Frequently Asked Questions About Data Security

What to know

This page answers common questions about protecting cancer registry data.

Policies and standards

What are NPCR's data security standards?

Registries funded by CDC's National Program of Cancer Registries (NPCR) are subject to the following policies and procedures:

Will NPCR provide funds to the registries to implement encryption?

NPCR registries may use funds to enhance data security or facilitate data reporting. A detailed justification and cost breakdown should be included in the annual budget. CDC will provide NPCR registries with support to address data security issues by telephone and email.

Is sample contract language available to require contractors to follow the registry's data encryption standards?

Yes. The following language applies to all laptops and mobile devices that are owned by contractors and subcontractors and contain registry data. The contractor should comply with the registry's encryption standards before any registry data are stored on a contractor's laptop or mobile device.

  • All laptops used on behalf of the registry should be secured using a Federal Information Processing Standard (FIPS) 140-2-compliant, whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product should be tested and validated under the Cryptographic Module Validation Program.
  • All mobile devices, including non-registry laptops and portable media, that contain sensitive registry information shall be encrypted using a FIPS 140-2-compliant product.
  • A FIPS 140-2-compliant key recovery mechanism should be used so that encrypted information can be decrypted and accessed by authorized personnel. Key recovery is required by OMB Guidance to Federal Agencies on Data Availability and Encryption.
  • Encryption key management should comply with all registry policies and provide adequate protection to prevent unauthorized decryption of the information.
  • All media used to store information shall be encrypted until they are sanitized or destroyed in accordance with registry policy and procedures.

Protecting data at rest

What types of data should be encrypted?

OMB memorandum M-06-16 recommends that all federal agencies protect sensitive information and provides a security checklist to support this process. The checklist includes specific actions for protecting personally identifying information (PII) collected by third parties (including cancer registries) that use federal funds.

Should only the database containing PII be encrypted, or is the entire disk required to be encrypted?

All PII should be stored in a partition on the hard drive that is encrypted with FIPS 140-2-validated software and capable of key recovery. A copy of the encryption key(s) should be stored in multiple secure locations.

Should backups be encrypted?

Yes.

Can databases containing PII be stored unencrypted on standalone computers?

Databases stored on standalone (non-networked) computers need to have the same security as databases stored on networked computers because of the dangers of the computer being stolen, discarded, sold as surplus with the data improperly erased, used by someone without authorization, or connected to a network.

Should a database that resides within a secure domain with exclusive control to the central registry be encrypted?

A database that resides within a secure domain requires the same security as a database on an organization’s network.

Hardware

What equipment should be encrypted?

The following equipment used to process or store PII should be encrypted:

  • Laptops and tablets.
  • Desktop computers, if they are at a high risk for theft or misuse.
  • Portable electronic media.

Can PII or registry-owned sensitive information be stored on personally owned equipment?

No. Registry data should NEVER be stored on personally owned equipment.

How do I know if my computer has been encrypted?

You can contact the registry’s IT department for help.

What is a mobile device?

Any portable or handheld computer with an operating system, including a laptop, tablet, flash drive, USB key, or portable hard drive.

What are portable electronic media?

Portable electronic media include floppy disks, compact discs (CDs), digital versatile discs (DVDs), tapes, secure digital (SD) cards, and compact flash (CF) cards.

What should be done for platforms and operating systems that are not supported by FIPS 140-2-certified encryption?

All laptops and tablets should be encrypted. Whenever possible, platforms should be changed to one supported by a FIPS 140-2-certified, whole-disk encryption package. If the platform cannot be changed, the laptop or tablet should be secured with compensating controls and validated by NIST.

Software is available that can encrypt individual files. Each registry must determine which encryption products are supported.

If my laptop is not encrypted, what should I do to safeguard the data?

If a laptop does not have a FIPS 140-2-certified whole-disk encryption solution, it should not be used to store PII or sensitive information.

  • All PII stored on nonencrypted laptops should be removed and stored on either a managed server or a FIPS 140-2-certified storage device.
  • Approved FIPS 140-2 encryption software is available on the National Institute of Standards and Technology (NIST) website.
  • Each registry should determine which encryption products will be supported.

How should I remove PII or sensitive information?

Simply deleting a file is not sufficient. Use disk sanitization software. Each registry must determine which disk sanitization products are supported.

Does a nonportable laptop or tablet that is connected to a scientific device need to be encrypted?

If a laptop or tablet is connected to a scientific device and meets specific registry security policy criteria, it may be eligible for a waiver from the registry or supporting organization. These criteria include, but are not limited to, compensating controls, such as being physically secured and labeled appropriately. A detailed explanation of why the laptop cannot function with encryption software must be included. All waiver requests should be sent to the registry’s security steward. See the next question for more information.

What is the potential waiver process for exempting a laptop or tablet from using encryption software?

Fill out and sign the laptop encryption waiver form. The waiver must be approved by the registry's security steward.

  • Describe why implementing the encryption requirement is not feasible or technically possible while supporting the registry's scientific mission or business function.
  • Confirm that the laptop or tablet does not, and will not, access or store PII or other sensitive data. If it does store PII or other sensitive data, additional compensating controls may be required.
  • Describe the technical, operational, and management security controls that will offset the risk of not implementing the encryption requirement. For example, the device is not portable and is attached securely to an instrument or bench with a cable lock.
  • List the device's location, serial number, and registry decal number.

Encryption software

Are the data in databases used by Registry Plus applications encrypted?

No.

What encryption solutions comply with FIPS 140-2?

See the Cryptographic Module Validation Program.

Does NPCR recommend or require specific encryption software?

NPCR is not permitted to recommend specific software. See the Cryptographic Module Validation Program for FIPS 140-2-compliant encryption solutions. Acquisition agreements in the US General Services Administration's blanket purchase agreements can help registries get certified software solutions.

Can Microsoft® BitLocker® be used to encrypt laptops running the Microsoft operating system?

Yes. Microsoft BitLocker is FIPS 140-2 certified and can be used in FIPS mode on the Microsoft operating system. Each registry must determine which encryption products will be supported.
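The following script is an added example, not part of the NPCR FAQ, for registry IT staff who want to verify the points raised above ("How do I know if my computer has been encrypted?" and the BitLocker question): it checks that the Windows FIPS algorithm policy is on, that each required volume is fully encrypted with protection active, and that a key recovery protector exists. It assumes the built-in BitLocker PowerShell module is available and is run from an elevated session; the function name and the default drive list are this example's own choices.

```powershell
# Added example (not from the NPCR page): check a Windows system against the
# registry's stated requirements - whole-disk BitLocker, FIPS mode on, and a
# key recovery mechanism present. Run from an elevated PowerShell session.
# Assumes the built-in BitLocker module (Get-BitLockerVolume) is available.

function Test-RegistryEncryptionBaseline {
    [CmdletBinding()]
    param(
        # Drive letters that must be fully encrypted; default (an assumption) is the OS drive.
        [string[]] $RequiredDrives = @($env:SystemDrive)
    )

    $findings = @()

    # 1. FIPS mode: BitLocker only uses FIPS-approved algorithms and recovery
    #    behaviour when the system-wide FIPS policy is enabled.
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($fips -ne 1) {
        $findings += "FIPS algorithm policy is not enabled ($fipsKey\Enabled = '$fips')."
    }

    # 2. Every required volume must be fully encrypted with protection turned on.
    foreach ($drive in $RequiredDrives) {
        $vol = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
        if (-not $vol) { $findings += "$drive : no BitLocker volume information."; continue }

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$drive : VolumeStatus is $($vol.VolumeStatus), expected FullyEncrypted."
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$drive : ProtectionStatus is $($vol.ProtectionStatus) (encryption suspended or key exposed)."
        }

        # 3. Key recovery: the FAQ requires a recovery mechanism so authorized
        #    personnel can still decrypt the data; a RecoveryPassword protector provides it.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        if ($types -notcontains 'RecoveryPassword') {
            $findings += "$drive : no RecoveryPassword key protector (present: $($types -join ', '))."
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-RegistryEncryptionBaseline
if ($result.Compliant) { 'Encryption baseline met.' } else { $result.Findings }
```

A recovery password protector existing on the device does not prove the key has been escrowed; confirm separately that the recovery key is stored in the registry's approved secure locations, as the "Protecting data at rest" section requires.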

Protecting data in motion

What does "transmitting data" mean?

"Data in motion" is a common term for data that are being transmitted across a local or wireless network or the Internet. Encrypting data in motion hides information as it moves across the network between the database and the client. Encrypting data before transmission prevents:

  • Interception of confidential data as they move between the client and database.
  • Session hijacking (redirecting data).
  • Replay attacks (replaying an authentication session to fool a computer into granting access).

Standards for encrypting data in motion include Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Internet Protocol Security (IPsec).