Educause Security Discussion mailing list archives
Re: research data security
From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Wed, 4 Nov 2009 18:16:09 -0500
We completed an RFI for IT-GRC products with Agiliance, Archer, Brabeion and Modulo, but funding has become an issue, so this project is currently on hold. Most of our human subjects research is covered by HIPAA rules and we are grappling with NIH contracts and VA.gov data with onerous FISMA requirements (Federal Information Security Management Act). We are also seeing an increase in non-HIPAA covered human subjects research using data sets from BLS, dbGaP-NCBI and UNC-Add Health -- which all have unique security requirements.

The issue of federated identity management is also becoming more of a research issue -- especially with NIH funding where they are being asked/required to share research data with other organizations doing similar protocols -- including human subjects data that is not de-identified -- and where the University is acting as a data repository for multi-center clinical trials.

Since a substantial amount of our compliance efforts are currently related to HIPAA (and to a lesser degree FISMA), in our review and revision of IT (and records management & protection) policies and procedures, we are trying to align with NIST (csrc.nist.gov) since both HHS.gov (enforcement for HIPAA), NIH and FISMA reference their standards and guidance. In coordination with our IRB we created an 'Interim Guidance on Human Subjects Research Data Security' (http://www.yale.edu/its/policy/GuidanceClassification.pdf) until we have revised policies and procedures.

--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu

Steve Brukbacher wrote:
Thanks for the reply. I recently had an RFI out for a GRC product. Didn't get anything from Archer unfortunately. Our vision is to purchase a HIPAA module for a GRC product, similar to what you are talking about. So what do you get for your subscription to HI Trust? Conceptually, my goal has been to do what you are talking about. Funding it is turning out to be another matter entirely, but it is very comforting to hear that this is working for someone else.
--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Architect
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224

Chris Kidd wrote:
> Steve,
>
> We are embarking on a similar effort with the IRB, but are also pulling in the Office of Sponsored Projects. We're using the HI Trust Alliance Common Security Framework (anyone else using that?) with Archer. Our initial thoughts are that the inherent/residual risk questionnaires would become a part of the research and grant application processes.
>
> Let me know what you come up with.
>
> Chris
>
> Chris Kidd
> Chief Information Security and Privacy Officer
> The University of Utah
> 650 Komas Drive, Suite 102
> Salt Lake City, UT 84108
> Office: 801.587.9241
> Cell: 801.747.9028
> chris.kidd () utah edu
>
> http://www.secureit.utah.edu
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Brukbacher
> Sent: Wednesday, November 04, 2009 1:06 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] research data security
>
> Hi,
> I'm working on my strategy for working with our researchers. We are beginning to work more formally with researchers as part of the IRB process.
>
> The variety of their work is great. Everything from one on one interviews going into an access database all the way to much larger web-based survey instruments that will need to handle PHI.
>
> What I'm wondering is how are other institutions handling these situations? Do you do a risk assessment/security planning engagement with each of them? Is it left up to departmental IT staff?
>
> Any tips for managing the workload on these?
>
> Anyone have checklists that have been useful in getting the basics taken care of?