Frequently Asked Questions about Data Security
Policies and Standards
NPCR registries are subject to the following policies and procedures—
- North American Association of Central Cancer Registries (NAACCR) Standards for Completeness, Quality, Analysis, Management, Security, and Confidentiality of Data
- Veterans Health Administration Directive 2014-1072
- Health Insurance Portability and Accountability Act (HIPAA)
- Office of Management and Budget Protection of Sensitive Agency Information memo [PDF-118KB]
NPCR registries may use funds to enhance data security or facilitate data reporting. A detailed justification and cost breakdown should be included in the annual budget. CDC will provide NPCR registries with support to address data security issues by telephone and email.
Yes. The following language applies to all laptops and mobile devices that are owned by contractors and subcontractors and contain registry data. The contractor should comply with the registry’s encryption standards before any registry data are stored on a contractor’s laptop or mobile device.
- All laptops used on behalf of the registry should be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product should be tested and validated under the Cryptographic Module Validation Program.
- All mobile devices, including non-registry laptops and portable media, that contain sensitive registry information shall be encrypted using a FIPS 140-2 compliant product.
- A FIPS 140-2 compliant key recovery mechanism should be used so that encrypted information can be decrypted and accessed by authorized personnel. Key recovery is required by OMB Guidance to Federal Agencies on Data Availability and Encryption [PDF-18KB].
- Encryption key management should comply with all registry policies and provide adequate protection to prevent unauthorized decryption of the information.
- All media used to store information shall be encrypted until they are sanitized or destroyed in accordance with registry policy and procedures.
Protecting Data at Rest
OMB memorandum M-06-16 [PDF-118KB] recommends that all federal agencies protect sensitive information and provides a security checklist to support this process. The checklist includes specific actions for protecting personally identifying information (PII) collected by third parties (including cancer registries) that use federal funds.
All PII should be stored in a partition on the hard drive that is encrypted with FIPS 140-2 validated software and capable of key recovery. A copy of the encryption key(s) should be stored in multiple secure locations.
Databases stored on standalone (non-networked) computers need to have the same security as databases stored on networked computers because of the dangers of the computer being stolen, discarded, sold as surplus with the data improperly erased, used by someone without authorization, or connected to a network.
A database that resides within a secure domain requires the same security as a database on an organization’s network.
The following equipment used to process or store PII should be encrypted—
- Laptops and tablets.
- Desktop computers, if they are at a high risk for theft or misuse.
- Portable electronic media.
No. Registry data should NEVER be stored on personally owned equipment.
You can contact the registry’s IT department for help.
Any portable or handheld computer with an operating system, including a laptop, tablet, flash drive, USB key, or portable hard drive.
Portable electronic media include floppy disks, compact discs (CDs), digital versatile discs (DVDs), tapes, secure digital (SD) cards, and compact flash (CF) cards.
All laptops and tablets should be encrypted. Whenever possible, platforms should be changed to one supported by a FIPS 140-2-certified whole-disk encryption package. If the platform cannot be changed, the laptop or tablet should be secured with compensating controls and validated by NIST.
Software is available that can encrypt individual files. Each registry must determine which encryption products are supported.
If a laptop does not have a FIPS 140-2 certified whole-disk encryption solution, it should not be used to store PII or sensitive information.
- All PII stored on non-encrypted laptops should be removed and stored on either a managed server or a FIPS 140-2-certified storage device.
- Approved FIPS 140-2 encryption software is available on the NIST website.
- Each registry should determine which encryption products will be supported.
Simply deleting a file is not sufficient. Use disk sanitization software. Each registry must determine which disk sanitization products are supported.
If a laptop or tablet is connected to a scientific device and meets specific registry security policy criteria, it may be eligible for a waiver from the registry or supporting organization. These criteria include, but are not limited to, compensating controls, such as being physically secured and labeled appropriately. A detailed explanation of why the laptop cannot function with encryption software must be included. All waiver requests should be sent to the registry’s security steward. See the next question for more information.
Fill out and sign the laptop encryption waiver form. The waiver must be approved by the registry’s security steward.
- Describe why implementing the encryption requirement is not feasible or technically possible while supporting the registry’s scientific mission or business function.
- Confirm that the laptop or tablet does not, and will not, access or store PII or other sensitive data. If it does store PII or other sensitive data, additional compensating controls may be required.
- Describe the technical, operational, and management security controls that will offset the risk of not implementing the encryption requirement. For example, the device is not portable and is attached securely to an instrument or bench with a cable lock.
- List the device’s location, serial number, and registry decal number.
NPCR is not permitted to recommend specific software. See the Cryptographic Module Validation Program for FIPS 140-2-compliant encryption solutions. Acquisition agreements in the US General Services Administration’s blanket purchase agreements can help registries get certified software solutions.
Yes. Microsoft BitLocker is FIPS 140-2 certified and can be used in FIPS mode on Windows. Each registry must determine which encryption products will be supported.
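The whole-disk encryption, key recovery, and FIPS-mode expectations above can be checked on a Windows laptop with the following script. This is an added example, not part of the NPCR FAQ; it assumes Windows 8 or later with the BitLocker PowerShell module and an elevated session, and it only confirms that a recovery password protector exists, not where that password has been escrowed.

```powershell
#Requires -RunAsAdministrator
# Added example: audit fixed volumes against the FAQ's data-at-rest expectations.

function Test-FipsPolicyEnabled {
    # Windows applies FIPS mode only when this policy value is set to 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $val = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.Enabled -eq 1)
}

function Get-BitLockerComplianceReport {
    $fips = Test-FipsPolicyEnabled
    foreach ($vol in Get-BitLockerVolume) {
        # Protection must be on and the whole volume encrypted, not just in progress.
        $protected      = $vol.ProtectionStatus -eq 'On'
        $fullyEncrypted = $vol.VolumeStatus -eq 'FullyEncrypted'
        # A recovery password protector is what lets authorized staff recover the key.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $hasRecovery = $recovery.Count -gt 0

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionOn     = $protected
            FullyEncrypted   = $fullyEncrypted
            EncryptionMethod = $vol.EncryptionMethod
            RecoveryKey      = $hasRecovery
            FipsMode         = $fips
            Compliant        = ($protected -and $fullyEncrypted -and $hasRecovery -and $fips)
        }
    }
}

# Any row with Compliant = False is a volume that should not hold PII.
Get-BitLockerComplianceReport | Format-Table -AutoSize
```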
Protecting Data in Motion
“Data in motion” is a common term for data that are being transmitted across a local or wireless network or the Internet. Encrypting data in motion conceals the contents as they move across the network between the database and the client. Encrypting data before transmission prevents—
- Interception of confidential data as they move between the client and database.
- Session hijacking (redirecting data).
- Replay attacks (replaying an authentication session to fool a computer into granting access).
Standards for encrypting data in motion include Secure Sockets Layer (SSL; now deprecated in favor of TLS), Transport Layer Security (TLS), and Internet Protocol Security (IPsec).
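The following function checks that a registry endpoint actually negotiates TLS 1.2 and presents a certificate the client trusts, which is what stops the interception and hijacking described above. It is an added example, not part of the NPCR FAQ; the host name is hypothetical, and the script assumes Windows PowerShell 5.1 or later with network access to the endpoint.

```powershell
# Added example: verify the TLS protection of a data-in-motion endpoint.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: the default chain and host-name checks
        # apply, so an untrusted or mismatched certificate throws rather than
        # silently allowing traffic to an impostor.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
        [pscustomobject]@{
            Host      = $HostName
            Protocol  = $ssl.SslProtocol
            Cipher    = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Protected = ($ssl.IsEncrypted -and $ssl.IsSigned)
            Subject   = $cert.Subject
            NotAfter  = $cert.NotAfter
            Result    = 'OK'
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        # Certificate or protocol negotiation failed: do not send registry data here.
        [pscustomobject]@{ Host = $HostName; Result = "REJECTED: $($_.Exception.Message)" }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Hypothetical endpoint name; replace with the registry's actual database or web host.
Test-TlsEndpoint -HostName 'registry-db.example.org' -Port 443 | Format-List
```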