Privacy of Data is an Ongoing Concern

This week, just outside of Toronto, an unencrypted USB key was lost that contained the names, government-issued ID numbers and personal health information of more than 80,000 patients who visited a local H1N1 vaccine clinic.

Here’s the story from CBC News:
Ont. privacy commissioner orders ‘strong encryption’ of health records

In December the Durham health authority, which is responsible for a large area east of Toronto, announced it had lost the medical records of thousands of people after a nurse misplaced a USB key at Durham region’s headquarters in Whitby, Ont. The information on the USB key, also known as a memory stick, was not encrypted. The device contained data collected from more than 83,000 patients during H1N1 flu vaccination clinics in the region between Oct. 23 and Dec. 15.

On Thursday, Ontario privacy commissioner Ann Cavoukian said Durham must ensure the safety of patient records and ordered it “to immediately implement procedures to ensure that any personal health information stored on any mobile devices [laptops, memory sticks, etc] is strongly encrypted.” Cavoukian made clear in her report that she expects every health authority in the province — not just Durham — to follow suit.

As Cavoukian notes, personal health information must be kept confidential. This includes (although Cavoukian doesn’t explicitly say this) personal health information that is part of research data. The safeguard that she is urging all health authorities to implement (encryption) is something that ethics review boards should be urging researchers to use in order to protect the confidentiality of research data. And this, of course, doesn’t just apply to personal health information, but to any research data about which a promise has been made to maintain confidentiality. We have become much more sensitive to the careful protection of health information (although this story indicates otherwise!), but there is a great deal of research that has nothing to do with health in which careful consideration must be given to protecting confidential data or identities, as promised in many processes of consent.

Simply advising researchers to encrypt electronic data isn’t enough. Granted, it’s better than just protecting your data with a password. But there are more things that researchers who use electronic data must be thinking about.

There are two questions related to electronic data storage and security that ethics review boards must ask researchers to also think about, if they haven’t already.

The first question is, where are the data being stored? The best case scenario is always to store data locally, i.e. on secure servers that never require the data to be “moved” anywhere. Many hospitals and academic centres now have these and issue staff passwords and “space” on the servers so that data can be stored locally. Once you transport data electronically, even just to a non-local server, you increase the risk of that data being lost, manipulated, leaked or corrupted. This is something that is particularly worth keeping in mind when research projects involve electronic surveys. Many electronic survey tools store data remotely, even outside of the country where the research is being conducted. Case in point: Survey Monkey. Survey Monkey has long been the choice of many researchers to collect information easily using an electronic survey. However, the fact that data are stored on servers within the USA and are therefore subject to the USA PATRIOT Act means that many non-USA researchers are now choosing Canadian-based, local survey tools.

The second question is, how are the data being stored? If the data are stored on a local server accessible only to the researcher and research team via a password-protected desktop computer in a securely locked office, that’s a very good start. The data don’t have to be “transported” anywhere, so they are difficult to lose and reasonably inaccessible to others. If, however, the data are being stored on any kind of portable device such as a laptop or memory key — as data often are — then the data must be encrypted.

It’s now very easy to buy a USB key that uses encryption to store data. If you happen to lose it, the data are virtually useless to others. These keys are much cheaper now and hold large amounts of data.

One final strategy is to always require that researchers store identifiable information separately from other kinds of data. Coding lists, consent forms and raw data should always be stored securely and separately.

Hopefully none of these safeguards is news to most researchers and ethics review board members. They are, for the most part, not burdensome or time-consuming for the researcher. However, clearly, as the above story demonstrates, many are not paying attention to these quite easy-to-implement safeguards, resulting in deleterious effects: loss of trust, breaking promises of confidentiality, and the potential for significant harm.

~ by Nancy Walton on January 18, 2010.

4 Responses to “Privacy of Data is an Ongoing Concern”

  1. Good points but I’d add the following for starters:

    1. Not all encryption is equal. Ideally one should be using AES and SHA-2 hashing or something at least as strong.

    2. Not all USB drives that support encryption are secure. A security company in Germany just determined that many brand-name drives have a fatal flaw that allows encrypted data to be accessed fairly easily. If you want something more secure, go with something like an IronKey.

    3. Most people create low-entropy passwords that are easily cracked if there are no strengthening mechanisms to introduce significant time factors through hashing rounds or a lock-out process. So even if the data is encrypted it is often still vulnerable to dictionary and brute force attacks.

    4. Confidential data stored on a local server should only be accessible from within the local network; not from the Internet. It is just too easy to accidentally expose the data by incorrectly setting access permissions.

    5. Getting people to properly secure data is harder than it might first appear…

  2. Good points but I’d add the following for starters:

    1. Not all encryption is equal. Ideally one should be using AES and SHA-2 hashing or something at least as strong.

    2. Not all USB drives that support encryption are secure. A security company in Germany just determined that many brand-name drives have a fatal flaw that allows encrypted data to be accessed fairly easily. Go with something like an IronKey if you want a secure USB drive or use TrueCrypt.

    3. Most people create low-entropy passwords that are easily cracked if there are no strengthening mechanisms to introduce significant time factors through hashing rounds or a lock-out process. So even if the data is encrypted it is often still vulnerable to dictionary and brute force attacks.

    4. Confidential data stored on a local server should only be accessible from within the local network; not from the Internet. It is just too easy to accidentally expose the data by incorrectly setting access permissions.

    5. Getting people to properly secure data is hard. Convenience generally wins out over security and people generally have a poor understanding of the risks and how to manage them. Education is critical.

  3. This topic always fascinates me, thanks for the great post Nancy.

    So, I understand the logic behind US data storage, however internet data that even passes through the US (which we don’t really have control of) is theoretically just as susceptible to being intercepted by an eavesdropping government. If you are interested in the topic, take a look at the Total Information Awareness Program or when the NSA took up residence at AT&T’s major internet data center and rerouted data to their own facilities. A story I don’t enjoy bringing up, as in my opinion it might cause more unnecessary fear of the internet.

    So, if I understand what you are saying correctly, the problem seems to be that the concern is more that in the agreement researchers say they will keep the participants’ information confidential, period, thus there is no wiggle room. To me this seems like a fair statement, but is it promising too much? Is there a way to caveat that by saying you will do all things reasonable to make sure no harm is done? Does a surgeon promise that a hip replacement won’t cause a patient harm? No, but the overall intent of the surgery is a positive one for the patient, and a surgeon does everything in their control to minimize risk and pain of the patient.

    I think that at times we prohibit the sharing of information, at greater hindrance to the progress of research, or even the treatment of the patient. There are many anecdotal stories of how patients have suffered when health information was not shared. Examples include not getting pain medications after transfers (http://www.cnn.com/2010/HEALTH/01/14/medical.records/index.html) or there was a failure to restart a medication or translate a test result, which actually harms the patient. Can you (or anyone reading this) send me research or stories of how loss of patient data caused serious harm to the patient? Perhaps a few horror stories will help understand the grave concern that ethicists have regarding some of these issues. Not to say that I don’t agree partially, but I do question if we have the mixture right.

    To the point about where you store data, storing it locally does increase security. However, unless you are managing the IT hardware yourself there are usually a few IT technicians that have administrative rights and could theoretically also access the data without any regard for patient confidentiality, except this person would likely risk their job, unlike someone using the Patriot Act. Anyway, I’m very likely way off the mark, but just something I thought might stir conversation that would further enlighten my ignorance.

    Rob

  4. Hi Rob,

    No, I don’t think you’re off the mark at all. Your points are very well taken.

    As an ethics review board chair, I’d never encourage a researcher to make a “promise” that couldn’t be kept. Or use language in a consent process that is unrealistically firm, if that kind of a promise can’t be kept.

    A consent process that clearly explains to participants, for example, that the researcher will do his/her best to maintain confidentiality by doing the following…then explaining what steps are being taken to protect confidentiality…seems to me to be a good option. You’re right, no one has the power of prediction to know that their data will be perfectly protected. And as Alan points out in his comment, even what we might think are the most stringent of privacy protections may not be enough. So to expect researchers to promise that “all will be well no matter what” in terms of protecting privacy is an empty promise. Instead, to promise and articulate that “x” steps will be taken in a clear and intentional effort to maintain confidentiality seems to me to be what we should expect researchers to do. The strategies I suggest – trying to ensure that your data are stored locally wherever possible and that they are, at minimum, stored on a device that is encrypted (not just password protected) – I see as a starting point.

    Thanks for your comments.
    Nancy
