Presentation is loading. Please wait.

Presentation is loading. Please wait.

Research Data and Secure Storage Options

Published byMinna Lindholm Modified over 6 years ago

Similar presentations

Presentation on theme: "Research Data and Secure Storage Options"— Presentation transcript:

1 Research Data and Secure Storage Options
Ashok Mudgapalli, MS, Ph.D. Director of Research IT Office (RITO)

2 Agenda Research Data Storage Options UNMC Box UNMC Box Security
UNMC Data Classification Research Data Storage Options UNMC Box UNMC Box Security Contacts and Resources Q&A What will the audience be able to do after this training is complete? Briefly describe each objective how the audience will benefit from this presentation.

3 How do I classify my Research Data?
Public Data 1 Private / Confidential Data 2 Secure DoD Data 3 VA Data 4 Give 1-2 examples of each bullet during presentation; Sufficient to say each has its own storage requirements Public = Manuals, Published Research Results, no risk if data is lost – already stored elsewhere… Private = Student Records, PHI, Export Controlled Information, risk to patients, students, or university if lost Secure DoD = Non-public information, privilege information, significant risk to US and/or university if lost VA = has additional security requirements, RITO works with the VAMC to address those needs.

4 Public Data Definition
Data if lost poses little to no risk to the University or you. Examples Public policies and procedures manuals, Campus maps, Job postings, Non-private University contact information, press releases, course information, published research results Password Protection No password protection required. Data Transfer These data can be transferred in any manner at the owner’s risk, but Internet, USB, data sharing sites all OK. Cloud / Premise Server Storage Server storage is recommended, but not required, and password protection recommended to prevent inappropriate or unauthorized modification of information. Publicly exposed documents should be “read only” category Cloud / External Storage No protection requirements required. Workstation and Laptop Storage No protection requirements required. However, the computer should be encrypted as per UNMC policy 6051. Removable / Portable Media Storage No protection requirements required. However, the media should be encrypted as per UNMC policy 6051. Disaster Recovery Should be backed up in a separate location to prevent loss. Remote Access No password required. Give a brief overview of the presentation. Describe the major focus of the presentation and why it is important. Introduce each of the major topics. To provide a road map for the audience, you can repeat this Overview slide throughout the presentation, highlighting the particular topic you will discuss next.

5 Private / Confidential Data
Definition Unauthorized disclosure, alteration or destruction could result in a significant risk to you, research subjects, patients, or students and/or the University or its employees or its affiliates. Examples I. Student Records, non-public research data, employment or admission applications, personnel files, individual benefits information, birth date, and personal contact information, Donor contact information and non-public gift amounts, Privileged attorney-client communications, Non-public policies, UNMC internal memos and , budgets, plans, and financial information, contracts, University and employee ID numbers. II. All Protected Health Information (PHI) – which includes any of the following: 1. Patient Names 2. All geographical subdivisions smaller than a State (e.g., street address, city, county, precinct, zip code) 3. Date other than year directly related to an individual (birth, admission , discharge, or death date); or age over 89 unless aggregated as 90 or older 4. Phone or FAX number 5. or Internet Protocol (IP) addresses, or Web Universal Resource Locators (URLs) 6. Social Security, Medical record, or Health plan beneficiary numbers 7. Account, or Certificate/license numbers 8. Vehicle identifiers and serial numbers, including license plate numbers 9. Device identifiers or serial number 10. Biometric identifiers, including finger and voice prints 11. Full face photographic images and any comparable images; or 12. Any other unique identifying number (e.g., Passport or visa numbers

6 Private / Confidential Data Continue
Examples III. Export controlled information under U.S. laws; Data protected by state or federal regulations; and/or Data protected by confidentiality agreements Password Protection Limited to those permitted under law, regulation and policies, and on a need to know basis. At least one physical (e.g., locked room and /or card access) or electronic barrier (e.g., software- and/or hardware-based firewalls) should be in place when not under direct individual control of an authorized user. Data Transfer Encryption and/or password protection required to transmit information through a network. Use UNMC services to transfer confidential information within the network and to external entities. Transfer should be encrypted if sent over the Internet, or university-approved resources (e.g., Box or SharePoint). Cloud / Premise Server Storage Server storage is highly recommended unless otherwise stated by law, regulation, contract, or other agreement. Server security must follow internal and external requirements including physical and logical access protection. Workstation and Laptop Storage Data if stored on a workstation or laptop must follow internal and external requirements including physical and password protection. It is recommended that these data be placed in a folder with additional password or encryption. Removable / Portable Media Storage Encrypted external hard drive or other university approved resources (e.g., Box) but not USB or other portable devices should be used unless otherwise agreed upon by law, regulation, contract, or other agreement. Removable and portable media must be encrypted and contain a layer of logical and physical access protection unless under the direct use of authorized individuals. Disaster Recovery All Private/Confidential Data should be backed up on a server in a separate physical location that contains similar logical and physical security controls in place. Remote Access Requires VPN secure remote access.

7 Secure DoD Data Definition Unauthorized disclosure, alteration or destruction of these data could cause a significant level of risk to the United States, University or other partners . Security controls should be applied as defined by the level of security of the data. Examples Non-public information provided to a contractor, Information developed during the course of a DoD contract, grant, or other legal agreement, Privileged information contained in transactions, Military Health System Information, data protected by state or federal privacy regulations and data protected by confidentiality agreements, or other sensitive information that does is not include in the Private/Confidential data type . Password Protection Access is limited to those permitted under law, regulation, and policies, and on a need to know basis. Access defined by the defined level of security. Data Transfer Defined by level of DoD security classification but may require special military-grade encryption or information security protocols. Cloud / Premise Server Storage Workstation and Laptop Storage DoD classified information needs to be stored separately on devices accessible to only those approved to access. Degree of security as defined but may require special military-grade encryption or information security protocols. Removable / Portable Media Storage Removable and/or portable media storage is not allowed. If need to be used, UNMC recommended encryption, access control and password protection need to be applied. Cloud / External Storage Cloud or external third party storage is prohibited. Disaster Recovery All DoD classified information must be backed up according to law, regulation, contract, or other agreement. Remote Access Remote access via the UNMC VPN utilizing two factor authentication is allowed.

8 VA Data Definition Unauthorized disclosure, alteration or destruction could result in a significant risk to you, research subjects, patients, the VA or its employees or its affiliates. Examples I. Non-public research data, personnel files, internal memos and , budgets, plans, and financial information, contracts. II. All Protected Health Information (PHI) III. Private Personal Information (PPI) Password Protection Limited to those permitted under law, regulation and policies, and on a need to know basis. At least one physical (e.g., locked room and /or card access) or electronic barrier (e.g., software- and/or hardware-based firewalls) should be in place when not under direct individual control of an authorized user. Data Transfer Encryption and/or password protection required to transmit information through a network. Use UNMC services to transfer confidential information within the network and to external entities. Transfer should be encrypted if sent over the Internet. Cloud / Premise Server Storage Must be on VA servers. Workstation and Laptop Storage Data if stored on a workstation or laptop must follow internal and external requirements including physical and password protection. It is recommended that these data be backed-up on VA servers. Removable / Portable Media Storage Removable and portable media must be VA approved, encrypted, and Federal Information Processing Standard Publication (FIPS PUB) compliant. Cloud / External Storage Cloud or external third party storage is prohibited. Disaster Recovery All Private/Confidential Data should be backed up on a server in a separate physical location that contains similar logical and physical security controls in place. Remote Access Requires VA VPN secure remote access.

9 Research Data Storage Options
Enterprise Storage (PHI) Archival Storage (PHI) BOX Cloud Storage (PHI) Storage at Peter Kiewit Institute (non-PHI) Attic Storage (non-PHI at PKI) XSEDE Supercomputer facility storage (non-PHI) What will the audience be able to do after this training is complete? Briefly describe each objective how the audience will benefit from this presentation.

10 What will the audience be able to do after this training is complete
What will the audience be able to do after this training is complete? Briefly describe each objective how the audience will benefit from this presentation.

11 II. Research Data Storage - Local
Storage Option Can protect PHI? Cost/year Suitable for Comments Enterprise (on site) Yes $499/TB Daily or more frequent access More robust and dynamic environment, Automatic Replication and weekly backup Enterprise Archive (on site) $100/TB Long term storage No backup or replication Holland Computing Center , Omaha No (non-PHI only) $250 / TB ($105 / TB if no replication and backup) Automatic backup / replication if desired Department /College/Unit server (if available) Yes or No Limited by departmental server capacity Reserved for active small research datasets; folders with PHI should be password protected; Automatic backup/ no replication

12 II. Research Data Storage in Cloud
Storage Option Can protect PHI? Cost/year Suitable for Comments BOX Cloud (Enterprise Grade) Yes $420 flat fee unlimited space for data that can be accessed regularly Daily or more frequent access Automatic backup / replication, Each file must be =< 15 GB size. 90 days of worth of deleted files available. OneDrive for Business Free (no cost) Offered by UNMC ITS (Microsoft 365 solution). Contact ITS Help Desk for more information.

13 II. Research Data Storage – Off Site
Storage Option Can protect PHI? Cost/year Suitable for Comments XSEDE (NSF funded infrastructure across USA). Not a Cloud No Free Daily or more frequent access No Backup or Replication, Should be reserved for high computing jobs. Annual renewal is needed. Third party vendor storage solutions, Dropbox, Amazon Cloud, Google docs Negotiated NOT RECOMMENDED for any research data storage because no Business Associate Agreement with UNMC nor may not be HIPAA certified *Replication: Creates a copy of the file (live) at remote location **Backup: Backup files point in time to remote location

14

15

16 UNMC Box Security (Info from Box security team)
Secure data centers: User data is stored on enterprise-grade servers that undergo regular audits and are monitored 24/7 Redundancy: Files are backed up daily to additional facilities All files uploaded to Box are encrypted at “rest” using 256-bit AES encryption For files in transit, AES 256 is a supported cipher, however Box default to use RC4-128 encryption. Box do this to mitigate a known vulnerability in SSL called the BEAST attack, which an attacker could use to hijack someone's web session when other ciphers (including AES 256) are used. 128 bit encryption is currently considered safe and secure for data in transit UNMC paid users should use their UNMC NET ID and password to log into Box

17 UNMC Box Security (Info from Box security team)
Box is SAS70 Type II and Safe Harbor certified, ISO27001 certified (globally recognized security standard) and supports RC4 encryption Disaster Recovery Box physical infrastructure is designed not only for disaster recovery, but true disaster avoidance, building in advanced measures for N+1 redundancy for all components, geographical diversity, physical security, and environmental controls. Access to systems are monitored around the clock by onsite monitoring and guards, and access to cages are restricted to only top-level clearance Box employees, managed by keys and biometric scanning

18 Who’s Who RITO PERSONNEL Role Phone Contact Email
Ashok Mudgapalli, MS, Ph.D. Director of Research IT Mike Gleason, Ph.D. Programmer Analyst III Praveen Reddy, MS Programmer Analyst II Leela Krishna Golla,  MS Mike Zietz, BS Chanikya Gopisetty, MS Programmer Analyst Keep it brief. Make your text as brief as possible to maintain a larger font size.

19 Microsoft Engineering Excellence
Resources Research IT Office web site ( UNMC BOX Cloud Storage ( ITS OneDrive for Business Cloud ( XSEDE (Extreme Science and Engineering Discovery Environment) ( Microsoft Confidential

20 Microsoft Engineering Excellence
Microsoft Confidential

Download ppt "Research Data and Secure Storage Options"

Similar presentations

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.

The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
Informed Consent.

Informed Consent.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)

HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)
New Data Regulation Law 201 CMR 17.00. TJX Video.

New Data Regulation Law 201 CMR TJX Video.
Health Budgets & Financial Policy Privacy and HIPAA Security 15 December 2009 - 0800 & 1000 17 December, 2009 - 0800 & 1600 Bridge Number: 877-960-7130.

Health Budgets & Financial Policy Privacy and HIPAA Security 15 December & December, & 1600 Bridge Number:
Protecting Sensitive Information PA Turnpike Commission.

Protecting Sensitive Information PA Turnpike Commission.
Information Security Decision- Making Tool What kind of data do I have and how do I protect it appropriately? Continue Information Security decision making.

Information Security Decision- Making Tool What kind of data do I have and how do I protect it appropriately? Continue Information Security decision making.
Protected Health Information (PHI). Privileged Communication An exchange of information between two individuals in a confidential relationship. (Examples:

Protected Health Information (PHI). Privileged Communication An exchange of information between two individuals in a confidential relationship. (Examples:
Paula Peyrani, MD Medical/Project Director, HIV Program at the 550 Clinic Assistant Director, Research Design and Development Clinical and Translational.

Paula Peyrani, MD Medical/Project Director, HIV Program at the 550 Clinic Assistant Director, Research Design and Development Clinical and Translational.
CPS Acceptable Use Policy Day 2 – Technology Session.

CPS Acceptable Use Policy Day 2 – Technology Session.

Similar presentations

Ads by Google