The ISO and the IRB: Protecting Research Information - PowerPoint PPT Presentation
Provided by: alanpapier

1
The ISO and the IRB: Protecting Research Information
  • October 7, 2009

2
Discussion Topics
  • Field Security Service Region 4 Overview
  • What Does An ISO Do
  • Why Is The ISO A Member Of The IRB
  • The Information Security Review
  • Benefits Of Using A Checklist
  • When Should The ISO Review A Study
  • What If The ISO Identifies An Information
    Security Issue
  • What The ISO Should Not Do
  • Other ISO Research Activities

3
Field Security Service
  • Director of Field Security Service
  • Special Projects Coordinator
  • Information Security Officers Division
  • Data Center Support Division
  • Health Information Security Division
  • Region 1: Network 1, 2, 3, 4, 5, OIT, FO, POs
  • Region 2: Network 12, 15, 16, 17, 23, POs, SOC
  • Region 3: VBA, NCA, VACO, AAC
  • Region 4: Network 6, 7, 8, 9, 10, 11, POs
  • Region 5: Network 18, 19, 20, 21, 22, POs
4
Field Security Service Leadership
  • IT FSS Director (Supervisor): Randy Ledsome
  • Special Projects: Vacant
  • IS RD, Region 1 (Supervisor): Dennis Smith (Acting)
  • IS RD, Region 2 (Supervisor): Alan Papier (Acting)
  • IS RD, Region 3 (Supervisor): Barbara Smith
  • IS RD, Region 4 (Supervisor): Alan Papier
  • IS RD, Region 5 (Supervisor): Dennis Smith
  • Data Center Support Division (Supervisor): Casey Johle
  • HISD (Supervisor): German John Baron
  • Region 1
      • Network 1 ISO (Supervisor): Tim O'Donnell
      • Network 2 ISO (Supervisor): Tim O'Donnell (Acting)
      • Network 3 ISO (Supervisor): Charles Kondracki
      • Network 4 ISO (Supervisor): Starr Washington
      • Network 5 ISO (Supervisor): Erich Fronck
      • Network OIT ISO (Supervisor): Dan Cleaver
  • Region 2
      • Network 12 ISO (Supervisor): Bill Naida
      • Network 15 ISO (Supervisor): ChrysAnn Higginbotham
      • Network 16 ISO (Supervisor): Mike Ward
      • Network 17 ISO (Supervisor): Diane Dixon
      • Network 23 ISO (Supervisor): Louis Dolton
  • Region 3
      • Network VBA Eastern Area ISO (Supervisor): Connie Hamm
      • Network VBA Southern Area ISO (Supervisor): Jessica Lewis
      • Network VBA Central Area ISO: Shelia Farmer
      • Network VBA Western Area ISO (Supervisor): Patrice Volante
      • Network VACO ISO (Team Lead): Louise Lovett-Robinson
      • Network Program Office ISO: Judy Huffjman
  • Region 4
      • Network 6 ISO (Supervisor): Steve Blackwell
      • Network 7 ISO (Supervisor): Greg Walker
      • Network 8 ISO (Supervisor): Dale Bogle
      • Network 9 ISO (Supervisor): Chris Varacalli
      • Network 10 ISO (Supervisor): Kristin Steel
      • Network 11 ISO (Supervisor): Cynthia Gentille
  • Region 5
      • Network 18 ISO (Supervisor): Steve Kerby
      • Network 19 ISO (Supervisor): Armando Diaz De Leon
      • Network 20 ISO (Supervisor): Michael Sutherland
      • Network 21 ISO (Team Lead): Mary Ebner
      • Network 22 ISO (Team Lead): Doug Foster
  • Region 4 provides information security support to
    the CIRB.
  • Lucy Fleming has been assigned membership until a
    Sr. Research ISO is selected.

5
What Does An ISO Do
  • The following list is not all-inclusive
  • Evaluate confidentiality, integrity and
    availability of information systems
  • Coordinate the protection of sensitive data
  • Report security incidents within one hour
  • Provide IS awareness information to staff and
    assure annual security awareness training

6
What Does An ISO Do - cont.
  • Participate in facility rounds
  • Interact with inspection/review teams on IS
    issues (IG, ITOC, JCAHO, SCA, SOARS, etc.)
  • Lead business continuity and contingency planning
    relative to availability of information
  • Act as subject matter expert (SME) on information
    security issues

7
What Does An ISO Do - cont.
  • Assure that CBOCs have the same security posture
    as the primary facility
  • Authorize access to information systems
  • Audit the data destruction/sanitization program
  • Review compliance with research information
    security requirements
  • Serve as non-voting member of IRB or RDC

8
Why Is The ISO A Member Of The IRB
  • To ensure research complies with Federal and VA
    information security laws, regulations and
    requirements
  • To identify potential information security
    vulnerabilities and work with investigators to
    mitigate them
  • To serve as a SME and advisor to the IRB (and RD
    Committee) on information security issues
  • To review applications and other relevant
    material and inform IRB of findings
  • Note: The ISO is appointed to serve as a
    non-voting member.

9
When Should The ISO Review A Study
  • When human subjects are involved
  • Prior to approval of initial submission
  • When changes are made to data capture, storage or
    retention
  • Every three years
  • In coordination with Research Compliance Officer
    (RCO) compliance audits

10
The Information Security Review
  • Facility may use a specific IS document, such as
    a checklist, or include information security
    specific information in a dedicated section
    within the application
  • ISO should briefly review the full application in
    addition to a more detailed review of any IS
    specific information
  • ISO must provide a summary of findings to the IRB
    or RDC that either:
      • Indicates all VA and Federal IS requirements
        have been met, or
      • Identifies specific deficiencies along with
        suggested options to correct them

11
The Information Security Review - cont.
  • The ISO must provide the summary findings within
    the established time frame so as not to prolong
    the approval process:
      • Prior to the convened IRB where the study will
        be reviewed
      • Prior to final approval when expedited review
        has been requested
      • To the ACOS/RD prior to initiation of the study
        when the study is exempt
  • The ISO should confirm the investigator's
    information security awareness training is up to
    date.

12
The Information Security Review - cont.
  • The ISO should look for:
      • Whether the PO and/or PI identified that
        sensitive information will be collected
      • Whether the VA Research or HIPAA Consent Form
        authorized disclosure
      • Whether data or information will be disclosed
        or re-disclosed to non-VA entities, e.g. a
        pharmaceutical company, NIH, research
        organization or medical center
      • Whether VA sensitive data will reside only in a
        VA protected environment
      • Whether VA sensitive data will reside on non-VA
        equipment (OE) or in a non-VA protected
        environment, including an affiliate, business
        partner, statistician, etc. If so, the ISO
        should ensure a waiver, MOU or ISA
        (Interconnection Security Agreement) is in place

13
The Information Security Review - cont.
  • The ISO should look for:
      • VA Handbook 6500 waivers, if required, for VA
        owned sensitive information stored on other
        equipment (OE) if there is no MOU/ISA with the
        remote site
      • Whether the VA Research Consent Form indicates
        where the participants' data will be stored and
        who will have access to the data
      • How data will be securely transported, i.e.
        FIPS 140-2 validated encryption; off-site
        waivers to transport data
      • How and where data will be securely stored and
        backed up
      • Use of mobile storage devices or medical devices
      • How the data system is secured

14
The Information Security Review - cont.
  • The ISO should look for:
      • A statement that information will be retained
        for audit purposes
      • Information regarding how data will be accessed
        and by whom
      • How data will be returned to the VA and how it
        will be disposed of
      • How suspected or confirmed loss of VA
        information will be reported
      • Evidence of compliance with Information Security
        Awareness Training
      • Evidence of appointment on medical center staff
      • MOU, DUA, DTA, ISA as appropriate

15
The Information Security Review - cont.
  • A word about the MOU/ISA, i.e. Memorandum of
    Understanding/Interconnection Security Agreement
  • An MOU, in this discussion, is a document
    established between parties that defines their
    respective responsibilities in establishing,
    operating, and securing a system interconnection
  • An ISA (aka SIA) is an agreement established
    between the organizations that own and operate
    connected IT systems that documents the technical
    and security requirements of the interconnection.
    The ISA supports an MOU between the organizations
  • The MOU document and the ISA document are most
    often combined into one MOU/ISA
  • Local OIT management, the ISO, the system owner,
    and the Enterprise Security Change Control Board
    approve the MOU/ISA

16
The Information Security Review - cont.
  • More about the MOU/ISA:
      • Not required for internal agency systems
      • Should be obtained prior to connection with the
        system
      • Should be obtained prior to sharing of sensitive
        data/information
      • Should detail the rules of behavior that must be
        maintained by the interconnecting systems
      • Will define the party responsible for the
        expense of antivirus software, patches and
        updates

17
Benefits Of Using A Checklist
  • Informs the PI of the basic research IS
    requirements
  • Standardizes the IS review and requested
    information for the PI, IRB and ISO
  • Assures necessary information is captured to
    evaluate confidentiality, integrity and
    availability of research information
  • Provides mechanism for PI to provide IS
    information
  • PI and ISO signify agreement on IS issues when
    both sign
  • Checklist is submitted to the IRB or RDC

18
What If The ISO Identifies Information Security Issues
  • The ISO should discuss with the study team, i.e.
    the PI and/or study coordinator, and recommend
    other options
  • The ISO should follow up with the investigator to
    assure compliance before the study is initiated
  • If unresolved, findings should be reported to the
    IRB or RD Committee.
  • It is the responsibility of the IRB or RD
    Committee to take any appropriate action

19
What The ISO Should Not Do
  • Approve or disapprove research
  • Impede research
  • Prevent research
  • Stop research
  • Comment on aspects of the research other than IS

20
Other ISO Research Activities
  • Participating in regulatory audits:
      • Each study at least every three years
      • In conjunction with the RCO and affiliate ISO
        equivalent
      • Assess VA and Federal laws and regulations
      • Assure consistency with the approved study in
        terms of IS
      • Discrepancies can be corrected on the spot
      • Summary report provided to the RCO
      • Significant concerns should be elevated to
        ACOS/RD, IRB Chair, Medical Center Director and
        others as appropriate

21
Other ISO Research Activities
  • Participating in environmental rounds, including
    research areas
  • Reviewing offsite facilities storing VA sensitive
    research information (along with the offsite ISO
    or equivalent)
  • Reporting confirmed or suspected information
    security breaches and incidents to VA-SOC
    (Security Operations Center) within one hour
    of awareness and following through to resolution
  • Reviewing the protection of data and information
    in data repositories

22
  • Information Protection is EVERYONE's Responsibility!

23
Q&A
  • Alan Papier
  • Region 4 Information Security Director
  • 908-604-5327
  • Alan.Papier_at_va.gov
