Educause Security Discussion mailing list archives

Re: research data security


From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Wed, 4 Nov 2009 18:16:09 -0500

We completed an RFI for IT-GRC products with Agiliance, Archer, Brabeion
and Modulo, but funding has become an issue, so this project is
currently on hold.

Most of our human subjects research is covered by HIPAA rules and we are
grappling with NIH contracts and VA.gov data with onerous FISMA
requirements (Federal Information Security Management Act).  We are also
seeing an increase in non-HIPAA covered human subjects research using
data sets from BLS, dbGaP-NCBI and UNC-Add Health -- which all have
unique security requirements.

The issue of federated identity management is also becoming more of a
research issue -- especially with NIH funding where they are being
asked/required to share research data with other organizations doing
similar protocols -- including human subjects data that is not
de-identified -- and where the University is acting as a data repository
for multi-center clinical trials.

Since a substantial amount of our compliance efforts are currently
related to HIPAA (and to a lesser degree FISMA), in our review and
revision of IT (and records management & protection) policies and
procedures, we are trying to align with NIST (csrc.nist.gov) since both
HHS.gov (enforcement for HIPAA), NIH and FISMA reference their standards
and guidance.

In coordination with our IRB we created an 'Interim Guidance on Human
Subjects Research Data Security'
(http://www.yale.edu/its/policy/GuidanceClassification.pdf) until we
have revised policies and procedures.

--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu


Steve Brukbacher wrote:
Thanks for the reply.  I recently had an RFI out for a GRC product.
Didn't get anything from Archer unfortunately.

Our vision is to purchase a HIPAA module for a GRC product, similar to
what you are talking about.

So what do you get for your subscription to HI Trust?

Conceptually, my goal has been to do what you are talking about.
Funding it is turning out to be another matter entirely, but it is very
comforting to hear that this is working for someone else.

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Architect
UWM Computer Security Web Site www.security.uwm.edu
Phone: 414.229.2224

Chris Kidd wrote:
> > Steve,
> >
> > We are embarking on a similar effort with the IRB, but are also
> > pulling in the Office of Sponsored Projects. We're using the HI Trust
> > Alliance Common Security Framework (anyone else using that?) with
> > Archer. Our initial thoughts are that the inherent/residual risk
> > questionnaires would become a part of the research and grant application
> > processes.
> >
> > Let me know what you come up with.
> >
> > Chris
> >
> > Chris Kidd
> > Chief Information Security and Privacy Officer
> > The University of Utah
> > 650 Komas Drive, Suite 102
> > Salt Lake City, UT 84108
> > Office: 801.587.9241
> > Cell: 801.747.9028
> > chris.kidd () utah edu
> >
> > http://www.secureit.utah.edu
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Brukbacher
> > Sent: Wednesday, November 04, 2009 1:06 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] research data security
> >
> > Hi,
> > I'm working on my strategy for working with our researchers.  We are
> > beginning to work more formally with researchers as part of the IRB
> > process.
> >
> > The variety of their work is great. Everything from one on one
> > interviews going into an access database all the way to much larger
> > web-based survey instruments that will need to handle PHI.
> >
> > What I'm wondering is how are other institutions handling these
> > situations?  Do you do a risk assessment/security planning engagement
> > with each of them?  Is it left up to departmental IT staff?
> >
> > Any tips for managing the workload on these?
> >
> > Anyone have checklists that have been useful in getting the basics taken
> > care of?
> >
> >