November 6, 2015
Abt Associates Director of IT Security, Client Technology Center
Abt Associates Director of Research Ethics, Institutional Review Board
Pointing fingers and saying, “They did it,” is not an acceptable response during a data security incident, especially when it involves research sponsored by the federal government.
Today, study participants’ personal data is widespread across many entities such as grantees, contractors, and their subcontractors. With the sensitivity of that data ranging from the benign to protected health information, the risks are great.
Abt Associates conducts policy research and evaluation in partnership with several hundred federal government grantees and subcontractors. We regularly deal with data security incidents caused by grantees emailing us unencrypted personally identifiable information (PII). As a federal contractor, we are subject to the federal security requirements and invest in a comprehensive security program to remediate incidents that occur as a result of actions by Abt staff or subcontractors. However, our contracts do not include resources to build the security capacity of grantees.
We have observed that grantees often operate with limited resources and insufficient or no IT support staff, let alone security support staff. This means that many of the processes in place represent a best effort to protect the data, but fall far short of the protections the federal government would employ to protect similar data.
While our evaluation contracts do not have the requirement to strengthen the grant site’s security processes, we help grantees use more secure methods to protect the evaluation data within our limited scope of work. The lack of requirements and funding to remediate poor security practices presents a risk to federal data.
Programmatic support and technical support are two avenues that need to be addressed.
Grantees have limited knowledge of the contractual security requirements for the data they process. The procedures in practice do not support the “need to know” principle, and they create a single point of failure when only one person knows the secure procedure for processing the data. However, there are practical solutions to these problems that grantees can use to reduce the risk considerably.
Abt has found success in addressing programmatic deficiencies through:
- Explicit security requirements in contracts and data agreements;
- Training of grantees on data security procedures and responding to incidents; and
- Providing a detailed data security plan outlining step-by-step procedures to protect research participant data while stored and in transmission.
Our strategies target three key areas of security in program implementation, starting with the contract and data agreements. We build required language into our subcontracts that describes the required data security procedures, such as transferring data via a secure web portal and encrypting data. The subcontract also defines the expectations we have if participant data is lost. We then conduct in-depth, in-person training for all partners who handle research participants' PII. The training reviews the project-specific procedures to be followed as well as the background, history, and purpose of data security, using real examples of data breaches and their consequences.
At the end of training, staff members sign a confidentiality agreement to pledge their commitment to the procedures they learned. For longitudinal studies, we conduct low-cost refresher training to reinforce the importance of data security via webinars, bulletins, tailored posters, and focused one-on-one re-training as needed. To make the secure transfer of PII easy, we set up a user-friendly portal with clear user guidance. Internally, we systematically track all PII using data security plans, several methods of checks and balances, and quick incident response if it appears PII has been disclosed or misplaced.
The technical deficiencies we identified were in the use of basic security technologies like patch management tools, centralized antivirus, standardized security configurations for workstations, and account management. These fundamental security technologies are not complicated or expensive to implement, but grantees often choose to push the limits of their funding to make a meaningful impact on the greatest number of individuals rather than to secure data.
Technical support could be made available in two ways. The first is enforcement, via a grant requirement or another agency requirement. The second is direct provision by the agency through the agency’s security support staff, who could identify and implement sound security processes and technologies to protect the data. The agency could also provide a cloud solution that all grantees use for participant support, such as a customer relationship management tool.
Given that many of the grantees have related needs, the agency could offer a customer relationship management (CRM) solution that benefits from the agency’s buying power. The technology would have accompanying procedures that tie into the programmatic changes needed to reduce the number of incidents. Making use of a CRM tool a contractual requirement would encourage adoption of the tool and new procedures to support it.
Protecting participant data in federal grantee programs is essential for the continuing success of those programs and the program’s mission. The government should step in to support its grantees to prevent and respond to data security incidents.