Options for secure data storage and access

When working with restrictive or sensitive data, especially data that contains PII or PHI, it is the responsibility of everyone who can access the data to keep files within secure storage at all times. Use networked storage managed by JHU whenever feasible, particularly for collaborative access to files. JHU Information Technology provides resources to meet most storage needs, even for collaborations with those outside JHU. IRB, the JHM Data Trust Council, and other compliance policies strongly prefer particular JHU-managed network platforms for sensitive data with PII/PHI, and all clinical and health data derived from JHM sources, and require evaluation and certification of any networked access outside of JHU domains. Similar levels of security are a best practice for any data from human subjects or other restricted access.

REDCap

http://redcap.jhu.edu/

REDCap is a mature, secure web application for building and managing online surveys and databases.

• Design your own survey electronically
• Share data securely with research staff and external collaborators
• Built in tools for viewing EPIC data, and limited de-identification

Basic level free for JHU/JHMI users. (See site for Bronze and Gold levels)

Introductory videos: https://projectredcap.org/resources/videos/

Contact redcap@jhu.edu for more details

OneDrive

Overview and access info at JH@IT's Office 365 Communications Hub 

OneDrive is part of JHU's licensed services with Microsoft 365. All users with a JHED account are provided with 5TB of storage. OneDrive is particularly useful as a collaborative storage space, for managing shared access to files and folders, and collaborative access to MS Office documents.

According to IT@JH, OneDrive meets all HIPAA and FERPA compliance standards for secure file sharing and storage, provided that any shared access to files is managed properly. It is possible to set any file or folder for open public access outside the JHU, violating protections of files containing sensitive or human subjects information. Similarly, folders with PII/PHI could be accidently set to allow access to anyone with a JHU account, rather than only to approved collaborators listed on a study IRB form.

Therefore, if using OneDrive for collaborative access to sensitive files:

• Consider first whether SAFE Desktop if a feasible option.
• Consider encrypting the files separately, with password protection within files when possible (e.g. for Excel worksheets) or software that encrypts folders and directories.
• Follow instructions for Configuring OneDrive for Secure Sharing (IT@JH) and contact your IT representative for assistance if necessary. Limit who has access to those folders and assign someone to be responsible for monitoring and administering access settings.

Microsoft Teams is another option for secure collaborative storage within the Office 365 service suite. It includes additional tools for collaboration, communication, and limited project management. Research teams and departments can request Team spaces, which will help maintain file access to approved participants. Like OneDrive, however, files and folders can be accidently set for more broad public access and must be managed carefully.

Overview and access info at JH@IT: https://livejohnshopkins.sharepoint.com/sites/Office365Hub/SitePages/Teams.aspx

Dropbox and other non-JHU cloud servers: Not approved for PHI/PII.

Generally, commercial Dropbox accounts and other third-party cloud services are not recommended for collaborative research, especially involving human subjects. JHU domain services are the preferable and free alternatives for both internal and external collaborations. Using external services may require review and approval by IRB, JHM Data Trust Council and IT@JH. [See Data Trust section for details.]

See also Johns Hopkins Institutionally Approved Data Sharing Mechanisms For Protected Health Information