By Gary Evans
With big data comes great responsibility. The increasing array of devices and systems to access, store, and transfer research data calls for diligence and common sense to prevent breaches.
How seriously is the research community taking this threat? The National Institutes of Health has essentially hired hackers to constantly probe and test its database for the All of Us genome research project.
Adarsh K. Gupta, DO, MS, FACOFP, chair of the IRB at Rowan-SOM in Glassboro, NJ, addressed data threats at a recent Office for Human Research Protections workshop on privacy and health research.
“As ethics committee members, when you review research protocols be cognizant about the type of data storage option used by the researcher,” Gupta said. “Are they using a cloud, USB device, or mobile devices? What security risks come with these?”
The short answer appeared to be “many,” as Gupta reviewed the vulnerabilities of electronic devices and platforms. Using mobile devices poses a security risk unless steps to safeguard data are taken, he emphasized. If possible, IRBs should offer an option for researchers to lock down data, such as on a secure cloud storage or encrypted mobile and portable devices. Another common-sense point is to limit storing sensitive information as much as possible.
“If you don’t put it out there, it is safe,” he said. “If you do, you are liable and you have to keep an eye on that.”
Secure data are essential to comply with federal and state laws, protect the identity of participants, and preserve the integrity of the research. “Integrity means the data have not been altered or changed through some breach,” he said. “Lastly, make sure you have a secure copy in case of loss or theft of data.”
There are many regulations concerning data security, but HIPAA overrides all others, he said. If confidentiality is breached, the ramifications include potential embarrassment to participants and the risk of misuse of their personal information. “Those are the things we worry about,” Gupta said.
Some investigators equate conducting research on their phones to electronic banking. While financial institutions typically will protect customers from fraud and restore funds, investigators have no backup unless they have made a secure copy of their data, he emphasized.
“That’s why it’s important for researchers [and IRBs] to be proactive and make sure these kinds of breaches don’t happen,” Gupta said.
It is not uncommon for researchers to underestimate the risk to mobile phone cloud data. “Don’t put any protected health information on the cloud environment unless it’s really needed,” he said. “That’s the first thing — minimize putting any identifiers anywhere. If something is put on the net, it’s there somewhere in one form or other and somebody may find it and access it.”
Mobile devices have advanced so much a phone may have more computer functions than a desktop. “You can do work with Excel, PowerPoint, add a picture — everything is on there,” he said. “It is very useful, no doubt, but we have to worry about what is on the phone and how you are using it.”
For example, your phone could be at risk in a Wi-Fi hotspot if a hacker uses a Trojan virus to capture data. Some downloadable apps contain malware that can attack your phone data, he adds.
“Many health researchers may not know much about technology,” he said. “I have seen researchers who have no password on their phone. That’s the biggest security risk for a phone.”
For this and other reasons, it is a good practice to use separate phones for work and private calls. The work phone can include encryption software to log and access files that are not stored on the mobile device. “Be aware which cloud you are using,” Gupta said. “At our institution, we have a secure cloud we provide for all researchers, and they are only allowed to use that.”
Mobile phone security often is improved through software updates. Gupta recommended not deferring these when prompted to by a legitimate source.
Portable USB drives also call for common-sense measures, including not taking one of unknown origin and plugging it into your computer. “Make sure you keep the data encrypted on these devices,” he added.
Do not assume, as many do, that email is a secure form of data transmission. “Email opens up to the whole world,” he said. “A lot of this comes down to what data is being collected.”
In cases of research for publication, he said, data can be anonymized by removing all 18 of these HIPAA personal health identifiers:
• Exact location;
• Exact dates (except year);
• Phone and fax numbers;
• Email addresses;
• Social Security numbers;
• Medical record numbers;
• Insurance plan number;
• Account numbers;
• License numbers;
• Vehicle information;
• Device information
• IP numbers;
• Biometric information;
• Full face photos.