1082 — A Data Security Framework for Research Study Databases Using Metadata
Obrosky DS (Center for Health Equity Research and Promotion (CHERP),VA Pittsburgh Healthcare System), Burkitt KH
(CHERP, VA Pittsburgh HCS), Zickmund S
(CHERP, VA Pittsburgh HCS)
Objectives:
Recent changes in VA data security require careful scrutiny of all research study standards and practices. An essential first level of protection is the database itself. Our objective is to present methods for standardizing the definition and automatic application of security to a database.
Methods:
We describe the design and implementation of a data security framework for a study’s database management system. Information (“metadata”) describing user, role, and group access to specific database “objects” (e.g., tables, views, and stored procedures) are maintained in a data dictionary. Utility programs use these metadata to apply, log, and report permissions.
Results:
Databases for research studies are often accessed by a variety of users with differing roles and training. To ideally meet the needs of these users, different types of application front-ends are needed, such as front-ends with data entry, viewing, or reporting functions, or statistical analysis programs. While a useful supplement, defining and synchronizing data security from these front-ends is difficult and not fully sufficient. The primary level of data security must still be at the database and database object level. In our system being developed for the HSR&D-funded PATHS Study at the VA Pittsburgh Healthcare System, we are able to ensure database security with the following steps: (1) As database objects are created, records are programmatically inserted into metadata tables indicating that initial access to these newly created objects should be disallowed. Utility procedures apply these permissions to the objects. (2) Specific user, role, and group permissions are then defined only via these metadata. (3) Any permission changes are automatically logged, giving the ability to report on user, role, and group access levels and the time periods of access. Thus, when used in conjunction with logging of stored procedures execution and data entry/modifications, a complete history of a user’s access, entry, and modification to specific data columns and rows can be maintained and reported upon.
Implications:
Standardization and automation in defining, applying, logging, and reporting on database object security facilitates necessary VA data security efforts.
Impacts:
The use of a common data security framework for one or more research studies will greatly facilitate research data security.
