Protecting Research Data: What Works?
Moffitt Cancer Center Security Leader Describes Challenges, Solutions
One of the most difficult challenges in protecting sensitive patient data, including genetic information, that's used in medical research is educating researchers and other clinicians who share that data about potential privacy issues, says Dave Summitt, director of information security at Moffitt Cancer Center in Tampa, Fla.
"Incorporating data and computer security into the cultures of other professions is very difficult to do," Summitt says in an interview with Information Security Media Group. "Clinicians, including doctors, nurses, [medical] technicians and others ... are here to do something very specific - that is to care for, heal and make [patients] comfortable," he says. "The process to protect information generated [about] those patients is not their priority, and that's putting it very respectfully."
In the medical research world, protecting patient privacy is especially challenging "because research data is wanted and needed to be shared for research - not hoard it or hide it, which we in security have a tendency to do," he says. Security professionals need to work collaboratively with researchers "so researchers are allowed to do what they need to do, while that data is secured as best as possible, or reducing the risk to acceptable levels," he says.
"It's very important the security organization becomes embedded in the whole workflow process and the different departments within an organization to help them understand 'we're here to help you and have minimal impact on what you need to get done.'"
When it comes to protecting patient data that's used for research, "the massive amount of data on the DNA side is probably the biggest challenge," he says. "The challenge is how to educate the researchers that we still have to protect this data. Researchers have such a wide range of people that they need to share ... data with. They are so focused on the research that they're forgetting that the data is still private data in a lot of cases and needs to be protected."
The challenge for Summitt's team is to offer secure methods for researchers to work with sensitive data and share it with other researchers, he says. "I want to help the researchers do what they have to do, but I want to make sure they're getting it done securely," he says.
In the interview, Summitt also discusses:
- The potential impact on Moffitt's privacy policies if the 21st Century Cures bill, which proposes changes to the HIPAA Privacy Rule for the use and disclosure of protected health information for research purposes, becomes law;
- The latest trends in data breaches in healthcare, and lessons learned;
- Steps Moffitt is taking to safeguard data from the uptick in hacker and phishing attacks targeting the healthcare sector.
Summitt is director of information security and HIPAA security officer for Moffitt Cancer Center & Research Institute. Before joining Moffitt, he was CISO for UAB Health System in Birmingham, Ala., and was an IT and network security manager and HIPAA security officer at Bayfront Health System in St. Petersburg, Fla. Earlier, Summitt had a 20-year career at the Department of Defense, where he held various positions, including information security officer and a data security custodian for a major missile defense system.