209649 Improving data security and maintaining patient confidentiality in a time of evolving information technology (IT) and limited resources

Tuesday, November 10, 2009: 11:10 AM

Jeannette Jackson-Thompson, MSPH, PhD , Health Management & Informatics, University of Missouri-Columbia, Columbia, MO
Nancy Cole, BS, CTR , Missouri Cancer Registry, University of Missouri-Columbia, Columbia, MO
Background: In the United States and Canada, all states and provinces maintain a central cancer registry (CCR) that collects information on new cases of cancer occurring among residents of the state/territory that is used for public health surveillance (e.g., cancer incidence/trends by gender, age group, specific site, stage at diagnosis), program evaluation, research, etc. While registries may collect additional information, at a minimum each CCR collects demographic, tumor and treatment data, using text and standard codes in a standard data layout. CCRs are expected to meet national standards for completeness, timeliness and quality. CCRs must maintain the security of their data and protect patient and provider confidentiality, often with limited resources.

Purpose: To describe steps taken by one CCR to assess and improve the security of data, systems and processes.

Methods: We reviewed general security processes and procedures and requested that the University of Missouri's IT security team audit our systems and business practices (hard drive security, data flow, applications, firewall issues with individual computers, hardening operating system, laptop encryption, desktop risks, etc.). Web-based reporting, considered our most vulnerable area, was selected for the first phase of auditing.

Results: We developed an inventory of all systems (web servers, file servers, etc.); set up an annual review of data confidentiality and security measures; changed our paper handling practices; arranged for security awareness training for all staff; and updated policy and procedure manuals. The initial web-based reporting system audit took 52 hours to run. Four instances of vulnerabilities rated as high were identified along with a number of medium-risk issues; these have now been fixed by CDC's Web Plus development team. Results of other systems audited will be presented.

Conclusions: Frequent review of security processes and business practices is needed to maintain data security. Many improvements involve minimal cost; others require funding.

Learning Objectives:
1. Describe two steps taken to improve data security. 2. Identify the main criterion used in selecting the first system to be audited. 3. List 3 data security measures that can be carried out at minimal cost.

Keywords: Health Information Systems, Data/Surveillance

Presenting author's disclosure statement:

Qualified on the content I am responsible for because: I am the Operations Director of the central cancer registry described in the abstract and a Research Associate Professor in Health Management & Informatics at the University of Missouri-Columbia.
Any relevant financial relationships? No

I agree to comply with the American Public Health Association Conflict of Interest and Commercial Support Guidelines, and to disclose to the participants any off-label or experimental uses of a commercial product or service discussed in my presentation.