store PHI, RHI, or other identifying information
    • If you can leave the data on a secure network server then do so. It is safer there, and that satisfies Vanderbilt policy.
    • If you don't need identifying information then don't store it. REDCap, if properly configured, can remove identifying fields before data is downloaded for analysis.
  • Watch out when using cloud storage - Be careful with cloud storage services such as Dropbox, Google Docs, etc. Never place private data on these services, and do not use them as a tool to transfer data to others. Users have no control over how and where data is stored on these services, and you have to control where data is stored in order to protect it.
  • Understand and use de-identification
    • "PHI is considered de-identified if all data elements that identify the individual or of relatives, employers, or household members of the individual are removed."
    • "PHI that is partially de-identified by the removal of all direct identifiers...constitutes a Limited Data Set (LDS). Use of a LDS requires a written data use agreement between Vanderbilt and the LDS recipient."
    • Vanderbilt Policy on De-Identification
  • Secure data transfer
    • Don't use email to transfer data sets that might contain private information.
    • Don't use services like Dropbox or Google Docs to transfer or store data sets that might contain private information.
    • Data-Hippo - Developed by Thomas Dupont as Biostatistics' tool for secure file transfer. Developed before VUMC had an official tool. Encrypts files during transmission and while they are stored on our servers. Files are automatically deleted after delivery or after a set amount of time has passed. Will probably go away someday when Vanderbilt tells us to take it down.
    • VUMC Secure File Transfer - VUMC's official solution for secure file transfer. Same functions as Data-Hippo. Not as easy to use, especially for the recipient.
  • Encryption
    • Policy is pretty clear. If you store PHI/RHI on a mobile device (laptop, flash drive, phone, etc.) then it needs to be encrypted. We now believe that the policy requires encryption on desktop computers, too. Keep in mind that full-disk encryption only protects a device that is powered off or locked when it goes missing; a running, logged-in laptop has the key in memory, so lock or shut down before leaving a device unattended.
    • Check Point Full Disk & Media (for USB drives) Encryption is Vanderbilt's official, recommended solution for data encryption.
      • $50.38 for license and 1 yr of maintenance
      • Supported on Windows, Macintosh, and Red Hat and SuSE Linux. Will probably work on Ubuntu Linux, but not tested.
      • Uses VUnetID for authentication and escrow storage of encryption keys and pass phrases.
    • How to create an encrypted folder or volume (unlike Check Point, these tools do not use VUnetID authentication or escrow the encryption keys and pass phrases, so a forgotten pass phrase means the data is gone):
      • TrueCrypt is free open-source disk encryption software
        • Open-source and free
        • Well supported on many platforms
        • Encrypts a full disk, a single partition, or a mountable container file
        • Caveat: the TrueCrypt developers discontinued the project in May 2014. Existing volumes still open, but use a maintained fork such as VeraCrypt for new volumes.
      • Ubuntu Full Disk Encryption has recently become available (as of Ubuntu version 12.10). It has to be enabled when installing Ubuntu. There are some issues, such as selection of pass phrases, that make this a little difficult for the IT team using current practices. We are looking into this.
      • Encfs is an application that allows you to create encrypted directories. Any file that is placed in such a directory will be encrypted.
        • Easy to install from the Ubuntu repositories (package encfs)
        • Good way to add encryption to a system that was installed without it
        • Caveat: EncFS encrypts file contents and names but leaks file sizes and directory layout, and a 2014 security audit found it does not hold up when an attacker can obtain several snapshots of the encrypted directory (for example from backups or a synced folder). Adequate for a lost laptop; not a way to make a cloud-synced folder safe for PHI.
  • Be careful with email and websites
    • Do not respond to "phishing" email attempts. Phishing is the act of attempting to acquire information such as usernames, passwords, credit card details, etc. by pretending to be a trustworthy entity in an electronic communication.
    • No legitimate entity will ever ask you for your private information (banking information, birth date, etc.) or logon credentials (usernames, passwords, etc.) in an email message. Anyone who does so is a bad guy.
    • Never open an email attachment unless you are expecting its arrival.
  • Use good passwords
    • All the encryption and other stuff is useless if someone figures out your passwords and pass phrases.
    • XKCD 936: Password Strength
    • There is a lot of conflicting information and advice
    • The best advice I see is to use pass phrases that are easy to remember rather than hard-to-remember passwords. A pass phrase is only as strong as the way it was chosen: several words picked at random from a large word list are strong; a familiar quotation or song lyric is not.
    • "Security at the expense of usability comes at the expense of security"
    • Password complexity requirements (upper/lower case, special characters, etc.) sometimes make things harder, not safer.
    • Don't use personal information such as birth dates, children's names, etc. as part of passwords.
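Worked example of the de-identification rules above, covering the Note 15 identifier list under "What kind of information should be protected?" and the de-identification and Limited Data Set bullets under "Tools and practices". This is an example added for this page, not Vanderbilt, REDCap or Data-Hippo code. The column names, the "notes" free-text field and the sample row are constructed for illustration, and the 17 restricted three-digit ZIP prefixes are the ones HHS published with its Safe Harbor guidance (2000 Census figures); check them against current guidance before relying on them.

```python
"""Safe Harbor style de-identification of a small research extract.

Added example for this page; not Vanderbilt's or REDCap's code. Column
names, the sample row and the 'notes' free-text field are constructed.
"""
import re
from datetime import date

# Direct identifiers dropped outright (a subset of the 18 Safe Harbor
# identifiers, keyed by the column names assumed in this example).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street",
                      "device_serial", "url", "ip_address", "photo"}
FREE_TEXT_FIELDS = {"notes"}
BIRTH_DATE_FIELD = "dob"

# Three-digit ZIP prefixes that Safe Harbor requires to be reported as 000
# (HHS guidance set based on the 2000 Census; verify against current guidance).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier-shaped text that tends to hide inside free-text columns.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
}


def year_only(value):
    """Keep only the year of a date; Safe Harbor allows the year alone."""
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value).strip())
    if not m:
        raise ValueError(f"unrecognised date: {value!r}")
    return int(m.group(1))


def generalize_age(age):
    """Ages over 89 collapse into a single '90 or older' category."""
    return 90 if int(age) >= 90 else int(age)


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for small-population prefixes."""
    prefix = str(zip_code).strip()[:3]
    if len(prefix) < 3 or not prefix.isdigit() or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def redact_free_text(text):
    """Replace identifier-shaped substrings in narrative text."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def limited_data_set(record):
    """Limited Data Set: direct identifiers removed, dates and ZIP kept.
    Still needs a data use agreement before it leaves Vanderbilt."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for key in FREE_TEXT_FIELDS:
        if key in out:
            out[key] = redact_free_text(out[key])
    return out


def safe_harbor(record):
    """Apply the Safe Harbor rules to one record (dict of column -> value)."""
    age = generalize_age(record["age"]) if "age" in record else None
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "age":
            out[key] = age
        elif key == BIRTH_DATE_FIELD or key.endswith("_date"):
            # A birth year is itself "indicative of age over 89" for a 90+
            # patient, so it is suppressed rather than reduced to a year.
            suppress = key == BIRTH_DATE_FIELD and age == 90
            out[f"{key}_year"] = None if suppress else year_only(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key in FREE_TEXT_FIELDS:
            out[key] = redact_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Check step: scan every string value for identifier-shaped text."""
    return [(key, label) for key, value in record.items() if isinstance(value, str)
            for label, pattern in PATTERNS.items() if pattern.search(value)]


# Constructed sample row for a fictional patient.
SAMPLE_ROW = {
    "name": "Jane Q. Example",
    "mrn": "00123456",
    "dob": "1921-05-17",
    "admit_date": "2012-11-03",
    "age": 91,
    "zip": "37232",
    "sex": "F",
    "a1c": 7.4,
    "notes": "Pt called from 615-555-0142 re: follow-up; see chart 2012-11-03.",
}

if __name__ == "__main__":
    print("Limited Data Set:", limited_data_set(SAMPLE_ROW))
    print("Safe Harbor:", safe_harbor(SAMPLE_ROW))
    print("Residual identifiers:", residual_identifiers(safe_harbor(SAMPLE_ROW)))
```

The `residual_identifiers` scan is the check to run before any data set leaves the group: free-text fields (notes, comments, "other" responses) are where identifiers survive an otherwise careful export. On the sample row it flags the phone number and the dates in `notes` and the raw date columns, and nothing in the Safe Harbor output. The Limited Data Set keeps the dates and the full ZIP code, which is exactly why it still requires a data use agreement.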

Loss reporting

  • Vanderbilt University Medical Center (VUMC) policy requires appropriate notification(s) in the event of any unauthorized acquisition, access, use or disclosure of individually identifiable patient or other personal information...
  • Known or suspected incidents involving breach of PHI are reported to the VMC Privacy Office.
  • If you lose a laptop or other device, let someone know immediately. Someone on the IT team or the Administrative Officer can help make the appropriate notifications.

Contact the IT Team at biostat-it@list.vanderbilt.edu if you have any questions or concerns.

-- DalePlummer - 14 Jan 2013
Topic attachments
  • ProtectingYourData.pdf - 184.0 K - 16 Jan 2013 11:43 - DalePlummer
  • protecting_your_data.pdf - 764.8 K - 10 Sep 2013 16:52 - DalePlummer
  • protecting_your_data2.pdf - 1960.0 K - 11 Sep 2013 13:00 - DalePlummer
  • protecting_your_data2.pptx - 2533.8 K - 11 Sep 2013 13:00 - DalePlummer
Topic revision: r10 - 07 Aug 2014, DalePlummer