March 13, 2017, by Stefan Rennick-Egglestone
A security plan for the US National Institutes of Health
I’ve been supporting research colleagues who are applying for permissions to access to data held by the US National Institutes of Health (NIH). This is data collected from patients, and relating to a serious medical condition, and hence considered very sensitive, even though anonymised at source.
To obtain access permissions, we have created a plan to meet stringent NIH data security requirements. I thought I’d summarise key features here, so as to provide a useful case study of the various issues that researchers may need to consider when working with data that is sensitive for ethical or commercial reasons.
NIH security requirements are particularly tight – the following may not all be necessary for other types of sensitive data, but the list is intended to be a starting point for consideration.
Physical access control
Data will only be analysed on desktop computers placed in a locked room, with electronic access control through University of Nottingham staff cards.
Digital access control
Accounts will only be created for those users who need them, and users will be provided with information about how to choose a secure password (analytical work will be performed on Linux, hence standard UoN accounts cannot be used). Passwords will expire, and need to be renewed, after 120 days.
Data will be stored on encrypted drives, locked in a filing cabinet in the same room when not in use.
Computers will be scanned by Information Services for a range of issues that might make them vulnerable to attack, before initial use, and at regular intervals. They will run up-to-date virus software and a monitoring agent which reports unusual activity. They will be protected from external attack by the institutional firewall, but their own firewall will also be turned on to protect against attack from within the campus.
Clarity of expectations
Users of research data will be asked to sign a written contract, specifying what they can and cannot do with NIH data. This includes a clear statement that researchers should not take away copies of data, or pass data to others.
Minimum access footprint
The most sensitive elements of the data will only be accessed by two expert researchers, who will do initial analysis work, generating secondary data which will be used by others.