Data security with Mobile Forms
When doing field research you will often capture sensitive and identifiable information. The most common type of sensitive data is medical data. As a researcher you are responsible for protecting that data. In this guide we share with you how to collect sensitive data using mobile forms.
When doing data collection, efficiency, cost management and data integrity are of paramount importance. Researchers strive to reduce possible data errors in data collection and minimize the cost of transcribing paper data.
Mobile data collection is the use of smartphones, tablets and iPads to capture study data electronically. Mobile devices can empower a research team by eliminating the use of paper forms and enhancing the study workflow with robust data validation, branching logic and decision support.
Although mobile data collection can be a powerful instrument, it opens the door to potential security shortcomings. For example, what happens in the unfortunate event that a team member loses a device with research data or has it stolen? Can someone access that sensitive information?
Alternatively, how can we trust that as we enter data on a mobile device, it is safe from tampering?
In this article, we will answer those questions and address what security features to look for when building or choosing an available app for mobile data collection.
What is sensitive data?
When doing field and clinical studies, researchers often will need to collect, store and analyze sensitive information from their participants.
The term sensitive data is used to refer to data that reveals the identity of a study participant or subject, commercially sensitive information that if disclosed could cause economic harm to any person, data on rare or endangered species, and data that poses a threat to others or has a negative public impact.
Access to sensitive data should be safeguarded, and researchers are obliged to obtain informed consent from their participants and use best practices when gathering and storing this type of information.
Although researchers can use any mobile form app to create forms and collect information from their study participants, not every mobile app is designed to handle research data.
HIPAA compliance: What is it and when is it needed?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States law that, among other requirements, mandates the protection and confidential handling of health information. The HIPAA privacy regulation requires that health care providers, clinical researchers and their business associates develop and follow practices that ensure the protection and confidentiality of protected health information (PHI).
PHI is "any information about health status, provision of health care, or payment for health care [...] and can be linked to a specific individual" (Wikipedia). If you will be collecting PHI data you must use a system that is HIPAA compliant, like Teamscope. Additionally, ensure that you sign a Business Associate Agreement (BAA) with every party that may have access to such data, including the software company responsible for storing that information.
How to keep your data secure
The following are security features that distinguish a mobile data collection app that can be used for research purposes from a general survey tool.
1. Data encryption
When data is saved using an electronic form, it is transferred and stored in a database. This database can be hosted on a cloud server or in the case of a mobile data collection app, a smartphone or tablet may also act as a storage medium.
Data at rest vs. Data in transit
Data protection is vital at two pivotal moments: while it is communicated across the network (data in transit) and once it is stored in a database (data at rest).
Data at rest is data that is inactive and stored physically in any digital format, for example, a computer server, an external hard drive, or the memory of a mobile device.
Data in transit is data that is in movement and transmitted through the internet.
Plaintext vs. Encrypted
Regardless of whether it is at rest or in transit, data can take two forms: plaintext or encrypted. Plaintext data is at higher risk, as anyone capable of intercepting it in transit (e.g. through a man-in-the-middle attack) or with physical access to a server may be able to read and tamper with the data.
For a platform to mitigate the risk of interception, theft, or tampering of data in transit, it must communicate using robust security protocols, such as Transport Layer Security (TLS).
Mobile data collection adds a new layer of complexity to data at rest. Mobile data collection apps can store data in two locations: on a cloud server and also in the local memory of the smartphone or tablet. Since mobile devices are at sizable risk of being stolen or lost, mobile data collection apps must also encrypt the data that is at rest in the memory of the device, especially if it is sensitive data.
Teamscope encrypts data at rest in our iOS and Android apps using 256-bit AES. Data at rest on our servers is also stored encrypted using AES-256, and the keys are themselves stored encrypted in Amazon's Key Management Service (KMS) using a process called envelope encryption.
2. Audit trails
The standard functionality of a data collection application is to allow for saved data to be changed or modified. A user might need to edit data on a completed form to correct a data entry mistake or add additional information.
A secure data collection application has to be able to transparently show the complete history of data creation and changes and attribute them to a user. Researchers often refer to this functionality as an audit trail or a revision history.
An audit trail record contains details such as the date, time, the associated user, and the action that user took, for example, “edited a form”.
An audit trail helps maintain accountability across a research team and identify areas of non-compliance or possible issues in how a data collection form has been set up.
When doing mobile data collection, an audit trail is fundamental.
Teamscope automatically tracks all data creation and modifications with its audit trail feature.
3. Access management
Research is a collaborative effort; it requires teamwork from start to finish. A project team might be split up by function, level of responsibility and geographic area. Some team members will do the day-to-day work of collecting data while others only analyze it.
Teams can also be dynamic; a study manager might add new team members to speed up data collection or perhaps remove someone that has left the organization.
How do you ensure that proper access is maintained and controlled, and that someone you remove from your team can no longer access your project or study data?
This is solved by implementing an access management system.
An access management system ensures that the proper people in an organization or team have the appropriate access to a specific resource. Access management systems in a data collection platform identify, authenticate and authorize individuals whenever they wish to complete a mobile form or view previous data.
A robust access management system should be able to assign granular permissions to each user based on specific privileges, for instance, “view data” or “export”.
4. Session timeout and App Passcode
Android and iOS users can help secure their phone or tablet by setting a screen lock. Each time the device is turned on or woken up, it must be unlocked with a PIN, pattern or password.
More modern devices may even accept a biometric, such as a fingerprint scan or facial recognition.
Users can choose whether or not to enable an automatic screen lock on their mobile device. However, what happens if a device is stolen or lost and the owner had not enabled a screen lock? Then anyone can swipe to activate the device and access any stored sensitive data, including valuable research data.
It is for this reason that a mobile data collection app, similar to banking or password storage apps, must time out if the user is inactive for a short period and grant access only after entering a valid password, PIN or fingerprint again.
5. Data backups
Data backup is a process of duplicating data and saving it in another location for retrieval in case of a data loss event, natural disaster, or other kinds of emergency. A robust data collection system should have a periodic, ideally automatic, data backup procedure that ensures that data is secure and protected from loss or damage.
Additionally, a standard operating procedure (SOP) should be in place describing how backups are retrieved.
Mobile data collection is a practical way to reduce costs and collect better data in clinical and field research; however, one must be conscious of the risks that come with it.
Not every app that supports mobile form creation and data entry is suitable for capturing and storing sensitive research data. Researchers must be aware of the risks involved when storing sensitive information on a mobile device.
Teamscope is a secure and easy-to-use Mobile Data Collection app for clinical and field research.
With Teamscope, researchers can build powerful mobile forms and benefit from security-specific features such as the ones described above. In this way, they improve the quality of their research data and can rest assured that they are adhering to the highest standards.
Planning on starting a new clinical or field study soon? Schedule a live demo here.
Cover image: Axel Fassio/CIFOR (CC BY-NC-ND 2.0)
- “Dealing with sensitive data,” University of Bristol, http://bit.ly/30Aj0cJ
- Wikipedia contributors. (2020, April 24). Protected health information. In Wikipedia, The Free Encyclopedia. Retrieved 10:09, September 1, 2020, from https://en.wikipedia.org/w/index.php?title=Protected_health_information&oldid=952954752