Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Genomic Data Sharing Form

advertisement

Security Checklist for Research Datasets

This checklist covers essential security controls for your research dataset containing E-PHI (electronic protected health information). It is designed to cover areas of particular concern but is in no way exhaustive. You should also review the JHU policies, standards, and guidance on HIPAA compliant use of datasets [link] and consider the specific risks related to the electronic storage of PHI before completing the checklist.

The checklist should be updated at any time you make substantial changes to the dataset or its configuration, as well as at the time of submission of your continuing review application. For comments and questions about use of electronic datasets that contain PHI, please contact itpolicy@jhu.edu

.

Electronic Data Security Control Description

Data Management Planning – E-PHI datasets require updated lifecycle management plans. These begin with accounts of interfaces and data feeds from Hopkins clinical or data warehousing systems. Once data is derived plan for risk mitigation and privacy impact should be implemented. The plan should also discuss triggers for disposal of

Restricted data.

1 Have all data sources and formats for the research datasets been identified and documented with source system administrators?

2 Has a data management plan appropriate to project sponsors and risk been documented that covers on-going data management responsibilities?

3 Does the data management plan include risk mitigation procedures

(e.g. dataset de-identification, elimination of SSN, limited access distributions to certain team members)? Please provide details. a.

Will the analytic dataset be stripped of PHI and use synthetic study IDs rather than medical record numbers? b. In what format will the data be stored? c. Explain how data access will be limited to the study team.

4 Does the data management plan discuss data disposal requirements?

5 Have the entire research and project support (e.g. IT) teams reviewed the data management plan?

Device security -- E-PHI datasets should be stored on professionally managed servers or in data centers. Copying datasets to client workstations and devices (especially mobile devices) increases risk and the need for more

controls.

6 Has the entire research team agreed that Hopkins policies must be followed for any personally owned-device used to store E-PHI datasets, including requirements for encryption, endpoint protection and monitoring?

7 For any dataset to be stored on a laptop or other mobile device or media, will it be encrypted using full disc Encryption (e.g. FileVault,

Checkpoint, Bitlocker, TrueCrypt)?

8 Do all devices have (1) up-to-date patching (e.g., OS, Flash, Java),

(2) endpoint/anti-virus protection (e.g. MS System Center,

Symantec, Kaspersky)?

Research Security Checklist -- Page 1 of 3

Version 2 13May15

Data Access -- Only those individuals with a business need to access E-PHI are authorized to have access.

Dataset owners must address whether a user has a need-to-know the information in the dataset and whether the minimum necessary E-PHI is made available for access. Users must be validated by use of a password, token or

other means before accessing data.

9 a.

Do you have a current list of those individuals who are authorized to access the E-PHI datasets? b.

Is this list periodically reviewed and updated?

10 Do you have a documented process for quickly adding and removing individuals from the authorized access list (hence terminating access to E-PHI datasets)?

11 Do you track when individuals who are authorized to access the E-

PHI datasets leave Johns Hopkins yet are still authorized to access the datasets?

12 Is each authorized individual assigned a unique user ID to access the E-PHI dataset? (Note: This can be done by creating LAN groups with access to the system, controlling machine level access or by database applications creating user IDs)

13 Are users prohibited from sharing user IDs and passwords?

14 Are file sharing applications (e.g. JHBox, Sharepoint) managed or approved by Johns Hopkins?

Physical Security -- Machines storing E-PHI must have appropriate physical security. One of the main reasons for storing E-PHI datasets on managed servers is that these servers are generally better protected against loss, theft and environmental hazards. Access to E-PHI datasets must have automatic log-off due to user inactivity, and this

can be done by password protected screensavers, among other techniques.

15 Are machines storing E-PHI datasets located in secured enclosed areas, access restricted areas, locked rooms, etc. to protect against physical threats?

16 Are devices accessing E-PHI automatically logged off (or put in sleep mode) after a reasonable period of inactivity?

17 Are media storing E-PHI (e.g. DVDs, backups, flash drives) encrypted and secured in locked rooms, cabinets or the like?

18 Are the media storing E-PHI destroyed or otherwise rendered unreadable prior to disposal ?

19 If practical, are you using a Hopkins-hosted virtual desktop to store and process E-PHI?

Server Protection -- Machines used to access and store E-PHI must have basic security controls, such as antivirus and patch management. Johns Hopkins also encourages the use of personal firewalls and anti-spyware

programs.

20 Are all or servers that will be used to store the

E-PHI datasets managed by trained staff familiar with Hopkins IT standards and practices?

21 Are all servers actively monitored and access logged and monitored through Systems Center or similar tools? For how long do you keep security and event logs?

Research Security Checklist -- Page 2 of 3

Version 2 13May15

22 Do server configuration and management follow a build and/or configuration checklist, reflecting systems administration best practices?

23 Do you have a formal event and security log review process and trigger critical alerts in real time?

24 Is the server JHED-enabled?

Transmission Security -- Information passing over public networks such as the Internet is insecure. Johns

Hopkins requires users to take reasonable steps to protect all transmissions of E-PHI. For transmitting all or substantial portions of an E-PHI dataset, users may not use insecure protocols -- such as TELNET, FTP, most forms of IRC and unencrypted e-mail. If all or part of the dataset is to be transferred across the Internet, users should use secure encrypted transfer methods (such as JShare, Secure FTP or VPN) or should password protect or encrypt

file attachments [link to Encryption Guidance]. These transfers should include only the minimum amount of E-PHI.

24 Are users of E-PHI datasets instructed to avoid email messaging for and use encrypted file sharing services instead?

25 For those involved in data transfers do you use encrypted/authenticated transmission practices (e.g., SFTP, https)?

If you require assistance in developing your e-PHI application to be HIPAA compliant, please contact itpolicy@jhu.edu

Research Security Checklist -- Page 3 of 3

Version 2 13May15

Related documents
Security Checklist for Any E-PHI Dataset
Security Checklist for Any E-PHI Dataset
Dear students, you must test your nearest neighbor algorithms on
Dear students, you must test your nearest neighbor algorithms on
Political Science 366
Political Science 366
TROPICAL ECOLOGY ASSIGNMENT
TROPICAL ECOLOGY ASSIGNMENT
Position Statement
Position Statement
final-projects
final-projects
File
File
Download
advertisement