Murphy

1
Murphys Law

• If anything can go wrong,
• it will.

2
Data Security and Confidentiality

• a firm belief in Murphys Law and in the
  necessity to try and circumvent it.

3
What is VA Sensitive Information?

• VA sensitive information is defined in VA
  Directive 6504 as all Department data, on any
  storage media or in any form or format, which
  requires protection due to the risk of harm that
  could result from inadvertent or deliberate
  disclosure, alteration, or destruction of the
  information.

4
What is Sensitive VA Research Information?

• Sensitive VA research data consist of
  information that has been collected for, used in
  or derived from the conduct of VA research that
  fits the definition of VA sensitive information.
• Always err on the side of caution. Unless you
  are certain that specific research data are NOT
  sensitive, you should treat them as if they ARE.

5
How Can You Protect VA Research Data?

• Three-legged stool
• Technical safeguards (e.g., passwords,
  encryption, antivirus protection)
• Physical safeguards (e.g., locking up portable
  media)
• Good work practices (e.g., knowing all the
  requirements, using common sense)

6
Best Practices to Help Ensure Security

• Whenever possible, store VA research data on
  network drives with restricted access, not on
  your desktop computer
• Keep data in one file location for ease in making
  backups
• Better yet, simply backup all your VA research
  data in one location on a VA server

7
File Sharing

• Must not be on a device that you use for remote
  computing
• Only through authorized VA servers

8
Data Storage and Security Outside the VA

• Only on specifically designated systems and
  approved in advance
• Only where the non-VA systems or devices conform
  to, or exceed, applicable VA requirements

9
Non-VA System Requirements

• Must meet all requirements set forth in Federal
  Information Security Act (FISMA)
• Includes Federal Information Processing Standards
  (FIPS) 140-2 certification of all
  hardware/software
• Contact your local Information Security Officer
  (ISO) on how to obtain verification of this
  requirement

10
Principal Investigator Responsibilities

• Storage provisions
• Security measures
• Transportation or transmission methods
• Provisions for controlling access to the data
• Plans for how long identifiable information or
  linkages will be kept
• Provisions for disposition of the data at the end
  of the study

11
Certifying Each Protocol

• For all new research protocols, the principal
  investigator (PI) must certify that
• Use, storage and security of all information
  collected for, derived from, or used during the
  conduct of the research will be in compliance
  with all VA and VHA requirements.
• This will require that the PI complete two forms
• Data Security Checklist
• Principal Investigators Certification Storage
  Security of VA Research

12
De-identified Data

• Must meet both HIPAA and Common Rule requirements
• Remove all 18 HIPAA identifiers
• Removal of all information that alone or in
  combination could reveal identity of the
  individual

13
Submit questions through your local research
office to ResearchData_at_va.gov