Web-Based Research:
Issues to Consider When Writing a Human Subjects Application

The following are questions that reviewing committees frequently ask investigators who propose to conduct web-based research with human subjects, especially when that research involves information that should be kept confidential.

It may well be that not all questions are relevant to every research project, and that other, unlisted questions are relevant to some projects. For example, research that involves storing protected health information on web servers is subject to special regulations under HIPAA.

However, reviewing this list while preparing an application for such research, and addressing the relevant questions in the application, will significantly assist in the review process.

  1. Who has physical access to the secure server?

    For example, is it in a locked room? Who has a key to the room?

  2. Do you back up the data on the server to a second computer? To alternate media?

    If so, where is that computer? Where are the backup media stored? Who has access to it or them?

  3. Do the data need to be shared?

    If so, why? Could the data be stored on a single machine that is not connected to the internet? If not, why not?

  4. System Administrators who maintain the server will also have access to the data.

    What human subjects training have they had? What written assurances of confidentiality have they given?

  5. Does the server have other uses, besides the storage of study data specified in your application?

    It is important to be aware of all the other services that this particular server provides in order to better assess the risk of a remote compromise. In other words, the more services the server leaves open, the more vulnerable it is to remote intrusion.

  6. What platform is the server running? Windows? Linux? Please explain.

  7. What measures have been taken to secure the server from remote attacks?

    For example, how many layers of security exist? Is the server behind a firewall, either logical (software) or physical? Is it kept up to date with security patches? How strict is the password policy that is enforced? Is any security logging enabled? What other measures have been taken to secure any services that are running on the server? Have any threat assessments been done on the server to establish known vulnerabilities, and have those vulnerabilities been tested to see how the server will hold up in a remote attack?

  8. How secure are the desktop computers that access the server?

    Where are they located? Are they kept up to date with security patches? Who has access to these computers? Most importantly, do you know who actually uses every computer that accesses the server? If it is a single individual and they are away from their desk, can someone else with physical access to their computer gain access to the files, or do the users log out of either the server or their computer when they leave their desk? Please explain.