What to know
Data security is the process of making sure data are available only to those who need to use it for a legitimate purpose. Controlling access to data helps ensure privacy and is required by various federal agency policies and regulations.
The value of cancer registry data
Cancer registry data contain personally identifying information (PII) that can be used for illegal purposes, such as identity theft. Full names, addresses, telephone numbers, Social Security numbers, birthdates, and other personal information can allow criminals to get credit and buy goods and services fraudulently.
A person's medical history can be used to get prescription medication fraudulently or to embarrass or blackmail the person. Health care providers can also use this information to analyze market share and perform studies on costs, charges, and clinical services, giving the provider a competitive advantage in the market.
How data can be compromised
Lax data security can allow hackers to get unauthorized access to data online. But identity thieves often get data through more low-tech means—for example, by stealing laptops or storage media (like USB flash drives) and rummaging through garbage for printed copies or discarded equipment.
Employees with access to sensitive data pose a security risk. If they discard old hardware without ensuring that data are erased, PII can end up in the hands of the public. Employees, particularly disgruntled and ex-employees, also may provide data to unauthorized people on purpose to cause harm.
How to protect data
The foundation for data security is a security document that spells out the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data. This document includes an assessment of the risks to your registry’s data, policies for mitigating those risks, and procedures for handling a security breach.
Guidelines for cancer registries
CDC's National Program of Cancer Registries requires registries to follow the data security policies and procedures outlined below.
NAACCR
The North American Association of Central Cancer Registries (NAACCR) provides structural requirements, process standards, and outcome measures for access to source data and completeness of reporting, data quality, data analysis and reporting, and data management. NAACCR's Standards for Completeness, Quality, Analysis, Management, Security, and Confidentiality of Data discusses reporting, data quality, data analysis and reporting, and data management.
NAACCR holds its member registries responsible for guarding data from unauthorized access and release. Each central cancer registry's director has the ultimate responsibility for data security at the registry.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provision provides standards for the protection and privacy of customer health data.
HHS
The US Department of Health and Human Services (HHS) provides guidance on technologies and methods to protect data. The department's Security Rule Guidance Material web page provides HIPAA security guidance and other sources of standards for safeguarding electronic protected health information (e-PHI).
Technical support
All NPCR registries must develop data security policies that are specific to the needs of the registry. These policies should also meet the requirements of any organization in which the registry operates, such as a university, public health department, or hospital.
All NPCR registries must develop and maintain expertise in addressing data security issues among their own staff. Other registries should contract, hire, or independently develop the capability to understand and maintain data security.
CDC will provide support to help NPCR registries address data security issues by telephone and email. CDC is not staffed to provide on-site services, nor can we support hospitals, clinics, laboratories, or other private users. For technical support by email, contact cancerinformatics@cdc.gov.