Frequently Asked Questions about Data Security
Policies and Standards
Q1. What policy changes affect National Program of Cancer Registries (NPCR) programs?
The Office of Management and Budget (OMB) released a memorandum (M-06-16 [PDF-120KB]) recommending all federal agencies protect sensitive information, and provide a security checklist. This requirement includes personally identifying information (PII) collected by third parties (i.e., cancer registries) using federal funds.
The Veterans Health Administration (VHA) issued Directive 2007-023 requiring cancer registries to establish a Data Transfer Agreement (DTA) and to encrypt all PII. The encryption software must be validated by the National Institute of Standards and Technology (NIST) to meet the current version of Federal Information Processing Standards (FIPS) 140, which is 140-2.
Q2. What are PII and sensitive information?
Q3. What are NPCRs data security standards?
NPCR programs are subject to policies and procedures for data security established by leading organizations in the central cancer registry and health care fields. These standards are outlined in the bulleted list below and referenced in the November 2008 NPCR funding opportunity announcement (FOA)—
- North American Association of Central Cancer Registries (NAACCR) Standards for Cancer Registries Vol. III: Standards for Completeness, Quality, Analysis, and Management of Data.
- VHA Directive 2007-023.
- The Health Insurance Portability and Accountability Act (HIPAA).
- OMB Protection of Sensitive Agency Information memo [PDF-118KB].
Q4. Did NPCRs data security standards change?
Q5. Does the North American Association of Central Cancer Registries (NAACCR) have data security standards?
NAACCR provides central registry structural requirements, process standards, and outcome measures for data access and completeness in Standards for Cancer Registries Vol. III: Standards for Completeness, Quality, Analysis, and Management of Data. This document provides an excellent overview of confidentiality and security for central registries.
Q6. Will NPCR provide funds to the programs to implement encryption?
NPCR has not proposed or instituted any new data security requirements, but because of the increased national emphasis on data security, NPCR has developed data security guidance information and amended the DP07-703 Funding Opportunity Announcement accordingly.
The amendment allows NPCR programs to use funds to enhance data security or facilitate data reporting. At this time, CDC has no new funds to distribute for this purpose. If a program plans to use NPCR funds, a detailed justification and cost breakdown should be included in the annual budget. This allows programs to identify and substantiate costs associated with enhanced data security so the NPCR Program can inform CDC senior management of actual and projected costs.
CDC is willing to help NPCR programs as they address data security issues. Support is provided exclusively by telephone and e-mail.
Q7. Is sample contract language available to request contractors to adhere to the registrys data encryption standards?
Yes. The following language applies to all contractor and subcontractor-owned laptop computers and mobile devices containing registry data at rest and in motion. The contractor should comply with the registry's encryption standards before any sensitive data are stored on a contractor's laptop computer or mobile device.
- All laptop computers used on behalf of the registry should be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product ought to be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to National Institute of Standards and Technology's (NIST) Security Management and Assurance.
- All mobile devices, including non-registry laptops and portable media (i.e., USB storage devices, thumb drives), that contain sensitive registry information shall be encrypted using a FIPS 140-2 compliant product. Data at rest include all registry data regardless of where they are stored.
- A FIPS 140-2 compliant key recovery mechanism should be used so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel should be avoided. Key recovery is required by “OMB Guidance to Federal Agencies on Data Availability and Encryption, [PDF-7KB]” November 26, 2001.
- Encryption key management should comply with all registry policies and shall provide adequate protection to prevent unauthorized decryption of the information.
- All media used to store information shall be encrypted until it is sanitized or destroyed in accordance with registry policy and procedures.
Example: The registry receives CDs or DVDs with sensitive information from other non-registry entities under the contract. Patient sensitive information is stored on CDs or DVDs and mailed to the registry. How do you propose to resolve this issue, because the research is done on behalf of the registry?
All CDs, DVDs, and other media containing sensitive information for the registry or by a contractor on behalf of the registry should be encrypted. Registry policy states "registry-approved language shall be included in contracts to ensure that sensitive registry data are appropriately encrypted." Procedures and practices ought to be changed and the contract should be modified to bring it into alignment with registry policy.
Q8. Should registries track all Universal Serial Bus (USB) encrypted drives?
There is currently no central tracking or reporting for USB drives, but registry policy should include a key recovery mechanism for all encrypted registry data to enable the registry to track and manage these devices.
Protecting Data at Rest
Q9. What types of data should be encrypted?
The Veterans Health Administration (VHA) issued Directive 2007-023 requires cancer registries to encrypt Veterans Affairs (VA) data, and the OMB requires all federal agencies to protect sensitive information. See question 1 for more information.
Q10. Should only the database containing PII, or is the entire disk required to be encrypted?
The Veterans Health Administration (VHA) issued Directive 2007-023 addresses this issue. All PII should be stored in an encrypted partition on the hard drive and must be encrypted with FIPS 140-validated software, which ought to be capable of key recovery. A copy of the encryption key(s) should be stored in multiple secure locations.
Q11. Should backups be encrypted?
Q12. Can databases containing PII be stored unencrypted on standalone computers?
Databases stored on standalone (non-networked) computers need to have the same security as databases stored on networked computers due to the dangers of the computer being stolen, discarded, or sold as surplus with the data improperly erased, used by someone without authorization, or connected to a network.
Q13. Should a database that resides within a secure domain with exclusive control to the central registry be encrypted?
A database that resides within a secure domain requires the same security as a database on an organization-wide network.
Q14. What equipment should be encrypted?
The following registry-owned equipment used to process or store PII should be encrypted—
- Laptops and tablet PCs.
- Desktop computers, if they are considered to be at a high risk for theft or misuse.
- Portable electronic media, such as USB flash drives, thumb drives, external hard drives, and personal digital assistants.
Note: Vendor-owned equipment is subject to the same security requirements as that owned by federal employees. Registry policy must include a key recovery process for all encrypted registry data.
Q15. Can PII or registry-owned sensitive information be stored on personally owned equipment?
No. Registry data should NEVER be stored on personally owned equipment.
Q16. What equipment cannot be encrypted?
BlackBerry® or similar devices should be configured with an access password. Anyone who loses a BlackBerry must report the loss immediately to the registry Information Technology (IT) group; often, data can be erased from the BlackBerry remotely. Encryption on these devices will be enabled in the near future.
Q17. How do I know if my computer has been encrypted?
You can contact the registry's IT department for assistance.
Q18. Are mobile devices and portable media that contain PII required to be encrypted?
See question 1 for more information.
Q19. What is a mobile device?
Any portable or handheld computer with an operating system, including a laptop, tablet, BlackBerry, PDA, MP3, flash drive, USB key, or portable hard drive.
Q20. What are portable media?
Portable media include floppy disks, compact discs (CDs), digital versatile disks (DVDs), tapes, secure digital (SD) cards, and compact flash (CF) cards.
Q21. What should be done for platforms and operating systems that are not supported by FIPS 140-2-certified encryption?
All laptops and tablets ought to be encrypted. Whenever possible, platforms should be changed to one supported by a FIPS 140-2-certified whole-disk encryption package. If the platform cannot be changed, the laptop or tablet should be secured with compensating controls and validated by NIST.
Software such as Pointsec® Media Encryption (PME) can be used to encrypt files individually. PME allows encrypted files to be sent to non-PKI recipients via e-mail. The USB capability is useful as well. Both functions are included in the Pointsec Full-Disk Encryption (FDE) license. Each registry ought to determine which encryption products will be supported.
Q22. If my laptop is not encrypted, what should I do to safeguard the data?
If a laptop does not have a FIPS 140-2 certified whole-disk encryption solution, it should not be used to store PII or sensitive information.
- All PII stored on non-encrypted laptops should be removed and stored on either a managed server or a FIPS 140-2-certified storage device.
- Approved FIPS 140-2 encryption software for Apple Macintosh laptops is now available on the NIST Web site.
- Each registry should determine which encryption products will be supported.
Q23. How should I remove PII or sensitive information?
Simply deleting a file is not the approved method for removing PII or sensitive information. Disk sanitization software such as BCWIPE can be used on Intel®-based hard disks. Each registry ought to determine which disk sanitation products will be supported.
Q24. Does a non-portable laptop or tablet that is connected to a scientific device need to be encrypted?
If a laptop or tablet is connected to a scientific device and meets specific registry security policy criteria, it may be eligible for a waiver from the central cancer registry or supporting organization. These criteria include, but are not limited to, such compensating controls as being physically secured and labeled appropriately. Additionally, a detailed explanation of why the laptop cannot function with encryption software must be included. If a waiver is requested for a system containing PII or sensitive information, this should be identified to the registry security steward and the request requires details of the compensating controls.
Q25. What is the potential waiver process for exempting a laptop or tablet from using encryption software?
Fill out and sign the laptop encryption waiver form. The waiver must be approved by the registry's information systems security officer.
- Describe why implementing the policy is not feasible or technically possible while supporting the scientific mission or business function.
- Confirm the laptop or tablet does not, and will not, access or store PII or sensitive data. If it does store PII or sensitive data, additional compensating controls may be required.
- Describe the technical, operational, and management security controls which offset the risk of not implementing this policy; for example, the machine is not portable and is attached securely to an instrument or bench with a cable lock.
- List the machine's location, serial number, and registry decal number.
Q26. Are the data in databases used by Registry Plus™ applications encrypted?
Q27. What encryption solutions comply with FIPS 140-2?
Q28. Does NPCR recommend specific encryption software?
NPCR is not permitted to recommend specific software solutions. See Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules for FIPS 140-2-compliant encryption solutions. Acquisition agreements at the U.S. General Services Administration SmartBUY Program Overview and Data at Rest (DAR) Encryption Fact Sheet [DOC-56KB] can help programs obtain certified software solutions.
Q29. Is there mandatory encryption software?
CDC uses Pointsec on department equipment. However, registries are not required to use Pointsec as long as the chosen encryption solution is FIPS 140-2-certified, is whole-disk, and provides for key recovery. Each registry should determine which encryption products will be supported.
Q30. Can Microsoft® BitLocker® be used to encrypt laptops running Windows® Vista®?
Yes. Although the latest version of Pointsec also supports Windows Vista, Microsoft BitLocker is FIPS 140-2-certified and can be used in FIPS mode on Windows Vista machines in place of Pointsec. Each registry must determine which encryption products will be supported.
Q31. Does Microsoft SQL Server 2008 comply with FIPS 140-2?
Protecting Data in Motion
Q32. What does "transmitting data" mean?
"Data in motion" is a commonly used term for data that are being transmitted across a local or wireless network or the Internet. Encrypting data in motion hides information as it moves across the network between the database and the client. Encrypting data before transmission prevents—
- Interception of confidential data as they move between the client and database.
- Session hijacking (redirecting data).
- Replay attacks (replaying an authentication session to fool a computer into granting access).
Standards for encrypting data in motion include Secure Socket Layer (SSL), Transport Layer Security (TLS), and Internet Protocol Security (IPSEC).
Q33. Is storing and processing VA data outside of normal processing a solution?
Some programs feel that they should develop a solution outside their normal processing system to handle VA data, so that the VA data can be stored on an encrypted personal computer (PC). That can be done with this method, but VA data would be exposed when consolidating records, and this is extra work for the registry.