| Requirement | Security consideration |
|---|---|
| Identify who has access to the data | Identification, Authentication, and Access Methods: The actors in the study/use case need to be identified and roles established. Methods for identification and subsequent authentication should be defined. Access should be monitored, either individually or through the researcher's organization. |
| | Non-repudiation: Did the communication come from the designated person? |
| Identify who is maintaining confidentiality of the data | Data Governance: What data is being collected, what is the expected behavior (such as how many responses per day), and what are the data sharing policies and procedures across all data sources that will be correlated in the study? |
| Describe measures for protecting physical and software security of the data | Data Confidentiality and Integrity: How is the data stored and how is it encrypted? What are the de-identification rules and methods, and what is the chance of re-identification? |
| | Application Confidentiality and Integrity: Same set of questions, including evaluation of the mobile apps that may be deployed. |
| Ensure authentication and authorization are required for those who have access to medical data by providing firewalls, data encryption, and password protection | Data use and data sharing agreements, and implementation of policy around data. Have an action plan around data re-identification that includes both known and unknown (ancillary) methods. Protect the metadata that establishes relationships. |
| Contingency plan for dealing with any breach of confidentiality | Availability and service levels: Establish contractual terms with the cloud provider as embodied in the service level agreement: how long does it take to respond to a service request? How long to resolve it? |
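The "de-identification rules and methods" and "chance of re-identification" questions above are easiest to answer with a measurable check. The following is an added example, not code from the original page: it drops direct identifiers, generalizes the quasi-identifiers (ZIP prefix, age band, sex), and reports the k-anonymity of the result. With k the size of the smallest group of records sharing the same quasi-identifier values, 1/k is the upper bound on the chance that someone who knows a participant's quasi-identifiers can single out that participant's record. The records, the choice of quasi-identifiers and the reference year are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample records (not real study data). Each carries a direct
# identifier, three quasi-identifiers that together can single a person
# out, and one sensitive measurement collected by the study app.
RECORDS = [
    {"participant_id": "P001", "zip": "02139", "birth_year": 1984, "sex": "F", "steps_per_day": 8200},
    {"participant_id": "P002", "zip": "02139", "birth_year": 1981, "sex": "F", "steps_per_day": 6100},
    {"participant_id": "P003", "zip": "02138", "birth_year": 1986, "sex": "M", "steps_per_day": 9900},
    {"participant_id": "P004", "zip": "02142", "birth_year": 1990, "sex": "M", "steps_per_day": 4300},
    {"participant_id": "P005", "zip": "10001", "birth_year": 1975, "sex": "F", "steps_per_day": 7500},
    {"participant_id": "P006", "zip": "10002", "birth_year": 1978, "sex": "F", "steps_per_day": 5200},
    {"participant_id": "P007", "zip": "10003", "birth_year": 1979, "sex": "M", "steps_per_day": 8800},
    {"participant_id": "P008", "zip": "10004", "birth_year": 1970, "sex": "M", "steps_per_day": 3900},
]

# Assumed classification of the columns for this example.
DIRECT_IDENTIFIERS = ("participant_id",)
QUASI_IDENTIFIERS = ("zip", "age_band", "sex")


def age_band(age, width):
    """Generalize an exact age into a band such as '40-49'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def de_identify(records, zip_digits=3, age_width=10, ref_year=2024):
    """Drop direct identifiers and coarsen the quasi-identifiers.

    zip_digits: how many leading ZIP digits to keep.
    age_width:  width of the age band in years.
    ref_year:   assumed year in which age is computed from birth_year.
    """
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        g["zip"] = r["zip"][:zip_digits]
        g["age_band"] = age_band(ref_year - r["birth_year"], age_width)
        del g["birth_year"]          # exact birth year is itself a quasi-identifier
        out.append(g)
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Return (k, smallest equivalence class) over the given quasi-identifiers."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    key, k = min(classes.items(), key=lambda kv: kv[1])
    return k, key


def max_reidentification_probability(records, quasi=QUASI_IDENTIFIERS):
    """Upper bound on singling out one record given its quasi-identifiers."""
    k, _ = k_anonymity(records, quasi)
    return 1.0 / k


if __name__ == "__main__":
    # Raw data: every record is unique on (zip, birth_year, sex), so k == 1.
    print("raw k =", k_anonymity(RECORDS, ("zip", "birth_year", "sex"))[0])
    # Compare two generalization policies; the first still leaves a unique record.
    for zd, aw in ((3, 10), (2, 20)):
        data = de_identify(RECORDS, zip_digits=zd, age_width=aw)
        k, cls = k_anonymity(data)
        print(f"zip_digits={zd} age_width={aw}: k={k}, smallest class={cls}, "
              f"max re-id probability={max_reidentification_probability(data):.2f}")
```

The first policy (3-digit ZIP, 10-year bands) leaves two records in classes of size 1, so a release under that rule would still carry a 100% worst-case singling-out chance for those participants; the coarser policy brings every class to size 2. In practice the check is rerun against the chosen rules before each release and whenever a new data source is correlated into the study, since joining sources adds quasi-identifiers and can shrink the classes again.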