Clinical Researcher—December 2017 (Volume 31, Issue 6)
Adrienne Bogacz, MHA
WannaCry. Yahoo. Equifax. The seemingly endless news stories about ransomware attacks and hacks should frighten anyone responsible for protecting data. Healthcare organizations are particularly vulnerable because of both the breadth of their data (personal, financial, health, etc.) and the thousands of employees who could serve as unwitting and unknowing breach points. Clinical research is not immune, especially when conducted within covered entities.
Of course, strong technical safeguards are the first line of defense to prevent data attacks; however, when attacks bypass these tools and processes, those thousands of individual users stand between secure data and disaster. As individual managers, clinicians, and users of data ourselves, what can we do to prepare for cyberattacks that reach our colleagues and employees? What are our individual responsibilities for data protection and good stewardship?
As we work with data from human subjects, we are responsible for protecting this information by recognizing protected and confidential data; selecting and protecting a secure password; and identifying and reporting phishing attempts.
Recognize Protected and Confidential Data
For healthcare institutions, defining protected and confidential data is the easy part. In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) explicitly defines what protected health information (PHI) is and what an organization must do to protect the data, in terms of physical, technical, and administrative measures.
HIPAA requires healthcare organizations to train staff on PHI and PHI-related procedures. However, these annual lessons may sometimes feel distant in the day-to-day grind, especially for research staff who don’t provide direct patient care.
While clinical research studies commonly have full or partial waivers of HIPAA, research staff must still be educated so they understand how to recognize and protect sensitive data. Researchers have resources available for this training, such as the Collaborative Institutional Training Initiative (CITI). Protecting data can start locally, by developing measures to champion this cause, including regular reminders at meetings, documented procedures in an easily accessible place, posted notices (“Place documents to be shredded in the locked bin HERE.”), and discussions about how HIPAA affects the specific work.
Select and Protect a Secure Password
Across the research enterprise, you are required to have many passwords—for your work computer or laptop, for the clinical trials management system, for electronic case report forms, for submitting information to your institutional review board…the list goes on and on. You are likely required to change passwords at set intervals and use a particular combination of numbers, capital letters, and symbols each time. This is known as a “secure” password, because it prevents individuals from using an easily guessable password, such as the name of their children or pets (provided that the user doesn’t have the secure password written down on a sticky note at his or her desk).
Recently, however, the “secureness” of the secure password has been called into question. Hackers can run password-cracking code that guesses combinations of letters, numbers, and symbols at potentially hundreds or thousands of times per second. In June 2017, the National Institute of Standards and Technology, part of the U.S. Department of Commerce, released a special publication on digital identity guidelines,1 which recommends “passphrases” rather than traditional passwords.
The report states that, when required to use numbers and symbols in passwords, users generally select short passwords that are easier for hacking software to decode. Passphrases are a series of unrelated words that result in longer passwords, with fewer elements to remember. For example, with random password 4%JKLmno9, a user has to remember nine separate elements. With passphrase chickenbluesciencecommunicate, the user has to remember four words. The latter would take hacking software much longer to guess.
In summary, the longer the password, the better, whether it uses symbols or phrases, but phrases are likely easier to remember.
Identify and Report Phishing Attempts
Phishing attempts are more sophisticated than they’ve ever been. While e-mail users (and hopefully spam filters!) may know to ignore e-mails from far-off royalty requesting wire transfers, they might not be savvy enough to identify bogus e-mails that appear to come from familiar places or senders.
A popular type of phishing e-mail notifies users that their password has expired and appears to come from the institution’s information technology (IT) department, using the right logos, colors and language. When users click a link in the bogus e-mail and enter a user name and password, they hand the hackers a key to their data. When many users fall for the same trick, you have a major problem.
When a phishing attempt bypasses your institution’s e-mail security and reaches potentially thousands of users, your employees need to know how to identify the scam and how to report it. To help them better identify phishing scams, remind them that your institution will never ask for their password and teach them how to check the actual e-mail address (not the name that appears in their inbox) and hyperlink before responding to suspicious e-mails or clicking links in them.
Also, make sure that staff know how to report suspected phishing attempts. Have a representative from your IT security department teach them the proper processes or set up a drill with mock phishing attempts so that users can practice reporting attempts.
Of course, even a strong training program isn’t a complete solution. With so many users, it’s nearly impossible to ensure that everyone follows the correct procedure every time. When someone does provide information in a phishing attempt, or when a hacker decodes passwords and cuts into your system, a well-defined and well-distributed breach response plan can mitigate the damage. It’s your IT department’s responsibility to put these plans in place, and it’s your responsibility to understand the plan as it pertains to data security.
- Grassi P, Garcia M, Fenton J. 2017. NIST Special Publication 800-63-3: Digital Identity Guidelines. Gaithersburg, Md. National Institute of Standards and Technology, U.S. Department of Commerce.
Adrienne Bogacz, MHA, (firstname.lastname@example.org) is a senior training and optimization analyst at The Ohio State University Wexner Medical Center.