2020 DAC Annual Security and Compliance Training
Stephanie Tomlin, MS, MPA
DAC Director, Dartmouth Data Analytic Core
April 2020
Security and Compliance Training Overview
tdi.dartmouth.edu
User Knowledge
Cybersecurity
Mitigating Risk
HIPAA Identifiers
Data Suppression
Data Use Agreements
Reportable Incidents
Primary Objective of this Training
Provide DAC Users with the knowledge to protect the security and availability of DAC data and information systems.
This training fulfills the CMS DUA required training requirements for compliance with:
• OMB Circular No. A-130, Appendix III – Security of Federal Automated Information Systems
• Federal Information Processing Standard (FIPS) 200 – Minimum Security Requirements for Federal Information Systems
• Special Publication 800-53 – Recommended Security Controls for Federal Information Systems
• CMS Suppression Requirements
The Human Element
• Personnel are the weakest link in a security chain.
• We must all take responsibility to minimize the cost of security incidents.
• DAC Users have extraordinary access to highly sensitive data that is shared across multiple project teams.
• A single incident by only one person can jeopardize access to all research at Dartmouth using CMS data AND, more importantly, risk harm to the public.
Key Cybersecurity Concepts
Threats – the potential to cause unauthorized disclosure of data, changes, or destruction to an asset.
Vulnerabilities – any flaw or weakness that can be exploited and could result in a breach or a violation of a system’s security policy.
Risk – the likelihood that a threat will exploit a vulnerability.
Threat: Social Engineering
The use of deception to manipulate individuals into divulging confidential information that the social engineer may use for fraudulent purposes.
Vectors:
• Phishing – The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
• Impersonation – Pretending or pretexting to be another person with the goal of gaining physical access to a system or building.
• Vishing (“Voice Phishing”) – Using a telephone system to gain access to private personal information; also used to gather intelligence on a target organization.
• Smishing – Use of SMS text messaging to gain access to information, often by clicking on a malicious link or divulging information.
Threat: Social Engineering Examples
(Slide of illustrated example messages for each vector: Phishing, Vishing, Smishing and Impersonation.)
Mitigating Risk of Social Engineering: Examples
• Sharing Passwords – Never share your password with anyone, including colleagues.
• Clicking on Attachments – Avoid clicking on attachments from unknown sources.
• Befriending Strangers – Avoid befriending people you don’t know on social media.
• Too Good to be True – Be aware of offers that are “too good to be true”.
Social Engineering Threat: Social Media
Do not associate your relationship in the DAC with your social media accounts. A social engineer may aggregate and use multiple posts about your role with malicious intent.
(Illustration: a post reading “Hey! We’ve got Medicare data in the DAC!” and a social engineer thinking “Password idea?”)
Only accept friend requests from people you know.
Vulnerabilities
• Hardware – susceptibility to humidity, dust, soiling, unprotected storage
• Software – insufficient testing, lack of audit trail, design flaw
• Network – unprotected communication lines, insecure network architecture
• Personnel – inadequate security awareness
• Physical site – area subject to flood, unreliable power source
• Organizational – lack of regular audits, lack of continuity plans, lack of security
These are all potential vulnerabilities the DAC considers in its annual risk assessment and mitigation implementation. As indicated previously, personnel are the weakest link. This training is vital to ensuring YOU, the User, understand your roles and responsibilities to safeguard the DAC Information System and Data.
Mitigating Risks with Required Access Controls
Identity Protection
• Wear your badge
• No tailgating (letting people follow you into the DAC)
• Limit visitors
Password Management
• A passphrase is more secure than a password
• At least 10 characters
• Contains upper & lower case characters
• Includes digits and special characters
Laptop Protection
• 15-minute session lock required (screensaver)
• Computer encryption required (BitLocker for Windows and FileVault for Macs)
Working outside the office
• Don’t allow shoulder surfing when in public
• Access to the DAC Information System is only allowed within the United States
Passphrase vs. Password
Passphrase
• A sequence of words or text used to access a computer system, program or data.
• Incorporates uppercase and lowercase letters; symbols/characters; longer than a password; and consists of a phrase the user can more easily remember.
• Passphrases usually have spaces, but not all organizations support this. Using an underscore is one way to address this.
• Passphrase examples: $0_d0ne_With_wint3R; Spr1ng sh0w3rs M4y Fl0wer$
• Passphrase Generator
Password
• A sequence of letters and characters used to access a computer system, program or data.
• Incorporates uppercase and lowercase letters; symbols/characters; harder for the user to remember and easier to crack than a passphrase.
HIPAA Identifiers (18)
The obvious identifiers:
• Names
• Telephone numbers
• Fax numbers
• E-mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web URLs
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
Less obvious and most misunderstood identifiers:
• Geographic subdivisions smaller than a State (includes zip codes!)
• Dates (except year) directly related to a patient
• Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data
Misunderstood HIPAA Identifier: Elements of Dates
Includes all elements of dates except year. May not disclose days or months. Year can be tricky if it implies age.
Common examples:
• birth date
• admission/discharge date
• death date
• all ages over 89 (may be aggregated into a single category of age 90 or older)
HIPAA Identifier: Elements of dates that include day and/or month
  Unacceptable: January 1, 2009
  Acceptable: 2009
HIPAA Identifier: Date of service that implies age
  Unacceptable: dataset contains both an age explicitly stated, or implied, as over 89 years old and year of health service = 2010
  Acceptable: change dataset to reflect Age >= 90 and Year of birth “on or before 1920”
HIPAA Identifier: Dates associated with tests/procedures
  Acceptable: None; strip them
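As an added example that is not DAC code, this Python applies the rules in the table above to constructed records: every date is reduced to its year, an age over 89 becomes the single “90 or older” category, and the birth year is replaced by “on or before <year>” so the service year cannot imply the age. The field names and the `service_year` argument are assumptions.

```python
# Added example for the "elements of dates" rules above; not DAC or CMS code.
from datetime import date

AGE_CAP = 89   # HIPAA: every age over 89 is reported as one category, "90 or older"
DATE_FIELDS = ("birth_date", "admit_date", "discharge_date", "death_date")  # assumed names


def deidentify_dates(record, service_year):
    """Reduce each ISO date in `record` to its year only (no month/day), then
    make sure the retained years cannot imply an age over 89.

    `service_year` is the year of health service shown in the dataset; age is
    derived from it and the birth year, as in the deck's 2010 / 1920 example.
    Returns a new dict and leaves `record` untouched."""
    out = {}
    for field in DATE_FIELDS:
        if record.get(field):                     # missing dates are simply skipped
            year_field = field.replace("_date", "_year")
            out[year_field] = date.fromisoformat(record[field]).year
    out["service_year"] = service_year

    birth_year = out.pop("birth_year", None)
    if birth_year is not None:
        age = service_year - birth_year
        if age > AGE_CAP:
            # The year of birth alone would reveal the age, so coarsen it too.
            out["age"] = "90 or older"
            out["birth_year"] = f"on or before {service_year - AGE_CAP - 1}"
        else:
            out["age"] = age
            out["birth_year"] = birth_year
    return out


# Constructed sample records (not real beneficiaries).
OLD_PATIENT = {"birth_date": "1915-03-04", "admit_date": "2010-06-01",
               "discharge_date": "2010-06-09"}
YOUNG_PATIENT = {"birth_date": "1950-11-20", "admit_date": "2010-02-14",
                 "death_date": None}

if __name__ == "__main__":
    print(deidentify_dates(OLD_PATIENT, 2010))    # age "90 or older", birth "on or before 1920"
    print(deidentify_dates(YOUNG_PATIENT, 2010))  # age 60, birth_year 1950
```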
Misunderstood HIPAA Identifier: Other Unique Identifiers
• Identifying Characteristic – distinguishes an individual in a way that allows for identification. Example: occupation (POTUS).
• Identifying Number – derived from an identifier. Example: clinical trial number.
• Identifying Code – derived from a non-secure encoding mechanism. Example: hash-based authentication code.
Consider a combination of non-HIPAA characteristics, such as gender, race/ethnicity, age, and marital status. These may, in combination, be enough to link an individual to a publicly available dataset, such as voting records.
Misunderstood HIPAA Identifier: Geographic Subdivisions Smaller than State (includes counties and zip codes)
But wait, we have county and zip code level data published on the Atlas! That is because we aggregate our data up according to the CMS Suppression Rule!
CMS Suppression Policy Applying the Expert HIPAA De‐Identification Method
• Language in all CMS Data Use Agreements (contracts), “…no cell (e.g. admittances, discharges, patients, services) 10 or less may be displayed. Also, no use of percentages or other mathematical formulas may be used if they result in the display of a cell 10 or less.”
• ResDAC policy clarification - The policy stipulates that no cell (e.g. admissions, discharges, patients, services, etc.) containing a value of 1 to 10 can be reported directly. A value of zero does not violate the minimum cell size policy. In addition, no cell can be reported that allows a value of 1 to 10 to be derived from other reported cells or information. For example, the use of percentages or other mathematical formulas that, in combination with other reported information, result in the display of a cell containing a value of 1 to 10 is prohibited. The cell suppression policy also applies to the reporting of excluded cases.
CMS Suppression: Specific Inquiry Examples
TDI Researcher Inquiry: Amongst 97 nursing homes, what proportion of patients are ACO patients in each nursing home?
• Numerator = # of patients in ACO
• Denominator = # of patients in nursing home
We are interested in statistics such as the 25th percentile of the 97 nursing homes. If this percentile = 2, without specifying the area or nursing home itself, can we report this out?
ResDAC response: “The denominator is known and therefore one can derive Ns<11 which is a violation. It does not matter whether you are not specifying the area or the nursing home, as long as I know that the count of beneficiaries is less than 11, then it is a violation.”
TDI Researcher Inquiry: One of our programmers has a table that includes the minimum, maximum, and sum event count of readmissions in nursing homes. The sum is 14 but the maximum is <11, and the team wants to be able to report the true maximum. Can we release this outside of our secure server? Obviously, you couldn’t easily re-identify a specific person here, but it does represent a count of people with <11 of the maximum event.
ResDAC response: “Unfortunately, this would not be able to be reported, as it would violate the cell suppression policy.”
CMS Suppression: Example 1 – Count Derived from Total
Diagnosis | Count
Diabetes | 20
CHF | 35
Cancer | -99999
Overall | 60
THIS IS A VIOLATION OF CMS SUPPRESSION RULES
From this table, the number of people with cancer was suppressed. However, we can back into the number of people with cancer: Overall (60) – CHF (35) – Diabetes (20) = 5. The number of people with cancer = 5.
Solution 1: Suppress Overall
Diagnosis | Count
Diabetes | 20
CHF | 35
Cancer | -99999 (suppressed)
Overall | -99999 (suppressed)
Solution 2: Suppress Next Smallest
Diagnosis | Count
Diabetes | -99999 (suppressed)
CHF | 35
Cancer | -99999 (suppressed)
Overall | 60
Solution 3: Suppress by Grouping Diagnoses
Diagnosis | Count
Diabetes | 20
CHF & Cancer | 40
Overall | 60
CMS Suppression: Example 2 – Two-Way Table
Diagnosis | Male Count | Female Count | Total Count
Diabetes | 20 | 30 | 50
CHF | 35 | 15 | 50
Cancer | -99999 | -99999 | 25
Overall | 60 | 65 | 125
THIS IS A VIOLATION OF CMS SUPPRESSION RULES
The user assumed they suppressed the data by suppressing in the row. However, it is still possible to identify the number of males and females with cancer because the column totals are reported (Male: 60 – 20 – 35 = 5).
Solution 1: Suppress Overall (in at least 2 columns/rows)
Diagnosis | Male Count | Female Count | Total Count
Diabetes | 20 | 30 | 50
CHF | 35 | 15 | 50
Cancer | -99999 | -99999 | 25
Overall | -99999 | -99999 | 125
Solution 2: Suppress by Grouping
Diagnosis | Male Count | Female Count | Total Count
Diabetes | 20 | 30 | 50
CHF & Cancer | 40 | 35 | 55
Overall | 60 | 65 | 125
CMS Suppression: Example 3 – Dealing with Percentages
Diagnosis | Count | Percent
Diabetes | -99999 | 33%
CHF | 35 | 58%
Cancer | -99999 | 8%
Overall | 60 | 100%
THIS IS A VIOLATION OF CMS SUPPRESSION RULES
The user assumed they suppressed the data by suppressing 2 counts in the same column. However, it is still possible to identify the count of people with cancer using the percentages (8% of 60 is about 5).
Solution: Suppress Percentages AND Counts
Diagnosis | Count | Percent
Diabetes | -99999 | -99999
CHF | 35 | 58%
Cancer | -99999 | -99999
Overall | 60 | 100%
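As an added example that is not DAC, ResDAC or CMS code, the following Python checks a reported table for both halves of the rule shown in Examples 1 to 3: cells displayed with a value of 1..10, and suppressed cells that a reader can back into from row/column totals or from rounded percentages. It works for one-way and two-way tables and keeps peeling until nothing more can be solved; the dict layout and the `Overall`/`Total` margin labels are assumptions.

```python
# Added example for the CMS cell-suppression examples above; not DAC/ResDAC/CMS code.
SUPPRESSED = -99999   # sentinel the deck's tables use for a suppressed cell


def find_violations(table, total_row="Overall", total_col="Total"):
    """table: {row_label: {col_label: int or SUPPRESSED}}, every row with the
    same columns. Marginal rows/columns are recognised by label (assumed).

    Returns (violations, derived): derived maps each suppressed cell a reader
    can solve from the reported totals to the value obtained; violations lists
    cells that show, or allow deriving, a value of 1..10 (0 is allowed)."""
    rows = list(table)
    cols = list(next(iter(table.values())))
    known = {(r, c): table[r][c] for r in rows for c in cols
             if table[r][c] != SUPPRESSED}
    direct = sorted(cell for cell, v in known.items() if 1 <= v <= 10)

    # A line is (parts, margin): the parts must add up to the margin cell.
    lines = []
    if total_row in table:
        lines += [([(r, c) for r in rows if r != total_row], (total_row, c))
                  for c in cols]
    if total_col in cols:
        lines += [([(r, c) for c in cols if c != total_col], (r, total_col))
                  for r in rows]

    derived, changed = {}, True
    while changed:                 # peel: solving one cell may expose another
        changed = False
        for parts, margin in lines:
            unknown = [cell for cell in parts + [margin] if cell not in known]
            if len(unknown) != 1:
                continue           # 0 unknowns: nothing to do; 2+: not solvable
            cell = unknown[0]
            if cell == margin:
                value = sum(known[p] for p in parts)
            else:
                value = known[margin] - sum(known[p] for p in parts if p != cell)
            known[cell] = derived[cell] = value
            changed = True
    leaked = sorted(cell for cell, v in derived.items() if 1 <= v <= 10)
    return direct + leaked, derived


def counts_from_percentages(percent, total):
    """Example 3: a rounded percentage of a reported total gives the count back.
    Returns {label: reconstructed count}; any value in 1..10 is a violation."""
    return {label: round(pct * total / 100) for label, pct in percent.items()}


# The "violation" tables from the deck's Example 1 and Example 2.
EXAMPLE_1 = {"Diabetes": {"Count": 20}, "CHF": {"Count": 35},
             "Cancer": {"Count": SUPPRESSED}, "Overall": {"Count": 60}}
EXAMPLE_2 = {"Diabetes": {"Male": 20, "Female": 30, "Total": 50},
             "CHF": {"Male": 35, "Female": 15, "Total": 50},
             "Cancer": {"Male": SUPPRESSED, "Female": SUPPRESSED, "Total": 25},
             "Overall": {"Male": 60, "Female": 65, "Total": 125}}

if __name__ == "__main__":
    print(find_violations(EXAMPLE_1))      # Cancer/Count backed into: 5
    print(find_violations(EXAMPLE_2))      # Cancer/Male backed into: 5
    print(counts_from_percentages({"Diabetes": 33, "Cancer": 8}, 60))
```

Running the deck's Solution 1 tables through `find_violations` returns no derived cells, which is the check to apply before any table leaves the secure server.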
Purpose of a CMS Data Use Agreement
- Defines the limitations on use of the data
- Details the obligations to safeguard the data
- Binds the requester to liability for harm arising from the use of the data
Funding Drives the Requirement for a Data Use Agreement
• Per CMS/ResDAC, all grants (federal & non-federal) are required to obtain their own DUA.
– If federal, the Federal Project Officer must approve & submit a letter of support in the new DUA request packet.
– If non-federal (private), the notice of award letter must be submitted in the new DUA request packet.
– CMS does not allow the use of “internal” or “private funding” to support or supplement federally funded DUAs, unless they meet the exception criteria below.
• CMS allows an exception to the above rule if the award meets the following criteria:
1. The award (federal or non-federal) is made to the broader organization/center;
2. The award notice does not include a specific research project title;
3. The award notice does not include specific Principal Investigator names; and
4. The award indicates that the funding is discretionary.
DUA Requesting Organization
• DUAs originate from the institution/organization that received the original/primary award.
• Organizations receiving a sub-contract may not submit the request as a Requestor/User.
• All externally funded entities must have a Dartmouth College collaborator to use Dartmouth-housed CMS data.
(Diagram: NIH → well-funded college → college holding CMS data, labelled DUA Requestor, DUA Custodian and DUA Collaborator. All 3 entities are on the DUA.)
DUA Request Types
New Use – New purchase of data from CMS. (CMS Data Fee List)
Reuse – Using data that is already held by the Institution ($2000/request)
Amendments – Add new data type, add new data years, update Data Management Plan, change users, & add/remove study personnel (Managing your existing DUA)
Extension – Required annually. (CMS Extension process)
Closure – All datasets destroyed with FPO approval (CMS Closure process)
CMS DUA Request Timeline
CMS DUAs are “Project Specific”
“the User agrees to use the data only for purposes that support the User’s study, research or project referenced in this Agreement”
“But, what if…”
• “…it’s within scope or under the umbrella of another DUA?”
• “…my aims and objectives are within or similar to an existing DUA?”
• “…I work under an approved DUA with its associated funding until my DUA is approved?”
Important note: Amending a DUA to add new datasets (not previously approved), new funding, and/or new personnel, is considered a flag for justifying a change to the scope and will increase the turn-around time for review/approval.
All student projects using CMS data require their own DUA
• Per ResDAC:
– “CMS will allow students (both PhD and Masters level) to use the data to complete their degree projects. They need their own DUAs.”
– “Students doing research as a research assistant and the work is not related to the degree project, the standard DUA guidelines would apply.”
• What does this mean for my PhD or Masters project if I want to use CMS data?
– All student-related projects must secure their own DUA. CMS does not charge a reuse fee for students, but DAC fees apply.
– The DAC is unable to provide free mentorship or waive DAC fees for students. Therefore, the department or faculty mentor will need to provide funding support for DAC fees.
– Student-led DUAs must have a Dartmouth faculty mentor who is responsible for overseeing the student’s project.
Part B Carrier File Request Limitations & Costs
• Effective Dec. 2017, CMS no longer allows researchers to request a reuse for the ability to use the full 100% carrier file.
• Researchers may request a reuse of the 100% Carrier file to build a cohort that represents no more than 20% beneficiaries (included in $2,000 reuse fee)
• Expected sample sizes must be completely described in the CMS DUA with estimated #s of beneficiaries based on referenced data.
• Users working directly with the Carrier file must ensure they do not exceed the 20% threshold of benes (see below).
Year | Total Enrollment | 20% threshold for Part B Carrier cohort build
2010 | 45,826,207 | 9,165,241
2011 | 46,984,250 | 9,396,850
2012 | 48,722,929 | 9,744,586
2013 | 50,484,675 | 10,096,935
2014 | 52,005,389 | 10,401,078
2015 | 53,499,449 | 10,699,890
2016 | 55,330,965 | 11,066,193
2017 | 56,800,280 | 11,360,056
2018 | 59,869,402 | 11,973,880
Source: kff.org
CMS DUA Limitations of Data Use
• May not link to other individually identifiable data without CMS approval.
• May not disclose direct findings, listings or information derived from files in section 5 of the DUA, with or without direct identifiers, if they can be used to deduce an individual’s identity (e.g. age >89, sex, diagnosis and procedure, admission/discharge dates, or date of death).
• No cell (admittances, discharges, patients, services) <=10 may be displayed AND no percentages or other mathematical formulas may be used if they result in the display of a cell <=10.
• Only data files listed in the DUA & Executive Summary may be accessed/used for the specific project detailed in the DUA.
Reportable Incidents
• Loss, damage, theft, improper disposal of equipment, media, or papers containing PHI
• Accidentally sending a report/file/email containing PHI outside of the secure system or to someone not authorized to view the information
• Allowing knowingly or unknowingly unauthorized use of a computer accessing DAC Information Systems
• Discussing work related information (someone’s medical records) in a public area
• Accessing private records of friends, neighbors, celebrities, etc..
Incidents impact all DAC research teams
If an incident is suspected, the DAC may be required to:
• Submit a formal response to CMS of an allegation of unauthorized use, reuse, or disclosure
• Submit a corrective action plan to CMS with steps designed to prevent future unauthorized uses, reuses, or disclosures
• Return data files to CMS or destroy the data files
• Inability for the DAC to do its work (CMS may freeze a specific DUA or all Dartmouth DUAs)
• Disruption to day-to-day operations (substantial time investment across many people)
• Damage to the DAC’s reputation (a report is required to go to OGC & CMS)
• Harm to an individual’s health or financial status
Criminal Consequences of an Incident
Criminal penalties
• For unauthorized disclosure – §1106(a) of the Social Security Act (42 U.S.C. § 1306(s)):
– Up to $10,000, or
– Imprisonment up to 5 years
• For knowingly and willfully obtaining the file under false pretenses – Privacy Act (5 U.S.C. § 552a(i)(3)):
– Up to $10,000, or
– Imprisonment up to 5 years
• For taking or converting a data file to his/her own use, or receiving the file knowing it was stolen or converted:
– Fined under Title 19
– Imprisonment up to 10 years
Incident Reporting Requirements
It is important to respond appropriately in the event of an incident:
– Unauthorized use or reuse
– Disclosure of PHI or PII
– Determined breach
1. Promptly investigate and report details of any alleged or actual unauthorized use, reuse, or disclosure to the DAC Security Team (see next slide)
2. In the event that a Security Team member cannot be reached, contact CMS Action Desk within 1 hour of known disclosure (410) 786-2850
DAC IT and Data Security Governance Contacts
DAC Security Team Contacts – [email protected]
• DAC Director and CMS Data Custodian – [email protected]
• DAC Research Compliance Coordinator and DUA Point of Contact with CMS – [email protected]
• Infrastructure Programmer/Analyst – [email protected]
• Infrastructure Programmer/Analyst – [email protected]
Dartmouth College Security Team Contacts – [email protected]
• DUA User – [email protected]
• CISO – [email protected]
Reference Definitions & Abbreviations
Centers for Medicare & Medicaid Services (CMS) – A federal agency that administers the nation's major health care programs, including Medicare and Medicaid. Also the primary DAC data source for Medicare/Medicaid Research Identifiable Files.
CMS Data Use Agreement (DUA) – A contractual document used for the transfer of Identifiable Data Files (IDFs) containing PHI and/or PII and thus subject to restrictions on its use.
CMS Data Management Plan – An appendix document to the CMS DUA that details the DAC safeguards for protecting CMS data, specifically with regard to: physical possession and storage of CMS data; data sharing, electronic transmission, and distribution; data breaches, reporting and publication; and completion of research tasks and data destruction.
CMS DUA Certificate of Disposition (COD) – CMS form to certify destruction of data at the closure of a DUA.
Data Analytic Core (DAC) – Health claims laboratory for health services research using large administrative health care datasets, primarily CMS data, in a highly secure information system at Dartmouth College.
DAC Information System – Any application or information system that directly or indirectly supports research projects using data covered by a Data Analytic Core (DAC) Data Management Plan.
Sensitive Information – Information whose unauthorized disclosure may have a serious adverse effect on Dartmouth’s reputation, resources, services, or individuals. Includes information protected under federal/state regulations (CMS data), PHI, PII, and any other information designated as sensitive and therefore contained within the DAC Information Systems.
DAC User – Anyone with access to, or in a position of oversight for someone with access to, the DAC Information System. This includes:
• anyone listed on a CMS DUA with the box checked that they will have access to cell sizes <11;
• anyone with access to the DAC servers;
• anyone in a position of oversight or giving direction to someone with access to the DAC servers; and/or
• anyone who is viewing information in the DAC Information System either over the shoulder or in a meeting.
PHI – Protected Health Information (45 CFR § 160.103)
• Created or received by a health plan, employer or healthcare clearinghouse.
• Relates to past, present, or future health/healthcare/payment for healthcare of an individual.
• There are 18 identifiers. Examples: names, phone #s, social security #, date of birth, biometrics, etc.
PII – Personally Identifiable Information (defined by OMB M-07-16)
• Can be used to distinguish an individual’s identity and is linked or linkable to that individual (medical, financial, employment).
• Linkable to date of birth, place of birth, race, religion, weight, activities, geography, employment info, medical info, and education information.
• Identifier examples: names, passport #, social security #, license #, tax identification #, patient ID, financial account #, vehicle identification #s, etc. (see full list on next slide)