|
Privacy & Confidentiality Issues
|
|
SEER-MHOS Policy on Encryption & Data Security: Portable Devices & Removable Media
There have been a growing number of reports of stolen laptops that have
contained sensitive personal data about patients in clinical studies. Because of
the potentially sensitive nature of the SEER-MHOS data, the National Cancer
Institute (NCI) implemented a new policy, effective June 2008, related to how
the SEER-MHOS may be stored, transferred or used on portable devices and
removable media.
Definitions of Portable Devices & Removable Media
- A portable device includes any non-fixed equipment that contains an
operating system which may be used to create, access or store SEER-MHOS data.
This includes but is not limited to laptops, personal digital assistants (PDAs),
and smart phones.
- Removable media includes, but is not limited to: CDs, DVDs, MP3 players,
removable memory, and USB drives (thumb drives).
Policy
Any investigator who has obtained the SEER-MHOS data (including all persons
with access to the data) must take all reasonable measures to ensure the safety
and confidentiality of the data that are downloaded to any portable device or
removable media. Reasonable measures include storing large files only on network
drives or password-protecting data AND encrypting any data on a portable device or
removable media. Encryption is a method used to protect the confidentiality,
integrity, and authenticity of the data. SEER-MHOS data stored on portable
devices or removable media must be encrypted using one of the following approved
encryption standards: Data Encryption Standard (DES) that uses a 64-bit
input-output block size; Advanced Encryption Algorithm (AES) that uses a 128,
192, or 256-bit key size; or International Data Encryption Algorithm (IDEA) that
uses a 128-bit key size. If any portable device or removable media containing
SEER-MHOS data are lost or stolen, the investigator must report the loss to the
SEER-MHOS contact within 24 hours/first business day of discovering the
loss.
|
|