Research Security

The Research Compliance team in the Office of Research Integrity and Compliance (ORIC) collaborates with the Quantitative Science pillar and Hospital Information Management to execute a Research Security program. Research security is a broad term that refers primarily to national security and institutional considerations surrounding research involving certain types of sensitive data, intellectual property, conflicts of interest and commitment, and other risks.

The research setting poses unique information security risks and challenges, including regulatory and contractual constraints that require additional policy provisions and protective measures. The Children’s Hospital of Chicago Medical Center (the “Medical Center”), doing business as Ann & Robert H. Lurie Children’s Hospital of Chicago, is committed to protecting our researchers and the information that is critical to research and patient care, as well as our business operations, and the communities we serve, including faculty, staff members, and the public.

Below are the components of the Medical Center’s Research Security Program. Please contact Research Compliance with any questions.

Data security refers to the protection of data from unauthorized access, use, change, disclosure, and destruction, and includes network security, physical security, and file security. To protect research data appropriately and effectively, you must be able to identify the appropriate data classification, which defines all necessary security control requirements for protecting research data.

The Medical Center has classified information into five sensitivity levels based on the information’s risk, value, and sensitivity. Treat and manage data appropriately in accordance with the Medical Center’s Classification and Handling of Information Policy.

Please note, while ensuring the security of any research data is important, it is especially important when working with human subjects’ data. Protecting data collected from human subjects is critical, and the stewardship of such data is guided both by regulatory and ethical principles. 

Researcher Responsibilities

Data security and classification is everyone’s responsibility, but Principal Investigators (PIs) are particularly responsible for their data management. For postdocs and others, when in doubt about data security, please consult with your PI. 

For some general tips on data management:

  • Understand Lurie Children’s data classifications and classify your data appropriately.
  • Do not divulge, copy, release, sell, alter, or destroy information unless in conformance with applicable standards or requirements.
  • Contact the Office of General Counsel prior to disclosure for any legal purposes.
  • Contact Research Compliance prior to contact or disclosures related to research to regulatory agencies, inspectors, examiners, and/or auditors.

To streamline the collection and evaluation of electronic information system attestations, questionnaires, and surveys, specifically those addressing the requirements for electronic information systems used in research, our office, in conjunction with Information Security, Information Management, and the Quantitative Science pillar, is here to assist our research community.

View the intake and review process page to ensure your submissions of research data security questionnaires are handled efficiently and effectively.

All Medical Center personnel have an obligation to properly manage, store, and protect research data, materials, and intellectual property and information incorporated therein. Researchers must be especially mindful of where their data is stored, who has access to it, and who is authorized to use it. There are many considerations to take into account whenever requesting new software solutions for research, such as cybersecurity infrastructure, compliance with federal regulations, and legal terms and conditions.

Our Research Compliance team is here to assist when new software platforms are requested for research. We will work with you and relevant organizational stakeholders (e.g., Quantitative Science, Contracting Services, Information Management, Information Security) to coordinate the review, approval, and deployment of your software solution.

Please visit the intake and review process page to ensure your requests for new research software solutions are handled efficiently and effectively. 

Under the final NIH Policy for Data Management and Sharing (DMS Policy), NIH requires the submission of a Data Management and Sharing Plan (DMSP) with funding applications that generate scientific data, outlining the plan for managing, preserving, and sharing project data. Moreover, recipients of awarded applications must comply with the DMS Plan as approved by the funding NIH Institute, Center, or Office (ICO) as a term and condition of the award.

View the Data Management Service Plans page for details on resources and revisions.

A Data Use Agreement (DUA) is a written agreement governing the terms and conditions upon which the Medical Center will permit transfer of institutional data to, or receive information from, an external party. In any instance where Lurie Children’s patient or other data is shared with an external party, there must be authorization (whether from patient, statute, or legal) to share, or an agreement covering that transfer. Additionally, if you are using data that have been collected from another source, it’s important that you know from the beginning if there are any restrictions on how you can use and share the data.

Visit the Data Use Agreement page to learn more or initiate a DUA.

When sharing information with colleagues at other institutions (e.g., Shirley Ryan, Northwestern University) or with any other external party, it is crucial to ensure that your files are transmitted securely. The Medical Center provides several secure methods for sending emails (suitable for text or small files) and sharing large files containing sensitive information.

Visit the General File Sharing Guidance page.

The CHIPS and Science Act of 2022 prohibits federal employees, contractors, and awardees from participating in Malign Foreign Talent Recruitment Programs (MFTRPs). While most talent recruitment programs are upstanding and promote a healthy exchange of culture and knowledge, some are part of a broader whole-of-government strategy to surreptitiously obtain U.S. technologies. These programs are considered malign and are generally one-sided, as well as contradictory to the Medical Center’s values.

Review the Malign Foreign Talent Recruitment Program page for information on identifying MFTRPs.

As a Lurie Children’s investigator or staff member involved in the conduct of research, you may be required or requested to take compliance training for various reasons (e.g., federal requirements) and on a variety of topics, such as:

  • Cybersecurity (e.g., best practices in data protection, incident responses)
  • Research Security (e.g., international collaboration risks, disclosure practices)
  • Foreign Travel Security (e.g., vulnerability awareness, device risks)
  • Export Controls (e.g., working with export-controlled technology, items)

Local Training Resources

Our Research Compliance team is dedicated to supporting your training needs. You can request specific training resources directly from our office. We offer tailored sessions to address various compliance topics, ensuring you have the knowledge and tools necessary for your research activities. Training may be requested directly from ORIC's Research Compliance team.

On-Demand Training Modules

For convenient, self-paced learning, we recommend exploring the National Science Foundation (NSF) Research Security training modules. These modules are available on-demand and free of charge, covering a wide range of topics crucial for maintaining research integrity and security. Access these resources anytime to enhance your understanding and compliance with federal guidelines.

If you have any questions or need further assistance, please don’t hesitate to contact our Research Compliance team to stay informed and compliant with federal guidelines.