
Improving data security and maintaining patient confidentiality in a time of evolving information technology (IT) and limited resources.


Presentation Transcript


  1. Improving data security and maintaining patient confidentiality in a time of evolving information technology (IT) and limited resources

  2. J. Jackson-Thompson, MSPH, PhD • Operations Director, Missouri Cancer Registry and Research Associate Professor, Health Management & Informatics, University of Missouri-Columbia • jacksonthompsonj@health.missouri.edu • 573 882-7775 • http://mcr.umh.edu

  3. Acknowledgments • Co-author: Nancy Cole, BS, CTR, MCR Operations Manager (colen@health.missouri.edu) • MCR Staff • Saba Yemane, BA, BS, Database Manager • Iris Zachary, CTR, MS (Informatics), Asst DBM • Alena Headd, MSIT Systems Analyst • University of Missouri IT Security Team

  4. This project was supported in part by a cooperative agreement between the Centers for Disease Control and Prevention (CDC) and the Missouri Department of Health and Senior Services (DHSS) (U58/DP000820-02/3) and a Surveillance contract between DHSS and the University of Missouri. No personal financial relationships with commercial interests relevant to this presentation existed during the past 12 months.

  5. Background • All U.S. states and Canadian provinces maintain a central cancer registry (CCR) that collects information on all (≥ 95%) new cases of cancer. • All CCRs collect demographic, tumor & treatment data on each case, using • text and standard codes • standard data layout.

  6. Background: Uses of CCR Data • Public health surveillance • Cancer incidence/trends by race, gender, age group, specific site, stage at diagnosis, etc.; • Program evaluation; • Research • QOL, patterns of care studies, etc.

  7. CCRs are required to: • Meet national standards for completeness, timeliness & quality • e.g., NAACCR, CDC/NPCR, NCI/SEER • Protect patient and provider confidentiality • Specific state & federal statutes/laws/regs • Maintain data security • Some guidelines

  8. MCR Data • Process > 50-60,000+ records/year • c. 29,000 MO incident cases • Data exchange w/ 20 states • Database >1 million records (1972-2009) • Population-based since 1985 • NPCR reference year 1996

  9. MCR Software • Registry Plus suite of products • Started w/ Abstract Plus, then Web Plus & Link Plus • Switched to CRS Plus in 2007 • Use other software as needed • SEERStat* and SAS for data analysis • MoveIT for importing VA data

  10. MCR Approach to Data Security • Similar to reporting of cancer cases: • Report not because of a law but so we can work together for better patient outcomes. • Be vigilant about data security not based on statutory & contractual obligations but because it is the right thing to do: • Reporting facilities & cancer patients trust us.

  11. MCR Concerns • Minimal IT input on MCR software, hardware or data flow since 2005; • No strong passwords on Registry Plus products: • Web +, CRS +, Abstract +, Prep + • Strong passwords not on all laptops: • Passwords taped to some laptops.

  12. Purpose of Presentation • To describe steps taken by MCR to assess and improve the security of data, systems and processes.

  13. Methods • Reviewed MCR’s security processes and procedures. • Identified and assessed data security measures already in place. Measures: • Designed to cover all data, electronic or paper • Included Policies and Procedures that were updated as needed

  14. Examples of Data Policies and Procedures • No PHI on thumb drives • No PHI in e-mails or attachments • Lock file cabinets & offices • Only MCR staff have keys to MCR offices • Send charts/records to PO Box or by FedEx • Carry mail & data in locked bags

  15. Data Security Measures • Ongoing training for staff • All MCR staff reminded annually by signing: • Confidentiality agreement; • Acknowledgment of state and federal laws about penalties; and • MCR laptop security policy. • “The Security Mouse was here”

  16. Weather alert changed MCR’s paper-handling policies • Tornado drill – staff from another unit directed to MCR office • Led to changes: • Change in drill location • More locking cabinets • Lock doors if leave • No papers visible • Cross-cut shredder

  17. Actions re. electronic data security • Requested that the University of Missouri’s (MU) IT security team audit our systems & business practices.

  18. Data Security Structure • MU • IT: dept, campus and hospital • Servers housed off-site in 24/7 IT facility • Most reporting facilities use Web Plus (VA hospitals use MoveIT) • DHSS/State Office of Administration • SFTP site folder restrictions at DHSS • BCCCP data • Some path lab data (PHIN/MS)

  19. MU Information Security Program • System initiative - all 4 campuses • MCR & IT Security Team met to review issues: • Data classification systems • General security procedures • strong passwords, encryption, etc. • Workplace security manual • Audits

  20. Steps for each phase of security inspection program • Identification • Coordination • Inspection • Evaluation • Recommendation • Repetition

  21. What IT Audit Includes • Hard drive security • Data flow • Applications • Desktop risks • Firewall issues with individual computers • Hardening operating system • Laptop & jump drive encryption • Virtual servers

  22. Audit priorities established • Start with Web Plus: • Considered MCR’s most vulnerable area by Audit team • Concern about text fields – places where hackers could include hazardous characters.

  23. First phase: Applications – Web Plus Audit • Facility abstractor/uploader and central administrator/central abstractor/reviewer. • 52 hours of testing using an automated vulnerability scanner and manual inspection of web pages. • Results: 4 high-risk vulnerabilities, several moderate risks. • Auditor comments: • “Went better than expected.” • “Web Plus is a good application.”

  24. Web Plus Audit - continued • Results sent to CDC • High-risk vulnerabilities & some moderate risks fixed immediately • Requested 2nd scan to test fixes • Second scan results • No high-risk vulnerabilities detected • Fixes on moderate risks also worked • Remaining moderate risks fixed.

  25. Second Phase: Hardening operating systems • Server audit issues related to: • Configuration • Proper port use, etc. • Management • Managing administrative infrastructure • Controlled access to file system & resources • Process is ongoing (virtual servers)

  26. Next Steps • Increase security on mobile devices (Laptops, external hard drives, etc.): • Identify & purchase encryption software • Consider alternatives: • Remote access reduces need for abstracting software (and PHI) on laptops.

  27. Future Steps • Research use of encryption software for desktop computers: • TrueCrypt (open-source software) • Other options • Determine security level of networked drive.

  28. Other Security Concerns • Physical space: • MCR has P & Ps for off-site and commuting staff • MCR developed P & Ps for paper containing PHI, locking office, etc. • Audit of MCR’s space by MU Security requested 10/09 • Attempt to kick in door

  29. Recommendations • Start with your institution’s P&Ps: • CCRs may need to be more restrictive. • Use CDC/NPCR or other guidance. • Annually, require that CCR staff sign: • Confidentiality agreement; • Acknowledgments of state and federal laws about penalties; and • CCR security policy.

  30. Recommendations continued • Look for opportunities to further employee awareness: • Items in the news, etc. • Computer stolen from unsecured work station. • Learn from other organizations’ practices and mistakes.

  31. Conclusions • Frequent review of security processes and business practices is needed to maintain data security. • Many improvements involve minimal cost; others require funding.

  32. Causes of Data Breaches • Private files available in public spaces. • Unused files with personal information. • Lost or stolen laptops. • Old or unused equipment without updated security protection. • Sending files/allowing file access to wrong (reporting) facility.

  33. You think you are secure! • “…no matter how secure you are you fundamentally still are at risk.” • Howard Schmidt, a former Bush cyber-security adviser, now president of the Information Security Forum. February 23, 2009 – fcw.com • “The only way to 100 percent protect yourself from attacks is to turn off your computers.” • Dan Chenok, chairman of the Information Security and Privacy Advisory Board, an advisory panel to NIST. February 23, 2009 – fcw.com

  34. Resources • CDC/NPCR Data Security: http://www.cdc.gov/cancer/npcr/tools/security/ • For complete details about MU’s Information Security program: http://doit.missouri.edu/security/ • Federal Computer Week - Complimentary paper subscriptions, also available on-line. Variety of topics, including security: http://www.fcw.com

  35. MU IT security team: http://doit.missouri.edu/security/ • Manager: Brandon Hough • Auditors: Tyler Hargis, Michael Morrison, Caine Henderson, Sara Rohrs • Audit coordinator: Becky Fowler • Safety awareness: Kristy White • Account management: Megan Hartz, Joanne Boomer
