Data-security horror stories

Feb 04 2011 Published by under Research Data

I'm afraid we're going to see more data-security horror stories like this in the next few years. It's truly horrific for everyone involved.

Rather than point fingers, because there are multiple levels of epic fail in this situation and nobody comes out smelling like roses, I'll try to pull out some more-or-less depersonalized morals-of-the-story:

  • Knowing why confidentiality is important is not the same thing as knowing how to ensure it, particularly in a networked computing environment.
  • Cowboy research-IT installations and their staffers must soon expect a fair bit more scrutiny than they're used to with regard to many important data-management questions, data security hardly least. These risks may well swing the pendulum away from cowboy IT (widely perceived as cheaper) back to more centralized, accountable systems and staff.
  • The buck stops at the PI. This means that the practice of leaving computing to the young ’uns and part-timers is not going to cut it any more.
  • If it's this bad in biomedicine, which is well-funded… I'm scared about everything else. Really. I may never fill out a survey again. (Okay, that's just because I hate surveys and believe that much too much lazy survey research is done, not least in librarianship.)
  • Policy, policy, where is the policy around data issues? It's years behind where it needs to be, that's where. And don't talk to me about IRBs (or NSF grant reviewers, for that matter; this is a serious and I hope temporary weakness in the NSF data-management plan model). IRBs are made of PIs, not the necessary gimlet-eyed informaticists and IT-security pros. If you've ever been on an IRB, be honest: would you have thought to ask about IT staff competencies?
  • Anybody who reduces research data management to "storage and backup" needs repeated applications of cold water and horror stories like the above one until they come to their senses. It's more complicated than hardware, people. Much more.
  • Ditto anybody (hello, librarians! hello, OAIS model!) who thinks that data management starts when the data are final.

Data security is serious business, especially now that reidentification risks have entered the picture. If you do human-subjects research, or work with any other sensitive data in digital form, take security seriously before you get caught flatfooted.

7 responses so far

  • ecologist says:

    What is IRB? What is cowboy-IT? What is OAIS?

    • Dorothea says:

      Um, a "please" in there somewhere would be appreciated. Thanks.

      I'm updating the glossary now. "Cowboy IT" should be reasonably clear from context.

      • ecologist says:

        Sorry about that; I was in a rush. I do appreciate the glossary, but it is hard to find. I got to it by the "Jargon" heading under Categories, but you might want to add it to that list with a heading of its own.

        Independent of that, I found this post and the linked-to story pretty scary. We don't deal with human subject data, so it's not a direct problem, but we are subject to attempted intrusions. The idea that the PI is responsible for computer security raises all kinds of interesting and scary issues.

        Thanks.

        PS --- by "cowboy IT" I think you mean IT maintained by an individual, but why cowboy?

  • brooksphd says:

    once HITECH passed in the ARRA there was a mad scramble on my campus to update and confirm our security vulnerabilities. We've had a LOT of workshops and training sessions on securing and maintaining ePHI on campus.

    Frankly, it scares the crap out of me. My group do biomedical databasing for our campus, and our system holds MILLIONS of records.

    at some point every institute needs a centralised system that uses a heirarchical feed-forward system to oversee data security.

    We run the system that holds the HIPAA proetcted data - we've got the access logs and permission controls in place. We've been white-hat cracked to look for SQL vulnerbilities etc.

    Our ITS keeps the servers, maintains the firewall and scans for malicious entry.

    Our IT Security officer has details of every project and knows everyone personally.

    The CIO runs the security side with an iron-fist. He knows if something goes down, it's BIG fines for the Uni.

    But...the one thing we cannot control is the users. If they have a shitty password, or leave the computer logged in (yes, we have a time out), or do something stupid like respond to a phishing email...welll...data can get out, and this is something I emphasise with every new project and every new PI.

  • theshortearedowl says:

    I am so glad the only individuals I am ever likely to have sensitive data on are trees.

  • Joann says:

    The last time I worked with patient data it was on paper. I would never work with patient data through a computer system unless it was on the institution's system and they were totally responsible for the IT infrastructure and any possible breaks and break-ins.

    This is not something that can be done within a mom & pop shop environment. If research organiations have somehow drifted to there over the years in the shift from paper to digital, they simply have to stop doing these kinds of projects.

    It is not worth the risks to anybody and UNC should have taken full responsibility for providing an inferior research infrastructure just as though it were a physical building break-in. This is collective institutional bias against women in that the data involved women patients, for a woman's disease, studied by a woman PI.

    • Dorothea says:

      I'm not willing to call it bias until I have a sense of what other researchers' IT situations are like. My experience suggests that few if any researchers have it much better than Dr. Yankaskas -- especially those, as you say, who do their IT in-house.