IRBs and researchers likely underestimate their vulnerability to data security breaches, which are a growing problem across the healthcare industry. Data breaches and security issues, including criminal attacks, have grown to become an enormous problem in healthcare, according to a 2015 study by the Ponemon Institute (www.ponemon.org).
The study points to a five-year trend of increased criminal attacks. Previously, employee negligence and lost or stolen devices were the primary causes of data breaches; now, it’s criminal attacks, and no institution — no matter its size — is immune.
One strategy for protecting research data and human research protection programs from cyberattacks is to form a collaboration between an institution’s information technology (IT) department and the IRB.1
When they work together, the result is improved data security, says Susie Hoffman, RN, BSN, CIP, director of the University of Virginia IRB-HSR (Health Sciences Research) in Charlottesville.
“Working with personnel from our IT department has been a learning process,” Hoffman notes. “We come from different cultures with different goals, different objectives, different language, so it’s really an evolution of trying to make a process that works for both offices.”
The University of Virginia Information Security, Policy, and Records Office (ISPRO) reached out to the IRB about collaboration because the IRB was a gateway to researchers who needed information about better data security, says Tim F. J. Tolson, PhD, information security and policy analyst at the ISPRO.
“We saw this as a way to leverage what the researcher already had to do for the IRB,” Tolson explains. “We always have encouraged people to contact us, but we don’t have the leverage to make people contact us.”
Initially, the IRB and ISPRO shared policy guidelines and definitions to provide researchers about data security. This eventually grew into a formal process in which ISPRO reviews certain research studies, assessing their data security.
“When we had a new protocol come through that wanted to collect highly sensitive data on a smartphone app, we realized we were in over our heads and didn’t have the technical expertise to review the protocol,” Hoffman says. “So we turned to our colleagues in our ISPRO office. They quickly determined that the security measures the researchers had established were inadequate and would need to be replaced.”
This led both the IRB and ISPRO personnel to the conclusion that it would be far more efficient and better for investigators if data security experts could review and guide data security plans preemptively.
“Researchers want to do the right thing, but they’re not sure what that right thing is,” Tolson says. “We understand the primacy of their needing to get the research done, but what we’re going to do is find the most secure way to accomplish what they need to get done.”
The solution was for ISPRO to add IRB protocol reviews to the existing duties of one staff member at first and, as the workload grew, to assign review responsibility to a second staffer as well.
Tolson and Hoffman describe how the collaboration was established and works in the following ways:
• First, share and create policies. “The real first step was providing information about what the policies were,” Tolson says.
Researchers increasingly were asking the IRB whether their data safety plans complied with policy, and — separately — neither the IRB nor ISPRO could fully answer that question, he explains.
“In the last five years, a lot of medical research has moved away from paper, and data collection is online in some format,” Tolson says. “The IRB felt they didn’t have the technical expertise to judge whether a data server was adequately protected or whether it was permissible to place data on a particular cloud service provider.”
As IRB staff worked with ISPRO, they learned that researchers had been storing data in places that didn’t meet the institution’s security requirements, Hoffman notes.
“For example, researchers in one department had been storing all their data on a particular drive, and ISPRO staff discovered it wasn’t behind the firewall,” she says. “These kinds of issues arise because researchers are not IT experts.”
So the IRB needed a process for identifying which protocols would need additional data security and technical assessment, Hoffman says.
“We wanted ISPRO staff to review the protocols, but they didn’t have the personnel to review every single protocol that comes through our office,” she explains. “So we wanted to take advantage of their expertise when it was most needed.”
The solution was to screen protocols with an additional question about data security. The IRB and ISPRO staff worked together to develop the question.
Researchers are asked the following:
Will you do any of the following in this study?1
- Collect or store identifiable data onto an individual use device?
- Collect or store identifiable data via Web-based format via a non-UVA server?
- Collect or store identifiable data on the cloud?
- Collect or store to a server not included in the list of HIPAA-compliant servers?1
• Develop a data security plan. All researchers are required to complete a data security plan that asks for security details and documents the researchers’ plans for collecting, transferring, and storing research data. Review by the data security experts is required only if researchers answer “Yes” to the screening question. The IRB will not approve the protocol until ISPRO approval is received.1
“Basically, the plan asks, ‘How are you going to collect the information — on a tablet, smartphone app, on a piece of paper? — and what identifiers are going to be with that information?’” Hoffman says. “We had to break down the process into three steps: How are you going to collect the data? If you are transporting the data anywhere, how are you doing it: email, mail, faxing? Where are you storing the data?”
The ISPRO review evolved as part of the collaboration, Tolson says.
The IRB and ISPRO had different priorities when it came to assessing data security in research protocols. From the IRB’s perspective, these assessments were time-sensitive. From the ISPRO perspective, these assessments were important, but could be held if an immediate institutional data security issue arose, Tolson and Hoffman say.
“We were not used to working on those timelines, so we had to develop a process where data security review happened before the researcher submitted a formal protocol to the IRB,” Tolson says. “That’s been the heart of collaboration between our two groups: working to get the review done in a way that meets IRB timelines.”
• Determine a way to rate security risks. “Questions in the data security plan help the study team determine whether a study’s data is highly sensitive or moderately sensitive,” Hoffman says. “Then the privacy plan in the protocol provides concrete, specific examples of what researchers are allowed to do with data that meets either of these criteria and how to abide by institutional policies.”
“For instance, if you have highly sensitive data, such as identifiable health information, it has to be double-secured — either locked in a file cabinet and locked room or in an office that is locked in a building that is locked down,” Hoffman explains. “If data is electronic, then it has to be stored on one of the HIPAA-compliant servers. The information may not be placed on a flash drive or laptop; it may only be accessed via a VPN.”
For moderately sensitive data, which might be data that meets the criteria of a limited data set, only one level of protection is required, such as a locked file cabinet. The electronic data could be stored on a flash drive or laptop, she adds.
The only data that would be deemed not sensitive would be information that could be posted on a company website, Hoffman says.
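The screening question and the sensitivity tiers described above lend themselves to an automated pre-check that a study team could run before submitting a plan. The following is an added illustration written for this article, not UVA’s or ISPRO’s own tool; the Plan fields, the storage location names, and the conservative default tier for unclassified data are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

HIGH, MODERATE, PUBLIC = "highly sensitive", "moderately sensitive", "not sensitive"
INDIVIDUAL_DEVICES = {"flash_drive", "laptop", "tablet", "smartphone"}   # assumed names


@dataclass
class Plan:
    """A researcher's answers following the three-step plan: collect, transfer, store."""
    identifiable: bool              # identifiers (name, MRN, ...) travel with the data
    limited_data_set: bool          # data meets the limited-data-set criteria
    publishable: bool               # could be posted on a public website
    storage: str                    # "hipaa_server", an INDIVIDUAL_DEVICES value, "cloud", ...
    physical_locks: Optional[int] = None   # locks protecting paper records; None = no paper
    remote_access: str = "vpn"


def needs_ispro_review(p: Plan) -> bool:
    """The four-part screening question: identifiable data going anywhere other than
    a HIPAA-compliant server (individual device, non-UVA server, cloud, other server)
    is a 'Yes' and routes the protocol to ISPRO before the IRB will approve it."""
    return p.identifiable and p.storage != "hipaa_server"


def sensitivity(p: Plan) -> str:
    if p.identifiable:
        return HIGH                 # identifiable health information
    if p.limited_data_set:
        return MODERATE
    if p.publishable:
        return PUBLIC
    return HIGH                     # assumption: unclassified data gets the stricter tier


def check_plan(p: Plan) -> List[str]:
    """Return policy findings; an empty list means the plan matches the stated rules."""
    tier, findings = sensitivity(p), []
    if tier == HIGH:
        if p.storage != "hipaa_server":
            findings.append("highly sensitive electronic data must be on a HIPAA-compliant server")
        if p.storage in INDIVIDUAL_DEVICES:
            findings.append("highly sensitive data may not be placed on a flash drive or laptop")
        if p.remote_access != "vpn":
            findings.append("highly sensitive data may only be accessed via VPN")
        if p.physical_locks is not None and p.physical_locks < 2:
            findings.append("highly sensitive paper records need two locks (cabinet and room)")
    elif tier == MODERATE and p.physical_locks is not None and p.physical_locks < 1:
        findings.append("moderately sensitive records need at least one lock")
    if needs_ispro_review(p):
        findings.append("screening question answered 'Yes': ISPRO review required first")
    return findings
```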
• Obtain buy-in. ISPRO and IRB employees have adapted well to the collaboration, Tolson and Hoffman say.
“I was pleased they were as interested as we were in how researchers store and handle data appropriately and securely,” Tolson says.
Also, Tolson and Hoffman worked together to present information about research and data security to research coordinators and investigators.
“We tried to make it a very open process to researchers to let them know we value their input about what works and what doesn’t,” Tolson says. “We’re not here to obstruct or prevent what they do; we’re here to help them do it in a secure manner.”
While some IRBs might handle data security and protocol issues by having an expert on the IRB panel, this was not the best solution for the University of Virginia IRB, Hoffman notes.
“We didn’t want the IT security expert to have to sit through IRB meetings and listen to protocols that had no security risk. That’s why we decided to handle this separately, outside of the full board, just like radiation safety or pharmacy approval,” she explains.
The collaboration has resulted in open communications between researchers, IT security staff, and IRB staff, Tolson and Hoffman add.
“The collaboration has been wonderful because they have been very willing to hear what we have to say and make adjustments to their processes,” Tolson says. “And on our side, we’ve been trying to adjust and accommodate the things that are important to them.”
Hoffman agrees: “We’re now on a first-name basis, and we can call each other whenever we have a question,” she says. “Researchers know who the IT experts are and they know to go to them if their study involves a process that might increase the data security risk.”
1. Hoffman S, Davis B, Tolson T. Improved data security via collaboration between the information security office and the IRB. Presented at the 2015 PRIM&R AER Conference, held Nov. 12-15, 2015, in Boston. Poster 22.