Information Risks & IRB Strategies for Technologies Used in Research: A Guide for Researchers, IT, and IRBs

Last updated: September 25, 2016


Table of Contents

1. Overview
2. Data Classification
3. Technologies
   3a. Live Two-Way Communication
   3b. Physical Storage
   3c. Mobile Devices and Applications (Apps)
   3d. Survey Tools
   3e. Cloud Service and Storage
4. Additional Resources
   4a. Investigator Checklist for Securing Research Data
   4b. Guidance on When to Encrypt Data
   4c. Points to Consider When Choosing a Cloud Service
   4d. Glossary of Common Terms for Technologies Used in Research
5. Attribution, Sharing, and Adapting
6. Acknowledgements and Contact Us
7. Bibliography


1. Overview

The use of technologically interconnected products and services continues to revolutionize the design and conduct of research as researchers can now more easily find, recruit, and communicate with subjects, as well as select cohorts from larger candidate pools, and may do so with greater precision. New tools enable electronic data capture through surveys and devices that collect, analyze, and store a multitude of biological and environmental measures.

These technological innovations raise important legal, regulatory, and ethical questions for researchers and institutional review boards (IRB) alike. Among them, do IRBs and researchers understand how information is collected, used, and stored in sufficient detail to protect human research subjects? Can IRBs and researchers assure patients that uses of technology conform to promises or assurances made during the informed consent process? At stake are research subjects’ privacy, confidentiality, and trust in the medical research enterprise.

IRBs and researchers need to fully understand how new technologies work to enable reasonable assessments of risks to research data and implementation of data protection safeguards to eliminate, mitigate, or reduce these risks. While the IRB and Information Technology (IT) work together to understand the safety and potential risks of the technology, ultimately the principal investigator (PI) is the responsible party. Ideally the PI should be working with IT during project planning so that the safety and potential risks of the technology are known and can be shared with the IRB at the time of IRB submission.

This Guide to Technologies Used in Research offers a primer on broad categories of technologies used in research along with a list of issues to consider when assessing data security risk. The additional resources section includes materials to further assist researchers, IT, and IRBs by providing supplementary steps to protect research data.

If you wish to request, share, adapt, or contribute to this document, please see the 5. Attribution, Sharing, and Adapting section.

Finally, we would like to thank all those who contributed to the information gathering, drafting, and editing of this document. To learn more about those who contributed, please see our 6. Acknowledgments and Contact Us section at the end of the document.


2. Data Classification

While IT and IRBs assess information risk, they often do so from diverse perspectives and regulatory mandates. IT staff, for example, are often trained in frameworks designed for large enterprise systems or for financial transaction integrity. Examples include Federal Information Security Modernization Act (FISMA), Federal Information Processing Standards (FIPS), International Organization for Standardization or ISO 27001, Payment Card Industry Data Security Standard (PCI-DSS), and others. IRBs, however, assess information risk in light of federal regulatory mandates designed to protect human research subjects. These include the Federal Policy for the Protection of Human Subjects, also known as the ‘Common Rule’, and regulations enforced by HHS Office of Human Research Protections (e.g., 45 CFR 46, et seq.); the HIPAA Privacy Rule and Security Rule (45 CFR 160 and 164 et seq.); Food and Drug Administration (FDA) regulations; as well as assorted state laws. The task of information risk assessment is further complicated by ongoing innovations in research design, and the continually changing nature of the content, format, and rules of access for data sources that are accessed electronically.

A response to these differing perspectives and mandates for assessing information risks has been for institutions to develop data classification policies that characterize data sensitivity and risk along a spectrum of confidentiality, identifiability, and other factors justifying tiered levels of administrative, physical, and technical safeguards.

Data classification is one of many policy responses an institution may employ to assess risk to research data held by an institution or its researchers. As regulatory authorities continue to emphasize applying and documenting risk assessments, institutions handling sensitive research data may want to document their consideration of data classification policies as part of an overall risk assessment system for both research subject protection purposes and for compliance with other data security frameworks.

Key areas for consideration and questions to ask during risk assessment:

1. Data Ownership: Who owns the data? Any given piece of technology is subject to data ownership conflicts questioning who owns data, including pre-existing data sets or data produced by research. For example, technology used in research may automatically transfer ownership interests without the authorization of the individual, institution, or researcher. A relevant question to ask is: Does a third party vendor automatically collect data in the cloud without authorization by the researcher or research subject?

2. Data Collection: How does a given technology collect data? Researchers should only collect information that is needed. Technology should be checked to ensure that only the intended data are being collected. Investigators are responsible for working with IT to determine what kind of data the technology is collecting and how to best protect that data. Some services require the data to be extracted from the data source and transported into a data warehouse, also known as an Extract, Transform, Load (ETL) process. While in some studies a person will manually enter data, in others, smart phones may automatically collect the user’s geo-location data that may then be used in research. Each of these methods presents risks that must be understood and mitigated.

3. Data Access: How is existing data analyzed, processed, or viewed? Data may be held on a device or in the ‘cloud’ but viewed through a smart phone or desktop computer. How is access managed? Are there access controls? Are individuals given the minimum necessary access required to perform a given research task?

4. Data Storage: How is the data kept or held? Is the data being stored on a server, handheld device, or drive, or by a third party vendor? The method of data storage can affect the risk that the data will be lost, stolen, or viewed by unauthorized parties. For example, data held on a server with an open port connected to the internet may be exposed to public search engines.

5. Data Transmission: Data transmission refers to data in motion from one machine or device to another. Research data may be transmitted in a variety of ways such as over wired or wireless networks, using various transmission technologies such as internet protocols, cellular phone protocols, or public switches and routers.

6. Data Sharing: Data sharing may involve the research collaborator/co-PI or staff who share data with other members of the study team. In other cases, data sharing may involve moving large data sets to make them available to others outside the study team for research purposes. Risks associated with data sharing may involve unauthorized use, disclosures, etc. These risks may be reduced through management and monitoring of proper user controls. Examples of risk assessment considerations for data sharing include:

   ☑ Technologies may enable multiple people to view, edit, or analyze data in a shared research space. Consider ways to control data viewing such as remote locking, timed-out locking, password protections, etc.

   ☑ Note whether there are, or will be, external collaborators. Identify external collaborators and note if the technology has the capability to verify access, how access will be monitored, and which data and subsets of data require access by external collaborators.

   ☑ Ensure whenever possible that the data has been de-identified.

   ☑ If applicable, ensure appropriate local policy is in place (e.g., data use agreement, terms of use, etc.).

   ☑ If applicable, ensure the technology establishes a secure web-based portal.

7. Data Retention and Destruction: If data needs to be stored for long periods of time, the technology chosen to store the data should be assessed to ensure long-term access for personnel monitoring and support for the form of media. The technology should be periodically reviewed to determine if the data needs to be moved to an updated storage option (e.g., moving data from a CD-ROM to a USB). Data that is no longer needed in a research study should be destroyed. A proper disposal policy may include ensuring that sensitive information is shredded, and that media holding sensitive information is cleaned according to industry standards once that information is no longer needed for the research.

Encryption is the conversion of data into a format that is not easily understood by unauthorized viewers. Encryption can be applied to storage devices (data "at rest") and to network data (data "in transit"). The type of computing device and network, and whether personal or Protected Health Information (PHI) is involved, will dictate whether encryption is required. Encryption is a great way to protect your research data but it is not required if you do not store or work with research data that includes personal information or PHI. For more information on when to encrypt data, see the Guidance on When to Encrypt Data, in the 4. Additional Resources section.


3. Technologies

Researchers use both institutional and non-institutional tools and technology to conduct research. IT reviews technology to help navigate the researcher to the best media for the research study. IT vets the technology to minimize the risks for the research participant and comply with regulations. IRBs review protocols using vetted and non-vetted technology (technology that hasn’t been reviewed and approved by IT). This section describes several types of technologies used in research and each technology’s related risk considerations and possible mitigation strategies.

3a. Live Two-Way Communication

What is live two-way communication technology?

Two-way communication technology enables simultaneous communication between two or more individuals through audio and visual communication channels. Commonly used forms of live two-way communication technology include telephone, instant messaging (e.g., text messaging, Google Hangout, etc.), chat rooms (e.g., Yahoo Chat), and video telephony or internet phone (e.g., FaceTime, Skype, WebEx, using web cameras, etc.). Instant messaging is a communication tool that allows users to send typed messages, pictures, files, and live video to one or more recipients. Chat rooms are similar to instant messaging but instead of one-to-one communication, users log into a virtual room or space to communicate with others in the “room”.¹ Video telephony or internet phone is a real-time, audio-visual communication tool. Live two-way communication technologies use telecommunication networks established through public switch-enabled telephone wires, cellular networks, and other analog and digital technologies.

Prior to submitting an IRB application or amendment for research studies using live two-way communication technology, the following risks and technology considerations should be addressed:

The confidentiality, integrity, and availability of data collected using live two-way communication technologies may be susceptible to threats. Information risks associated with live two-way communication technologies can arise when the technology is susceptible to wiretapping or interception of data, or when the technology or website keeps track of a user’s activities. Unless data is encrypted and access controls are in place, anyone with physical access to a local area network (LAN) could potentially connect monitoring tools and access the communications occurring across that network. Technologies that rely on wi-fi are vulnerable if not protected by updated Wi-Fi Protected Access (WPA) using Advanced Encryption Standards (AES)².

Important risks associated with live two-way communication technologies:

1. Data Ownership: Live two-way communication providers may impose terms of service that are buried in fine print. These terms of service may unintentionally grant third parties access or intellectual property rights to data in violation of the communicating parties’ expectations and data protection obligations.

2. Data Collection: Communication providers may use software that automatically collects data from users. Technology vendors may, by default, set live two-way communication technologies to collect data not intended or necessary to collect for the research.

3. Data Access: If the live two-way communication provider records communications or collects metadata (e.g., time, location, address, etc.), then depending on the company’s policies, you may not have a right to access the information the company has collected.

4. Data Storage: The chosen communication technology, such as a smart phone, may be enabled to store or record live two-way communications. This presents a risk of unauthorized disclosure if the phone is lost or compromised. As a result, a research team may need to add additional technology and protections to enable such recordings or data storage.

5. Data Transmission: Live two-way communication technology may transmit data in a variety of forms over wired or wireless networks, using various transmission technologies such as internet protocols, cellular phone protocols, or public switches and routers. Depending on the circumstances, these channels may not be encrypted or secure. The technology software may be vulnerable if not regularly updated and patched. Whenever possible, don’t transfer files via email; instead use an encrypted USB or external drive. When using email, never use your personal email account, as it is not secure. Make sure your work email is set up to be secure. To ensure the security of data being transmitted, you can type in the subject line “[send secure]” in front of the subject title. Never include PHI in the subject title; subject titles are not secure.

6. Data Sharing: Files and images can be shared through live two-way communication technologies. Data sharing is accomplished over telephone wires, wi-fi, Bluetooth, and other data transmission technologies. Depending on the circumstances, these channels may not be encrypted or secure. The technology software may be vulnerable if not regularly updated and patched.

7. Data Retention/Destruction: Vendors of live two-way communication technologies may deny users the ability to retain or destroy data collected by the company. Users should address this in contractual terms if possible.

¹ http://www.familysafecomputers.org/imchat.htm, 01/23/2016
² See NIST 800-111

To eliminate, mitigate and/or reduce risk, investigators can communicate with IT, research computing, or information security to ensure that network infrastructures used for the research study have in place appropriate physical safeguards, access controls (collect and access only the minimum necessary information to conduct the study), and encryption.

A researcher can take steps to ensure data protection and privacy by managing policies, supporting role-based controls, and having IT and research compliance review research plans. Researchers should share with their institutional IT or research computing resource any contracts or agreements they have with data providers affecting rights, roles, and responsibilities pertaining to the data. Each user has the ability to control some collaboration parameters through use of the role-based controls (i.e. granting login credentials). IT can grant privileges based on the user’s affiliations and role in the research study. IT can use granular control to grant access to specific services and data based on roles, groups, or the needs of a particular user.

Live two-way communication vendors may offer IT the ability to manage collaboration privileges and to enforce enterprise security policies. A policy, contract, or agreement may include prohibiting automatic recording or disclosures of identifiable information to third parties without authorization.


Appendix: Considerations to eliminate, mitigate, or reduce risks related to the use of live two-way communication technologies in research

A. When developing research study design and methods, describe procedures and safeguards for:

Collecting and recording research data:

☐ Explain your selection criteria for the technology in the research protocol.

☐ Provide detailed information about what the technology does and its role in the study. Include information about the technology manufacturer, if applicable, such as a brochure, screen shots, version dates, or other information for reviewers.

☐ Specify whether a participant’s personal device or a device provided by the research study will be used.

☐ Explain whether the tool/technology will be password-protected.

☐ Describe the method of data collection and how often the data will be collected. Specify whether the data will be transmitted to a server behind your institution’s firewall or to another site.

☐ Explain how the participant will be informed that the data is subject to the technology’s terms of agreement, and told how the terms may change over time.

Processing, coding, and maintaining access to research data:

☐ Specify where and under which conditions individuals will have access to the data (what will be made available and to whom).

☐ List all parties, including IT, that will have access to the data. Make sure this list is always up to date.

☐ If outside collaborators will be granted access, explain how this will be done. List the information they will have access to and any agreements you have in place.

☐ Specify whether participants will be given a research code number to protect their identity when using this technology.

Storage of research data:

☐ Specify where the data will be stored and who will have access to it. Data should be kept in a secure location, a place only the PI and authorized research staff can access (both electronically and physically).

☐ Indicate how the data will be protected.

☐ Remove necessary subject identifiers from data files, and encrypt data files if stored electronically. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location. Additional justification must be provided to rationalize retention of subject identifiers to meet the specific needs of the research study.

☐ Specify whether the data will be stored or transmitted immediately. If not transmitted immediately, explain.

Sharing and transferring research data:

☐ Fully describe any third-party involvement, including their access to and/or retention of the data and their plans for use or reuse. Make sure to include in the informed consent document.


☐ Specify which data is transmitted to a server, and indicate if that exchange is encrypted. See the Guidance on When to Encrypt Data.

☐ Indicate which secure modes of transmission of data will be used (e.g., VPN, secure file transfer, etc.).

☐ Data submitted electronically and/or subject identifiers submitted over a public network must be encrypted.

☐ Consult with IT if there will be any external collaborators.

Research data destruction and minimizing potential risks to subject’s confidentiality:

☐ Explain where the data will go when the study is over (e.g., deleted from the shared folders, de-identified and stored for future use, etc.).

☐ If the data will be destroyed, explain how this will be done and by whom, and provide an estimated timeline.

☐ Specify at what point subject identifiable data will be de-identified or destroyed.

B. Consult with IT to review the technology, institutional policies, and any required agreements:

Begin communicating with IT early in the process, as they will need to conduct their own review of the technology. This can sometimes include working with the technology provider on use agreements.

Review the technology and account:

☐ Review your institution’s policy on security controls and safeguarding data. Determine whether data can be loaded onto other storage devices such as servers, disks, or portable media. Ensure secure transmission of data within an institution, and review how data saved on the institutional server should be properly deleted.

☐ Conduct a risk assessment on the technology. Review the chosen technology and determine if another technology would better fit the research study objectives.

☐ Determine the electronic and physical storage methods. Specify how data will be stored or transmitted.

☐ Review needs for encryption. Ensure appropriate encryption is in place (e.g., mail, internet, etc.). Determine plan(s) to prevent interception of data by a third party. See the Guidance on When to Encrypt Data.

☐ If there will be external collaborators, identify them and determine if the technology has the capability to verify access. Specify how access will be monitored and identify which data and subsets of data require research access.

Review the servicer and account:

☐ Review and verify the security standards of the servicer.

☐ Determine who owns the data and how much data will be stored. Determine if the servicer charges by the amount of data. Determine if there are additional costs to protect data.

☐ Determine whether the servicer will destroy the data or re-write the data and at what point the data will be destroyed.

☐ Determine whether the servicer will return the data, and if yes, how this is done.

☐ Determine whether the server is stored outside the US, and whether the information is subject to international or export restrictions.


Consult with appropriate individuals and/or offices, which may include IT and legal, to determine if the technology will require a Business Associate Agreement (BAA):

The majority of services require that you sign their terms and conditions prior to using the service. When possible, try to negotiate a contract with the servicer.

☐ Review the policy to understand how your research might be affected if another company buys the service provider. Determine if the sale would affect the data ownership, disaster recovery, privacy policies, or other issues.

☐ The terms of services should address:

   ☐ Privacy rules and regulations

   ☐ Safety of non-public information (SSN, credit card information, etc.)

   ☐ Value of intellectual property

   ☐ Any grant funding requirements regarding security, human subjects privacy regulations, or confidentiality.

☐ If applicable, address who reviewed the BAA, and who will continue to review updates of the agreement.


3b. Physical Storage

What is physical storage technology?

A media or any tangible material (portable media) used to store data, including but not limited to tapes (e.g., reel, cassette), flash drive (e.g., USB), magnetic disk storage, cartridges, disks, drums, CDs, DVDs etc. Ensure the conditions under which the information is stored protect against inappropriate interaction with or inadvertent interception of participant information.³ Research records should be maintained at the office, laboratory, or department where they were created or used, or on an electronic computing system maintained by the institution, preferably behind a firewall.⁴

Prior to submitting an IRB application or amendment for research studies using physical storage technology, the following risks and technology considerations should be addressed:

Information risks associated with physical storage media can arise because the technology can be used over a wireless network, making the communication susceptible to wiretapping or interception of data. The most common threats are hackers, computer criminals, terrorists, industrial espionage, and/or disgruntled employees.⁵ Natural disasters such as floods, earthquakes, and/or tornados leave the data vulnerable to loss or exposure to unauthorized parties. Many institutions have policies in place regarding selecting physical storage; check with your IT Department about your institution policy.

Important risks associated with physical storage technologies:

1. Data Ownership: Research data collected and stored on physical storage media is typically owned and/or governed by the investigator’s institution or by the sponsor of the research. Therefore, personal data of the PI or research staff should not be stored on or intermingled with institutional or work computer systems.

2. Data Collection: Physical storage media collects data manually or uses software (e.g., cookies and web beacons) to automatically collect data from users. During data collection, there is a risk of data failing to correctly save to the media or of data access records inadvertently being deleted, which will make the most current version of the data unavailable.

3. Data Access: Data may be accessed in different locations depending on the physical storage media and the platform through which it is accessed. If the physical storage media is accessed remotely, additional precautions should be in place to protect the information (e.g., password protected login, ability to log off users after a set time, ability to lock access if password is entered incorrectly over a set amount of times, etc.). In some cases, users may opt in or opt out of services but by doing this, may sacrifice access to services and data. If opting into physical storage services, choose only the minimum services necessary, and limit the number of staff who can access the media. Physical storage media may allow for password protected access and remote locking capabilities.

4. Data Storage: Data should be stored on the appropriate media specified to protect the sensitivity of the data, with appropriate access requirements. Access rights should be defined for all folders and files in the physical storage media (e.g., only select research staff have the authority to modify backup files). Remove necessary subject identifiers from data files, and encrypt data files if stored electronically. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location. There is also the risk of more information being stored than is necessary. Data stored on physical devices (e.g., smart phones, hard drives, physical servers, etc.) present the risk of unauthorized hacking, copying, loss, theft, or other dissemination that violates data use and protection terms. Server ports should be actively monitored and secured as they pose a disclosure risk through the exposure on internet search engines (e.g., Google, Yahoo, etc.).

5. Data Transmission: Data is transmitted when the physical storage media is connected to a device designed to read the media. For example, data stored on a USB is transmitted when the USB is plugged into a device equipped with the necessary plugin to read the data. Risks include access by unauthorized users, mishandling of data, and failure to remove the device from the media when no longer in use. Whenever possible, don’t transfer files via email; instead use an encrypted USB or external drive. When using email, never use your personal email account, as it is not secure. Make sure your work email is set up to be secure. To ensure the security of data being transmitted, you can type in the subject line “[send secure]” in front of the subject title. Never include PHI in the subject title; subject titles are not secure.

6. Data Sharing: Files and images can be stored, shared, and saved through physical storage media. Data sharing is accomplished over telephone wires, wi-fi, Bluetooth and other data transmission technologies. Depending on the circumstances, these channels may not be encrypted or secure. The technology software may be vulnerable if not regularly updated and patched.

7. Data Retention/Destruction: The duration of time the data will be stored on the physical storage media should be taken into account when determining the risks. Special file deletion software can be used to overwrite data, making data recovery impossible. Additionally, the media should be reviewed to determine if reading is possible while the data is being stored. This is especially critical for long-term storage or archiving. Account for the fact that storage media products can have varied shelf lives, and may become obsolete (data can become unreadable to current technology, such as zip drives, or degrade with storage time, as with CDs and DVDs).

³ http://humansubjects.stanford.edu/hrpp/Chapter11.html
⁴ http://vpr.harvard.edu/search/site/storage%20media
⁵ http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf

To eliminate, mitigate and/or reduce risk, investigators can communicate with IT, research computing, or information security to ensure that network infrastructures used for the research study have in place appropriate physical safeguards, access controls (collect and access only the minimum necessary information to conduct the study), and encryption.

To mitigate the risk of mishandling private information, investigators and IRBs must consider the risks associated with physical and digital storage, and evaluate and implement methods to reduce these risks.

A researcher can take steps to ensure data protection and privacy by sharing with institutional IT and research compliance all of the written and oral agreements and understandings they have with respect to pre-existing research data and data intended for collection. Researchers should work collaboratively with IT and research computing groups to design infrastructure that protects the data and advances the research. For example, research IT may decide that portable devices or laptops should not persistently store sensitive research data but may access data via secure web portals.

IT should be consulted on how and when the data will be retained and destroyed once the physical storage media is no longer in use. Specify the time frame for the use and storage of the data.
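
The key-code separation described under Data Storage above (identifiers held apart from the data files and linked only through a code), shown as an added Python example that is not part of the original guide. The column names, the sample rows and the `P-` code format are assumptions made for illustration; the example also checks the remaining fields for identifiers left behind in free text.

```python
import csv
import io
import secrets

# Constructed sample export; every name and value here is made up.
SAMPLE_CSV = """name,email,visit_date,systolic_bp,notes
Ana Ruiz,ana.ruiz@example.org,2016-03-01,128,baseline visit
Ben Cole,ben.cole@example.org,2016-03-02,141,
Ana Ruiz,Ana.Ruiz@example.org,2016-04-05,122,Called Ana Ruiz to reschedule
"""

# Assumption: which columns count as direct identifiers for this study.
IDENTIFIER_FIELDS = ("name", "email")


def new_study_code(in_use):
    """Random code with no relation to the participant (not a hash of the name)."""
    while True:
        code = "P-" + secrets.token_hex(4).upper()
        if code not in in_use:
            return code


def split_identifiers(rows, identifier_fields=IDENTIFIER_FIELDS):
    """Split rows into coded data rows and a separate linking key.

    Returns (data_rows, key_rows). data_rows carry only study_code plus the
    non-identifying fields; key_rows map study_code back to the identifiers.
    """
    code_for = {}  # normalised identity -> study code
    data_rows, key_rows = [], []
    for row in rows:
        identity = tuple(row[f].strip().lower() for f in identifier_fields)
        if identity not in code_for:
            code_for[identity] = new_study_code(set(code_for.values()))
            key_rows.append({"study_code": code_for[identity],
                             **{f: row[f].strip() for f in identifier_fields}})
        coded = {"study_code": code_for[identity]}
        coded.update((k, v) for k, v in row.items() if k not in identifier_fields)
        data_rows.append(coded)
    return data_rows, key_rows


def residual_identifiers(data_rows, key_rows, identifier_fields=IDENTIFIER_FIELDS):
    """Find identifier values that survive inside remaining fields (e.g. free text)."""
    needles = {r[f].lower() for r in key_rows for f in identifier_fields if r[f]}
    hits = []
    for row in data_rows:
        for field, value in row.items():
            if field == "study_code":
                continue
            for needle in needles:
                if needle in (value or "").lower():
                    hits.append((row["study_code"], field, needle))
    return sorted(hits)


def to_csv(rows):
    """Serialise rows to CSV text; the caller decides where each file is stored."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    data_rows, key_rows = split_identifiers(rows)
    print(to_csv(data_rows))  # coded data: the study's working data store
    print(to_csv(key_rows))   # linking key: separate, access-restricted, encrypted store
    for code, field, _ in residual_identifiers(data_rows, key_rows):
        print(f"review {code}: field '{field}' still contains an identifier")
```

Any row reported by `residual_identifiers` needs manual redaction before the coded file is shared, since removing the identifier columns alone does not clean free-text fields.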


Appendix: Considerations to eliminate, mitigate, or reduce risk related to the use of physical storage technologies in research

A. When developing research study design and methods, describe procedures and safeguards for:

Collecting and recording research data:

☐ Explain your selection criteria for the physical storage technology in the research protocol.

☐ Provide detailed information about what the technology does and its role in the study. Include information about the technology manufacturer, if applicable, such as a brochure, screen shots, version dates, or other information for reviewers.

☐ Explain whether the physical storage technology will be password-protected.

☐ Describe the method of data collection and how often the data will be collected. Specify whether the data will be transmitted to a server behind your institution’s firewall or another site.

☐ Provide confirmation that the research staff has signed a confidentiality agreement, agreeing to protect the security and confidentiality of identifiable information.

Processing, coding, and maintaining access to research data:

☐ Specify where and under which conditions individuals will have access to the data (what will be made available and to whom).

☐ List all parties, including IT, that will have access to the data. Make sure this list is always up to date.

☐ If outside collaborators will be granted access, explain how this will be done. List the information they will have access to and any agreements you have in place.

☐ Specify whether participants will be given a research code number to protect their identity when using this technology.

Storage of research data:

☐ Specify where the data will be stored and who will have access to it. Data should be kept in a secure location, a place only the PI and authorized research staff can access (both electronically and physically).

☐ Indicate how the data will be protected.

☐ Remove necessary subject identifiers from data files, and encrypt data files if stored electronically. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location. Additional justification must be provided to rationalize retention of subject identifiers to meet the specific needs of the research study.

☐ Specify whether the data will be stored or transmitted immediately. If not immediately, explain.

Sharing and transferring research data:

☐ Fully describe any third-party involvement (i.e. Amazon Cloud services or research service using a cloud service provider), including their access to and/or retention of the data, and their plans for use or reuse. Make sure to include in the informed consent document.

☐ Specify which data is transmitted to a server, and indicate if that exchange is encrypted. See the Guidance on When to Encrypt Data.


☐ Indicate which secure modes of transmission of data will be used (e.g., VPN, secure file transfer, etc.).
☐ Consult with IT if there will be any external collaborators.

Research data destruction and minimizing potential risks to subject’s confidentiality:

☐ Explain where the data will go when the study is over (e.g., deleted from the shared folders, de-identified and stored for future use, etc.).
☐ If the data will be destroyed, explain how this will be done and by whom, and provide an estimated timeline.
☐ Specify at what point subject identifiable data will be de-identified or destroyed.

B. Consult with IT to review the technology, institutional policies, and any required agreements:

Begin communicating with IT early in the process, as they will need to conduct their own review of the technology. This can sometimes include working with the technology provider on use agreements.

Review the technology and account:

☐ Review your institution’s policy on security controls and safeguarding data. Determine whether data can be loaded onto other storage devices such as servers, disks, or portable media. Ensure secure transmission of data within an institution, and review how data saved on the institutional server should be properly deleted.
☐ Conduct a risk assessment on the technology. Review the physical storage technology and determine if another technology would better fit the research study objectives.
☐ Determine the electronic and physical storage methods. Specify how data will be stored or transmitted.
☐ Review needs for encryption. Ensure appropriate encryption is in place (e.g., mail, internet, etc.). Determine plan(s) to prevent interception of data by a third party. See the Guidance on When to Encrypt Data.
☐ If there will be external collaborators, identify them and determine if the technology has the capability to verify access. Specify how access will be monitored and identify which data and subsets of data require research access.

Review the servicer and account:

☐ Review and verify the security standards of the physical storage technology.
☐ Determine who owns the data and how much data will be stored. Determine if the servicer charges by the amount of data. Determine if there are additional costs to protect data.
☐ Determine whether the servicer will destroy the data or re-write the data and at what point the data will be destroyed.
☐ Determine whether the servicer will return the data, and if yes, how this is done.
☐ Determine whether the server is stored outside the US, and whether the information is subject to international or export restrictions.
☐ Contact your IT office or Information Security Officer to ensure your physical storage technology choice is appropriate.
☐ Determine all physical devices that will store or transmit data.
☐ Check for your institutional policy on safeguarding data from unauthorized intrusion or natural disasters.


☐ Ensure your workstations are limited to authorized users only who have appropriate validation.
☐ Determine where paper-based records will be stored and who will be designated access to records.
☐ Research data access should be limited only to necessary research staff who are granted privileges and gain access to the data by password.

Consult with appropriate individuals and/or offices, which may include IT and legal, to determine if the technology will require a Business Associate Agreement (BAA):

The majority of services require that you sign their terms and conditions prior to using the service. When possible, try to negotiate a contract with the servicer.

☐ Review the policy to understand how your research might be affected if another company buys the service provider. Determine if the sale would affect the data ownership, disaster recovery, privacy policies, or other issues.
☐ The terms of services should address:
    ☐ Privacy rules and regulations
    ☐ Safety of non-public information (SSN, credit card information, etc.)
    ☐ Value of intellectual property
    ☐ Any grant funding requirements regarding security, human subjects privacy regulations, or confidentiality.
☐ If applicable, address who reviewed the BAA, and who will continue to review updates of the agreement.


3c. Mobile Devices and Applications (Apps)

Mobile devices and applications or “apps” allow for remote subject monitoring and data collection. Through these technologies the access to data is improved while potentially lowering costs and time commitment burden on research subjects.

What is a mobile device?

A mobile device (e.g., laptop, tablet, “smart” phones, portable storage media, etc.) is a handheld tablet or other device that is made for portability, intended for remotely accessing or processing data. If you plan to use a mobile device as a medical device, then you are requesting to use a mobile medical device (e.g., wireless home sleep apnea test, EKG, etc.). Transforming a mobile device into a regulated medical device is done by using attachments, sensors, or other peripheral device.[6]

What is an app?

An app (e.g., fitness tracker, podcast channel, calendar) is a software application that is designed to perform a specific function. It can be run on a mobile platform, or a web-based software application.[7] Apps are designed to run on the operating system of the platform or software it is being accessed through until it is closed out or exited. In some cases, apps may remain running and collect data in the background. You are able to control how apps refresh their content when on wi-fi or cellular in the background. For example, iPhone apps can be updated in the Background App Refresh setting. Here you can close out apps and control when they update themselves. If you plan to use a mobile app as a medical device, then you are requesting to use a mobile medical app.

If you think the device or app may meet the definition of an FDA regulated device, contact the IRB early for a consultation. Detailed FDA guidance is available at the FDA Regulations and Guidance.[8] For a complete list of what is classified as a mobile medical device or app, visit the FDA webpage.

Prior to submitting an IRB application or amendment for research studies using mobile device or app, the following risks and technology considerations should be addressed:

Mobile devices are a high-risk technology because they are more susceptible to loss and theft, unauthorized access, and use of unsecured wireless services. Information risks associated with mobile devices and apps can arise because the technology is often used with a wireless network, making the communication susceptible to wiretapping or interception of data. Risks associated with mobile devices and apps can be mitigated by using secured wireless networks (e.g., virtual private network (VPN)), encrypted mobile devices, and malware software (e.g., anti-malware, IDPS, DLP, etc.).[9] The mobile device or app technology should be configured to only keep track of the user’s activities if it has been approved with the research study. Unless data is encrypted and access controls are in place, anyone with physical access to a local area network (LAN) could potentially connect monitoring tools and tap into the communications. Technologies that rely on wi-fi may be vulnerable to being compromised if not protected by updated Wi-Fi Protected Access (WPA) using Advanced Encryption Standards (AES).[10][11] Depending on the mobile technology, the device may allow remote locking or deletion of data.

[6] http://www.farmpd.com/Farm-Blog/bid/78079/Five-Promising-Medical-Device-Mobile-Apps 02/02/16
[7] https://kb.wisc.edu/hsirbs/page.php?id=41771
[8] FDA Regulations and Guidance
[9] (Houlding “Healthcare Information at Risk”)
[10] See FIPS Standard Publication 197
[11] See NIST 800-111


Important considerations for mobile device and app technology:

1. Data Ownership - Research data collected and stored on mobile device and app technology is susceptible to all or some of the data being owned by the developer. Data ownership is outlined in the terms of service for each technology. When a mobile device and app technology is “running” or “open”, a variety of data is being collected without showing signs to the user. The technology should always be shut down or closed out after use so that no additional data can be collected. Researchers should clarify any data owned by the developer.

2. Data Collection - Mobile device and app technology may be set to automatically collect data by tracking cookies[12] and web beacons[13]. The technology vendor notifies the user of the automatic data collection in the terms of use, which must be accepted when the device is first used and then periodically. Recorded elements include geo-location information, activity, length of calls, duration of internet connection, and number of messages sent and received, including Short Message Service (SMS) messages, commonly known as “text messages,” and Multimedia Messaging Service (MMS) messages, which are text messages that include a photo, video, or audio (e.g., taking a photo with a camera phone and sending the photo to another device). Settings should be configured to restrict additional apps, or other data resources, from being downloaded onto the device being used for research, protecting against any risks that may be incurred.

3. Data Access - Data may be accessed in different locations depending on the mobile device and app technology and the platform through which it is accessed. Precautions should be in place to protect the device and the information: encrypt the device, password protected login (with a strong password typically six or more characters), “PIN” (personal identification number) login, ability to log off users after a set time, ability to lock access or delete data if password is entered incorrectly over a set amount of times (typically this is set for three to ten attempts), remote locking capabilities, etc. Antiviral software and updates should be consistently checked to ensure the most recent safety precautions are applied to the technology. Failure to make updates in a timely manner increases the risk of data being mishandled. Access controls should be in place prior to use by the research participant.

4. Data Storage - Data that is stored on a mobile device or app technology should be encrypted, de-identified, or coded to protect the data. Mobile device and app technology allow for data storage in many locations, including on the device or a third party (e.g., cloud). Automatic backups of the devices should also be encrypted, either in the cloud or on a local PC.

5. Data Transmission - Mobile device and app technology transmit data through another mobile device, wireless network, or other data transmission technology. Risks include interception by an unauthorized user, mishandling of data, and failure to update and patch software to the latest models and anti-virus protection. Depending on the circumstances, these channels may not be encrypted or secure. Transfer sensitive data from the mobile device or app technology as soon as possible to reduce risk. To ensure data being transmitted is secure, you can type in the subject line “[send secure]” in front of the subject title to make the email secure. Never include PHI in the subject title; the subject title is not secure.

[12] A text file placed on user’s computer by a website or web server. Often used to keep track of individuals as they navigate a site, and more broadly, the web. Internet-Based Research-CPHS University of California, Berkeley. Cphs.berkeley.edu/internet_research.pdf. Berkeley, CA: University of California, Berkeley, 07 July 2015. PDF.
[13] An embedded object in a web page or email, typically transparent, that tracks behavior or use of the web page or email. Web beacons can be detected by looking for tags that load from a different server than the one being used. Often web beacons are embedded with cookies. Beal, Vangie. "Web Beacon." What Is Web Beacon? Webopedia Definition. Webopedia. Web. 06 Apr. 2016. <http://www.webopedia.com/TERM/W/Web_beacon.html>.


6. Data Sharing - Files and images can be stored, shared, and saved on the mobile device and app technology or a third party. Data sharing is accomplished over wi-fi, Bluetooth, docking or plugging into a compatible device that can transmit the data. Depending on the circumstances, these channels may not be encrypted or secure. Research data should only be shared when the security of the recipient’s systems is known and is satisfactory to the sensitivity of the data.

7. Data Retention and Destruction - The duration of time the data will be stored on the mobile device and app technology should be taken into account when determining the risks. Depending on the mobile device or app company, data retention and destruction policies will differ, including how the data will be retained and destroyed. Work with your IT and legal offices to determine if a Business Associate Agreement (BAA) or other contract is needed. If a mobile device will be used by more than one research participant over the course of the study, plan for how and when data should be taken off the device prior to the next research participant’s use of the device.

To eliminate, mitigate, and/or reduce risk, investigators can communicate with IT, research computing, or information security to ensure that network infrastructures used for the research study have in place appropriate physical safeguards, access controls (collect and access only the minimum necessary information to conduct the study), and encryption. “In order to mitigate the risk associated with mobile devices and apps, it is important to know the differences in risks between personal use and mobile devices and apps used for research. Personal mobile devices are less manageable than corporate devices”[14]. If a personal mobile device, also called “Bring Your Own Device”, or BYOD (e.g., smartphone, iPad, etc.), is used to capture or share information it must be secured appropriate to the sensitivity of the data. To reduce risk, a mobile device management, or MDM, infrastructure can be implemented to isolate the application from the rest of the mobile device and app operating system.

To mitigate the risk of mishandling private information, investigators and IRBs must consider the risks associated with mobile device and app technology, and evaluate and implement methods to reduce these risks.

A researcher can take steps to ensure data protection and privacy by sharing with institutional IT and research compliance all of the written and oral agreements and understandings they have with respect to pre-existing research data and data intended for collection. Researchers should work collaboratively with IT and research computing groups to design infrastructure that protects the data and advances the research. For example, research IT may decide on parameters through the use of role-based controls, granting privileges based on the user’s affiliation and role in the research study. Remote access technology may be set up to delete or lock data in the event of theft or loss of the technology. Research data should never be stored on unencrypted devices as these devices are susceptible to loss or theft.

IT should be consulted on how and when the data will be retained and destroyed once the mobile device and app technology is no longer in use. Specify the time frame for the use and storage of the data.

[14] (Houlding “Healthcare Information at Risk”)


Appendix: Considerations to eliminate, mitigate, or reduce risk with mobile device and apps technologies in research

A. When developing research study design and methods, describe procedures and safeguards for:

Collecting and recording research data:

☐ Explain your selection criteria for the mobile device or app in the research protocol.
☐ Provide detailed information about what the mobile device or app does and its role in the study. Include information about the mobile device or app manufacturer, if applicable, such as a brochure, screenshots, version dates, or other information for reviewers.
☐ Specify whether a participant’s personal device or a device provided by the research study will be used.
☐ Explain whether the mobile device/app technology will be password-protected.
☐ Describe the method of data collection (e.g., audio recording, fitness tracker, etc.) and how often the data will be collected. Specify whether the data will be transmitted to a server behind your institution’s firewall or to another site.
☐ Explain how the participant will be informed that the data is subject to the technology’s terms of agreement, and told how the terms may change over time.
☐ Specify if your study includes the use of a mobile medical app. If so, it may be subject to FDA regulations. Detailed FDA guidance is available at the FDA Regulations and Guidance. For a complete list of what is classified as a mobile medical device, visit the FDA webpage. It is recommended to consult with the IRB early in the research study design process.

Processing, coding, and maintaining access to research data:

☐ Specify where and under which conditions individuals will have access to the data (what will be made available and to whom).
☐ List all parties, including IT, that will have access to the data. Make sure this list is always up to date.
☐ If outside collaborators will be granted access, explain how this will be done. List the information they will have access to and any agreements you have in place.
☐ Specify whether participants will be given a research code number to protect their identity while using the mobile device or app.

Storage of research data:

☐ Specify where the data will be stored and who will have access to it. Data should be kept in a secure location, a place where only the PI and authorized research staff can access (both electronically and physically).
☐ Indicate how the data will be protected.
☐ Remove necessary subject identifiers from data files, and encrypt data files if stored electronically. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location. Additional justification must be provided to rationalize retention of subject identifiers to meet the specific needs of the research study.


☐ Specify whether the data will be stored or transmitted immediately. If not transmitted immediately, explain.

Sharing and transferring research data:

☐ Fully describe any third-party involvement by the mobile device or app developer, including their access to and/or retention of the data and their plans for use or reuse. Make sure to include in the informed consent document.
☐ Specify which data is transmitted to a server, and indicate if that exchange is encrypted. See the Guidance on When to Encrypt Data.
☐ Indicate which secure modes of transmission of data will be used (e.g., VPN, secure file transfer, etc.).
☐ If your funder is NIH or NSF, indicate how you have planned for their data-sharing requirements (e.g., The NIH advises that personally identifiable, sensitive, and confidential information about NIH-supported research or research participants not be housed on portable electronic devices).

Research data destruction and minimizing potential risks to subject’s confidentiality:

☐ Explain where the data will go when the study is over (e.g., deleted from the shared folders, de-identified and stored for future use, etc.).
☐ If the data will be destroyed, explain how this will be done and by whom, and provide an estimated timeline.
☐ Specify at what point subject identifiable data will be de-identified or destroyed.

B. Consult with IT to review the technology, institutional policies, and any required agreements:

Begin communicating with IT early in the process, as they will need to conduct their own review of the technology. This can sometimes include working with the technology provider on use agreements.

Review the technology and account:

☐ Review your institution’s policy on security controls and safeguarding data. Determine whether data can be loaded onto other storage devices such as servers, disks, or portable media. Ensure secure transmission of data within an institution, and review how data saved on the institutional server should be properly deleted.
☐ List if automatic backup of the data will be implemented to either a server or PC.
☐ Conduct a risk assessment on the technology. Review the mobile device and app technology and determine if another technology would better fit the research study objectives.
☐ Determine the electronic and physical storage methods and how the data will be stored or transmitted.
☐ Review needs for encryption. Ensure appropriate encryption is in place (e.g., mail, internet, etc.). Determine plan(s) to prevent interception of data by a third party. See the Guidance on When to Encrypt Data.
☐ If there will be external collaborators, identify them and determine if the technology has the capability to verify access. Specify how access will be monitored and identify which data and subsets of data require research access.

Review the mobile device or app technology and account:

☐ Review and verify the security standards for the mobile device or app servicer.


☐ Determine who owns the data and how much data will be stored. Determine if the servicer charges by the amount of data and if there are additional costs to protect data.
☐ Determine whether the servicer will destroy the data or re-write the data and at what point the data will be destroyed.
☐ Determine whether the servicer will return the data. Explain how this will be done.
☐ Determine whether the server is stored outside the US and whether the information is subject to international or export restrictions.

Consult with appropriate individuals and/or offices, which may include IT and legal, to determine if the technology will require a Business Associate Agreement (BAA):

The majority of services require that you sign their terms and conditions prior to using the service. When possible, try to negotiate a contract with the servicer.

☐ Review the policy to understand how your research might be affected if another company buys the service provider. Determine if the sale would affect the data ownership, disaster recovery, privacy policies, or other issues.
☐ The terms of services should address:
    ☐ Privacy rules and regulations
    ☐ Safety of non-public information (SSN, credit card information, etc.)
    ☐ Value of intellectual property
    ☐ Any grant funding requirements regarding security, human subjects privacy regulations or confidentiality.
☐ If applicable, address who reviewed the BAA and who will continue to review updates of the agreement.


3d. Survey Tools

What is survey tool technology?

A technology that enables the collection of data through a series of questions relevant to the audience invited to complete the survey. Researchers conduct survey research by using web-based survey tools (e.g., using the internet, a user can log on to a site and fill out the survey), and externally hosted online survey tools. The most common survey tools used for research include REDCap, Research Use, Qualtrics, LimeSurvey, and SurveyMonkey.

Prior to submitting an IRB application or amendment for research studies using survey tools, the following risks and technology considerations should be addressed:

Information risks associated with some survey tools arise because the technology functions over a wireless network and through a third-party platform. The wireless network makes the data susceptible to wiretapping or interception of data. The technology or website may keep track of the user’s activities. When determining the risks to subjects’ privacy and confidentiality, the sensitivity of the data being collected must be considered. If an invasion of privacy or a breach of confidentiality would place subjects at risk of embarrassment or harm (including criminal or civil liability), or could be damaging to their financial standing, employability, insurability, reputation, or be stigmatizing, it may be unacceptable to collect sensitive data online via the internet without encryption or other methods that guarantee anonymity.[15] Consult with your IT Department if the survey tool technology will collect identifiable information (e.g., name, address, email, IP address, etc.).

Important risks associated with survey tool technology:

1. Data Ownership - According to their terms of service, survey tools may own some of the data and may also collect a variety of data that the company does not consider owned by the user. Companies often harvest sensitive data for advertising profiling.

2. Data Collection - Survey tools collect data manually or use software (e.g., cookies and web beacons) to automatically collect data from users. Survey tools may be set to collect unintended data by the technology vendor. Depending on the survey design, identifiable data may be collected (e.g., Internet Protocol (IP) addresses, email addresses, etc.), thus allowing survey sites to trace survey response data back to individual responders.

3. Data Access - Data may be accessed in different locations depending on the survey tool. If on a personal device, additional risks may be considered (e.g., the terms of agreement for the personal device were accepted under personal terms not considering the use for research). Access rights should be defined for all folders and files in the physical storage media (e.g., only select research staff have the authority to modify backup files). Remove necessary subject identifiers from data files, and encrypt data files if stored electronically. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location. There is also the risk of more information being stored than is necessary. Data stored on physical devices (e.g., smartphones, hard drives, physical servers, etc.) present the risk of unauthorized hacking, copying, loss, theft, or other dissemination that violates data use and protection terms. Server ports should be actively monitored and secured as they pose a disclosure risk through the exposure on internet search engines (e.g., Google, Yahoo, etc.).

4. Data Storage - Data should be stored on the appropriate media specified to protect the sensitivity of the data, with appropriate role-based access. Data from a survey tool can be stored on survey software, on the platform used to access the survey, with a 3rd party (e.g., Cloud), or your institution’s server. A research team may need to add additional technology and protections to enable the data storage.

5. Data Transmission - Data transmission refers to data in motion from the machine or device to another. Research data may be transmitted in a variety of ways such as export from survey software to secured file, over wireless network, etc. Depending on the survey tool, the risk level may increase based on the method used to transfer data (e.g., wireless transfer intercepted by unauthorized parties) and if the survey tool software is not up to date. Survey tools should be encrypted and protected by a strong password. If possible, also set up a timed lockout of the survey tool after a set time of inactivity. When sending out a link to the survey, the risk levels increase with the possibility of interception of data through email and text channels.

6. Data Sharing - Survey data and analysis can be shared within the survey platform to authorized users, by requesting the platform to email the survey data and reports by sending the data or sending a link to the data, or by saving the data to your server. Access should be given through proper access controls such as: password protection, encrypted files, etc. Research data should be shared only when the security of the recipient’s system is known and is appropriate for the sensitivity of the data. When possible, don’t transfer files through email. Instead use an encrypted USB or external drive. When using email, never use your personal email account as it is not secured. Your work email should be set up to be secure. To ensure the email is secure you can type in the title box “[send secure]” to the front of the email title to make the email secure. Never include PHI in the subject title; the subject title is not secure.

7. Data Retention and Destruction - Depending on the survey tool, authorized users will be given read, write, edit, or delete access. Make sure appropriate access is given based on the research staff member’s role and always transfer data when staff leave, removing their access completely. If data needs to be stored for a long period of time, the survey tool chosen should be assessed for long-term access for personnel monitoring and the form of media. Data that is no longer needed for a research study should be destroyed. A proper disposal may include removing the data from the survey tool, shared files servers, etc.

[15] Partners Human Research Committee

To eliminate, mitigate and/or reduce risk, investigators can communicate with IT, research computing or information security to ensure that network infrastructures used for the research study have in place the appropriate physical safeguards, access controls (collect and access only the minimum necessary information to conduct the study), and encryption. Internet-based research must meet the same criteria for IRB approval and offer the same level of protections to human research subjects as research conducted through more traditional methods. When the IRB reviews the use of web-based survey tools, the IRB must specifically consider whether the web-based survey tool affords adequate privacy and confidentiality protections and ensures that additional risks related to Internet research are minimized. The IRB should work with IT to develop a list of vetted survey tools for researchers to use. In order to mitigate the risks associated with survey tools, it is important to understand the different risks associated with web-based and externally hosted survey tools. If a personal device is used to access the survey tool it must be secured in the same manner as an institutional device. Consult with IT to determine the ability to trace responses back to individuals via their e-mail address, their Internet Protocol (IP) address, or other identifying information captured while visiting the survey website.
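The separation of identifiers from data files through a key code, which this guide asks for in its storage checklists and in the survey data access risk, can look like this for a survey export that captured e-mail and IP addresses. This is an added example, not part of the original guide; the column names, the sample rows, and the `R-` code format are assumptions made for illustration.

```python
import csv
import io
import re
import secrets

# Constructed sample export. Column names are assumptions for this example,
# not the schema of any particular survey tool.
SAMPLE_EXPORT = """response_id,email,ip_address,q1_sleep_hours,q2_comments
1,ana@example.org,203.0.113.7,6,Fine overall
2,ben@example.org,198.51.100.23,8,Reach me at ben@example.org
3,Ana@Example.org,203.0.113.7,5,Second response from the same person
"""

IDENTIFIER_FIELDS = ("email", "ip_address")  # direct identifiers to strip
LINK_FIELD = "email"                         # decides what counts as one participant

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def new_code(existing):
    """Return a random research code that is not already in use.

    The code is random rather than a hash of the e-mail address, so it
    cannot be reversed by hashing a list of guessed addresses.
    """
    while True:
        code = "R-" + secrets.token_hex(4)
        if code not in existing:
            return code


def split_identifiers(export_text, identifier_fields=IDENTIFIER_FIELDS,
                      link_field=LINK_FIELD):
    """Split an export into (data_rows, key_rows, warnings).

    data_rows: responses with identifier columns replaced by a research code.
    key_rows:  one row per participant linking the code to the identifiers;
               this is the key file to keep in a separate, secure location.
    warnings:  (response_id, field) pairs where a remaining cell still looks
               like it contains an e-mail or IPv4 address. Those cells are
               left unchanged and need manual review before the data is shared.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    codes = {}  # normalised link value -> research code
    data_rows, key_rows, warnings = [], [], []
    for row in reader:
        participant = (row[link_field] or "").strip().lower()
        if participant not in codes:
            codes[participant] = new_code(set(codes.values()))
            key_rows.append({"research_code": codes[participant],
                             **{f: row[f] for f in identifier_fields}})
        clean = {"research_code": codes[participant]}
        for field, value in row.items():
            if field in identifier_fields:
                continue
            clean[field] = value
            text = value or ""
            if EMAIL_RE.search(text) or IPV4_RE.search(text):
                warnings.append((row["response_id"], field))
        data_rows.append(clean)
    return data_rows, key_rows, warnings


def to_csv(rows):
    """Serialise a list of dict rows to CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    data, key, flagged = split_identifiers(SAMPLE_EXPORT)
    print(to_csv(data))
    print("Participants in key file:", len(key))
    print("Cells needing manual review:", flagged)
```

Repeat responses from the same participant receive the same research code, and the free-text check catches identifiers that respondents typed into an answer field, which dropping columns alone would miss.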


A researcher can take steps to ensure data protection and privacy by managing policies, supporting role-based controls, and having IT and research compliance review research plans. Researchers should share with their institutional IT or research computing resource any contracts or agreements they have with data providers affecting rights, roles, and responsibilities pertaining to the data. Each user has the ability to control some collaboration parameters through use of the role-based controls (i.e. granting login credentials). IT can grant privileges based on the user’s affiliations and role in the research study. IT can use granular control to grant access to specific services and data based on roles, groups, or the needs of a particular user.

Survey tool vendors may offer IT the ability to manage collaboration privileges and to enforce enterprise security policies. A policy, contract, or agreement may include prohibiting automatic recording or disclosures of identifiable information to third parties without authorization. Survey tool technology should be chosen based on the best option for the research study. Consider offering alternative methods of participating in the study if subjects prefer not to submit their information online.


Appendix: Considerations to eliminate, mitigate, or reduce risk related to the use of survey tool technology in research

A. When developing research study design and methods, describe procedures and safeguards for:

It is important to know how to create a survey to ensure compliance with the regulations associated with human subject protections. These include offering an alternative means of completing the survey, such as printing the survey or mailing it in, designing the survey so that participants can skip questions or decide not to answer, providing the option to submit the data or discard the data, and ensuring that a participant has the right to withdraw at any point and have their data removed from the study.

Collecting and recording research data:

☐ Explain your selection criteria for the survey tool in the research protocol.
☐ Provide detailed information about what the survey tool does and its role in the study. Include information about the technology manufacturer, if applicable, such as a brochure, screenshots, version dates, or other information for reviewers.
☐ Explain whether or not the survey tool will be password protected. Indicate whether the survey is by invitation only, with a code (login/password), or available to the public.
☐ Specify whether a participant will be asked to use their own device to complete the survey or if a device provided by the research study will be used.
☐ Describe the method of data collection (e.g., email link to participants, post link to website, etc.) and how often the data will be collected (e.g., is this a one-time response survey). Consider the validity of data and the possibility of people completing surveys multiple times.
☐ Explain whether the data is transmitted to a server behind your institution's firewall or to another site.
☐ Explain how the participant will be informed that the data is subject to the survey tool's terms of agreement, and told how the terms may change over time.

Processing, coding, and maintaining access to research data:

☐ Specify where and under which conditions individuals will have access to the data, what will be made available, and to whom.
☐ List all parties, including IT, that will have access to the data. Make sure this list is always up to date.
☐ If outside collaborators will be granted access, explain how this will be done. List the information they will have access to and any agreements you have in place.
☐ Specify whether participants will be given a research code number to protect their identity when using this technology.

Storage of research data:

☐ Specify where the data will be stored and who will have access to it. Data should be kept in a secure location, a place only the PI and authorized research staff can access (both electronically and physically).
☐ Indicate how the data will be protected.
☐ Remove necessary subject identifiers from data files, and encrypt data files if stored electronically. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location. Additional justification must be provided to rationalize retention of subject identifiers to meet the specific needs of the research study.
☐ Specify whether the data will be stored or transmitted immediately. If not transmitted immediately, explain.

Sharing and transferring research data:

☐ Fully describe any third-party involvement, including access to and/or retention of the data, and their plans for use or reuse. Make sure to include this in the informed consent document.
☐ Specify which data is transmitted to a server, and indicate if that exchange is encrypted. See the Guidance on When to Encrypt Data.
☐ Indicate which secure modes of transmission of data will be used (e.g., VPN, secure file transfer, etc.).
☐ Data submitted electronically and/or subject identifiers submitted over a public network must be encrypted.

Research data destruction and minimizing potential risks to subject's confidentiality:

☐ Explain where the data will go when the study is over (e.g., deleted from the shared folders, de-identified and stored for future use, etc.).
☐ If the data will be destroyed, explain how this will be done and by whom and provide an estimated timeline.
☐ Specify at what point subject identifiable data will be de-identified or destroyed.

B. Consult with IT to review the technology, institutional policies, and any required agreements:

Begin communicating with IT early in the process, as they will need to conduct their own review of the technology. This can sometimes include working with the technology provider on use agreements.

Review the technology and account:

☐ Review your institution's policy on security controls and safeguarding data. Determine whether data can be loaded onto storage devices such as servers, disks, or portable media. Ensure secure transmission of data within an institution, and review how data saved on the institutional server should be properly deleted.
☐ Conduct a risk assessment on the technology. Review the chosen survey technology and determine if another survey tool would better fit the research study objectives.
☐ Determine the electronic and physical storage methods. Specify how data will be stored or transmitted.
☐ Review needs for encryption. Ensure appropriate encryption is in place (e.g., mail, internet, etc.). Determine plan(s) to prevent interception of data by a third party. See the Guidance on When to Encrypt Data.
☐ Determine if the technology has the capability to verify access, how access will be monitored, and what data and subsets of data require research access.

Review the servicer and account:

☐ Review and verify the security standards of the survey tool servicer.
☐ Determine who owns the data and how much data will be stored. Determine if the servicer charges by the amount of data. Determine if there are additional costs to protect data. Determine whether the servicer will destroy the data or re-write the data and at what point the data will be destroyed.
☐ Determine whether the servicer will return the data, if yes, how this is done.
☐ Determine whether the server is stored outside the US and whether the information is subject to international or export restrictions.

Consult with appropriate individuals and/or offices, which may include IT and legal, to determine if the technology will require a Business Associate Agreement (BAA):

The majority of services require that you sign their terms and conditions prior to using the service. When possible, try to negotiate a contract with the servicer.

☐ Review the policy to understand how your research might be affected if another company buys the service provider. Determine if the sale would affect the data ownership, disaster recovery, privacy policies, or other issues.
☐ The terms of services should address the following:
    ☐ Privacy rules and regulations
    ☐ Safety of non-public information (SSN, credit card information, etc.)
    ☐ Value of intellectual property
    ☐ Any grant funding requirements regarding security, human subjects privacy regulations, or confidentiality.
☐ If applicable, address who reviews the BAA, and who will continue to review updates of the agreement.


3e. Cloud Service and Storage

What is a cloud service and storage technology?

Cloud service and storage generally refers to a set of technologies that enable the collection, processing, and storage of data through a set of services or infrastructure where a third-party vendor manages computing resources on behalf of a data customer. Cloud computing services are ever evolving. While there are many types of configurations, the cloud may best be understood as a diverse network of computing resources (e.g., servers, smartphones, PCs, tablets) linked through the internet, which may be used in concert to perform a given set of computing tasks. Through the internet, cloud services can leverage massive data centers and a variety of software capabilities around the world, enabling flexible, scalable, and interoperable access to data and data services from any location. Commonly used cloud service and storage companies include Google Cloud, Amazon Web Services (AWS), Microsoft Azure, Dropbox, Netflix, Flickr, Syncplicity for EMC, and Microsoft 365.

Prior to submitting an IRB application or amendment for research studies using cloud service and storage technology, the following risks and technology considerations should be addressed:

Information risks associated with cloud services and storage can arise because the technology functions over a wireless network and through a third-party platform, making the communication susceptible to wiretapping or interception of data. The sensitivity of the data being collected must be considered when determining the risks to subjects' privacy and confidentiality. Be conservative about storing critical information in the cloud; without an appropriate contract, you should only use cloud storage for information that can be replaced with little or no consequence. In determining the best servicer, consider effective management controls (e.g., oversight of third parties, adequate insurance, disaster recovery, etc.). Also, consider the possibility that another company might purchase the cloud servicer and how that would affect data stored in the cloud service provider (e.g., data ownership, disaster recovery, privacy policies, etc.). Assess the relevance of federal privacy regulations, federal laws, contractual obligations, and grant restrictions before moving institution-related files and data to any cloud server. For financial reasons, many cloud providers locate some of their servers outside the US. In this case, since you won't know the physical location of the servers on which a provider stores your information, you should exercise caution if any of the information you store in the cloud is subject to any international or export restrictions.

Important risks associated with cloud service and storage technology:

1. Data Ownership – Research data collected and stored on cloud service and storage technologies is typically owned and/or governed by the investigator's institution or by the sponsor of the research. Factors affecting 'ownership' status include, among others, who contributed the data, agreements associated with data creation and distribution, contract terms, and intellectual property rights. A cloud service provider may include terms in its vendor contract or end user license agreement (EULA) that automatically transfer some or all ownership rights to the provider. Failure to properly review the contracts and agreements may result in unintentional forfeiture of intellectual property rights or inability to retrieve data. Understand the cloud vendor access and data rights. The two categories of cloud data are data created by the user before uploading it in the cloud and data created on the cloud platform itself.

2. Data Collection – Cloud service and storage technology collects data manually with wired or wireless access to the server. During collection, there may be risks to the confidentiality, integrity, and availability of data.

3. Data Access – Data may be accessed in different locations. If data is accessed on a personal device, additional risks may be considered (e.g., the terms of agreement for the personal device were accepted under personal terms not considering the use for research). Additional precautions should be in place to protect the information (e.g., password protected login, ability to log off users after a set time, ability to lock access if password is entered incorrectly over a set number of times, etc.). In some cases, users may opt in or opt out of services but by doing this, may sacrifice access to services and data. If opting into cloud service and storage, choose only the minimum services necessary, and limit the number of staff who can access the media. Cloud storage media may allow for password protected access and remote locking capabilities.

4. Data Storage – Data should be stored on the appropriate cloud storage technology specified to protect the sensitivity of the data, with appropriate access requirements. Data storage should not be done in personal accounts; you should set up new accounts specifically for the research study. Access rights should be defined for all folders and files in the cloud storage media (e.g., only select research staff have the authority to modify backup files). Remove necessary subject identifiers from data files, and encrypt data files. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location. There is also the risk of more information being stored than is necessary. Server ports should be actively monitored and secured as they pose a disclosure risk through the exposure on internet search engines (e.g., Google, Yahoo, etc.). The longer data are left unused in storage, the more likely unauthorized individuals outside the network can retrieve it. Regulations have requirements on how data can be accessed and where it can be stored. For example, it is not appropriate to store data regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA) in Dropbox or other cloud services.

5. Data Transmission – Data is transmitted when the cloud service and storage media account is accessed and a data transfer request is made (e.g., request to download, share files, etc.). Risks include access by unauthorized users, mishandling of data, and failure to log out from the media when no longer in use. Whenever possible, don't transfer files via email; instead use an encrypted USB or external drive. When using email, never use your personal email account, as it is not secure. Make sure your work email is set up to be secure. To ensure the security of data being transmitted, you can type in the subject line "[send secure]" in front of the subject title. Never include PHI in the subject title; subject titles are not secure. Check the technology to see if the channels are encrypted, secured, and how often the software is updated and patched.

6. Data Sharing – Data sharing on cloud service and storage technology should be limited by proper access controls (e.g., password protection, encrypted files, etc.). Prior to sharing data, ensure the location and method for sharing is secured and protected based on the sensitivity of the data. A cloud provider may be configured to include protections, but if the researcher downloads or syncs that data to their end device such as a laptop or smartphone, the device may not be secure.

7. Data Retention and Destruction – The duration of time the data will be stored on the cloud service and storage media should be taken into account when determining the risks. The media should be reviewed to determine if reading is possible while the data is being stored. This is especially critical for long-term storage or archiving. Account for the fact that cloud storage media products can have varied shelf lives, and may become obsolete. Depending on the cloud storage company policy, they may have rights to the data, including how the data will be retained and destroyed.
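The separation of identifiers from data files through a key code, described under Data Storage above and in the survey tool appendix, can be sketched as follows. This is an added example, not part of the original guide: the column names, the `R-` code format and the sample export are assumptions constructed for illustration, and encrypting the two resulting files is left to the tool your institution approves.

```python
import csv
import io
import secrets

# Constructed sample survey export. The column names are assumptions for this
# example; real survey tools name their identifier columns differently.
SAMPLE_EXPORT = """email,ip_address,name,q1_sleep_hours,q2_comment
ana@example.org,192.0.2.10,Ana Ruiz,7,Slept fine
ben@example.org,192.0.2.44,Ben Cho,5,Contact me at ben@example.org
Ana@Example.org,192.0.2.10,Ana Ruiz,6,Second submission
"""

IDENTIFIER_COLUMNS = ("email", "ip_address", "name")


def new_research_code(used):
    """Return a random code. Unlike a hash of the e-mail address, it cannot
    be recomputed from a list of candidate addresses."""
    while True:
        code = "R-" + secrets.token_hex(4).upper()
        if code not in used:
            used.add(code)
            return code


def split_identifiers(export_text, identifier_columns=IDENTIFIER_COLUMNS,
                      link_on="email"):
    """Split an export into (data_rows, key_rows).

    data_rows: responses with identifier columns replaced by a research code.
    key_rows:  the key code table (research code -> identifiers), meant to be
               stored in a separate, secure location from the data file.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    fieldnames = reader.fieldnames or []
    missing = [c for c in (*identifier_columns, link_on) if c not in fieldnames]
    if missing:
        raise ValueError("export lacks expected columns: %s" % missing)

    used_codes, code_by_subject = set(), {}
    data_rows, key_rows = [], []
    for row in reader:
        subject = (row[link_on] or "").strip().lower()
        code = code_by_subject.get(subject) if subject else None
        if code is None:
            # First submission from this subject (or no link value at all).
            code = new_research_code(used_codes)
            if subject:
                code_by_subject[subject] = code
            key_row = {"research_code": code}
            key_row.update({c: row[c] for c in identifier_columns})
            key_rows.append(key_row)
        # Repeat submissions reuse the code, so duplicates stay detectable
        # in the de-identified file. Unnamed overflow cells are dropped.
        data_row = {"research_code": code}
        data_row.update({k: v for k, v in row.items()
                         if k is not None and k not in identifier_columns})
        data_rows.append(data_row)
    return data_rows, key_rows


def residual_identifiers(data_rows, key_rows,
                         identifier_columns=IDENTIFIER_COLUMNS):
    """List (research_code, column) pairs where a known identifier value
    still appears in the de-identified rows, e.g. inside a free-text answer.
    Substring matching can over-report; the result is a review list."""
    known = {r[c].strip().lower() for r in key_rows
             for c in identifier_columns if r[c] and r[c].strip()}
    hits = set()
    for row in data_rows:
        for column, value in row.items():
            if column == "research_code" or not value:
                continue
            if any(v in value.lower() for v in known):
                hits.add((row["research_code"], column))
    return sorted(hits)


def to_csv(rows):
    """Serialize rows so each table can be written to its own location."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    data, key = split_identifiers(SAMPLE_EXPORT)
    print(to_csv(data))   # de-identified data file
    print(to_csv(key))    # key code table, stored separately
    print(residual_identifiers(data, key))
```

The review list matters because dropping identifier columns does not remove an address or name that a participant typed into an open-ended answer.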

To eliminate, mitigate, and/or reduce risk, investigators can communicate with IT, research computing, or information security to ensure that for the research study, network infrastructures have appropriate physical safeguards, access controls (collect and access only the minimum necessary information to conduct the study), and encryption in place.

To mitigate the risk of mishandling private information, investigators and IRBs must consider the risks associated with cloud service and storage, and evaluate and implement methods to reduce these risks.

A researcher can take steps to ensure data protection and privacy by sharing with institutional IT and research compliance all of the written and oral agreements and understandings they have with respect to pre-existing research data and data intended for collection. Researchers should work collaboratively with IT and research computing groups to design infrastructure that protects the data and advances the research. Research data with restrictions on the participation of foreign nationals, publication (prior approval or prior review), or imposed by non-disclosure agreements should not be stored on a commercial cloud service.

The cloud service and storage technology should afford adequate privacy and confidentiality protections, and ensure that additional risks related to cloud service and storage are minimized. The IRB should determine whether they want researchers to explicitly note in the consent form the storage location, or simply specify how the data will be protected. Using the verbiage "cloud storage" can cause confusion for some subjects.


Appendix: Considerations to eliminate, mitigate, or reduce risk related to the use of cloud service and storage technologies in research:

A. When developing research study design and methods, describe procedures and safeguards for:

Collecting and recording research data:

☐ Explain your selection criteria for the cloud service and storage vendor in the research protocol. See the Points to Consider When Choosing a Cloud Service Provider.
☐ Provide detailed information about what the cloud service and storage technology does and its role in the study. Include information about the technology manufacturer, if applicable, such as a brochure, screenshots, version dates, or other information for reviewers.
☐ Specify if research data will be created before uploading to the cloud or if the data will be created on the cloud platform itself.
☐ Indicate whether the cloud service and storage access is by invitation only, with a code (login/password), or if it is available to the public.
☐ Explain whether the cloud service and storage will be password-protected.
☐ Describe the method of data collection (e.g., survey, uploading of pre-existing database) and how often the data will be collected. Specify whether the data will be transmitted to a server behind your institution's firewall or to another site.
☐ Provide the account information the data will be collected and stored under. Do not store research data in personal accounts; use only a business account.
☐ Explain how the participant will be informed that the data is subject to the cloud service or storage technology's terms of agreement, and told how these terms may change over time.

Processing, coding, and maintaining access to research data:

☐ Specify where and under which conditions individuals will have access to the data (what will be made available and to whom).
☐ List all parties, including IT, that will have access to the data. Make sure this list is always up to date.
☐ If outside collaborators will be granted access, explain how this will be done. List the information they will have access to and any agreements you have in place.
☐ List all vendor certifications.
☐ Specify whether participants will be given a research code number to protect their identity when using this technology.

Storage of research data:

☐ Specify where the data will be stored and who will have access to it. Data should be kept in a secure location, a place where only the PI and authorized research staff have access (both electronically and physically).
☐ Indicate how the data will be protected.
☐ Remove necessary subject identifiers and encrypt data files. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location. Additional justification must be provided to rationalize retention of subject identifiers to meet the specific needs of the research team.
☐ Explain plans for cloud service and storage rental costs.

Sharing and transferring research data:

☐ Fully describe the cloud service and storage provider involvement, including access, data retention and plans for use or reuse. Make sure to include this in the informed consent document.
☐ Specify which data is transmitted to a server and if that exchange is encrypted. See the Guidance on When to Encrypt Data.
☐ Indicate which secure modes of transmission will be used (e.g., VPN, secure file transfer, etc.).

Research data destruction and minimizing potential risks to subject's confidentiality:

☐ Explain where the data will go when the study is over (e.g., deleted from the shared folders, de-identified, and stored for future use).
☐ If the data will be destroyed, explain how this will be done and by whom, and provide an estimated timeline.
☐ Specify at what point subject identifiable data will be de-identified or destroyed.

B. Consult with IT to review the technology, institutional policies, and any required agreements

Begin communicating with IT early in the process, as they will need to conduct their own review of the technology. This can sometimes include working with the technology provider on use agreements.

Review the technology and account:

☐ Review your institution's policy on security controls and safeguarding data. Ensure secure transmission of data within an institution, and review how data saved on the institutional server should be properly deleted.
☐ Conduct a risk assessment on the technology. Review the chosen cloud service and storage technology and determine if another technology would better fit the research study objectives.
☐ Determine the electronic and physical storage methods. Specify how data will be stored or transmitted.
☐ Review needs for encryption. Ensure appropriate encryption is in place (e.g., mail, internet, etc.). Determine plan(s) to prevent interception of data by a third party. See the Guidance on When to Encrypt Data.
☐ Specify how access will be monitored and identify which data and subsets of data require research access.

Review the servicer and account:

☐ Review and verify the security standards of the cloud service and storage technology provider.
☐ Determine who owns the data and how much data will be stored. Determine if the technology provider charges by the amount of data. Determine if there are additional costs to protect the data.
☐ Determine whether the technology provider will destroy the data or re-write the data and at what point the data will be destroyed.
☐ Determine whether the technology provider will return the data, and if yes, how this is done.
☐ Determine whether the server is stored outside the US, and whether the information is subject to international or export restrictions.


Consult with appropriate individuals and/or offices, which may include IT and legal, to determine if the technology will require a Business Associate Agreement (BAA):

The majority of services require that you sign their terms and conditions prior to using the service. When possible, try to negotiate a contract with the servicer.

☐ Review the policy to understand how your research might be affected if another company buys the service provider. Determine if the sale would affect the data ownership, disaster recovery, privacy policies, or other issues.
☐ The terms of service should address:
    ☐ Privacy rules and regulations
    ☐ Safety of non-public information (SSN, credit card information, etc.)
    ☐ Value of intellectual property
    ☐ Any grant funding requirements regarding security, human subjects privacy regulations or confidentiality.
☐ If applicable, identify who reviewed the BAA, and who will continue to review updates of the agreement.

Contract with Cloud Service Provider:

☐ Include the right to audit and inspect the technology provider's data security practices (e.g., third-party audit reports).
☐ Where human subject protections and data privacy law apply, ensure that the technology provider is contractually bound to apply data protection safeguards that meet the researchers' obligations under contract or law (e.g., HIPAA requirement to execute business associate agreements with subcontractors).
☐ Ensure that the technology provider adheres to the most current data security frameworks that apply administrative, physical, and technical safeguards (e.g., FISMA, ISO 27001, NIST 800-53).
☐ Confirm that the technology provider can comply with contractual or legal obligations on data access (e.g., reports on disclosures or law enforcement access).
☐ Determine the roles and responsibilities of the researcher, research institution, and cloud service provider.
☐ Review the cloud service provider's capacity to comply with conditions of IRB oversight and human subject protection regulations.


4. Additional Resources

4a. Investigator Checklist for Securing Research Data

• Ensure that the website where you are typing your login credentials (username and password) uses SSL (Secure Sockets Layer). You can determine this by looking at the web page address. It should begin with https:// or display an icon of a padlock beside the URL.

• Remember to create strong passwords. Avoid using words found in any dictionary.[16] Combine mixed case and symbol(s), and make the password at least six characters. Use a unique password for each account. Consider two factor authentication/multi-factor authentication on sensitive accounts, where available. Password managers (such as LastPass or 1Password) may be used to securely store your passwords. Additional password guidelines may be given by your IT department.

• Whenever possible, avoid storing subject identifiable data on portable devices such as laptop computers, digital cameras, portable hard drives including flash drives, USB memory sticks, iPods, smartphones or similar storage devices, as they are particularly susceptible to loss or theft. If it is necessary to use portable devices for initial collection of subject identifiers, the data files must be encrypted, and subject identifiers transferred to a secure system as soon as possible and securely deleted from the device after transfer.

• Ensure your workstations are limited to authorized users who have appropriate validation
    o Designate a secure location with limited access for paper-based records
    o Prior to receipt of study-related information, set up access privileges and passwords.

• Questions to ask when sharing access to online folders:
    o Does the person have read-only access or are they authorized to change or delete the folder?
    o Will you have the ability to know when the files are accessed and changes are made?
    o Who will you be sharing the file with? Have they been listed/approved to access the data? Who is responsible for managing the administrative access of the folders? Are the folders password-protected? Are they on a secure network?[17]

• Restrict access to the following areas to increase the security of private data:

1. Ensure your physical environment is secure:
    ☐ Lock offices or work area(s).
    ☐ Secure laptops at desks/workstations (use a cable lock when possible).
    ☐ Keep paper files containing private data in locked file cabinets and/or in locked offices.
    ☐ Immediately retrieve print-outs and faxes that contain private data.
    ☐ Make sure computers are not left unattended for long periods of time, and turn off when no longer in use.
    ☐ Always dispose of documents containing private information by shredding or placing in secure, confidential recycling bins (check with your institution regarding any questions about disposal).
    ☐ Adjust your monitor or use a screen filter to protect private data from prying eyes.

2. Secure your technical environment:
    ☐ Use strong passwords and never share them with others.
    ☐ Changes to computer settings can cause changes in security; consult with IT before changing settings.
    ☐ Secure workstations by:
        o Installing anti-virus software and setting it to update automatically.
        o Installing a password-protected screen saver.
        o Turning on automatic updates to keep computer operating systems (e.g. MS Windows, Mac OS X) current.
        o Enabling automatic updates for other software such as Adobe and Acrobat.
        o Enabling a firewall for your operating system.

3. Learn your work processes:
    ☐ Learn and apply your institution policy and procedural requirements for safeguarding data.
    ☐ Update your knowledge of safe computing practices.
    ☐ Understand the risks associated with an inadequately secured work area.
    ☐ Be discreet when leaving audio messages about private matters.
    ☐ Always report security violations to IT, your supervisor, or the appropriate office at your institution.

4. Take steps to secure your email, internet, and home computer:
    ☐ Never open an email attachment from an unknown source. If you know the sender but the email still seems suspicious, you may want to contact the sender to verify the attachment before opening.
    ☐ Do not use personal email accounts to send work-related information.
    ☐ Report any email with urgent requests for personal financial information to IT.
    ☐ Contact IT if you use your home computer to access systems containing personal information as it's important to keep your computer secure and regularly update your software.

[16] http://www.american.edu/oit/security/IRB-Mobile-Phone.cfm
[17] http://www.albany.edu/orrc/assets/Institutional_Review_Board_Data_Management_Policy_v_1_0.pdf


4b. Guidance on When to Encrypt Data [18]

What is encryption?

Encryption is the conversion of data into a format that is not easily understood by unauthorized viewers. Encryption can be applied to storage devices (data "at rest") and to network data (data "in transit"). The type of computing device, the network being communicated from/to, and whether personal or Protected Health Information (PHI) is involved will dictate whether or not encryption is required.

Encryption is not necessary if you do not store or work with research data that includes personal or PHI. Therefore, it is best not to collect any of this information unless it is actually necessary. Always contact your help desk to ensure you are doing everything required. Password-protected is not the same as encryption – you must do both to protect data.

Scenarios in which storage encryption is required – possession of research data that includes personal and/or Protected Health Information and one or more of the following:

• Computing device is a mobile device or
• Computing device is a personal system or
• Storage device is removable (portable) or
• Access to the storage device is not in a physically secure environment.

Scenarios in which network encryption is required – usage of research data that includes personal and/or Protected Health Information over a network. The information is not already encrypted by means of storage encryption and one or more of the following:

• Any part of the data transmission is outside of a trusted network OR
• Access to a system containing research data that is personal and/or includes Protected Health Information that is not entirely over a trusted network.

Additional examples when encryption is required – use of electronic research data that includes personal and/or PHI AND the information is being sent by:

• Email OR
• Webmail OR
• Web browser OR
• US mail OR
• Courier OR
• Instant messenger OR
• Peer-to-peer network OR
• Wireless (wi-fi, smartphone, etc.) OR
• Backup of the information is created

[18] Adapted from the University of California, Irvine Office of Research <http://www.research.uci.edu/compliance/human-research-protections/researchers/data-security.html>


4c. Points to Consider When Choosing a Cloud Service [19]

Be diligent when considering using the cloud since it is very complex, covering many different tools, offerings, and configurations. Cloud users need to be informed of the line between the provider’s responsibilities and their own. In using the cloud, you should be aware of the lifecycle of the researcher’s data, tracing the path of its flow. A cloud provider may offer protections, and be configured to do so, but if the researcher downloads and/or syncs that data to their end device, such as a laptop or smartphone, the same level of protection is not available. Make sure to become educated on the common terms used by cloud providers regarding their options for services. Be aware of the terms Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).*

* Defined in the glossary

1. Are their security standards appropriate?
Make sure that the company has a good reputation and solid security policies. Remember, you are trusting this company to store your personal information. Be sure the level of service matches the sensitivity of the data.

2. How much data will you be storing?
Search with a realistic expectation of the size you need to store all your files. Many companies charge by the amount of storage you are requesting.

3. Is your data encrypted when being uploaded to, or downloaded from, the cloud?
Make sure your browser or app requires an encrypted connection before you upload or download your data. Look for the “https://” or the padlock image beside the URL in your browser.

4. Is your data encrypted when stored in the cloud?
This answer will be in the terms of service, but you can expect your data will be stored on the cloud server with no encryption, which means that anyone who has (or can get) high-level access to that server will be able to read your files. This may not be an issue for some files, but you should carefully consider the information you are storing in the cloud, and whether or not you are comfortable with others accessing it. At a minimum, no data that is protected by law (medical information, personal identifiers, financial data) should be stored in the cloud unless the storage solution is encrypted and you identify who is allowed to decrypt it, and for what reason. Access should only be granted to you or others within your organization.

5. Understand how access is shared with your cloud folder.
Several cloud storage providers allow you to share access to your online folders with other people. Be sure to understand all the details on how this works. Will they be allowed only read-only privileges or can they make edits? Will you know who altered a file last? If you share the file with a group, do you know all the members of the group? Are you notified if the group membership changes? Does the service allow you to make files public? If made public, is personal information (name, account, email, etc.) attached to that file for the public to view?

[19] http://www.bu.edu/infosec/howtos/how-to-safely-store-your-data-in-the-cloud/

6. Understand your options if the cloud provider is hacked or loses your data.
Cloud services require that you sign their terms and conditions before you can start the service. In the vast majority of cases, these conditions state that you have very little, if any, remedy if there are any data breaches. Be aware of the terms you are agreeing to.


4d. Glossary of Common Terms for Technologies Used in Research

A

Access: The ability to get to what you need. Data access is the ability to get to (usually with permission to use) specific data on a computer. Web access means a connection to the internet through an access provider or an online service provider.

Access marker: Represents a single value or piece of data.

Advanced Encryption Standards (AES): An algorithm, developed by the US government, designed to encrypt data. These standards are used to protect classified information.

Anti-malware: A software program designed to prevent, detect, and remediate malicious programming on individual computing devices and IT systems.

Application (App): An application is a software program that’s designed to perform a specific function directly for the user or, in some cases, for another application program.

B

Box: A service that offers secure online collaboration and file sharing.

Bring your own device (BYOD): A commonly used term that refers to bringing your personally owned device to your workplace and/or using it to facilitate research.

C

Cache memory: A type of memory to hold frequently used data. Web browsers use cache memory to save copies of previously viewed web pages.

CertainSafe: A service provider that offers secure management of sensitive information.

Cloud computing: As this term relates to research data, it means moving sensitive data out of the healthcare organization and into the data centers of cloud providers, which might be located in multiple regions around the world and subject to a range of local regulations.

Code42: Data protection service that backs up distributed end-user data in a single, secure platform. Also known as the “SaaS” solution.

Common Rule: Basic provisions for IRBs, informed consent, and assurances of compliance. Human subject research conducted or supported by each federal department or agency is governed by the regulations of that department or agency.

Confidentiality: Pertains to the treatment of information that an individual has disclosed in a relationship of trust, and with the expectation that it will not be divulged to others without permission and in any way that is inconsistent with the original disclosure.

Containerization: A lightweight alternative to full-machine virtualization (virtual version of a device or resource) that involves encapsulating an application into a container with its own operating environment.


Cookies: A text file placed on a user’s computer by a website or web server. Often used to keep track of individuals as they navigate a site, and more broadly, the web.

CrashPlan: A private and public cloud-based service that is a data backup solution accessible from any location.

D

Data: A collection of facts. Data can exist in many different forms and be translated into different forms to help analyze and categorize it.

Data at rest: All data in computer storage, excluding data that is traversing a network temporarily or reference files that are rarely changed. It also refers to data that is subject to regular, but not constant, change.

Data collection: A systematic approach to gathering and measuring information from a variety of sources to get a complete and accurate picture of an area of interest.

Data mining: Also called “knowledge discovery” when referring to a database. Refers to the process of discovering interesting and useful patterns and relationships in large volumes of data.

Data in motion: The process of transferring data among all of the original files.

Data retention: The continued storage of data for compliance, also called records retention.

Data subset: A portion of a total data set, generally corresponding to a specific aspect of the data or structure.

Device: In a general context, a device is a machine designed for a purpose, such as a phone or calculator. In the context of computer technology, a device is a unit of hardware that provides input to the computer and/or receives output, such as keyboards, mice, display monitors, CD-ROM players, printers, audio speakers, microphones, etc.

DOD Information Assurance Certification and Accreditation Process (DIACAP): A systematic process that ensures only accredited information system tools and technologies are used within the US Department of Defense (DoD)'s IT infrastructure.

Disk storage: Storage on a disk using magnetic read/write technology (used for medium to long-term storage).

Dropbox: A private service provider that offers a cloud service for file sharing and collaboration. Allows accounts to be set up for both business and personal use.

E

Encryption: The conversion of electronic data into another form, called “ciphertext”, which cannot be easily understood by anyone except authorized parties.

End User License Agreement (EULA): A legal contract between a software application author or publisher, and the user of that application.


External collaborators: Provide a service or resource but are not directly controlled by the person/company that hired them. Examples include: services, repositories, presenters, framework classes, email senders, loggers, and file system wrappers.

F

Federal Information Processing Standards (FIPS): A set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with these agencies.

Federal Information Security Management Act (FISMA): US legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or manmade threats.

Federal Risk and Authorization Program (FedRAMP): Federal regulation for cloud providers which allows the government to use a particular cloud system without having to validate physical access.

Flash memory: A popular, non-volatile and rewritable memory chip. Extremely durable, flash memory is used in just about every electronic device, including USB drives, cameras, iPods, smartphones, and tablets. In addition, flash-based solid-state drives (SSDs) are increasingly replacing hard disks in laptops, desktops, and servers.

H

Hightail: Formerly YouSendIt, a private cloud service that allows users to send, receive, and digitally sign and synchronize files.

HIPAA: Health Insurance Portability and Accountability Act of 1996 is US legislation that provides privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers.

I

Identifiers: Identifiers are symbols used to uniquely identify a program element in the code. They are also used to refer to types, constants, macros, and parameters.

IDrive: A private cloud-based backup service provider for consumers and small businesses.

Infrastructure as a Service (IaaS): A service model that delivers computer infrastructure on an outsourced basis to support enterprise operations. It provides hardware, storage, servers and data center space or network components, as well as software.

ISO 27001: A specification for an information security management system (ISMS).

L

Local area network (LAN): LAN is a computer network for sharing data and devices within a small geographical area such as a home, school, computer laboratory, or office building(s).

M

Malware attacks: Malicious software that takes over a computer to spread the bug or virus to other devices.

Man in the middle attack (MitM): In computer security, this term refers to an attacker that secretly intercepts and relays messages between two parties who believe they are communicating directly with each other.

Microsoft OneDrive: Formerly SkyDrive, a cloud-based backup service under Windows Essentials, it enables Microsoft account holders to store files, images, and other data online and offline, and sync and access that data from both computers and mobile devices.

Mobile Device Management (MDM): The administrative area dealing with deploying, securing, monitoring, integrating, and managing mobile devices in the workplace.

Mobile Medical Application (MMA): The FDA defines MMA as a “software application that can be executed (run) on a mobile platform or a web-based software application that is tailored to a mobile platform but is executed on a server,” where that software already meets the general definition of a medical device as found in 210(h) of the Federal Food, Drug, and Cosmetic (FD&C) Act.

N

National Institute of Standards and Technology (NIST): A non-regulatory federal agency within the US Department of Commerce that promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security.

O

Optical storage: The storage of data on an optically readable medium, meaning it can be read with the aid of light (e.g., CD-ROM).

P

Payment Card Industry Data Security Standard (PCI-DSS): A set of policies and procedures intended to optimize the security of credit and debit transactions, and protect cardholders against misuse of personal information.

Personally Identifiable Information (PII): Any data or information that can be used to distinguish one person from another and could potentially identify a specific individual.

Physical security: The protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.

Physical storage: The storage on physical disks within discovered enclosures.

Platform as a Service (PaaS): Cloud computing model that delivers applications over the internet.

Privacy: In regards to data, it is the right to keep personal information protected from the public.

S

Secure File Transfer Protocol (SFTP): A network that enables file access, transfer, and management over a secured file transferring system.

Service Organization Control 2 (SOC 2): Audit standards which report on issues related to security, availability, processing integrity, confidentiality, or privacy.

Snooping: In a security context, unauthorized access to another person's or company's data.

Software as a service (SaaS): A software distribution model that hosts applications and makes them available to customers over the internet.

Structured Query Language (SQL) injection: A security exploit in which the attacker adds SQL code to a web form input box to gain access to resources or make changes to data.

Secure Socket Layer (SSL): A technology that manages server and client authentication to establish encrypted transmission of communications over the internet.

SSL Encryption: A popular implementation of public-key encryption.

Storage device: Any computing hardware used for storing, porting, and extracting data files and objects.

Store data or data store: A repository for data such as a database, file system, or directory.

SugarSync: A private online sync-and-share files service for users to upload, access, and share files.

T

Tape storage: Storage using magnetic reel tape, often used for archives or backup.

Third party: Web-based technologies that provide services for payment. Often a third-party service agreement is negotiated and signed, defining the terms and conditions for the services. For more information on third-party services please see the Federal Trade Commission website.

Transmit data or data transmission: The process of sending digital data to computing, network, communication, or electronic devices.

U

Uniform resource locator (URL): The global address of documents and other resources on the world wide web.

V

Virtual machine: In regards to computers, a virtual machine is an emulation of a particular computer system.

Virtual private network (VPN): A private network built over a public infrastructure that allows users to securely access the network on the internet.

Volatility of storage: Extent to which data may be lost if power is lost.

W

Web beacon: An embedded object in a web page or email that is typically transparent and tracks behavior or use of the web page or email. Web beacons can be detected by looking for tags that load from an alternate server then. Often web beacons are embedded with cookies.

Wi-Fi Protected Access (WPA): An improved security standard for computers equipped with wi-fi.


5. Attribution, Sharing, and Adapting

We encourage you to:

▪ Request – email us and request the materials
▪ Share – copy, distribute, and transmit the work
▪ Adapt – adapt the work to suit your needs
▪ Contribute – share your guidance or best practices on technologies listed in the document or new technologies to add.

Under the following conditions:

▪ Attribution: We encourage the broad dissemination of this tool. In freely using the materials or when citing this tool, we require that you acknowledge Harvard Catalyst | The Harvard Clinical and Translational Science Center as the publisher, and that you give appropriate credit to any individual authors.

▪ Suggested citation: This material is the work of the Harvard Catalyst IRB-IT Task Force of the Regulatory Foundations, Ethics, and Law Program. This work was conducted with support from Harvard Catalyst | The Harvard Clinical and Translational Science Center (National Center for Research Resources and the National Center for Advancing Translational Sciences, National Institutes of Health Award 8UL1TR000170-05 and financial contributions from Harvard University and its affiliated academic healthcare centers). The content is solely the responsibility of the authors, and does not necessarily represent the official views of Harvard Catalyst, Harvard University, and its affiliated academic healthcare centers, or the National Institutes of Health.

With the understanding that:

▪ We might contact you: We are interested in gathering information on those who are using these materials and how they are using them. We may contact you by email about this, or to request collaborations or input on future activities.

▪ When reusing or distributing, make clear the above terms: For any reuse or distribution, you must make clear to others the terms of this work. The best way to do this is to include the web link for this guide.

▪ When adapting: Please share improvements you’ve made to this guide with us so that we may learn from your feedback, and modify our materials.


6. Acknowledgments and Contact Us
