Planning for Data Security
External hackers and internal employees and former employees threaten the integrity of cancer registry data. To address these risks, organizations need to know—
- Who has access to the databases?
- How are administrative passwords stored?
- What are the policies for auditing system security and looking for suspicious activity?
- What is the procedure if security is breached?
Preventive security measures such as encryption, access control, and strong user identification technologies help protect sensitive data from external and internal threats.
Developing a Security Policy
All registries that submit data to the National Program of Cancer Registries (NPCR) should have a security policy that is specific to the needs of the registry and the organization in which the registry operates. This includes registries that are a part of a larger public health department, a university, or an institution that provides information technology support for several programs. The security policy of the organization in which the registry operates must meet or be modified to accommodate the specific concerns of the cancer registry.
CDC's Division of Cancer Prevention and Control has compiled the following information in support of CDC's NPCR to help cancer registries create or audit their current security policy. This information is not intended establish cancer registry security policy, but to guide cancer registries as they address security issues.
Many NPCR programs are part of a larger public health department, university, or institution that provides technical support for several programs and usually has a security policy in place. Each NPCR program and its organization's technical support staff are responsible for making cancer registry data secure. Both will devote time to security training and monitoring, and to reviewing and updating the security document. CDC's NPCR staff will work cooperatively to find solutions and develop best practices.
- Designate a CTO. The first step is to identify or designate a person who works directly with the registry director to ensure data security. This person is often called the Chief Technology Officer (CTO), and is typically a senior information technology professional supporting the cancer registry.
- Find out if you have a security policy. Next, the registry should determine if a security policy has been written. If so, the CTO should review it and identify any needed updates. If not, the CTO should lead the development of a new policy specific to the needs of the registry.
- Develop a new security policy, if needed. The CTO will obtain existing institutional security documents and work with registry staff to develop a single security document detailing national, institutional, and NPCR security policies and standards.
- Execute the policy. Technical support and registry staff should work together to execute the security plan and enforce security policies.
- Review and update the policy. At a minimum, the security document should be updated annually to include advances in technology and updates to prevailing standards.
The Security Document
Each registry should have a comprehensive security document that describes in detail the data security risks, policies, and procedures specific to that registry. Components of the security document include—
- Standards from—
- The National Institute of Standards and Technology (NIST).
- Federal Information Processing Standard 140 (FIPS).
- The North American Association for Central Cancer Registries (NAACCR) Standards for Cancer Registries Volume III, chapter 6, "Security and Confidentiality."
- Certification and Accreditation Process Guide, as referenced in the CDC Unified Process.
- Risk assessment and management.
- Networking and privacy security policies.
- Plans for encryption of data on mobile services and portable media.
- Plans for encryption of data in databases.
- Disaster recovery plans.
- Ongoing security training.
- Requirement to audit security policies regularly.
- Plans for vulnerability and source code security scan and archiving of log files.
- Requirement to review and update the security document annually based on changes to risk factors, technology, and policy.
The registry's security document must accommodate the specific concerns of the NPCR program. It should ensure that security responsibilities are assigned to organization technical support and NPCR program staff, and authorize all information technology systems and software applications processing prior to installation.
Periodic internal auditing is key to maintaining the security document. Auditors review the major components of the security document and provide objective opinions to the registry on the degree to which risk management, control, and governance (which comprise the registry's policies, procedures, and operations) support—
- Achievement of the parent organization's objectives.
- Appropriate assessment of risk.
- Reliable internal and external reporting.
- Compliance with applicable laws and regulations.
- Compliance with NPCR's standards for the registry.
These assessments help maintain or improve the efficiency and effectiveness of the registry's information technology risk management, internal controls, and security. In addition, auditors' recommendations benefit line management. As stated in NAACCR's Standards for Cancer Registries Volume III: Standards for Completeness, Quality, Analysis, Management, Security and Confidentiality of Data, the registry's parent organization may fulfill this function.
FIPS 140-2 defines four levels of security—
- FIPS 140-2 Level 1: Provides the lowest level of security.
- FIPS 140-2 Level 2: Enhances the physical security mechanisms of level 1 by adding the requirement for tamper-evidence.
- FIPS 140-2 Level 3: Requires physical security mechanisms that have a high probability of detecting and responding to attempts at physical access, use, or modification of the cryptographic module.
- FIPS 140-2 Level 4: Provides the highest level of security defined in this standard. At this security level, the physical security mechanisms protect the cryptographic module completely, with the intent of detecting and responding to all unauthorized attempts at physical access.
Please visit FIPS 140-2 [PDF-1.4MB] for more information.