Working Group on IT Security and Privacy in VA and NIH Sponsored Research (Joel Kupersmith, MD)

1
Working Group on IT Security and Privacy in VA
and NIH Sponsored Research
Joel Kupersmith, MD Chief Research Development
Officer
2
Background

• VA research depends on close collaboration with
  medical schools and their Universities
• Virtually all researchers have University
  appointments
• Memorandum 2, Affiliation Agreements and more
  recently the Blue Ribbon Panel have underscored
  this fundamental VA collaboration

3
Background (cont)

• Clinical data is essential to research
• Data IT systems are essential to clinical and
  health services research
• Data sharing is in turn essential to attain
  clinical and health services research goals
• Veterans opinions Survey
• Veterans strongly support VA research and
  maintenance of its privacy and security
• Veterans also support sharing of data with
  medical schools

4
Establishing the Working Group

• Because of the strong need for IT security and a
  breach of VA data, representatives of medical
  schools and the AAMC met with VA and VHA
  leadership regarding data security and research
• Meeting included USH and Assistant Secretary for
  IT
• Addressed serious problems in the affiliations
• Out of this meeting ultimately can the Working
  Group on Information and Technology Security and
  Privacy in VA and NIH-Sponsored Research
• Working Group consisted of
• VA, including VHA and OIT
• Medical School representatives
• NIH
• AAMC as conveners

5
Working Group Charge

• To examine and develop standard practices and
  processes that assure data security yet allow
  appropriate use of data in research

6
Initial Working Group Determination

• All the participating organizations uphold a
  strong commitment to data security and continue
  to seek out effective means of implementation
• Implementation and enforcement varies across
  organizations, regions and campuses
• There is a clear need to improve communication
  about security policies
• Security requirements should be standardized

7
Working Group Principles

• Ensure patient-centered security and privacy
  protection of all data
• Maximize ability to conduct research at
  appropriate level of security risk
• Foster inter- and intra-institutional
  collaboration
• Make IT security and privacy requirements
  transparent
• Ensure applicable, scalable and consistent
  security controls across organizations
• Incorporate continuous improvement and
  flexibility into the security model
• Have systems that ensure principles are
  implemented
• Consider efficiency and effective use of
  resources

8
Working Group Report Inclusions

• Included in the Working Group Report
• Statement that policies need to be consistent
  across VA
• Recommendations on databases attained with
  research subject consent
• Recommendations on databases where IRBs
  determined that it is unreasonably difficult to
  obtain consent
• Identified and de-identified
• Statement on importance of FIPS (Federal
  Information Processing Standards) 199

9
Working Group Report Tools

• Pathways for disclosing data to academic
  affiliates for research purposes (Appendix 1)
• Sample provisions for Data Use Agreements
  (Appendix 2)
• Information security and privacy assessment tool
  for research and data sharing between VA and
  Academic Affiliates (Appendix 3)

10
Working Group on ITConclusion

• IT Working Group brought together relevant
  Offices of VA, Universities and NIH to develop
  uniform procedures to ensure security and privacy
  protection of all data
• VA has concurred on this report