Security Checklist for Research Datasets (Version 4/13)

This checklist covers essential security controls for your research dataset containing E-PHI (electronic protected health information). It is designed to cover areas of particular concern but is in no way exhaustive. You should also review the JHU policies, standards, and guidance on HIPAA-compliant use of datasets [link] and consider the specific risks related to the electronic storage of PHI before completing the checklist. The checklist should be updated whenever you make substantial changes to the dataset or its configuration, as well as at the time of submission of your continuing review application. For comments and questions about the use of electronic datasets that contain PHI, please contact itpolicy@jhu.edu.

Electronic Data Security Controls

Data Management Planning -- E-PHI datasets require updated lifecycle management plans. These begin with an account of the interfaces and data feeds from Hopkins clinical or data warehousing systems. Once the data is derived, a plan for risk mitigation and privacy impact should be implemented. The plan should also discuss triggers for disposal of Restricted data.

1. Have all data sources and formats for the research datasets been identified and documented with the source system administrators?
2. Has a data management plan appropriate to the project sponsors and risk been documented that covers on-going data management responsibilities?
3. Does the data management plan include risk mitigation discussions (e.g. dataset de-identification, elimination of SSNs, limited-access distributions to certain team members)?
4. Does the data management plan discuss data disposal requirements?
5. Have the entire research and project support (e.g. IT) teams reviewed the data management plan?

Device Security -- E-PHI datasets should be stored on professionally managed servers or in data centers. Copying datasets to client workstations and devices (especially mobile devices) increases risk and the need for more controls.

6. Has the entire research team agreed that Hopkins policies must be followed for any personally owned device used to store E-PHI datasets, including requirements for encryption, endpoint protection and monitoring?
7. For any dataset to be stored on a laptop or other mobile device or media, will it be encrypted using full disk encryption (e.g. FileVault, Checkpoint, BitLocker, TrueCrypt)?
8. Do all devices have (1) up-to-date patching (e.g. OS, Flash, Java) and (2) endpoint/anti-virus protection (e.g. MS System Center, Symantec, Kaspersky)?

Data Access -- Only those individuals with a business need to access E-PHI are authorized to have access. Dataset owners must address whether a user has a need to know the information in the dataset and whether only the minimum necessary E-PHI is made available for access. Users must be validated by use of a password, token or other means before accessing data.

9. a. Do you have a current list of those individuals who are authorized to access the E-PHI datasets?
   b. Is this list periodically reviewed and updated?

Research Security Checklist -- Page 1 of 3

10. Do you have a documented process for quickly adding and removing individuals from the authorized access list (and hence terminating access to E-PHI datasets)?
11. Do you track when individuals who are authorized to access the E-PHI datasets leave Johns Hopkins yet are still authorized to access the datasets?
12. Is each authorized individual assigned a unique user ID to access the E-PHI dataset? (Note: this can be done by creating LAN groups with access to the system, controlling machine-level access, or by database applications creating user IDs.)
13. Are users prohibited from sharing user IDs and passwords?
14. Are file sharing applications (e.g. jShare, SharePoint) managed or approved by Johns Hopkins?
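The Data Access items above (9 through 13) assume that the dataset owner can reconcile the authorized-access list against who is still employed and who actually holds access on the system. The following Python script is an added example of such a periodic review; it is not part of this checklist or of any JHU tool. It assumes three inputs (the owner's authorized list with last-review dates, an HR active roster, and the user IDs present in the server's access group), plus login records showing which people have used each ID. All user IDs, names, dates and the 180-day review interval are constructed sample values.

```python
"""Periodic access review for an E-PHI dataset (constructed example).

Reconciles the three lists the checklist's Data Access items assume exist:
  * the dataset owner's authorized-access list (item 9a),
  * the active-employee roster from HR (item 11), and
  * the user IDs actually granted on the system, e.g. a LAN group (item 12).
All names, IDs and dates below are constructed sample data, not real records.
"""
from datetime import date, timedelta

# Constructed sample: the owner's authorized list. Each entry maps a unique
# user ID to the person who holds it and the date the entry was last reviewed.
AUTHORIZED = {
    "asmith1": {"person": "A. Smith", "reviewed": date(2013, 3, 1)},
    "bjones2": {"person": "B. Jones", "reviewed": date(2012, 9, 15)},
    "cwong3": {"person": "C. Wong", "reviewed": date(2013, 3, 1)},
    "lab_shared": {"person": "D. Lee", "reviewed": date(2013, 3, 1)},
}
# Constructed sample: people HR currently lists as active at the institution.
HR_ACTIVE = {"A. Smith", "C. Wong", "D. Lee", "E. Diaz"}
# Constructed sample: user IDs that actually hold access in the server's group.
SYSTEM_GROUP = {"asmith1", "bjones2", "ediaz4", "lab_shared"}
# Constructed sample: which people have logged in with each ID (from login records).
ID_USERS = {"asmith1": {"A. Smith"}, "lab_shared": {"D. Lee", "E. Diaz"}}

# Assumed review cadence (item 9b): entries older than this are due for review.
REVIEW_INTERVAL = timedelta(days=180)
# Constructed "today" so the example gives the same result every run.
TODAY = date(2013, 4, 13)


def review_access(authorized, hr_active, system_group, id_users, today):
    """Return a dict of findings; each value is a sorted list of user IDs."""
    return {
        # Departed staff who are still on the authorized list (item 11).
        "departed_still_authorized": sorted(
            uid for uid, rec in authorized.items() if rec["person"] not in hr_active
        ),
        # IDs with access on the system that the owner never authorized (item 10).
        "unauthorized_on_system": sorted(system_group - set(authorized)),
        # Authorized people who are not actually provisioned; the list and the
        # system should agree, so this is still worth correcting.
        "authorized_not_provisioned": sorted(set(authorized) - system_group),
        # An ID used by more than one person is a shared ID (items 12 and 13).
        "shared_ids": sorted(uid for uid, people in id_users.items() if len(people) > 1),
        # Entries whose last review is older than the review interval (item 9b).
        "review_overdue": sorted(
            uid for uid, rec in authorized.items()
            if today - rec["reviewed"] > REVIEW_INTERVAL
        ),
    }


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(AUTHORIZED, HR_ACTIVE, SYSTEM_GROUP, ID_USERS, TODAY)


if __name__ == "__main__":
    for finding, ids in run_review().items():
        print(f"{finding}: {', '.join(ids) if ids else 'none'}")
```

Each finding maps to a checklist item, so the output can be filed with the continuing review application as evidence that the list was reviewed; in practice the three inputs would be exported from the HR system, the directory group and the authentication logs rather than typed in.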
Physical Security -- Machines storing E-PHI must have appropriate physical security. One of the main reasons for storing E-PHI datasets on managed servers is that these servers are generally better protected against loss, theft and environmental hazards. Access to E-PHI datasets must have automatic log-off after user inactivity; this can be done with password-protected screensavers, among other techniques.

15. Are machines storing E-PHI datasets located in secured enclosed areas, access-restricted areas, locked rooms, etc. to protect against physical threats?
16. Are devices accessing E-PHI automatically logged off (or put in sleep mode) after a reasonable period of inactivity?
17. Are media storing E-PHI (e.g. DVDs, backups, flash drives) encrypted and secured in locked rooms, cabinets or the like?
18. Are the media storing E-PHI destroyed or otherwise rendered unreadable prior to disposal?
19. If practical, are you using a Hopkins-hosted virtual desktop to store and process E-PHI?

Server Protection -- Machines used to access and store E-PHI must have basic security controls, such as antivirus and patch management. Johns Hopkins also encourages the use of personal firewalls and anti-spyware programs.

20. Are all servers that will be used to store the E-PHI datasets managed by trained staff familiar with Hopkins IT standards and practices?
21. Are all servers actively monitored, with access logged and monitored through System Center or similar tools? For how long do you keep security and event logs?
22. Do server configuration and management follow a build and/or configuration checklist reflecting systems administration best practices?
23. Do you have a formal event and security log review process, and do you trigger critical alerts in real time?

Transmission Security -- Information passing over public networks such as the Internet is insecure. Johns Hopkins requires users to take reasonable steps to protect all transmissions of E-PHI. For transmitting all or substantial portions of an E-PHI dataset, users may not use insecure protocols such as TELNET, FTP, most forms of IRC and unencrypted e-mail. If all or part of the dataset is to be transferred across the Internet, users should use secure encrypted transfer methods (such as JShare, Secure FTP or VPN) or should password-protect or encrypt file attachments [link to Encryption Guidance]. These transfers should include only the minimum amount of E-PHI.

24. Are users of E-PHI datasets instructed to avoid e-mail messaging for E-PHI and to use encrypted file sharing services instead?
25. For those involved in data transfers, do you use encrypted/authenticated transmission practices (e.g. SFTP, HTTPS)?

If you require assistance in developing your E-PHI application to be HIPAA compliant, please contact itpolicy@jhu.edu.
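The Server Protection items (21 and 23) ask for access logging, a formal log review process and real-time critical alerts. The following Python script is an added example of the kind of review rules that process can run; it is not part of this checklist or of any JHU system. It assumes OpenSSH-style sshd lines in syslog format on the server holding the dataset, the authorized-user set from the Data Access section, and an alert threshold of five failed logins for one account within two minutes. The log lines, host name, user IDs and addresses are constructed sample data.

```python
"""Log review rules for a server holding E-PHI (constructed example).

Runs three alert rules over constructed syslog-style sshd lines:
  1. a successful login by a user ID that is not on the authorized list,
  2. a burst of failed logins for one account from one source within a
     short window (a guessing attempt or a badly misconfigured client), and
  3. a successful login for that account from that source after the burst.
Log lines, host names, user IDs and addresses are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed authorized-access list (see Data Access items); constructed IDs.
AUTHORIZED = {"asmith1", "cwong3", "dlee5"}
# Assumed alert threshold: this many failures within FAIL_WINDOW.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=2)
# syslog omits the year; assume the year under review.
LOG_YEAR = 2013

# Matches OpenSSH sshd "Accepted"/"Failed" lines as written to syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log: one normal login, one login by a user not on the
# authorized list, a five-failure burst followed by a success, and a stray
# failure for a non-existent account.
SAMPLE_LOG = """\
Apr 13 09:01:12 ephi-db1 sshd[2201]: Accepted publickey for asmith1 from 10.20.1.15 port 51022 ssh2
Apr 13 09:02:40 ephi-db1 sshd[2210]: Accepted password for bjones2 from 10.20.1.22 port 51030 ssh2
Apr 13 09:10:01 ephi-db1 sshd[2230]: Failed password for cwong3 from 198.51.100.7 port 40001 ssh2
Apr 13 09:10:05 ephi-db1 sshd[2231]: Failed password for cwong3 from 198.51.100.7 port 40002 ssh2
Apr 13 09:10:09 ephi-db1 sshd[2232]: Failed password for cwong3 from 198.51.100.7 port 40003 ssh2
Apr 13 09:10:14 ephi-db1 sshd[2233]: Failed password for cwong3 from 198.51.100.7 port 40004 ssh2
Apr 13 09:10:20 ephi-db1 sshd[2234]: Failed password for cwong3 from 198.51.100.7 port 40005 ssh2
Apr 13 09:10:31 ephi-db1 sshd[2235]: Accepted password for cwong3 from 198.51.100.7 port 40006 ssh2
Apr 13 09:15:00 ephi-db1 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 3333 ssh2
"""


def parse_line(line, year=LOG_YEAR):
    """Return a dict for an sshd login line, or None for lines we do not review."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def review_log(lines, authorized=AUTHORIZED):
    """Return alerts as (rule, user, source, timestamp) tuples, in log order."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    burst_flagged = set()         # (user, src) pairs already alerted for a burst
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["user"], rec["src"])
        if rec["result"] == "Failed":
            # Keep only failures inside the sliding window, then count.
            recent = [t for t in failures[key] if rec["ts"] - t <= FAIL_WINDOW]
            recent.append(rec["ts"])
            failures[key] = recent
            if len(recent) >= FAIL_THRESHOLD and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append(("failed_login_burst", rec["user"], rec["src"], rec["ts"]))
            continue
        # Successful login: check the authorized list, then prior bursts.
        if rec["user"] not in authorized:
            alerts.append(("unauthorized_login", rec["user"], rec["src"], rec["ts"]))
        if key in burst_flagged:
            alerts.append(("login_after_burst", rec["user"], rec["src"], rec["ts"]))
    return alerts


def sample_alerts():
    """Run the rules over the constructed sample log."""
    return review_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, user, src, ts in sample_alerts():
        print(f"{ts:%b %d %H:%M:%S} ALERT {rule}: user={user} from={src}")
```

The "unauthorized_login" rule is what turns the authorized list from item 9 into a detective control: a successful login by an ID that is not on the list is a critical alert regardless of how access was obtained. Fed from a live syslog pipe instead of a string, the same function answers item 23's real-time requirement; the retention question in item 21 is a matter of where the raw lines are kept, not of these rules.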