AuSCR Data Security Policy

Version 1.2
26 August 2009
1.0 Preamble
This policy document describes the data security measures incorporated for the Australian Stroke
Clinical Registry (AuSCR) including the collection, use and access of data in accordance with legal,
ethical and national best practice guidelines.
1.1 Overview of AuSCR
The AuSCR collects information from participating hospitals in Australia about the treatment of
stroke and transient ischaemic attacks (TIA). In brief, a minimum data set of variables, including
personal and clinical information, processes of care and outcomes at time of separation is collected
on each eligible patient, using the web-based tool and/or a paper-based form. The initial collection
occurs during the hospital stay and at discharge. After three (3) months post-stroke onset, all
registered people known to be alive at the time of hospital separation are contacted for a single
follow-up questionnaire; this is by either telephone interview or mail. The information collected in
the AuSCR will be used to assist efforts to understand quality of health care provided in Australia,
plan services and assist prevention efforts and treatment decisions.
The AuSCR is a clinical quality registry that allows web-based submission of data. This data entry
may occur directly, with data entered through the web-based screen, or data may be indirectly
imported from separate health administrative systems. Data may also be collected and submitted to
the Registry using paper based forms.
Security is important as (1) the AuSCR database contains personal identifying information about
patients and (2) data are centrally housed at an independent research institute.
2.0 Security Operating Principles
2.1 Secure Data Housing
AuSCR data are stored by the Data Custodian, currently The George Institute for International
Health. Security of data is ensured in the following ways:
• The AuSCR database is maintained on a dedicated server in a locked server room. Access to
this room is by swipe-card only and limited to The George Institute's Information
Technology staff. A log of access to this room is maintained at all times.
• All paper information is stored in a locked filing cabinet at The George Institute until the
data are entered into the AuSCR online tool. After the data are entered the forms will be
shredded prior to disposal in accordance with The George Institute disposal of medical
information policy and ethical protocols. Validation of paper based data forms occurs prior
to disposal, in line with the AuSCR Quality Assurance and Data Quality policy.
Aspects of secure data housing fundamental to the storage of AuSCR data include:
• Appropriate off-site backup procedures: Backups are written to tape on a daily basis and
stored locally with the appointed Data Custodian (The George Institute for International
Health). Backups are also written to tape on a weekly basis and stored offsite in secure
storage and rotated once a month. Current weekly backup tapes are stored at the Missenden
Road building of The George Institute for International Health, which is a different building
from the dedicated AuSCR server.
• Disaster recovery procedures, including failover and redundancy.
• Regular and adequate testing of all data security procedures in accordance with The George
Institute for International Health IT Department routine procedures.
AuSCR Data Security Policy_Version 1.2_26 August 2009
All secure data housing elements are the responsibility and commitment of the appointed Data
Custodian (The George Institute for International Health). All future custodians must adhere to this
policy and the Data Custodian Policy. This policy should be read in conjunction with the Data
Custodian Policy.
2.2 Use of the AuSCR by individuals and protection of data
The AuSCR online tool comprises secure access controls to ensure that only authorized people are
able to retrieve information from the database. The AuSCR online tool is password protected at an
individual level, thus ensuring that an audit trail exists and to make certain that data cannot be
tampered with.
There are six types of user access in the AuSCR system, each with a different level of authority to
access certain system functionality. All users are issued with a unique username and password
giving them the appropriate level of access to the system. User access is provided by the AuSCR
Office, and can only be activated following receipt of the AuSCR Online Tool User Request Form,
which is logged. This ensures that all users of the online tool can be audited. In addition, having
levels of user access is fundamental to the security of the AuSCR online tool.
The matrix below shows the level of user access to the functional elements of the AuSCR online
tool. The functions covered by the matrix are:
Logging on
Menu
Search/List Page
New Patient
Add Episode
Match Existing Patient
Lock Episode
Unlock Episode
Request Deletion of an Episode
Delete Episode
Request Deletion of Patient Record
Delete Patient Record
Generate Follow Up
Search for Follow Up Patients
Process Follow Up
Incomplete Follow Ups
Unlock Follow Up
Print Follow Up Mailing Labels
Request Opt Out
Confirm Opt Out
Merge
User Administration – Reset Password
Administration – User Management
Administration – Hospital Management
Import Data
Export Data
Web Service
[User access matrix: the per-role entries for the functions above are not reproduced here; the Web Service row is marked "tbc" for every user type.]
User types:
HU = Hospital Users
FU = Follow Up Users
HA = Hospital Administrator (one per site)
PU = Project Team User (AuSCR Office staff)
PA = Project Team Administrator (AuSCR Epidemiologist and Clinical Research Associates)
SU = Superuser (Project Manager plus Project Coordinator)
tbc = To be Confirmed
2.3 Secure Transfer and Messaging
The transmission of AuSCR data from individual hospital sites to the AuSCR Office occurs via a
web-based system, electronically in XML format or manually by fax or mail. All AuSCR data are
transmitted in a secure manner and access to data is only permitted after authentication is
provided.
• When transferring AuSCR data over the internet, data flowing between the browser, web
server and the AuSCR server is encrypted to 128 bits via Secure Sockets Layer (SSL). For
further information refer to Section 3.0: Technical Security Standards in this document.
• AuSCR data transmitted by fax must only be sent after contacting the recipient via
telephone to alert them to the incoming fax. The AuSCR Office has a dedicated secure fax
telephone line; the fax machine is also located within a locked, swipe-card access room,
ensuring an audit trail of room access.
• AuSCR data transmitted by mail must only be sent using Registered Mail and after
contacting the recipient via telephone to alert them to the incoming mail. AuSCR data
transmitted via mail must be addressed to a specific person who will take responsibility for
ensuring the arrival of the data.
2.4 Ethics and Privacy
It is a requirement of the AuSCR project that approval for the collection of data at every site is
given by an Institutional Ethics Committee (IEC). Ethics approval must include approval for data to
be collected using an opt-out consent model. Opt-out consent presumes that an individual will be
willing to be included on an Australian Clinical Quality Registry unless they lodge an objection.
Contributing hospitals include private sector organisations (eg private hospitals) and public sector
organisations (eg public hospitals). Private hospitals in Australia are listed as ‘organisations’ under
the Commonwealth Privacy Act 1998 and are therefore subject to its provisions, which generally
require consent to the collection of ‘sensitive information’ (which includes ‘health information’).
State public hospitals are not subject to the Commonwealth Privacy Act 1998. However, consent to
the collection of personal information is consistent with the requirements of State legislation that
applies to the handling of public hospital information.
All AuSCR personnel are familiar with and abide by the requirements set out in Australian privacy
legislation, the National Statement on Ethical Conduct in Human Research and the Australian Code
for the Responsible Conduct of Research.
All personnel (both employed and volunteer or in-kind) who see name-identified data from AuSCR
records must sign the Covenant of Confidentiality to ensure commitment to upholding the
confidentiality and privacy of all participants.
2.5 Access to Information
All information held in the AuSCR database is confidential. The procedures for making a request
for aggregated data (de-identified information) and identifying data (personal information) are
outlined in the AuSCR Data Access Policy and the AuSCR Publication Policy.
This document should be read in conjunction with the AuSCR Data Access and Publication Policies
which provide more information on this topic.
3.0 Technical Security Standards
AuSCR architecture can be pictured as below:
[Architecture diagram. Data Entry Layer: Paper Collection; Central Data-entry (browser); Direct Browser. Secure Managed Hosting Environment: Managed Firewall, reached over https; Middle Tier (Web); Database Tier with the Registry Database (RDBMS), reached from the middle tier via SQL. A further label, "Trail", also appears in the figure.]
AuSCR security standards are aligned with NEHTA security standards as outlined in the Operating
Principles and Technical Standards for Australian Clinical Quality Registries (November 2008).
Secure Sockets Layer (SSL) is used for all pages once the user is logged in. The user roles are
maintained by the application and govern the authorization of the exposed functionality (see the
user access matrix in Section 2.2 of this document). The Data Custodian has configured the server
firewall so that access to the application server is restricted.
This document should be read in conjunction with the AuSCR Technical Notes which provide more
information on this topic.
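Sections 2.2 and 3.0 describe the access model in three parts: every user has an individual account that is activated only after the logged User Request Form is received, each account holds one of six user types, and the application checks the user type before exposing a function. The block below is an added illustration of that pattern, not AuSCR code. The user type codes (HU, FU, HA, PU, PA, SU) and the function names are the ones listed in the matrix in Section 2.2, but which type holds which function cannot be read from the matrix as reproduced here, so the grants in GRANTS are constructed assumptions chosen only to show deny-by-default checking and the request/confirm split that the function list itself suggests (for example, "Request Deletion of an Episode" is a separate function from "Delete Episode"). The account flag request_form_logged is likewise an assumed name.

```python
"""Deny-by-default function authorisation with a per-user audit trail.

Added example; not AuSCR code. The grants below are CONSTRUCTED assumptions
(the policy's real matrix is not reproduced), chosen to illustrate the pattern.
"""
from dataclasses import dataclass, field

# Assumed base functions available to every activated user type.
_BASE = frozenset({"Logging on", "Menu", "Search/List Page"})

# Constructed grants (assumption). Holding a "Request ..." function does not
# imply holding the matching "Delete"/"Confirm" function.
GRANTS = {
    "HU": _BASE | {"New Patient", "Add Episode", "Match Existing Patient",
                   "Lock Episode", "Request Deletion of an Episode",
                   "Request Opt Out"},
    "FU": _BASE | {"Search for Follow Up Patients", "Process Follow Up",
                   "Incomplete Follow Ups", "Print Follow Up Mailing Labels"},
    "HA": _BASE | {"New Patient", "Add Episode", "Match Existing Patient",
                   "Lock Episode", "Unlock Episode",
                   "Request Deletion of an Episode",
                   "User Administration – Reset Password"},
    "PU": _BASE | {"Generate Follow Up", "Unlock Follow Up",
                   "Confirm Opt Out", "Delete Episode"},
    "PA": _BASE | {"Delete Episode", "Delete Patient Record", "Merge",
                   "Export Data"},
    "SU": _BASE | {"Administration – User Management",
                   "Administration – Hospital Management", "Import Data",
                   "Export Data", "Delete Episode", "Delete Patient Record",
                   "Merge"},
}


@dataclass
class Account:
    """One user account. request_form_logged (assumed name) records that the
    AuSCR Online Tool User Request Form has been received and logged; until
    then the account is not active."""
    username: str
    role: str
    request_form_logged: bool = False


@dataclass
class AuditTrail:
    """In-memory audit trail; a deployment would persist these records."""
    entries: list = field(default_factory=list)

    def record(self, account, function, allowed, reason):
        self.entries.append({"user": account.username, "role": account.role,
                             "function": function, "allowed": allowed,
                             "reason": reason})


def authorize(account, function, audit):
    """Return True only if the account is active and its user type explicitly
    holds `function`. Every decision, allowed or denied, is written to the
    audit trail so that use of the tool can be reviewed per user."""
    if not account.request_form_logged:
        allowed, reason = False, "account not activated"
    elif account.role not in GRANTS:
        allowed, reason = False, "unknown user type"
    elif function in GRANTS[account.role]:
        allowed, reason = True, "granted to user type"
    else:
        allowed, reason = False, "function not granted to user type"
    audit.record(account, function, allowed, reason)
    return allowed


def denied_attempts(audit):
    """Review helper: (user, function) pairs that were refused."""
    return [(e["user"], e["function"])
            for e in audit.entries if not e["allowed"]]


if __name__ == "__main__":
    trail = AuditTrail()
    hu = Account("hu_site01", "HU", request_form_logged=True)
    pending = Account("new_user", "FU")  # form not yet logged
    print(authorize(hu, "Add Episode", trail))      # True
    print(authorize(hu, "Delete Episode", trail))   # False
    print(authorize(pending, "Logging on", trail))  # False
    print(denied_attempts(trail))
```

The two design points worth keeping from this sketch are that an unknown user type or an inactive account is refused rather than falling through to some default, and that refusals are logged alongside successes, since the refused attempts are usually the ones an audit of the online tool wants to see.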
Table 1: AuSCR Security Standards and Principles

Security Standard/Principle: Adherence to legislation and national clinical standards for disease registries
• Commonwealth of Australia Privacy Act 1988, incorporating the Privacy Amendment (Private Sector) Act 2000 – sets out National Privacy Principles applicable to handling of personal information by private sector organisations.
• Guidelines approved under Section 95A of the Privacy Act 1988 (National Health and Medical Research Council, December 2001) – includes guidelines for research or compilation or analysis of statistics relevant to public health or public safety, for management, funding or monitoring of a health service, and on the role of human research ethics committees.
• Health Records and Information Privacy Act 2002 (NSW). The Act's provisions are generally consistent with those of the Commonwealth Privacy Act 1988 and apply to organisations operating in New South Wales.
• National Statement on Ethical Conduct in Research Involving Humans (National Health and Medical Research Council, 2007) – guidance on how to fulfil broader ethical obligations in the conduct of research, statistical and health service management activities.
• Operating Principles and Technical Standards for Australian Clinical Quality Registries (Australian Commission for Safety and Quality in Health Care (ACSQHC), NHMRC Centre for Research Excellence in Patient Safety at Monash University and the National E-Health Transition Authority (NEHTA)) – guidelines on establishing and operating a clinical quality registry.
• Minimum Guidelines for Health Registers for Statistical and Research Purposes (National Health Information Management Group, 2001) – sets out good practice for health registers.
• Australian Standard: Personal privacy protection in health care information systems (Standards Australia AS 4400 – 1995).

Security Standard/Principle: Industry Standards
• AS/NZS ISO 9001:2000 Quality management systems – Requirements
• AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems
• ISO/IEC 11404 Information technology – General-Purpose Datatypes

Security Standard/Principle: Passwords
Passwords for user accounts are stored as MD5 message digests. MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length) that is as unique to that specific data as a fingerprint is to the specific individual.

Security Standard/Principle: Transfer of Data
Encrypted to 128 bits via Secure Sockets Layer (SSL).

Security Standard/Principle: Server Solution
Java server solution (platform independent).

Security Standard/Principle: Operating System
Red Hat Enterprise Linux 5 (RH EL 4), which is an open source Linux operating system.

Security Standard/Principle: Security Layer
JBoss/Apache security layer – enforces SSL encryption.
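The Passwords row of Table 1 describes MD5 as producing a fixed 128-bit digest from input of any length, with the digest standing in for the password. The block below is an added example, not AuSCR code, that makes both properties concrete and adds the check a practitioner reviewing such a table would want: an unsalted digest is identical for every account that shares a password, whereas a record built from a per-account random salt and an iterated key-derivation function (PBKDF2-HMAC-SHA256 here, chosen for this illustration) is not, and can still be verified. The record format "algorithm$iterations$salt$key" and the sample passwords are constructed for the example.

```python
"""MD5 digests as described in Table 1, beside a salted, iterated record.

Added example; not AuSCR code. Record format and sample inputs are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional


def md5_hex(password: str) -> str:
    """Unsalted MD5 message digest of the password, as 32 hex characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def digest_bits(hex_digest: str) -> int:
    """Bit length of a hex-encoded digest (4 bits per hex character)."""
    return len(hex_digest) * 4


def same_unsalted_digest(pw_a: str, pw_b: str) -> bool:
    """True when two accounts' unsalted digests would be identical, which is
    what lets a stored digest be matched against a precomputed list."""
    return md5_hex(pw_a) == md5_hex(pw_b)


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record in the constructed form
    algorithm$iterations$salt_hex$key_hex. A fresh random salt per account
    means equal passwords give different records; the iteration count makes
    each guess cost proportionally more work."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and iteration count and compare
    it in constant time; returns False for an unrecognised algorithm tag."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    print(md5_hex("password"), digest_bits(md5_hex("password")))
    print(same_unsalted_digest("password", "password"))   # True
    r1, r2 = make_record("password"), make_record("password")
    print(r1 == r2)                                       # False
    print(verify_record("password", r1), verify_record("wrong", r1))
```

When reading a standards table like Table 1, the point to take from this is that the fixed-length, fingerprint-like property the row describes is exactly what makes an unsalted digest reusable across accounts; a salt and an iteration count are what turn a digest into a password record.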
Table 2: Disaster Recovery and Backup Procedures

Scenario 1. Disk Failure – Failure of disk where the application and database is installed
Recovery Process: System has been set up to run in RAID 1 (mirrored disk); if the 1st disk fails, the 2nd disk should be able to handle the application and database.
Down time period: None

Scenario 2. Database Failure – Possible corruption in database file
Recovery Process: Restore the snapshot of the database from the latest data dump. The current setup backs up the complete AuSCR database every hour and backup files are copied to the backup server.
Down time period: Up to 2 hours

Scenario 3. Application Failure – Possible AuSCR or database application failure
Recovery Process: There is a standby Application/Database server located at an alternate address of The George Institute (known as the standby server). The recovery process will be to re-direct traffic if the primary application server fails. When activating the standby server, the latest database backup from the primary application server will be uploaded to the standby server.
Down time period: Up to 2 hours

Scenario 4. Network Failure – System could not be reached due to network failure
Recovery Process: A standby Application/Database server to be established at an alternate address of The George Institute. Other recovery steps will be the same as scenario 3.
Down time period: Up to 2 hours
COVENANT OF CONFIDENTIALITY
All personnel (both employed and volunteer or in-kind) who see name-identified data from
AuSCR records must sign this declaration.
I declare that it is necessary for me to access name-identified data held in AuSCR. I will preserve the
confidentiality of the information released into my care and will adhere to the AuSCR Data Security Policy,
the Commonwealth Privacy Act 1998, and all National Health and Medical Research Council guidelines on
research as stated in the National Statement on Ethical Conduct in Human Research 2007. I understand that I
cannot publish or release data during or after my engagement with AuSCR, including release to the media,
without written permission from the AuSCR Management Committee.
DECLARANT
SIGNATURE:
POSITION:
NAME:
DATE:

WITNESS
SIGNATURE:
POSITION:
NAME:
DATE: