** NOTE: PIs should consult the new ORD guidelines posted February 6, 2007 **
Items to be included in a Data Security Plan

Requestors of VA-Medicare data must provide VIReC
with an IRB-approved data security plan. A comprehensive
data security plan will address all of the questions
listed below. Researchers should work with their
system administrator, local ISO, and privacy officer
to develop a comprehensive data security plan.
Plans that fail to address any of the questions
listed below will be returned to the requestor
for additional information. Examples are provided
to help clarify the questions.

Where will the data be stored? Will it be networked? Will it be protected by a firewall?
How will physical access to the data storage system be restricted?
Who will have access to the data storage system?

Example for data stored on servers: The data
will be stored on a server in a locked room on
the grounds of Soldier’s Memorial VA Medical
Center. Access to the server room is limited to
system administrators. The server is connected
to the VISN 99 network, which is behind the VISN
99 firewall. Data will only be stored on network
drives and not on local drives. There will be no
remote access to the data.

How will the data be logically secured? Who will have authority to access the data?

Example: Only authorized project staff members
will have access to the data and access to directories
in which the data is stored.
Authorized project staff members will be assigned
an active, individually unique user identification
code and an individually unique password to the
server/network containing the data. The accounts
and passwords will comply with existing VA policies
and procedures for computer access. Passwords will
not be shared. All users will be trained in the
protection of patient privacy and workstation security
including the policies described above prior to
receiving authorization to access the data.
User identification codes limit access to specific
directories and files based on roles and responsibilities,
and are updated when roles and responsibilities
change. Access is granted only at the authorization
level appropriate for each user (e.g., read-only,
update, delete, print).
Workstation security includes an automatic password-protected
screen saver that activates after 15 minutes of non-use. Workstations
left unattended will be locked.

Will the data be physically (CDs, DVDs) or electronically (via email or FTP) transferred?
If so, how will it be protected?

Example: There will be no transfer of data via
the Internet, e-mail or file transfer protocols
(FTP), or through electronic media (CDs, DVDs)
after receipt from VIReC. The CDs received from
VIReC, along with all printed material containing
individual level data, will be properly secured
in a locked file cabinet in a locked room, which
is accessible only by the project staff.

How will electronic media (CDs, DVDs) or printed output with individual level data be secured?

Example: All CDs containing Medicare data (including
those received from VIReC) will be zipped using
encryption and password protection. The CDs, along
with all printed material containing individual
level data, will be properly secured in a locked
file cabinet in a locked room, which is accessible
only by the project staff.

How will the data be destroyed at the end of the project?

Example: At the end of the project, all printed
material with individual level data will be shredded
with a crosscut shredder and CDs will be shredded
using a disc shredder. All data obtained from VIReC
will be erased from the server upon study completion.