Security in the Context of Generic Clinical Study Data Management Systems Prakash Nadkarni Rohit Gadagkar Charles Lu Aniruddha Deshpande Kexin Sun Cynthia Brandt Yale Medical School.

Security in the Context of Generic Clinical Study Data Management Systems
Prakash Nadkarni, Rohit Gadagkar, Charles Lu, Aniruddha Deshpande, Kexin Sun, Cynthia Brandt
Yale Medical School

What is a “Generic” Clinical Study Data Management System (CSDMS)?

A database designed for managing data generated by an arbitrary number of clinical studies and patients.
Can handle an arbitrary range of clinical domains/specialties.
The schema does not change when a new study, domain or parameter is added.
Uses an Entity-Attribute-Value (EAV) data model for clinical data, similar to clinical patient record systems (CPRSs).

Security Issues for CSDMSs: Differences vs. CPRSs (1)

CSDMSs differ from CPRSs in the concept of a “study”.
In a generic CSDMS, the same set of tables manages an arbitrary number of studies.
Therefore security must be implemented at the row level, not at the table level.
This is done by tagging rows, directly or indirectly, with a user/group ID as well as a study ID, and by defining the privileges of individual users with respect to each study.

Security Issues for CSDMSs: Differences vs. CPRSs (2)

In a generic CSDMS, the vast majority of users must typically be unaware of even the existence of studies other than the ones they have access to.
Policies are somewhat easier to define, because the roles are clearer: e.g., read-only, edit, deletion, and locking at various levels (form / patient / entire study).

Security Issues for CSDMSs: Differences vs. CPRSs (3)

The Chinese (Afghan) Warlord Scenario
– Many studies are multi-centric and performed by consortia of investigators. These consortia are often marriages of convenience.
– Even if no PHI were stored, investigators may not really trust one another, so each gets to see and operate on only their own patients.

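The three preceding slides describe one mechanism: clinical rows tagged with a study ID and an owning site/group, a per-(user, study) privilege row carrying the user's role, locks at patient and study level, and a visibility rule under which a user never learns that other studies exist. The following is an added example, not code from the original slides or from the Yale system; the table names, roles (read / edit / admin), sample studies, sites and users are all constructed for illustration, using only the Python standard library and an in-memory sqlite3 database.

```python
"""Row-level study security for a generic CSDMS (stand-alone illustration).

Every clinical row carries a study ID and an owning site/group; privileges are
granted per (user, study); locks are recorded per study and per patient.
Standard library only: an in-memory sqlite3 database with constructed data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE study (study_id INTEGER PRIMARY KEY, name TEXT, locked INTEGER NOT NULL DEFAULT 0);
-- one row per (user, study): the user's site/group and role within that study
CREATE TABLE privilege (user_id TEXT, study_id INTEGER, grp TEXT, role TEXT,
                        PRIMARY KEY (user_id, study_id));
CREATE TABLE patient (patient_id INTEGER PRIMARY KEY, study_id INTEGER,
                      owner_grp TEXT, locked INTEGER NOT NULL DEFAULT 0);
-- Entity-Attribute-Value clinical data; the patient row carries the study tag
CREATE TABLE observation (obs_id INTEGER PRIMARY KEY, patient_id INTEGER,
                          attribute TEXT, value TEXT);
"""

# Constructed sample data: hypothetical studies, sites and users.
SAMPLE = """
INSERT INTO study VALUES (1, 'Pancreatic cancer pedigree study', 0);
INSERT INTO study VALUES (2, 'Dose escalation trial', 0);
INSERT INTO privilege VALUES ('alice', 1, 'site_A', 'edit');
INSERT INTO privilege VALUES ('bob',   1, 'site_B', 'read');
INSERT INTO privilege VALUES ('carol', 2, 'site_A', 'admin');
INSERT INTO patient VALUES (10, 1, 'site_A', 0);
INSERT INTO patient VALUES (11, 1, 'site_B', 0);
INSERT INTO patient VALUES (20, 2, 'site_A', 1);   -- locked record
INSERT INTO observation VALUES (1, 10, 'CA19-9', '85');
INSERT INTO observation VALUES (2, 11, 'CA19-9', '12');
INSERT INTO observation VALUES (3, 20, 'dose_mg', '150');
"""

ROLE_RANK = {"read": 1, "edit": 2, "admin": 3}
ACTION_RANK = {"read": 1, "edit": 2, "delete": 3, "lock": 3}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def visible_studies(conn, user):
    """Studies the user may even know exist: only those with a privilege row."""
    return conn.execute(
        "SELECT s.study_id, s.name FROM study s "
        "JOIN privilege p ON p.study_id = s.study_id WHERE p.user_id = ? "
        "ORDER BY s.study_id", (user,)).fetchall()


def authorize(conn, user, action, patient_id):
    """Row-level decision: (allowed, reason) for `user` doing `action` on one patient."""
    row = conn.execute(
        "SELECT pt.owner_grp, pt.locked, s.locked, p.grp, p.role "
        "FROM patient pt JOIN study s ON s.study_id = pt.study_id "
        "LEFT JOIN privilege p ON p.study_id = pt.study_id AND p.user_id = ? "
        "WHERE pt.patient_id = ?", (user, patient_id)).fetchone()
    if row is None or row[4] is None:
        # Same answer for 'no such patient' and 'not your study':
        # the existence of other studies is not disclosed.
        return False, "no such patient"
    owner_grp, pt_locked, st_locked, grp, role = row
    if role != "admin" and grp != owner_grp:
        # Consortium rule: non-admins see and operate on their own site's patients only.
        return False, "no such patient"
    if ACTION_RANK[action] > ROLE_RANK[role]:
        return False, f"role '{role}' does not permit {action}"
    if action in ("edit", "delete") and (pt_locked or st_locked):
        return False, "record is locked"
    return True, "ok"


def observations(conn, user):
    """Clinical rows the user may read, filtered in SQL by study privilege and site."""
    return conn.execute(
        "SELECT o.patient_id, o.attribute, o.value FROM observation o "
        "JOIN patient pt ON pt.patient_id = o.patient_id "
        "JOIN privilege p ON p.study_id = pt.study_id AND p.user_id = ? "
        "WHERE p.role = 'admin' OR p.grp = pt.owner_grp ORDER BY o.obs_id",
        (user,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    for u in ("alice", "bob", "carol", "dave"):
        print(u, visible_studies(db, u), observations(db, u))
    print(authorize(db, "alice", "edit", 11), authorize(db, "carol", "edit", 20))
```

Two design points worth noting: the filtering is done in the SQL itself (a query that forgets the join on `privilege` returns nothing rather than everything), and the denial message is the same whether the patient does not exist, belongs to another study, or belongs to another site, so that a user cannot probe for the existence of rows outside their own study.
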
Security Issues for CSDMSs: Differences vs. CPRSs (4)

The Issue of Paranoia
– Distrust of the informatics investigator, who may be regarded as closer to one or two research investigators than to the others. It is important to be neutral: consortia have failed when the informatics investigator attempted to mine the data on his or her own for research purposes.
– Distrust of the system/technology: old habits die hard, and investigators sleep better at night if they can download their own data securely and store it locally on demand.

CSDMSs: Genetics & Genomics

Many genetic conditions of research interest are statistically rare. So, even staying within the bounds of HIPAA, and without storing PHI, it may still be possible to identify individuals.
– Jimmy Carter pedigree: a cluster of three individuals in a nuclear family who have died of pancreatic cancer.
– If an individual is typed for an adequate number of genetic loci that are highly polymorphic (i.e., have multiple variants), the full profile can act as a “fingerprint”.

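How few loci it takes for a genotype profile to become a fingerprint can be computed directly, and the computation also shows why rarity of the condition matters: the smaller the pool of people who could plausibly be in the study, the fewer loci are needed to single one out. The following is an added example, not from the original slides; it uses the standard Hardy-Weinberg random-match probability, and the allele frequencies and population sizes are constructed for illustration rather than taken from any real population.

```python
"""How many polymorphic loci make a genotype profile a 'fingerprint'?

Under Hardy-Weinberg equilibrium, the probability that two unrelated people
share a genotype at a locus with allele frequencies p_1..p_k is
    sum_i p_i^4  +  sum_{i<j} (2 p_i p_j)^2
Across independent loci the probabilities multiply. The allele frequencies
used below are constructed for illustration, not taken from a real population.
"""
from itertools import combinations
import math


def locus_match_probability(freqs):
    """Random-match probability for one locus."""
    if abs(sum(freqs) - 1.0) > 1e-9:
        raise ValueError("allele frequencies must sum to 1")
    homozygous = sum(p ** 4 for p in freqs)
    heterozygous = sum((2 * p * q) ** 2 for p, q in combinations(freqs, 2))
    return homozygous + heterozygous


def profile_match_probability(loci):
    """Probability that two unrelated people share the full multi-locus profile."""
    return math.prod(locus_match_probability(f) for f in loci)


def loci_needed(loci, population, max_expected_matches=1.0):
    """Number of loci (taken in order) after which the expected number of other
    members of `population` sharing the profile falls below `max_expected_matches`;
    None if the supplied loci are not enough."""
    prob = 1.0
    for n, freqs in enumerate(loci, 1):
        prob *= locus_match_probability(freqs)
        if prob * population < max_expected_matches:
            return n
    return None


# Constructed locus panels: biallelic SNPs (p = q = 0.5) and four-allele STR-like loci.
SNP_PANEL = [[0.5, 0.5]] * 30
STR_PANEL = [[0.25, 0.25, 0.25, 0.25]] * 15

if __name__ == "__main__":
    print(locus_match_probability([0.5, 0.5]))
    # A whole population versus the small pool of people with a rare condition:
    print(loci_needed(SNP_PANEL, 300_000_000), loci_needed(SNP_PANEL, 2_000))
    print(loci_needed(STR_PANEL, 300_000_000), loci_needed(STR_PANEL, 2_000))
```

With the constructed panels, about twenty evenly split SNPs or nine four-allele loci suffice against a population of 300 million, but only eight SNPs or four four-allele loci against a pool of 2,000 people with a rare condition. Real loci are not all independent and allele frequencies differ between populations, so a real assessment needs population-specific frequencies and linkage-aware statistics; the direction of the result is what matters for the slide's point.
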
Recording PHI in CSDMSs: Issues (1)

Retrospective studies vs. prospective studies.
Studies involving clinical interventions with significant risk:
– Laparoscopy in patients with elevation of a serum marker for a specific cancer
– Dose escalation in cancer chemotherapy trials
– PHI acts as an additional safeguard against a risky intervention being accidentally performed on the wrong patient.

PHI Issues in CSDMSs (2)

PHI can ensure investigator accountability
– The fictitious patient scenario
PHI is sometimes the only way to link CSDMS data reliably with that in external systems (e.g., using the MRUN)
– Unforeseen interventions (e.g., blood transfusion, marrow transplant)
– Interposing manual steps is a source of delay and error

PHI Issues in CSDMSs (3)

A major benefit of a CSDMS, the facilitation of logistic operations, is lost if PHI is not captured.
– In studies performed on an out-patient basis: generation of form letters / mail merge / e-mail
– Bulk import of data from external systems, e.g., lab tests

Overall Approach to CSDMS Security

Clear-cut definition of security policies: software can deal only with the technical aspects of security.
Need to know: even when PHI is stored, not all persons with access to the study need access to PHI (e.g., biostatisticians).
Storage of all PHI in the database in encrypted form, with encryption/decryption performed on a separate middle tier. This gives a two-administrator scenario: one administrator for the DBMS, one for the middle tier, so that the DBMS administrator sees only ciphertext.

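The last two bullets describe an architecture: PHI is stored only as ciphertext, the key lives on a separate middle tier whose administrator has no DBMS account, and the middle tier applies need-to-know so that a user with study access but no PHI privilege receives the record without its PHI. The following is an added example of that split, not code from the original slides or from the Yale system. It is standard library only, so the cipher is an encrypt-then-MAC stream construction built from HMAC-SHA256 and is a labelled stand-in for the AES-GCM (or similar authenticated cipher) a production system would use; the `DatabaseTier` and `MiddleTier` classes, the users and the sample PHI are all constructed for illustration.

```python
"""PHI kept encrypted in the database, decrypted only on a separate middle tier.

Two administrators: the DBMS administrator sees DatabaseTier (opaque blobs only);
the middle-tier administrator holds the key but has no DBMS account. Need-to-know
is enforced on the middle tier: a user with study access but no PHI privilege
gets the record without its PHI. Standard library only: the cipher below is an
encrypt-then-MAC stream construction built from HMAC-SHA256, a stand-in for the
AES-GCM you would use in production.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a (key, nonce) pair must never be reused."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):        # verify before decrypting
        raise ValueError("PHI blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class DatabaseTier:
    """Everything the DBMS administrator can read: study tags and opaque PHI blobs."""
    def __init__(self):
        self.rows = {}          # patient_id -> {"study_id": int, "phi_blob": bytes}

    def put(self, patient_id, study_id, phi_blob):
        self.rows[patient_id] = {"study_id": study_id, "phi_blob": phi_blob}

    def get(self, patient_id):
        return self.rows.get(patient_id)


class MiddleTier:
    """Only place where PHI exists in clear; holds the keys and the PHI privilege list."""
    def __init__(self, db, master_key):
        self.db = db
        # Separate encryption and MAC keys derived from one master secret
        # (assumed to come from the middle tier's own secret store, never the DBMS).
        self.enc_key = hmac.new(master_key, b"phi-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"phi-mac", hashlib.sha256).digest()
        self.access = {}        # (user, study_id) -> may_see_phi (bool)

    def grant(self, user, study_id, may_see_phi):
        self.access[(user, study_id)] = may_see_phi

    def store_patient(self, patient_id, study_id, phi):
        blob = seal(self.enc_key, self.mac_key, json.dumps(phi).encode())
        self.db.put(patient_id, study_id, blob)

    def get_patient(self, user, patient_id):
        row = self.db.get(patient_id)
        if row is None or (user, row["study_id"]) not in self.access:
            return None                      # no study access: record not disclosed
        result = {"patient_id": patient_id, "study_id": row["study_id"]}
        if self.access[(user, row["study_id"])]:   # need to know
            result["phi"] = json.loads(unseal(self.enc_key, self.mac_key, row["phi_blob"]))
        return result


def demo():
    """Constructed scenario: a clinician with PHI rights and a biostatistician without."""
    db = DatabaseTier()
    tier = MiddleTier(db, master_key=secrets.token_bytes(32))
    tier.grant("clinician", 1, True)
    tier.grant("biostatistician", 1, False)
    tier.store_patient(10, 1, {"name": "Jane Doe", "mrn": "MR100"})   # constructed PHI
    return db, tier


if __name__ == "__main__":
    db, tier = demo()
    print(tier.get_patient("clinician", 10))
    print(tier.get_patient("biostatistician", 10))
    print(tier.get_patient("outsider", 10))
```

The check a practitioner should make on such a design is that the two custodies really are disjoint: the master key must not be reachable from any DBMS account (no key table, no DBMS-side decrypt function), and the middle-tier administrator must not hold a DBMS login; otherwise the two-administrator scenario collapses into one. Verifying the MAC before decrypting, as `unseal` does, also means a DBA who tampers with a blob produces an error rather than corrupted PHI.
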
IRB Barriers

Many IRBs look askance at PHI being stored at an extra-institutional site.
– Roots of suspicion date back to WWII, when Japanese-Americans were identified through census data and placed in concentration camps.
– Concerns about extra-institutional PHI storage stem as much from investigator/institutional concerns about intellectual property and poaching as from privacy concerns.
– IRBs need to be educated about the risks of not storing PHI: race, age and sex are often not enough for identity confirmation (e.g., in a study of Ashkenazi Jewish women with breast cancer mutations).

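The last bullet, together with the earlier point that PHI such as a medical record number is sometimes the only reliable way to link CSDMS data with external systems (bulk lab import, unforeseen interventions), can be shown on a small constructed data set. The following is an added example, not from the original slides: a constructed study roster and lab feed are linked once on the record number and once on race, sex and birth year. The identifiers, names of tests and values are all made up for illustration.

```python
"""Linking an external feed to the CSDMS roster: MRN versus demographics.

Constructed data: a roster of study patients and a lab feed. Linking on the
medical record number is exact; linking on race, sex and birth year is both
ambiguous (two candidates) and silently wrong (a non-study patient collides
with a study patient). Standard library only.
"""
from collections import defaultdict

# (patient_id, mrn, race, sex, birth_year): constructed roster
ROSTER = [
    (1, "MR100", "White", "F", 1961),
    (2, "MR101", "White", "F", 1961),
    (3, "MR102", "White", "F", 1958),
    (4, "MR103", "Black", "M", 1970),
]
# (mrn, race, sex, birth_year, test, value): constructed feed; MR999 is not a study patient
LAB_FEED = [
    ("MR101", "White", "F", 1961, "BRCA1", "185delAG"),
    ("MR103", "Black", "M", 1970, "CA19-9", "44"),
    ("MR999", "White", "F", 1958, "BRCA2", "6174delT"),
]


def link_by_mrn(roster, feed):
    """Exact linkage on the identifier. Returns (linked, unmatched)."""
    by_mrn = {mrn: pid for pid, mrn, *_ in roster}
    linked, unmatched = [], []
    for mrn, _race, _sex, _year, test, value in feed:
        if mrn in by_mrn:
            linked.append((by_mrn[mrn], test, value))
        else:
            unmatched.append((mrn, test, value))      # flagged for manual review
    return linked, unmatched


def link_by_demographics(roster, feed):
    """Linkage on (race, sex, birth_year). Returns (linked, ambiguous, unmatched).
    Note that `linked` can be wrong: a single demographic match is not an identity."""
    candidates = defaultdict(list)
    for pid, _mrn, race, sex, year in roster:
        candidates[(race, sex, year)].append(pid)
    linked, ambiguous, unmatched = [], [], []
    for mrn, race, sex, year, test, value in feed:
        hits = candidates.get((race, sex, year), [])
        if len(hits) == 1:
            linked.append((hits[0], test, value))
        elif hits:
            ambiguous.append((mrn, test, value, hits))
        else:
            unmatched.append((mrn, test, value))
    return linked, ambiguous, unmatched


if __name__ == "__main__":
    print(link_by_mrn(ROSTER, LAB_FEED))
    print(link_by_demographics(ROSTER, LAB_FEED))
```

On this data the record-number linkage attaches two results correctly and rejects the third; the demographic linkage cannot decide between two study patients for the first result and, worse, attaches the third result to patient 3 even though it belongs to someone who is not in the study at all. In a homogeneous cohort (the Ashkenazi breast-cancer example on the slide) the collision rate on race, sex and age only goes up, which is the argument for capturing PHI, encrypted and on a need-to-know basis, rather than relying on demographics for identity confirmation.
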