Frequently Asked Questions about Data Security
Policies and Standards
NPCR programs are subject to policies and procedures for data security established by leading organizations in the central cancer registry and health care fields. These standards are outlined in the bulleted list below—
- North American Association of Central Cancer Registries (NAACCR) Standards for Cancer Registries Vol. III: Standards for Completeness, Quality, Analysis, and Management of Data.
- VHA Directive 2014-1072.
- The Health Insurance Portability and Accountability Act (HIPAA).
- OMB Protection of Sensitive Agency Information memo [PDF-118KB].
NAACCR provides central registry structural requirements, process standards, and outcome measures for data access and completeness in Standards for Cancer Registries Vol. III: Standards for Completeness, Quality, Analysis, and Management of Data. This document provides an excellent overview of confidentiality and security for central registries.
NPCR has not proposed or instituted any new data security requirements, but because of the increased national emphasis on data security, NPCR has developed data security guidance information.
NPCR programs may use funds to enhance data security or facilitate data reporting. A detailed justification and cost breakdown should be included in the annual budget. This allows programs to identify and substantiate costs associated with enhanced data security so the NPCR Program can inform CDC of actual and projected costs.
CDC is willing to help NPCR programs as they address data security issues. Support is provided exclusively by telephone and e-mail.
Yes. The following language applies to all contractor and subcontractor-owned laptop computers and mobile devices containing registry data at rest and in motion. The contractor should comply with the registry’s encryption standards before any sensitive data are stored on a contractor’s laptop computer or mobile device.
- All laptop computers used on behalf of the registry should be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product ought to be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to National Institute of Standards and Technology’s (NIST) Security Management and Assurance.
- All mobile devices, including non-registry laptops and portable media, that contain sensitive registry information shall be encrypted using a FIPS 140-2 compliant product. Data at rest include all registry data regardless of where they are stored.
- A FIPS 140-2 compliant key recovery mechanism should be used so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel should be avoided. Key recovery is required by “OMB Guidance to Federal Agencies on Data Availability and Encryption,” November 26, 2001.
- Encryption key management should comply with all registry policies and shall provide adequate protection to prevent unauthorized decryption of the information.
- All media used to store information shall be encrypted until they are sanitized or destroyed in accordance with registry policy and procedures.
Example: External researchers mail sensitive patient information to the registry on storage media. How should this be resolved, given that the research is done on behalf of the registry?
All media containing sensitive information for the registry or by a contractor on behalf of the registry should be encrypted. Registry policy states “registry-approved language shall be included in contracts to ensure that sensitive registry data are appropriately encrypted.” Procedures and practices ought to be changed and the contract should be modified to bring it into alignment with registry policy.
Registry policy should include a key recovery mechanism for all encrypted registry data to enable the registry to track and manage these devices.
Protecting Data at Rest
The Office of Management and Budget (OMB) released a memorandum (M-06-16 [PDF-118KB]) recommending that all federal agencies protect sensitive information and providing a security checklist. This requirement includes personally identifying information (PII) collected by third parties (including cancer registries) using federal funds.
All PII should be stored in an encrypted partition on the hard drive and should be encrypted with FIPS 140-validated software, which ought to be capable of key recovery. A copy of the encryption key(s) should be stored in multiple secure locations.
Databases stored on standalone (non-networked) computers need to have the same security as databases stored on networked computers due to the dangers of the computer being stolen, discarded, or sold as surplus with the data improperly erased, used by someone without authorization, or connected to a network.
A database that resides within a secure domain requires the same security as a database on an organization-wide network.
The following registry-owned equipment used to process or store PII should be encrypted—
- Laptops and tablet PCs.
- Desktop computers, if they are considered to be at a high risk for theft or misuse.
- Portable electronic media.
Note: Vendor-owned equipment is subject to the same security requirements as that owned by federal employees. Registry policy must include a key recovery process for all encrypted registry data.
No. Registry data should NEVER be stored on personally owned equipment.
You can contact the registry’s IT department for assistance.
See question 1 for more information.
Any portable or handheld computer with an operating system, including a laptop, tablet, flash drive, USB key, or portable hard drive.
Portable media include floppy disks, compact discs (CDs), digital versatile disks (DVDs), tapes, secure digital (SD) cards, and compact flash (CF) cards.
All laptops and tablets ought to be encrypted. Whenever possible, platforms should be changed to one supported by a FIPS 140-2-certified whole-disk encryption package. If the platform cannot be changed, the laptop or tablet should be secured with compensating controls and validated by NIST.
Software is available that can encrypt individual files. Each registry must determine which encryption products are supported.
If a laptop does not have a FIPS 140-2 certified whole-disk encryption solution, it should not be used to store PII or sensitive information.
- All PII stored on non-encrypted laptops should be removed and stored on either a managed server or a FIPS 140-2-certified storage device.
- Approved FIPS 140-2 encryption software for Apple Macintosh laptops is available on the NIST Web site.
- Each registry should determine which encryption products will be supported.
Simply deleting a file is not the approved method for removing PII or sensitive information. Use disk sanitization software. Each registry must determine which disk sanitization products are supported.
If a laptop or tablet is connected to a scientific device and meets specific registry security policy criteria, it may be eligible for a waiver from the central cancer registry or supporting organization. These criteria include, but are not limited to, compensating controls such as being physically secured and labeled appropriately. A detailed explanation of why the laptop cannot function with encryption software must be included. All waiver requests should be identified to the registry’s security steward.
Fill out and sign the laptop encryption waiver form. The waiver must be approved by the registry’s security steward.
- Describe why implementing the policy is not feasible or technically possible while supporting the scientific mission or business function.
- Confirm the laptop or tablet does not, and will not, access or store PII or sensitive data. If it does store PII or sensitive data, additional compensating controls may be required.
- Describe the technical, operational, and management security controls which offset the risk of not implementing this policy; for example, the machine is not portable and is attached securely to an instrument or bench with a cable lock.
- List the machine’s location, serial number, and registry decal number.
NPCR is not permitted to recommend specific software solutions. See Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules for FIPS 140-2-compliant encryption solutions. Acquisition agreements at the U.S. General Services Administration’s Software Purchase Agreements can help programs obtain certified software solutions.
No. Each registry should determine which encryption products are supported.
Yes. Microsoft BitLocker is FIPS 140-2-certified and can be used in FIPS mode on the current supported Microsoft operating system. Each registry must determine which encryption products will be supported.
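One way to verify a registry-owned Windows laptop against the data-at-rest requirements above (whole-disk encryption active, FIPS mode on, and a recoverable key protector present): an added PowerShell audit script, not from the NPCR FAQ or from Microsoft, that uses the built-in BitLocker module and the Windows FIPS policy registry value. The function name and the report field names are assumptions; the cmdlets, properties, and registry path are standard Windows ones.

```powershell
# Added example (not from the NPCR FAQ): report whether each BitLocker volume on
# this machine meets the whole-disk encryption, FIPS mode and key recovery items.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later)
# and an elevated session; Get-BitLockerVolume needs administrator rights.
function Get-RegistryLaptopEncryptionReport {
    [CmdletBinding()]
    param()

    # Windows-wide FIPS switch. BitLocker uses its FIPS-validated path only when
    # this policy is enabled before the volume is encrypted, so a volume encrypted
    # with the switch off must be decrypted and re-encrypted after enabling it.
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fipsValue = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    $fipsEnabled = ($null -ne $fipsValue) -and ($fipsValue.Enabled -eq 1)

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Key recovery (OMB guidance of 26 Nov 2001, cited in the FAQ): an
        # authorized person must be able to decrypt the disk, so a recovery
        # password or recovery key file protector must exist. Its escrow (AD/MBAM
        # or an offline secure store) cannot be checked from the client and is
        # left to registry procedure.
        $hasRecovery = (($protectorTypes -contains 'RecoveryPassword') -or
                        ($protectorTypes -contains 'ExternalKey'))

        $fullyEncrypted = ($vol.VolumeStatus -eq 'FullyEncrypted')
        $protectionOn   = ($vol.ProtectionStatus -eq 'On')

        [PSCustomObject]@{
            Volume            = $vol.MountPoint
            FullyEncrypted    = $fullyEncrypted
            ProtectionOn      = $protectionOn
            EncryptionMethod  = $vol.EncryptionMethod
            FipsModeOn        = $fipsEnabled
            RecoveryProtector = $hasRecovery
            # Only a volume passing all four checks should hold registry PII.
            OkForPii          = ($fullyEncrypted -and $protectionOn -and
                                 $fipsEnabled -and $hasRecovery)
        }
    }
}

Get-RegistryLaptopEncryptionReport | Format-Table -AutoSize
```

A volume reporting OkForPii = False should be treated as a non-encrypted laptop under the policy above: move the PII to a managed server or a FIPS 140-2-certified device until the volume is remediated.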
Protecting Data in Motion
“Data in motion” is a commonly used term for data that are being transmitted across a local or wireless network or the Internet. Encrypting data in motion hides information as it moves across the network between the database and the client. Encrypting data before transmission prevents—
- Interception of confidential data as they move between the client and database.
- Session hijacking (redirecting data).
- Replay attacks (replaying an authentication session to fool a computer into granting access).
Standards for encrypting data in motion include Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Internet Protocol Security (IPsec).
Some programs feel that they should develop a solution outside their normal processing system to handle VA data, so that the VA data can be stored on an encrypted personal computer. This can be done, but the VA data would be exposed when records are consolidated, and it creates extra work for the registry.