Security in the Context of Generic Clinical Study Data Management Systems

1
Security in the Context of Generic Clinical Study
Data Management Systems

• Prakash NadkarniRohit GadagkarCharles Lu
• Aniruddha Deshpande
• Kexin Sun
• Cynthia Brandt
• Yale Medical School

2
What is a Generic Clinical Study Data
Management System (CSDMS)?

• A database designed for managing data generated
  by an arbitrary number of clinical studies and
  patients.
• Can handle an arbitrary range of clinical
  domains/specialties.
• The schema does not change.
• Uses an Entity-Attribute-Value data model for
  clinical data, similar to clinical patient record
  systems.

3
Security Issues for CSDMSs Differences vs. CPRSs
(1)

• CSDMS differ from CPRSs in the concept of a
  study.
• In a generic CSDMS, the same set of tables
  manages an arbitrary number of studies. Therefore
  security must be implemented at a row level.
• Done by tagging rows directly or indirectly with
  user/group ID as well as study ID, and defining
  privileges of individual users with respect to a
  study.

4
Security Issues for CSDMSs Differences vs. CPRSs
(2)

• In a generic CSDMS, the vast majority of users
  must typically be unaware of even the existence
  of studies other than the ones that they have
  access to.
• Somewhat easier to define policies, because
  various Roles are somewhat clearer. E.g.,
  read/only, edit, deletion, locking at various
  levels (form / patient / entire study).

5
Security Issues for CSDMSs Differences vs. CPRSs
(3)

• The Chinese (Afghan) Warlord Scenario
• Many studies are multi-centric and performed by
  consortia of investigators. These consortia are
  often marriages of convenience.
• Even if no PHI were stored, investigators may not
  really trust one another, so each gets to see and
  operate only their own patients.

6
Security Issues for CSDMSs Differences vs. CPRSs
(4)

• The Issue of Paranoia
• Distrust of the Informatics Investigator - may
  be regarded as closer to one or two research
  investigators than to others. It is important to
  be neutral- consortia have failed if the
  informatics investigator attempts to mine the
  data on ones own for research purposes.
• Distrust of the System/ Technology old habits
  die hard, and investigators sleep better at night
  if they can download their own data securely and
  store it locally on demand.

7
CSDMSs Genetics Genomics

• Many genetic conditions of research interest are
  statistically rare. So, even staying within the
  bounds of HIPAA, and without storing PHI, it is
  still possible to de-identify individuals.
• Jimmy Carter pedigree a cluster of three
  individuals in a nuclear family who have died of
  pancreatic cancer.
• If an individual is typed for an adequate number
  of genetic loci that are highly polymorphic
  (i.e., have multiple variants), the full profile
  can act as a fingerprint.

8
Recording PHI in CSDMSs Issues (1)

• Retrospective studies vs. Prospective studies.
• Studies involving clinical interventions with
  significant risk
• Laparoscopy in patients with elevation of a serum
  marker for a specific cancer
• Dose escalation in cancer chemotherapy trials
• PHI acts as an additional safeguard against a
  risky intervention being accidentally performed
  on the wrong patient.

9
PHI Issues in CSDMSs (2)

• PHI can ensure Investigator Accountability
• The Fictitious Patient Scenario
• PHI is sometimes the only way to link CSDMS data
  reliably with that in external systems (e.g.,
  using MRUN)
• Unforeseen interventions (e.g., blood
  transfusion, marrow transplant)
• Interposing manual steps is a source of delay
  and error

10
PHI Issues in CSDMSs (2)

• A major benefit of CSDMS facilitation of
  logistic operations is lost if PHI is not
  captured.
• In studies performed on an out-patient basis,
  generation of form letters / mail merge / E-mail
• Bulk import of data from external systems
  e.g., lab tests.

11
Overall approach to CSDMS security

• Clear-cut definition of security policies
  software can deal only with the technical aspects
  of security.
• Need to know - even when PHI is stored, all
  persons with access to the study need not access
  PHI (e.g., biostatisticians).
• Storage of all PHI in database encrypted form,
  with encryption / decryption performed on a
  separate middle tier- 2-administrator scenario-
  one for DBMS, one for middle tier.

12
IRB Barriers

• Many IRBs look askance at PHI being stored at an
  extra-institutional site
• Roots of suspicion date back to WWII, when
  Japanese-Americans were identified through census
  data and placed in concentration camps.
• Concerns about extra-institutional PHI storage
  stem as much from investigator/institutional
  concerns about intellectual property/ poaching.
• Need to be educated about risks due to absence of
  PHI Race, age and sex often not enough for
  identity confirmation (e.g., in a study of
  Ashkenazi Jewish women with Breast Cancer
  mutations).