Talk to the Veterans Crisis Line now
U.S. flag
An official website of the United States government

Health Services Research & Development

Veterans Crisis Line Badge
Go to the ORD website
Go to the QUERI website

2008 HSR&D National Meeting Abstract

Printable View

National Meeting 2008

1082 — A Data Security Framework for Research Study Databases Using Metadata

Obrosky DS (Center for Health Equity Research and Promotion (CHERP),VA Pittsburgh Healthcare System), Burkitt KH (CHERP, VA Pittsburgh HCS), Zickmund S (CHERP, VA Pittsburgh HCS)

Objectives:
Recent changes in VA data security require careful scrutiny of all research study standards and practices. An essential first level of protection is the database itself. Our objective is to present methods for standardizing the definition and automatic application of security to a database.

Methods:
We describe the design and implementation of a data security framework for a study’s database management system. Information (“metadata”) describing user, role, and group access to specific database “objects” (e.g., tables, views, and stored procedures) are maintained in a data dictionary. Utility programs use these metadata to apply, log, and report permissions.

Results:
Databases for research studies are often accessed by a variety of users with differing roles and training. To ideally meet the needs of these users, different types of application front-ends are needed, such as front-ends with data entry, viewing, or reporting functions, or statistical analysis programs. While a useful supplement, defining and synchronizing data security from these front-ends is difficult and not fully sufficient. The primary level of data security must still be at the database and database object level. In our system being developed for the HSR&D-funded PATHS Study at the VA Pittsburgh Healthcare System, we are able to ensure database security with the following steps: (1) As database objects are created, records are programmatically inserted into metadata tables indicating that initial access to these newly created objects should be disallowed. Utility procedures apply these permissions to the objects. (2) Specific user, role, and group permissions are then defined only via these metadata. (3) Any permission changes are automatically logged, giving the ability to report on user, role, and group access levels and the time periods of access. Thus, when used in conjunction with logging of stored procedures execution and data entry/modifications, a complete history of a user’s access, entry, and modification to specific data columns and rows can be maintained and reported upon.

Implications:
Standardization and automation in defining, applying, logging, and reporting on database object security facilitates necessary VA data security efforts.

Impacts:
The use of a common data security framework for one or more research studies will greatly facilitate research data security.


Questions about the HSR&D website? Email the Web Team.

Any health information on this website is strictly for informational purposes and is not intended as medical advice. It should not be used to diagnose or treat any condition.