Data Protection Recommendations and Resources

Department of Biostatistics Data Security Policy

Introduction

Given the high risk of information exposure, specific tools and resources to mitigate this risk are provided here.

PII/PHI Approved Storage

Research Drive

When individuals need access to the research drive, the PI will make the request to Bashar Shakhtour.

Folder Structure:

Mounting/mapping the Research Drive

Windows:

From This PC, select Computer > Map Network Drive and, in the Folder field, enter \\cqsresearch\research drive

MacOS:

From Finder, select Go > Connect to Server and enter smb://cqsresearch/research drive

Linux:

Edit /etc/fstab and add this line:

//cqsresearch/research\040drive /mnt/location cifs rw,auto,user,uid=1001,gid=1001,credentials=/home/homedirectory/.pwdfile

Then, in your home directory, add the file ~/.pwdfile with the username and password on separate lines:

username=vanderbilt\vunetid
password=yourpassword
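The file named by credentials= holds the password in plain text, so it should be readable only by its owner, and mount.cifs expects username= and password= on separate lines. An added example (not from the original page) that writes and then checks such a file; the function names are hypothetical and `stat -c` assumes GNU coreutils on Linux:

```sh
# Added example: create and audit the CIFS credentials file used by /etc/fstab.

# write_credfile FILE USER
# The password is read from standard input so it never appears in argv
# or in the shell history.
write_credfile() {
  file=$1; user=$2
  IFS= read -r pass || [ -n "$pass" ] || return 1
  ( umask 077    # a newly created file gets mode 0600
    printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file" ) || return 1
  chmod 600 "$file"    # also tighten a file that already existed
  unset pass
}

# check_credfile FILE
# Returns 0 only if FILE is owner-only and has both keys on their own lines.
check_credfile() {
  file=$1
  [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
  mode=$(stat -c %a "$file") || return 1
  case $mode in
    [0-7]00) ;;
    *) echo "$file: mode $mode exposes the password to group/others" >&2
       return 1 ;;
  esac
  grep -q '^username=' "$file" && grep -q '^password=' "$file" || {
    echo "$file: needs username= and password= on separate lines" >&2
    return 1
  }
}

# Usage (interactive, password typed without echo):
#   stty -echo; write_credfile ~/.pwdfile 'vanderbilt\vunetid'; stty echo
#   check_credfile ~/.pwdfile
```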

Biostatistics NAS

The department operates network attached storage (NAS) that is hosted on VUMC resources. While the preferred storage solution is OneDrive for individual needs and SharePoint for collaborations, NAS storage may be needed in some situations. Access to the NAS is authenticated using the VUMCid so is available only to VUMC faculty and staff. Contact the IT staff for more details.

OneDrive / SharePoint

VUMC has approved storage of PHI/PII in OneDrive and SharePoint when using your VUMC-issued credentials and account in Microsoft 365. See https://www.vumc.org/it/communicate-and-collaborate for more details. It is recommended to move usage away from Box. Be sure that data is not set to "local sync."

Project Specific

A given project by its data-sharing agreement may specify data handling requirements. For example, AllOfUs has data stored in a GCP and a dedicated team for controlling access. Its members are not allowed to store any of the identifying data externally to the project on any device not approved by that project.

Tabula Rasa Strategy

Years of research can accumulate on a local device and, in the past, one might not have followed security practices that comply with current requirements. A "tabula rasa" (blank slate) strategy is a method to ensure compliance. To accomplish this, take all locally stored research folders and upload them all to an approved storage location. Upon completing the upload, and double checking to confirm that it was successful, delete all folders locally. Then, as needed, take one folder at a time from storage and inspect it to make sure no PHI/PII is present. This will allow you to answer "no" with confidence if asked whether PHI/PII are present on your device. Eventually, your local computing device will be repopulated with what you need in a compliant manner.
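One way to do the "double checking" step before anything is deleted, as an added example that is not part of the original page: it compares the SHA-256 hash of every local file with the copy in storage. The function names are hypothetical, and it assumes `sha256sum` is installed and the approved storage is reachable as a directory (for example the mounted research drive).

```sh
# Added example: confirm an upload is complete before deleting the local copy.

# manifest DIR: print "hash  ./relative/path" for every file under DIR, sorted.
manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# verify_copy SRC DST
# Returns 0 only if every file under SRC exists under DST with identical
# content. Extra files in DST are ignored. Nothing is deleted here.
verify_copy() {
  src=$1; dst=$2
  [ -d "$src" ] && [ -d "$dst" ] || {
    echo "usage: verify_copy LOCAL_DIR STORAGE_DIR" >&2
    return 2
  }
  tmp=$(mktemp -d) || return 2
  manifest "$src" > "$tmp/src"
  manifest "$dst" > "$tmp/dst"
  # comm -23 keeps manifest lines present for SRC but absent for DST,
  # i.e. files that are missing from storage or differ in content.
  LC_ALL=C comm -23 "$tmp/src" "$tmp/dst" > "$tmp/bad"
  if [ -s "$tmp/bad" ]; then
    echo "DO NOT DELETE: missing or different in $dst:" >&2
    cat "$tmp/bad" >&2
    rc=1
  else
    echo "verified: $(wc -l < "$tmp/src") files match in $dst"
    rc=0
  fi
  rm -rf "$tmp"
  return $rc
}

# When run as a script: verify_copy.sh ~/research/projectA /mnt/location/projectA
if [ "$#" -eq 2 ]; then
  verify_copy "$1" "$2"
fi
```

Delete the local folder only after this reports that all files match.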

Password Encryption

IMPORTANT NOTE: An API Key is a username / password rolled into one string. It must be treated with the same care as a password. Never write an API Key in code.

There are commercially available tools (such as 1Password, KeePass, or Dashlane) that keep passwords in an encrypted vault or keyring. The providers of these services store the encrypted information only in the cloud and follow good security practices. The downside of this approach is that these tools do not integrate well with automated code.

Keyrings are currently best practice for managing API Keys and passwords, and several resources are available for one's personal code and projects. There are system-provided keyrings and local file keyrings. The local file option is generally the best for consistency because OS manufacturers frequently change their interfaces. Using a local file version will give consistent behavior across platforms and upgrades. It is recommended that all staff and faculty working with PII/PHI learn and utilize some type of keyring software.

A keyring requires a password to unlock, the benefit being that one can use a single password to unlock a large number of passwords. One could utilize a single keyring on their device if needed.

REDCap in R

The R package `redcapAPI` has keyring management built in via the function `unlockREDCap`.

library(redcapAPI)
options(keyring_backend=keyring::backend_file) # Put in .Rprofile
unlockREDCap(c(rcon = '<MY PROJECT NAME>'),
  keyring = 'API_KEYs',
  envir = globalenv(),
  url = 'https://<REDCAP_URL>/api/')

This will automatically walk the user through storing REDCap API Keys in a keyring. See the documentation of unlockREDCap for more details.

R keyring

The R package `keyring` provides the necessary tools for manipulating keyrings. Here is some example usage for the AllOfUs project:

Set R to always use a local file by putting this in .Rprofile:

options(keyring_backend=keyring::backend_file) 

Create a keyring to use at the R console, with a new password to save for PDR Access in the AllOfUs keyring:

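library(keyring)
keyring_create("AllOfUs")  # prompts for the new keyring password
# Arguments: service, username, password, keyring
key_set_with_value("AllOfUs", "PDR", password="<PASSWORDHERE>", keyring="AllOfUs")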

In the report code, this is the automated snippet to pull the password:

library(DBI)
library(keyring)

# Prompt for the keyring password only if the keyring is still locked
if(keyring_is_locked("AllOfUs"))
  keyring_unlock("AllOfUs", getPass::getPass())
con <- dbConnect(RPostgres::Postgres(),
  dbname="drc",
  host="localhost", port=7000,
  user="<your userid>",
  password=keyring::key_get('AllOfUs', 'PDR', "AllOfUs"))

Other languages

Python: https://pypi.org/project/keyring/

Ruby: https://github.com/fcheung/keychain

VUMC pages

VUMC Enterprise Cybersecurity - Home
VUMC Enterprise Cybersecurity - Information Protection
Topic revision: r5 - 31 Jan 2024, DalePlummer