Cyber security will be this decade's key issue
Who is the responsible party?
Cybercrime and data exposure pose a relatively new risk to research participants. IRBs have been addressing this threat in recent years, but they haven't given as much thought to their own responsibility and risk from wireless technology, an expert says.
"Sixty-five percent of people who use information online will have a cyber-attack in their lifetime," says Eric Allen, CIP, director of research compliance at the University of North Carolina Greensboro.
"It's easier to target data floating around on the Internet," he says. "Even when something is considered anonymous, there are small risks that will build up for individuals over time."
IRB offices need to be aware that any electronic exchange of data poses security risks. While all research institutions install firewalls in their electronic systems, these are not airtight, particularly if they are not regularly updated, he notes.
"If you are sharing data online, are you informing the people you communicate with that you are working in a virtual environment and they need to be sensitive to privacy and confidentiality?" Allen says.
Also, IRBs should be concerned about what happens with data after it's archived and inactive.
"How long do you keep it? How long do people have access to your data?" Allen asks. "When they leave, do they take the data with them?"
In this era of instant connectivity to large communities and populations, IRBs and research institutions also face immediate and widespread risk and exposure from mistakes.
"If you make an ethical mistake in research now, it is no longer confined to a few people in the neighborhood," Allen says. "You could have the whole state, the whole nation knowing what happened in a few minutes."
IRBs sometimes find that middle-aged researchers are unaware of the potential harm of some of their online activities. For instance, there was a situation where a researcher wanted to post pictures of participants who were minors on a Facebook page, Allen explains.
The researcher didn't consider the consequences, such as cyber bullying, he adds.
Although the photos were going to be listed anonymously and in a positive context, this exposure posed much greater risk in the Internet environment than it would have on a paper brochure.
"They thought they could post these pictures on Facebook and no one would know who they were," Allen says. "They had done this with brochures, but when you do this in a virtual realm it's different."
IRBs need to stay aware of these types of risks and educate investigators about them.
Allen often speaks with other IRB and research leaders at conferences about cyber age risks in research.
"When many of the research rules were written in the 1980s, cybercrime wasn't a big deal," he says.
In this decade, cybercrime has become a big business with organized crime and professional hackers involved, he adds.
"There are people who are paid $30,000 a month to hack into a particular large organization," he says. "The bigger the unit the more credibility they get and the more products — like worms and viruses — they can sell."
Research institutions are not immune to this mischief. In one recent case, a research institution had a large database without updated security measures. The university said it was the investigator's responsibility to make the data fully secure. The investigator countered that it was the university's responsibility, Allen recalls.
When a breach happened and a hacker obtained a few hundred thousand Social Security numbers, exposing breast cancer research study participants to risk, the university had to spend a lot of money on informing people of the breach, he adds.
IRBs can help reduce this risk by asking investigators for details about their data security measures. Allen suggests they start with these questions:
- What kind of data do you need to do the project — not just what is convenient, but what do you really need?
- How long do you need to keep data for the study's analysis? Think more in terms of weeks and months rather than years.
- How will you transfer data? "Don't just e-mail it; that's not the most secure way to send information," Allen says.
- Have you scheduled audits to make sure information is secure and that your security measures meet current standards?
- Will you update your security measures regularly?
- Are you taking simple security steps, such as turning off your computer when it's not in use?
"The cybercrime technology grows faster than the technology we use to catch it, so you have to make your computer not as accessible and develop a long and complicated password," Allen says.