PCAP Data Security

Since 2006, PCAP has contracted with a well-known Seattle-based company for a web-based online data recording and management system to collect, manage, and share data. The products and services of this company have been implemented by 45 of the top 50 universities in the U.S., by U.S. government institutions such as the Veterans Administration and Center for Disease Control, and by some of the most recognized research institutions globally, such as The Rand Corporation. PCAP evaluation forms are created using proprietary software developed by this company and are housed on a dedicated server at their secure offsite location. The forms are accessed in the field through a HIPAA-compliant secure-access “web console” designed and customized by them for PCAP in conjunction with the PCAP evaluator.

Details:

Web Console. The HIPAA-compliant secure-access web console uses HTTPS, 128-bit encryption, and a signed SSL certificate. PCAP staff across the state can log in from any computer on a secure network using a “strong” password. All staff are thoroughly trained on the importance of protecting the security of the data. Each user has a customized view or role, so that case managers access only their caseload, supervisors access only their sites, and administrators can access all. The system administrator (PCAP Program Evaluator) can deactivate users at any time. Users are deactivated when they leave PCAP employ.

Evaluation Data Entry Forms. Data entry forms for evaluation data are created and modified using proprietary software that relies on two features for security: authentication (ID and password) and encryption. Every page the user submits to the dedicated server is encrypted and every page the server sends to the user’s browser is also encrypted. This 128-bit encryption is the same as that employed by online banking and other commercial web applications requiring the highest levels of security.

Dedicated Off-Site Server. The only way to access submitted data on the system is through the dedicated server, which uses SSL and user/password authentication. This server enforces user access restrictions, preventing unauthorized access to the data, and is backed up nightly. All access to data takes place over secure HTTPS connections using the same 128-bit encryption used in surveys. Once the encrypted data is downloaded by the PCAP Evaluator, it is kept on a password-protected computer where analysis is performed.

Throughout this process, data is never combined with personally identifiable information.