SEER-MHOS Policy on Encryption & Data Security: Portable Devices & Removable Media
There have been a growing number of reports of stolen laptops containing sensitive personal data about patients in clinical studies. Because of the potentially sensitive nature of the SEER-MHOS data, the National Cancer Institute (NCI) implemented a new policy, effective June 2008, governing how SEER-MHOS data may be stored, transferred or used on portable devices and removable media.
Definitions of Portable Devices & Removable Media
- A portable device includes any non-fixed equipment that contains an operating system which may be used to create, access or store SEER-MHOS data. This includes but is not limited to laptops, personal digital assistants (PDAs), and smart phones.
- Removable media includes, but is not limited to: CDs, DVDs, MP3 players, removable memory, and USB drives (thumb drives).
Policy
Any investigator who has obtained the SEER-MHOS data (including all persons with access to the data) must take all reasonable measures to ensure the safety and confidentiality of any data that are downloaded to a portable device or removable media. Reasonable measures include storing large files only on network drives rather than on portable devices, and, for any data that are placed on a portable device or removable media, both password-protecting the data and encrypting them. Password protection alone (a login password or a document password) does not protect the data once the device or media is out of the investigator's hands; only encryption does. Encryption protects the confidentiality of the data. Protecting their integrity and authenticity as well requires an authenticated encryption mode (such as AES in GCM mode) or a separate message authentication code; unauthenticated encryption by itself does not detect modification. SEER-MHOS data stored on portable devices or removable media must be encrypted using one of the following approved encryption standards:
- Data Encryption Standard (DES), which uses a 64-bit block size and a 56-bit key. DES was withdrawn as a U.S. federal standard (FIPS 46-3) in 2005 because its 56-bit key can be recovered by exhaustive search, so AES is the stronger choice wherever the encryption software offers it.
- Advanced Encryption Standard (AES) with a 128-, 192-, or 256-bit key.
- International Data Encryption Algorithm (IDEA) with a 128-bit key.
If any portable device or removable media containing SEER-MHOS data is lost or stolen, the investigator must report the loss to the SEER-MHOS contact within 24 hours/first business day of discovering the loss.
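The following Go program is an added example, not part of the NCI policy or of any SEER-MHOS tool, showing what the approved AES standard provides in practice when used in an authenticated mode. It uses only the Go standard library; the key is generated in memory (a real tool would hold it in a key store or derive it from a strong passphrase), and the record it encrypts is a constructed sample, not study data. It goes slightly beyond the policy text: it demonstrates that AES-256-GCM rejects a record that was altered on the medium or opened with the wrong key (the integrity and authenticity the policy mentions), and that an AES implementation refuses a DES-sized 8-byte key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes: AES-256, the largest of the policy's approved AES key sizes.
const KeySize = 32

// NewDataKey draws a fresh random AES-256 key. Generated in memory here so the example
// runs stand-alone; a real tool would use its key store or a passphrase-derived key.
func NewDataKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-GCM authenticated cipher. GCM appends a 16-byte tag, so any change
// to the stored bytes, or use of the wrong key, makes Open fail instead of returning garbage.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record for storage on a portable device or removable medium.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// A fresh nonce per record is required; reusing a nonce under the same key breaks GCM.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, so the nonce travels with the data.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and authenticates a record produced by Seal. It returns an error, and no
// plaintext, if the bytes were modified on the medium or the key is wrong.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// Tamper returns a copy of a sealed record with one bit flipped in the ciphertext body,
// standing in for a corrupted or deliberately altered file on a USB drive.
func Tamper(sealed []byte) []byte {
	out := append([]byte(nil), sealed...)
	out[len(out)-17] ^= 0x01 // last ciphertext byte, just before the 16-byte tag
	return out
}

func main() {
	// Constructed sample record; not real study data.
	record := []byte("study_id=0000,site=EX,field=value")
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for a %d-byte record\n", len(sealed), len(record))

	plain, err := Open(key, sealed)
	fmt.Printf("intact copy: %q, err=%v\n", plain, err)

	_, err = Open(key, Tamper(sealed))
	fmt.Printf("tampered copy rejected: %v\n", err)

	_, err = Open(make([]byte, KeySize), sealed)
	fmt.Printf("wrong key rejected: %v\n", err)

	_, err = Seal(make([]byte, 8), record)
	fmt.Printf("DES-sized key rejected: %v\n", err)
}
```

The nonce is stored alongside the ciphertext because it is not secret; what must never happen is a nonce being reused under the same key. The wrong-key and tampering checks both surface as errors from Open, which is the behaviour a practitioner should expect from an authenticated mode and will not get from plain DES or AES in ECB/CBC mode without a MAC.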