PALMS Information Security


The PALMS system contains personal information about study participants that may be protected under various governmental and organizational privacy regulations. In the United States, these regulations include the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as well as numerous University of California policies. This section summaries procedures the PALMS staff at UCSD use to protect data on PALMS servers.

PALMS servers are hosted in a UCSD server room with limited key-card access. Console access (via a private, on-campus network or secure VPN) is limited to 3 PALMS developers and 1 system administrator. The servers are behind network firewalls. UCSD’s network security team systematically scans PALMS servers for security vulnerabilities.

The PALMS database is automatically backed up on a daily basis, currently from 5:00 to 6:30 am Pacific time. Copies of the Sunday morning backup are archived onto a hard drive located in a separate computer.

The PALMS web application is accessible via the public Internet. Communications between the user’s web browser and the PALMS server is protected by Secure Sockets Layer (SSL) encryption. A PALMS user account and password is required to login.PALMS uses the authentication services of the National Cancer Institute’s cancer Biomedical Informatics Grid (caBIG) https://cabig.nci.nih.gov. Each PALMS user is registered with and authenticated by caBIG. Upon entering a user name and password, caBIG provides an encrypted certificate which expires in a pre-specified number of hours. This certificate is passed to the PALMS server for every transaction and is the basis of the PALMS policy enforcement.

The PALMS administrator creates a caBIG user account for each PALMS user and assigns a username and password. The user is assigned to one or more roles in one or more Study Groups. Users can only access studies within their assigned Study Group. The user’s assigned roles define what the user can do within the study. The PALMS administrators are currently the only users who can add and control the PALMS user accounts.

All PALMS administrators and staff have successfully completed UCSD IRB, human-subjects research protection and HIPAA training programs. They are conscience of the personal nature of the geolocated data entrusted to them and are extremely cautious in the use of such data when supporting PALMS users and making presentations about PALMS.

Details regarding the combination of administrative, physical and technical safeguards used to protect information can be found in the document entitled “PALMS Information Security Policy". To request a copy, send an email to palms@ucsd.edu.

NOTE: Protection of data on your workstation is the responsibility of you and your organization. Click here for Information Security Guidelines for PALMS users.