Security Checklist for Any E-PHI Dataset

Security Checklist for Research Datasets (Version 4/13)
This checklist covers essential security controls for your research dataset containing E-PHI (electronic
protected health information). It is designed to cover areas of particular concern but is in no way
exhaustive. You should also review the JHU policies, standards, and guidance on HIPAA compliant use of
datasets [link] and consider the specific risks related to the electronic storage of PHI before completing the
checklist.
The checklist should be updated at any time you make substantial changes to the dataset or its
configuration, as well as at the time of submission of your continuing review application. For comments and
questions about use of electronic datasets that contain PHI, please contact itpolicy@jhu.edu.
Electronic Data Security Control / Description
Data Management Planning -- E-PHI datasets require updated lifecycle management plans. These begin with accounts of interfaces and data feeds from Hopkins clinical or data warehousing systems. Once data is derived, a plan for risk mitigation and privacy impact should be implemented. The plan should also discuss triggers for disposal of Restricted data.
1. Have all data sources and formats for the research datasets been identified and documented with source system administrators?
2. Has a data management plan appropriate to project sponsors and risk been documented that covers on-going data management responsibilities?
3. Does the data management plan include risk mitigation discussions (e.g. dataset de-identification, elimination of SSN, limited access distributions to certain team members)?
4. Does the data management plan discuss data disposal requirements?
5. Have the entire research and project support (e.g. IT) teams reviewed the data management plan?
Device security -- E-PHI datasets should be stored on professionally managed servers or in data centers. Copying
datasets to client workstations and devices (especially mobile devices) increases risk and the need for more
controls.
6. Has the entire research team agreed that Hopkins policies must be followed for any personally owned device used to store E-PHI datasets, including requirements for encryption, endpoint protection and monitoring?
7. For any dataset to be stored on a laptop or other mobile device or media, will it be encrypted using full disk encryption (e.g. FileVault, Check Point, BitLocker, TrueCrypt)?
8. Do all devices have (1) up-to-date patching (e.g., OS, Flash, Java), (2) endpoint/anti-virus protection (e.g. MS System Center, Symantec, Kaspersky)?
Data Access -- Only those individuals with a business need to access E-PHI are authorized to have access. Dataset owners must address whether a user has a need to know the information in the dataset and whether the minimum necessary E-PHI is made available for access. Users must be validated by use of a password, token or other means before accessing data.
9. a. Do you have a current list of those individuals who are authorized to access the E-PHI datasets?
   b. Is this list periodically reviewed and updated?
Research Security Checklist -- Page 1 of 3
10. Do you have a documented process for quickly adding and removing individuals from the authorized access list (hence terminating access to E-PHI datasets)?
11. Do you track when individuals who are authorized to access the E-PHI datasets leave Johns Hopkins yet are still authorized to access the datasets?
12. Is each authorized individual assigned a unique user ID to access the E-PHI dataset? (Note: This can be done by creating LAN groups with access to the system, controlling machine level access or by database applications creating user IDs)
13. Are users prohibited from sharing user IDs and passwords?
14. Are file sharing applications (e.g. jShare, SharePoint) managed or approved by Johns Hopkins?
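Items 9 through 12 describe a periodic access review: keep a current list of authorized users, review it regularly, remove people who have left, and make sure every entry is a unique individual. The following is an added example (not part of the JHU checklist) of how a dataset owner could automate that review against an HR or IT roster of active affiliates. The CSV access list, the roster, the user IDs and the review date are all constructed sample data; the 90-day review interval is an assumption, not a JHU requirement.

```python
"""Reconcile an E-PHI dataset's authorized-access list with the active staff roster.

Added example; assumes the dataset owner keeps the access list as a CSV with
the columns user_id, name, granted, last_reviewed, and can obtain a set of
currently affiliated user IDs from HR/IT. All values below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample access list (checklist item 9a). The shared_lab row is
# listed twice to show what a non-unique user ID looks like (item 12).
ACCESS_LIST_CSV = """user_id,name,granted,last_reviewed
jdoe1,Jane Doe,2012-09-01,2013-03-01
rroe2,Richard Roe,2012-11-15,2012-11-15
shared_lab,Lab Account,2011-06-01,2013-03-01
shared_lab,Lab Account,2011-06-01,2013-03-01
mmoe3,Mary Moe,2013-02-20,2013-02-20
"""

# Constructed sample roster: user IDs HR/IT report as currently affiliated.
# rroe2 has left, so item 11 should flag that entry.
ACTIVE_ROSTER = {"jdoe1", "mmoe3", "shared_lab"}

# Assumed review date and review interval for the sample run.
REVIEW_DATE = date(2013, 4, 13)
REVIEW_INTERVAL_DAYS = 90


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str


def parse_access_list(text):
    """Parse the CSV access list into rows with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user_id": row["user_id"].strip(),
            "name": row["name"].strip(),
            "granted": date.fromisoformat(row["granted"].strip()),
            "last_reviewed": date.fromisoformat(row["last_reviewed"].strip()),
        })
    return rows


def review_access_list(rows, active_roster, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Return the findings a reviewer must clear before answering items 9-12 'yes'."""
    findings = []
    seen = set()
    cutoff = today - timedelta(days=interval_days)
    for row in rows:
        uid = row["user_id"]
        if uid in seen:  # item 12: one ID must map to exactly one individual
            findings.append(Finding(uid, "duplicate entry: user ID is not unique to one individual"))
        seen.add(uid)
        if uid not in active_roster:  # item 11: departed but still authorized
            findings.append(Finding(uid, "no longer affiliated but still authorized: remove access"))
        if row["last_reviewed"] < cutoff:  # item 9b: periodic review overdue
            findings.append(Finding(uid, "access not reviewed within the review interval"))
    return findings


def accounts_to_remove(rows, active_roster):
    """User IDs that the item 10 removal process should terminate now."""
    return {row["user_id"] for row in rows if row["user_id"] not in active_roster}


def run_review():
    """Run the review over the constructed sample and return (findings, to_remove)."""
    rows = parse_access_list(ACCESS_LIST_CSV)
    return review_access_list(rows, ACTIVE_ROSTER, REVIEW_DATE), accounts_to_remove(rows, ACTIVE_ROSTER)


if __name__ == "__main__":
    findings, to_remove = run_review()
    for f in findings:
        print(f"{f.user_id}: {f.issue}")
    print("remove now:", sorted(to_remove))
```

The review produces a short list of actions rather than a pass/fail, which is what the item 10 removal process needs; keeping the dated output alongside the access list also gives evidence that the periodic review in item 9b actually happened.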
Physical Security -- Machines storing E-PHI must have appropriate physical security. One of the main reasons for
storing E-PHI datasets on managed servers is that these servers are generally better protected against loss, theft
and environmental hazards. Access to E-PHI datasets must have automatic log-off due to user inactivity, and this
can be done by password protected screensavers, among other techniques.
15. Are machines storing E-PHI datasets located in secured enclosed areas, access restricted areas, locked rooms, etc. to protect against physical threats?
16. Are devices accessing E-PHI automatically logged off (or put in sleep mode) after a reasonable period of inactivity?
17. Are media storing E-PHI (e.g. DVDs, backups, flash drives) encrypted and secured in locked rooms, cabinets or the like?
18. Are the media storing E-PHI destroyed or otherwise rendered unreadable prior to disposal?
19. If practical, are you using a Hopkins-hosted virtual desktop to store and process E-PHI?
Server Protection -- Machines used to access and store E-PHI must have basic security controls, such as antivirus and patch management. Johns Hopkins also encourages the use of personal firewalls and anti-spyware
programs.
20. Are all or servers that will be used to store the E-PHI datasets managed by trained staff familiar with Hopkins IT standards and practices?
21. Are all servers actively monitored and access logged and monitored through System Center or similar tools? For how long do you keep security and event logs?
22. Do server configuration and management follow a build and/or configuration checklist, reflecting systems administration best practices?
23. Do you have a formal event and security log review process and trigger critical alerts in real time?
Transmission Security -- Information passing over public networks such as the Internet is insecure. Johns Hopkins requires users to take reasonable steps to protect all transmissions of E-PHI. For transmitting all or substantial portions of an E-PHI dataset, users may not use insecure protocols -- such as TELNET, FTP, most forms of IRC and unencrypted e-mail. If all or part of the dataset is to be transferred across the Internet, users should use secure encrypted transfer methods (such as JShare, Secure FTP or VPN) or should password protect or encrypt file attachments [link to Encryption Guidance]. These transfers should include only the minimum amount of E-PHI.
24. Are users of E-PHI datasets instructed to avoid email messaging for E-PHI and use encrypted file sharing services instead?
25. For those involved in data transfers, do you use encrypted/authenticated transmission practices (e.g., SFTP, HTTPS)?
If you require assistance in developing your e-PHI application to be HIPAA compliant, please contact itpolicy@jhu.edu.