Introduction to Data Security
Data security is the process of making sure data are available only to those who need to use it for a legitimate purpose. Controlling access to data helps ensure privacy, and is required by various federal agency policies and regulations.
Cancer registry data are especially valuable as they contain a wealth of personally identifying information that can be used for numerous illicit purposes. The most obvious is identity theft. Full names, addresses, telephone numbers, Social Security numbers, birthdates, and other personal information provide criminals the keys to obtain credit and purchase goods and services fraudulently.
A person’s medical history, including diagnoses, treatments, and prescriptions, can be used to obtain prescription medication fraudulently, to embarrass or blackmail the person, or to increase insurance premiums.
Health care providers could use this breached data to enhance their ability to analyze market share and perform studies on costs, charges, and clinical services, giving the provider a competitive advantage in the market.
Lax data security can allow external hackers to obtain unauthorized access to data online. However, identity thieves obtain data more frequently through low-tech means: by stealing laptop computers, backup tapes, CDs, USB flash drives, personal digital assistants (PDAs), external hard drives, and other media containing sensitive data, and by rummaging through garbage for printed copies or discarded equipment.
Employees with access to sensitive data pose a security risk that cannot be overlooked. If they discard old hardware without ensuring data are erased, personally identifying information can end up in the hands of the public when the equipment is sold as surplus. Employees, particularly disgruntled and ex-employees, may provide data to unauthorized people maliciously.
The foundation for data security is the security document. This document includes an assessment of the risks to your registry’s data, policies for mitigating those risks, and procedures for handling a security breach.
DISCLAIMER: These pages are not intended to be the sole source of information or to suggest practice to establish cancer registry security policy, but rather to provide general guidance to cancer registries addressing data security concerns. These pages are not a substitute for a rigorous risk assessment and evaluation by professional information technology staff.