Research Data Classification and Secure Storage Options
Explore the classification of research data into public, private, secure DoD, and VA data categories, with examples and guidelines for secure storage options. Understand the risks associated with unauthorized disclosure of private/confidential data and learn how to protect sensitive information to prevent potential harm to individuals, research subjects, patients, and the university.
Research Data and Secure Storage Options
Ashok Mudgapalli, MS, Ph.D.
Director of Research IT Office (RITO)

Agenda
I. UNMC Data Classification
II. Research Data Storage Options
III. UNMC Box
IV. UNMC Box Security
V. Contacts and Resources
VI. Q&A

How do I classify my Research Data?
1. Public Data
2. Private / Confidential Data
3. Secure DoD Data
4. VA Data

Public Data
Definition: Data that, if lost, poses little to no risk to the University or you.
Examples: Public policies and procedures manuals, campus maps, job postings, non-private University contact information, press releases, course information, published research results.
Password Protection: No password protection required.
Data Transfer: These data can be transferred in any manner at the owner's risk, but Internet, USB, and data sharing sites are all OK.
Cloud / Premise Server Storage: Server storage is recommended, but not required, and password protection is recommended to prevent inappropriate or unauthorized modification of information. Publicly exposed documents should be in the read-only category.
Cloud / External Storage: No protection requirements required.
Workstation and Laptop Storage: No protection requirements required. However, the computer should be encrypted as per UNMC policy 6051.
Removable / Portable Media Storage: No protection requirements required. However, the media should be encrypted as per UNMC policy 6051.
Disaster Recovery: Should be backed up in a separate location to prevent loss.
Remote Access: No password required.

Private / Confidential Data
Definition: Unauthorized disclosure, alteration or destruction could result in a significant risk to you, research subjects, patients, or students and/or the University or its employees or its affiliates.
Examples:
I. Student records, non-public research data, employment or admission applications, personnel files, individual benefits information, birth date, and personal contact information, donor contact information and non-public gift amounts, privileged attorney-client communications, non-public policies, UNMC internal memos and email, budgets, plans, and financial information, contracts, University and employee ID numbers.
II. All Protected Health Information (PHI), which includes any of the following:
1. Patient names
2. All geographical subdivisions smaller than a State (e.g., street address, city, county, precinct, zip code)
3. Date other than year directly related to an individual (birth, admission, discharge, or death date); or age over 89 unless aggregated as 90 or older
4. Phone or FAX number
5. E-mail or Internet Protocol (IP) addresses, or Web Universal Resource Locators (URLs)
6. Social Security, medical record, or health plan beneficiary numbers
7. Account, or certificate/license numbers
8. Vehicle identifiers and serial numbers, including license plate numbers
9. Device identifiers or serial number
10. Biometric identifiers, including finger and voice prints
11. Full face photographic images and any comparable images; or
12. Any other unique identifying number (e.g., passport or visa numbers)

Private / Confidential Data (continued)
Examples:
III. Export controlled information under U.S. laws; data protected by state or federal regulations; and/or data protected by confidentiality agreements.
Password Protection: Limited to those permitted under law, regulation and policies, and on a need to know basis. At least one physical (e.g., locked room and/or card access) or electronic barrier (e.g., software- and/or hardware-based firewalls) should be in place when not under direct individual control of an authorized user.
Data Transfer: Encryption and/or password protection required to transmit information through a network. Use UNMC email services to transfer confidential information within the network and to external entities. Transfer should be encrypted if sent over the Internet, or university-approved resources (e.g., Box or SharePoint).
Cloud / Premise Server Storage: Box, SharePoint and server storage is highly recommended unless otherwise stated by law, regulation, contract, or other agreement. Server security must follow internal and external requirements including physical and logical access protection.
Workstation and Laptop Storage: Data if stored on a workstation or laptop must follow internal and external requirements including physical and password protection. It is recommended that these data be placed in a folder with additional password or encryption.
Removable / Portable Media Storage: Encrypted external hard drive or other university approved resources (e.g., Box) but not USB or other portable devices should be used unless otherwise agreed upon by law, regulation, contract, or other agreement. Removable and portable media must be encrypted and contain a layer of logical and physical access protection unless under the direct use of authorized individuals.
Disaster Recovery: All Private/Confidential Data should be backed up on a server in a separate physical location that contains similar logical and physical security controls in place.
Remote Access: Requires VPN secure remote access.

Secure DoD Data
Definition: Unauthorized disclosure, alteration or destruction of these data could cause a significant level of risk to the United States, University or other partners. Security controls should be applied as defined by the level of security of the data.
Examples: Non-public information provided to a contractor, information developed during the course of a DoD contract, grant, or other legal agreement, privileged information contained in transactions, Military Health System information, data protected by state or federal privacy regulations and data protected by confidentiality agreements, or other sensitive information that is not included in the Private/Confidential data type.
Password Protection: Access is limited to those permitted under law, regulation, and policies, and on a need to know basis. Access defined by the defined level of security.
Data Transfer: Defined by level of DoD security classification but may require special military-grade encryption or information security protocols.
Cloud / Premise Server Storage: Defined by level of DoD security classification but may require special military-grade encryption or information security protocols.
Workstation and Laptop Storage: DoD classified information needs to be stored separately on devices accessible to only those approved to access. Degree of security as defined but may require special military-grade encryption or information security protocols.
Removable / Portable Media Storage: Removable and/or portable media storage is not allowed. If it needs to be used, UNMC recommended encryption, access control and password protection need to be applied.
Cloud / External Storage: Cloud or external third party storage is prohibited.
Disaster Recovery: All DoD classified information must be backed up according to law, regulation, contract, or other agreement.
Remote Access: Remote access via the UNMC VPN utilizing two factor authentication is allowed.

VA Data
Definition: Unauthorized disclosure, alteration or destruction could result in a significant risk to you, research subjects, patients, the VA or its employees or its affiliates.
Examples:
I. Non-public research data, personnel files, internal memos and email, budgets, plans, and financial information, contracts.
II. All Protected Health Information (PHI)
III. Private Personal Information (PPI)
Password Protection: Limited to those permitted under law, regulation and policies, and on a need to know basis. At least one physical (e.g., locked room and/or card access) or electronic barrier (e.g., software- and/or hardware-based firewalls) should be in place when not under direct individual control of an authorized user.
Data Transfer: Encryption and/or password protection required to transmit information through a network. Use UNMC email services to transfer confidential information within the network and to external entities. Transfer should be encrypted if sent over the Internet.
Cloud / Premise Server Storage: Must be on VA servers.
Workstation and Laptop Storage: Data if stored on a workstation or laptop must follow internal and external requirements including physical and password protection. It is recommended that these data be backed up on VA servers.
Removable / Portable Media Storage: Removable and portable media must be VA approved, encrypted, and Federal Information Processing Standard Publication (FIPS PUB) 140-2 compliant.
Cloud / External Storage: Cloud or external third party storage is prohibited.
Disaster Recovery: All Private/Confidential Data should be backed up on a server in a separate physical location that contains similar logical and physical security controls in place.
Remote Access: Requires VA VPN secure remote access.

Research Data Storage Options
I. RITO Enterprise Storage (PHI & non-PHI)
II. Office365 SharePoint (PHI & non-PHI)
III. BOX Cloud Storage (PHI & non-PHI)
IV. Attic Storage (non-PHI at PKI)
V. ITS managed on premise Enterprise storage (contact ITS HelpDesk)

II. Research Data Storage - Local
Storage Option | Can protect PHI? | Cost/year | Suitable for | Comments
Enterprise (on site) | Yes | $499/TB | Daily or more frequent access | More robust and dynamic environment, automatic replication and weekly backup
Holland Computing Center, Omaha | No (non-PHI only) | $250 / TB ($105 / TB if no replication and backup) | Daily or more frequent access | Automatic backup / replication if desired
Department / College / Unit server | No | Do not use | Retired | NA

II. Research Data Storage in Cloud
Storage Option | Can protect PHI? | Cost/year | Suitable for | Comments
BOX Cloud (Enterprise Grade) | Yes | $115 / user / year / unlimited space for data that can be accessed regularly | Daily or more frequent access | Automatic backup / replication. Each file must be <= 32 GB in size. Unlimited days' worth of deleted files available in the Box Trash can. Up to 100 versions of a single file can be maintained.
UNMC 365 SharePoint | Yes | Free | Daily or more frequent access | Offered by UNMC ITS (Microsoft 365 solution). Contact ITS Help Desk for more information. Each file size can be 5 GB or more. Contact HelpDesk for latest information.

II. Research Data Storage Off Site
Storage Option | Can protect PHI? | Cost/year | Suitable for | Comments
UNMC Office365 OneDrive | Do not use for storing research data | Free | Daily or more frequent access | Not recommended for research data storage but can be used for Word, Excel, PDF and other document types.
Third party vendor storage solutions, Dropbox, Amazon Cloud, Google Docs | No | NA | NA | All File Shares have been decommissioned.
*Replication: Creates a copy of the file (live) at remote location
**Backup: Backup files point in time to remote location

UNMC Box Security (Info from Box security team)
Secure data centers: User data is stored on enterprise-grade servers that undergo regular audits and are monitored 24/7.
Redundancy: Files are backed up daily to additional facilities.
All files uploaded to Box are encrypted at rest using 256-bit AES encryption.
For files in transit, AES 256 is a supported cipher; however, Box defaults to RC4-128 encryption. Box does this to mitigate a known vulnerability in SSL called the BEAST attack, which an attacker could use to hijack someone's web session when other ciphers (including AES 256) are used.
128-bit encryption is currently considered safe and secure for data in transit.

UNMC Box Security (Info from Box security team)
Box is SAS70 Type II and Safe Harbor certified, ISO27001 certified (globally recognized security standard) and supports RC4 encryption.
Disaster Recovery: Box physical infrastructure is designed not only for disaster recovery, but true disaster avoidance, building in advanced measures for N+1 redundancy for all components, geographical diversity, physical security, and environmental controls.
Access to systems is monitored around the clock by onsite monitoring and guards, and access to cages is restricted to only top-level clearance Box employees, managed by keys and biometric scanning.

Resources
Research IT Office (RITO) web site (http://www.unmc.edu/vcr/rito/index.html) has storage options in more detail.
UNMC BOX Cloud Storage (https://app.box.com/login/)
Contact RITO for more information: rito@unmc.edu

Who's Who
RITO Personnel | Role | Phone | Contact Email
Ashok Mudgapalli, MS, Ph.D. | Director of Research IT | 559-9072 | ashok.mudgapalli@unmc.edu
Mike Gleason, Ph.D. | Programmer Analyst III | 559-9088 | mgleason@unmc.edu
Mike Zietz, BS | Programmer Analyst II | 559-4857 | mike.zietz@unmc.edu
Vinod Kumar Yarroju, MS | Programmer Analyst II | 559-4878 | vinodkumar.yarroju@unmc.edu
Amruthavally Konakanchi | Programmer Analyst II | 559-3821 | a.konakanchi@unmc.edu