Security in the Context of Generic Clinical Study Data Management Systems

Prakash Nadkarni, Rohit Gadagkar, Charles Lu, Aniruddha Deshpande, Kexin Sun, Cynthia Brandt

Yale Medical School

Transcript of the slides (12 pages).

Page 1: Title slide.

Page 2: What is a “Generic” Clinical Study Data Management System (CSDMS)?

- A database designed for managing data generated by an arbitrary number of clinical studies and patients.
- Can handle an arbitrary range of clinical domains/specialties.
- The schema does not change.
- Uses an Entity-Attribute-Value data model for clinical data, similar to clinical patient record systems.

Page 3: Security Issues for CSDMSs: Differences vs. CPRSs (1)

- CSDMSs differ from CPRSs in the concept of a “study”.
- In a generic CSDMS, the same set of tables manages an arbitrary number of studies. Therefore security must be implemented at a row level.
- Done by tagging rows directly or indirectly with user/group ID as well as study ID, and defining privileges of individual users with respect to a study.

Page 4: Security Issues for CSDMSs: Differences vs. CPRSs (2)

- In a generic CSDMS, the vast majority of users must typically be unaware of even the existence of studies other than the ones that they have access to.
- Somewhat easier to define policies, because the various Roles are somewhat clearer. E.g., read-only, edit, deletion, locking at various levels (form / patient / entire study).

Page 5: Security Issues for CSDMSs: Differences vs. CPRSs (3)

- The Chinese (Afghan) Warlord Scenario
  – Many studies are multi-centric and performed by consortia of investigators. These consortia are often marriages of convenience.
  – Even if no PHI were stored, investigators may not really trust one another, so each gets to see and operate only their own patients.
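The row-level scheme described on pages 2 to 5 (one fixed EAV schema for every study, rows tagged with a study ID, per-user privileges defined per study, and site-restricted investigators who see only their own patients) can be made concrete in a few tables and queries. The following is an added example written for this transcript, not the authors' system; every table, column, user and data value in it is constructed, and SQLite is used only so it runs stand-alone.

```python
import sqlite3

# Added example (not the authors' code): a minimal generic-CSDMS schema in
# which one fixed set of tables serves every study. Clinical facts are stored
# Entity-Attribute-Value style, every row is tagged with its study, and a
# privilege table records what each user may do within each study, so access
# is decided per row rather than per table. All names and data are constructed.
SCHEMA = """
CREATE TABLE study (study_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE patient (
    patient_id INTEGER PRIMARY KEY,
    study_id   INTEGER NOT NULL,
    site_id    TEXT    NOT NULL      -- enrolling centre within a consortium
);
CREATE TABLE fact (                  -- EAV: one row per (patient, attribute)
    fact_id    INTEGER PRIMARY KEY,
    study_id   INTEGER NOT NULL,     -- study tag is what enables row-level security
    patient_id INTEGER NOT NULL,
    attribute  TEXT    NOT NULL,
    value      TEXT    NOT NULL
);
CREATE TABLE study_privilege (       -- what one user may do in one study
    user_id  TEXT    NOT NULL,
    study_id INTEGER NOT NULL,
    role     TEXT    NOT NULL CHECK (role IN ('coordinator','investigator','readonly')),
    site_id  TEXT,                   -- NULL = study-wide; set = own site's patients only
    PRIMARY KEY (user_id, study_id)
);
"""

def build_sample_db():
    """In-memory database loaded with constructed sample studies, patients and users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO study VALUES (?, ?)",
                     [(1, "Pancreatic cancer pedigrees"), (2, "Breast cancer mutations")])
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)",
                     [(101, 1, "yale"), (102, 1, "ucsf"), (201, 2, "yale")])
    conn.executemany("INSERT INTO fact VALUES (?, ?, ?, ?, ?)",
                     [(1, 1, 101, "age", "61"), (2, 1, 101, "smoker", "no"),
                      (3, 1, 102, "age", "58"), (4, 2, 201, "age", "44")])
    conn.executemany("INSERT INTO study_privilege VALUES (?, ?, ?, ?)",
                     [("alice", 1, "coordinator", None),    # sees every patient in study 1
                      ("bob",   1, "investigator", "ucsf"), # only patients enrolled at ucsf
                      ("carol", 2, "readonly", None)])      # study 2 only; study 1 is invisible
    return conn

# Every query joins study_privilege for the calling user; there is no code path
# that reads fact without that join, which is what makes the filtering
# row-level rather than an afterthought in the application.
VISIBLE_FACTS_SQL = """
SELECT f.study_id, f.patient_id, f.attribute, f.value
FROM fact f
JOIN patient pat        ON pat.patient_id = f.patient_id
JOIN study_privilege sp ON sp.study_id = f.study_id AND sp.user_id = ?
WHERE sp.site_id IS NULL OR sp.site_id = pat.site_id
ORDER BY f.fact_id
"""

def visible_studies(conn, user_id):
    """Studies the user even knows exist: only those with a privilege row."""
    rows = conn.execute("SELECT s.name FROM study s JOIN study_privilege sp "
                        "ON sp.study_id = s.study_id WHERE sp.user_id = ? "
                        "ORDER BY s.study_id", (user_id,))
    return [name for (name,) in rows]

def visible_facts(conn, user_id):
    """EAV rows the user may read, filtered by study and (if restricted) by site."""
    return conn.execute(VISIBLE_FACTS_SQL, (user_id,)).fetchall()

def can_edit(conn, user_id, study_id, patient_id):
    """Edit rights need an editing role AND visibility of that patient's row."""
    row = conn.execute(
        "SELECT sp.role FROM study_privilege sp "
        "JOIN patient pat ON pat.study_id = sp.study_id "
        "WHERE sp.user_id = ? AND sp.study_id = ? AND pat.patient_id = ? "
        "AND (sp.site_id IS NULL OR sp.site_id = pat.site_id)",
        (user_id, study_id, patient_id)).fetchone()
    return row is not None and row[0] in ("coordinator", "investigator")

if __name__ == "__main__":
    db = build_sample_db()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, visible_studies(db, user), visible_facts(db, user))
```

The point to check in any real implementation is that the privilege join cannot be bypassed: in a production DBMS the same filter would live in a view or a row-level security policy so that an application bug (or a direct database login) cannot issue an unfiltered `SELECT` over the shared tables. Note also that `carol` gets an empty study list rather than a "permission denied" for study 1, which is how the "unaware of other studies' existence" requirement on page 4 is met.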

Page 6: Security Issues for CSDMSs: Differences vs. CPRSs (4)

- The Issue of Paranoia
  – Distrust of the Informatics Investigator: may be regarded as closer to one or two research investigators than to others. It is important to be neutral; consortia have failed if the informatics investigator attempts to mine the data on one’s own for research purposes.
  – Distrust of the System/Technology: old habits die hard, and investigators sleep better at night if they can download their own data securely and store it locally on demand.

Page 7: CSDMSs: Genetics & Genomics

- Many genetic conditions of research interest are statistically rare. So, even staying within the bounds of HIPAA, and without storing PHI, it is still possible to identify individuals.
  – Jimmy Carter pedigree: a cluster of three individuals in a nuclear family who have died of pancreatic cancer.
  – If an individual is typed for an adequate number of genetic loci that are highly polymorphic (i.e., have multiple variants), the full profile can act as a “fingerprint”.
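How many loci count as "an adequate number" can be estimated before genotype data are released, which is the question a data custodian has to answer. The following added example (not from the slides) uses the standard Hardy-Weinberg calculation: the chance that two unrelated people share a genotype at one locus is the sum of the squared genotype frequencies, and independent loci multiply. The allele frequencies are constructed round numbers, not measured population data, and the population size is a stand-in parameter.

```python
import math

# Added example (not from the slides): how quickly a set of polymorphic loci
# becomes a "fingerprint". Under Hardy-Weinberg equilibrium the chance that
# two unrelated people share a genotype at one locus is the sum, over all
# genotypes, of the squared genotype frequency. Allele frequencies below are
# constructed round numbers, not measured population data.

def locus_match_probability(allele_freqs):
    """P(two unrelated individuals have the same genotype at this locus)."""
    if not math.isclose(sum(allele_freqs), 1.0):
        raise ValueError("allele frequencies must sum to 1")
    total = 0.0
    n = len(allele_freqs)
    for i in range(n):
        total += (allele_freqs[i] ** 2) ** 2                       # homozygote i/i
        for j in range(i + 1, n):
            total += (2 * allele_freqs[i] * allele_freqs[j]) ** 2  # heterozygote i/j
    return total

def profile_match_probability(loci):
    """Independent loci multiply: P(two people share the whole profile)."""
    prob = 1.0
    for freqs in loci:
        prob *= locus_match_probability(freqs)
    return prob

def loci_needed_for_uniqueness(loci, population):
    """Smallest number of the given loci after which the expected number of
    OTHER people in 'population' sharing a profile drops below one.
    Returns None if even all the loci together are not enough."""
    prob = 1.0
    for k, freqs in enumerate(loci, start=1):
        prob *= locus_match_probability(freqs)
        if (population - 1) * prob < 1.0:
            return k
    return None

# Constructed loci: a two-allele SNP-like marker versus a ten-allele marker.
BIALLELIC = [0.5, 0.5]
TEN_ALLELE = [0.1] * 10

if __name__ == "__main__":
    population = 300_000_000  # illustrative population size
    print("biallelic loci needed: ", loci_needed_for_uniqueness([BIALLELIC] * 40, population))
    print("ten-allele loci needed:", loci_needed_for_uniqueness([TEN_ALLELE] * 40, population))
```

With these constructed numbers a handful of ten-allele markers already isolates one person in a population of hundreds of millions, whereas biallelic markers need a few dozen; the slide's "highly polymorphic" qualifier is what drives the risk. The calculation assumes unrelated individuals and independent loci, so within a pedigree (the slide's cluster of three relatives) sharing is far higher and the de-identification argument correspondingly weaker.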

Page 8: Recording PHI in CSDMSs: Issues (1)

- Retrospective studies vs. Prospective studies.
- Studies involving clinical interventions with significant risk
  – Laparoscopy in patients with elevation of a serum marker for a specific cancer
  – Dose escalation in cancer chemotherapy trials
  – PHI acts as an additional safeguard against a risky intervention being accidentally performed on the wrong patient.

Page 9: PHI Issues in CSDMSs (2)

- PHI can ensure Investigator Accountability
  – The Fictitious Patient Scenario
- PHI is sometimes the only way to link CSDMS data reliably with that in external systems (e.g., using MRUN)
  – Unforeseen interventions (e.g., blood transfusion, marrow transplant)
  – Interposing manual steps is a source of delay and error

Page 10: PHI Issues in CSDMSs (3)

- A major benefit of CSDMS – facilitation of logistic operations – is lost if PHI is not captured.
  – In studies performed on an out-patient basis, generation of form letters / mail merge / E-mail
  – Bulk import of data from external systems – e.g., lab tests.

Page 11: Overall approach to CSDMS security

- Clear-cut definition of security policies – software can deal only with the technical aspects of security.
- Need to know: even when PHI is stored, all persons with access to the study need not access PHI (e.g., biostatisticians).
- Storage of all PHI in the database in encrypted form, with encryption/decryption performed on a separate middle tier: a two-administrator scenario, one for the DBMS, one for the middle tier.
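The last two points on this page (need to know, and PHI encrypted by a middle tier so that the DBMS administrator and the middle-tier administrator each hold only half of what is needed to read it) fit together in one small piece of code. The following is an added example written for this transcript, not the authors' implementation; the `Dbms`, `MiddleTier` and `PHI_ROLES` names and the patient record are constructed, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) used so the example runs without third-party packages.

```python
import hashlib
import hmac
import json
import os

# Added example (not the authors' code) of the middle-tier pattern: PHI is
# sealed before it reaches the DBMS, the key lives only with the middle-tier
# administrator, and only roles with a need to know get plaintext back.
# The cipher is a stdlib-only stand-in (HMAC-SHA256 keystream in counter mode,
# encrypt-then-MAC); a real deployment would use an AEAD such as AES-GCM.

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(master_key, label):
    """Separate encryption and MAC keys derived from one master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(master_key, plaintext):
    """Returns nonce || ciphertext || tag, with a fresh random nonce per record."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(master_key, blob):
    """Verify the tag first; a modified record is rejected, never decrypted."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PHI record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Dbms:
    """Everything the database administrator can see: ciphertext blobs only."""
    def __init__(self):
        self.rows = {}
    def put(self, patient_id, blob):
        self.rows[patient_id] = blob
    def get(self, patient_id):
        return self.rows[patient_id]

# Need to know: study access does not imply PHI access. Biostatisticians work
# on de-identified rows and are deliberately absent from this set.
PHI_ROLES = {"coordinator", "investigator"}

class MiddleTier:
    """Holds the key (provisioned by the second administrator) and enforces need to know."""
    def __init__(self, db, master_key):
        self.db = db
        self._key = master_key            # never written to the DBMS
    def store_phi(self, patient_id, phi):
        record = json.dumps(phi, sort_keys=True).encode()
        self.db.put(patient_id, seal(self._key, record))
    def read_phi(self, role, patient_id):
        if role not in PHI_ROLES:
            raise PermissionError(f"role {role!r} has no need to know PHI")
        return json.loads(unseal(self._key, self.db.get(patient_id)))

if __name__ == "__main__":
    db = Dbms()
    tier = MiddleTier(db, os.urandom(32))  # key supplied by the middle-tier administrator
    tier.store_phi(101, {"name": "Example Patient", "mrn": "MRN-000101"})  # constructed PHI
    print("DBMS admin sees:", db.get(101).hex()[:32], "...")
    print("coordinator sees:", tier.read_phi("coordinator", 101))
```

Two properties are worth checking in a real deployment of this pattern: a dump of the DBMS must contain no plaintext PHI (the key is never stored alongside the data), and a record altered in the database must fail verification rather than decrypt to garbage, since a silently corrupted identifier is exactly the wrong-patient failure page 8 warns about. The role check sits in the middle tier because that is the only component that can produce plaintext, so there is no path around it.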

Page 12: IRB Barriers

- Many IRBs look askance at PHI being stored at an extra-institutional site
  – Roots of suspicion date back to WWII, when Japanese-Americans were identified through census data and placed in concentration camps.
  – Concerns about extra-institutional PHI storage stem as much from investigator/institutional concerns about intellectual property/poaching.
  – Need to be educated about risks due to absence of PHI – race, age and sex are often not enough for identity confirmation (e.g., in a study of Ashkenazi Jewish women with Breast Cancer mutations).