REDCap is provided by the Department of Clinical Surgery at the University of Edinburgh and is hosted within the University of Edinburgh virtual machine infrastructure, which is physically secured. "At rest" encryption is in place on the database server. Access control is achieved by directly administered usernames and passwords, with collaborator access limited to institution-specific data. Passwords are never stored in plain text, only as a one-way hash. Accounts are disabled after 5 failed login attempts. Users are automatically logged out after 30 minutes of inactivity. Users are forced to change their password after 90 days. Daily audit tracking of users is in place.
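The account controls listed above (one-way password hashing, lockout after 5 failed attempts, a 30-minute idle timeout and 90-day password expiry) can be modelled as a small state machine. The following is an added illustration, not REDCap's own authentication code: the PBKDF2 parameters, the `Account` structure and the scenario timestamps are assumptions, and only the policy values (5 attempts, 30 minutes, 90 days) come from the statement.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Policy values taken from the statement above.
MAX_FAILED_ATTEMPTS = 5
IDLE_TIMEOUT = timedelta(minutes=30)
PASSWORD_MAX_AGE = timedelta(days=90)

# Hashing parameters are an assumption for this example; REDCap's own scheme is not described.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only salt and digest are stored; the password cannot be recovered."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    disabled: bool = False
    last_activity: Optional[datetime] = None


def create_account(username: str, password: str, now: datetime) -> Account:
    salt, digest = hash_password(password)
    return Account(username, salt, digest, password_set_at=now)


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'disabled', 'bad_password' or 'password_expired'."""
    if acct.disabled:
        return "disabled"
    _, candidate = hash_password(password, acct.salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(candidate, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.disabled = True          # requires an administrator to re-enable
            return "disabled"
        return "bad_password"
    acct.failed_attempts = 0
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return "password_expired"         # forced change before access continues
    acct.last_activity = now
    return "ok"


def session_active(acct: Account, now: datetime) -> bool:
    """True if the session is still live; an idle gap over the limit ends it."""
    if acct.last_activity is None:
        return False
    if now - acct.last_activity > IDLE_TIMEOUT:
        acct.last_activity = None         # auto logout
        return False
    acct.last_activity = now
    return True


def run_scenario() -> list:
    """Walk through the policy with constructed times and return each outcome in order."""
    t0 = datetime(2024, 1, 1, 9, 0)      # constructed timestamp
    alice = create_account("alice", "correct horse", t0)
    events = [login(alice, "correct horse", t0)]                       # ok
    events.append(session_active(alice, t0 + timedelta(minutes=29)))   # still active
    events.append(session_active(alice, t0 + timedelta(minutes=60)))   # 31 min idle: logged out
    for _ in range(MAX_FAILED_ATTEMPTS):
        events.append(login(alice, "wrong", t0))                       # 4 x bad_password, then disabled
    events.append(login(alice, "correct horse", t0))                   # still disabled
    bob = create_account("bob", "pw", t0 - timedelta(days=91))
    events.append(login(bob, "pw", t0))                                # password_expired
    return events


if __name__ == "__main__":
    print(run_scenario())
```

The lockout counter is reset only on a successful login, and a disabled account stays disabled even when the correct password is later supplied, which is what makes the five-attempt limit meaningful against guessing.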
Data is protected by being stored in MySQL databases on a separate server. This server is behind a firewall and can only be accessed from the IP address of the web server. An SSL tunnel encrypts communication between the web and database servers. File upload between servers is secured using the WebDAV protocol over SSL. "At rest" encryption is in place on the database server (aes-xts-plain64:sha256 with 512-bit keys). Operating system security updates are installed automatically. Antivirus software runs on a schedule on the web server.
REDCap has a built-in audit trail that automatically logs all user activity and every page viewed by every user, including contextual information (e.g. the project or record being accessed). Whether the activity is entering data, exporting data, modifying a field, running a report, or adding or modifying a user, among many other activities, REDCap logs the action. The logging record can itself be viewed within a project by users who have been given privileges to view the Logging page. The Logging page allows such users to view or export the entire audit trail for that project, and to filter it by type of activity and/or by user. The built-in audit trail therefore allows administrators to determine all the activity, and all the data viewed or modified, by any given user. Audit trail data will be analysed and any problems will be raised internally to University of Edinburgh Information Services first, before contacting the Scottish National Caldicott Guardian scrutiny panel.
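The review described above (filter the trail by user and activity type, then work out what a given user viewed or modified) is shown below on a constructed audit export. This is an added example, not REDCap's Logging page or its export format: the column names, action labels, usernames and record numbers are all assumptions, as is the export-count threshold used in `frequent_exporters`.

```python
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample in the shape of a per-project audit export: one row per action
# with timestamp, user, action type and contextual detail. Not REDCap's real format.
SAMPLE_LOG = """\
timestamp,username,action,detail
2024-03-04 09:12:01,asmith,Create record,Record 101
2024-03-04 09:15:44,asmith,Update record,Record 101 (field: consent_date)
2024-03-04 10:02:10,bjones,Data export,Report: All data
2024-03-04 10:05:30,bjones,Page view,Record 207
2024-03-04 11:30:00,asmith,Data export,Report: Site data
2024-03-04 12:00:15,cwong,Manage/Design,Add user: dlee
2024-03-05 08:45:09,bjones,Data export,Report: All data
"""


def parse_log(text: str) -> List[dict]:
    """Read the export into one dict per audit row."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_log(rows: List[dict], username: Optional[str] = None,
               action: Optional[str] = None) -> List[dict]:
    """Filter as the Logging page does: by user, by activity type, or both."""
    return [r for r in rows
            if (username is None or r["username"] == username)
            and (action is None or r["action"] == action)]


def activity_by_user(rows: List[dict]) -> Dict[str, Dict[str, int]]:
    """Count of each action type per user, the starting point for a routine review."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["username"]][r["action"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def records_touched(rows: List[dict], username: str) -> List[str]:
    """Record IDs a user viewed or modified, recovered from the contextual detail column."""
    recs = set()
    for r in filter_log(rows, username=username):
        detail = r["detail"]
        if detail.startswith("Record "):
            recs.add(detail.split()[1])
    return sorted(recs)


def frequent_exporters(rows: List[dict], threshold: int = 2) -> List[str]:
    """Users whose data-export count reaches the threshold, flagged for a closer look.
    The threshold is an assumption for this example, not a documented rule."""
    exports = Counter(r["username"] for r in filter_log(rows, action="Data export"))
    return sorted(u for u, n in exports.items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(activity_by_user(rows))
    print("bjones touched:", records_touched(rows, "bjones"))
    print("review exports by:", frequent_exporters(rows))
```

Because the export carries the record in its detail column, the per-user record list can be compared against the institution that user is permitted to see, which is the check that backs the institution-specific access restriction stated earlier on this page.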
For those with intermittent data access, paper forms with matching fields will be provided, which can be printed and used. These must be held securely in line with the local hospital data security policy, and their contents uploaded to the website as soon as possible.