
Certifying and Securing a Trusted Environment for Health Informatics Research Data

Presentation from the Jisc security conference 2016

www.jisc.ac.uk


  1. Certifying and Securing a Trusted Environment for Health Informatics Research data Dr Jonathan Monk, Director of IT, University of Dundee 1/11/2016
  2. Health Informatics Centre dundee.ac.uk/hic Dr Jonathan Monk Director of IT University of Dundee Certifying and Securing a Trusted Environment for Health Informatics Research data
  3. 1) Overview of Health Informatics; 2) Research Data Management Platform; 3) Safe Haven Architecture; 4) ISO27001 Certification
  4. Overview of Health Informatics
  5. Geographic - Tayside And Fife Population of Scotland Time Period 1972 - 2016 Electronic Medical Data Coverage
  6. Parents Conception Birth Early Life Childhood Adulthood Late Life Death Research Datasets • GoDARTS Diabetes – 18K - Case/Controls • TASC FORCE – 5000 - MRA Volunteers • POPADAD – 1200 - Diabetes with no CVD • TRACE RA – 3200 - Rheumatoid Arthritis/UK Pre-consented Cohorts • SHARE – 100+K • Generation Scotland – 20K SMR02 Maternity & Neonate Walker 48,00 Births (1952-1966) Health Care Data • Primary Care : Community Prescribing • Secondary Care : Out Patient Visits, Hospital Admissions, Accident & Emergency, Cancer Register, Psychiatric Episodes. • Diagnostics : Radiology Events, Cardiology & Vascular Labs, Bowel Screening • Laboratory - Biochemistry, Haematology, Immunology, Microbiology, Virology • Diabetes Surveillance - BP, BMI, Smoking, Alcohol, Amputations, Ulcers • Diabetic Retinal Images – DRS Retinopathy Image Library (Go DARTS Population) Disease Registers • TARDIS Respiratory Disease • SDCRN – Scottish Dementia Network • SCI Diabetes • Epilepsy Child Health Pre-School/School SIRS/CHSP Register Of Deaths Data For Linkage Existing Research Studies Phenotypic Data Available
  7. Data Linkage Through Family Generations 2004 - Community Prescribing (Dispensed) 2016 1986 - Acute Hospital Admission Tayside 1975 - Births and Neonatal Record 1986 - Laboratory (Biochemistry, Haematology, Immunology, Microbiology) 1994 - Radiology Records 1952 Walker Dataset 1952 – 66 48,000 Dundee Births Babies Mothers Fathers 1980 – Cancer Register 1990 – Diabetes Records Cohort participants episodes recorded in dataset
  9. Controls • Ratio : 3:1 • Match on Age, Sex, SIMD Feasibility Searches Inclusion: • Health Board : Tayside • Status : Alive • Conditions : Type 2 Diabetes • Age: >= 65 • Prescribed : Insulin > 2yrs Exclude: • Prescribed: Statins Researcher Supplies Search Criteria Matches 570K 450K 120K 70K 9210
  11. Demography GRO ECHO There was a 22% overall reduction in all cause mortality with β blocker use Prescribing TARDIS Biochemistry Microbiology Haematology Case Study # 1 - β blockers: Their Effect in Managing Chronic Obstructive Pulmonary Disease (COPD) Setting Tayside, Scotland (2001–2010) Population 5977 patients aged >50 years with a diagnosis of COPD. BMJ. 2011; 342: d2549. 10.1136/bmj.d2549 P.M Short, S.I.W Lipworth, D.H.J Elder, S. Schembri, B.J. Lipworth.
  12. Hospital admissions GRO More than 400 lives are being lost each year because breast cancer patients fail to take the full course of the drug Tamoxifen due to "intolerable" side-effects Prescribing Br J Cancer. 2008 December 2; 99(11): 1763–1768. 10.1038/sj.bjc.6604758 McCowan, J Shearer, P T Donnan, J A Dewar, M Crilly, A M Thompson and T P Fahey Researcher Supplied Cohort Cancer patients from a Ninewells clinic Case Study #2: Tamoxifen adherence: Relationship to Mortality in Women with Breast Cancer
  13. Research Data Management Platform (RDMP) ‘Optimizing and Augmenting the Research Data Supply Chain’ Labs SMR01 Prescribing Raw Data Data Import Databases Custom Extractions & Export Formats RDMP Labs SMR01 Prescribing Raw Data Data Import Structured Database Extraction + Export Data Load Engine Research Data Warehouse Validate Clean Catalogue Quality Checks Project X Data Marts Validate Clean Catalogue Quality Checks Project Y Data Marts Validate Clean Catalogue Quality Checks Data Extraction Engine
  14. Data Set 1 Data Set 6 Data Set 2 Data Set 3 Data Set 4 Data Set 5 Data Set 1 Pseudo-CHI Data Set 2 Pseudo-CHI Data Set 6 Pseudo-CHI Data Set 3 Pseudo-CHI Data Set 4 Pseudo-CHI Data Set 5 Pseudo-CHI CHI and All Identifiable Data Data Set 1 Project-CHI Data Set 4 Project-CHI NHS Network University Network Data Repository Function of Safe Haven Analytic Platform of Safe Haven Virtual Environment – no data leaves
  15. • Extraction takes minutes • Data released is standardised – the same regardless of Data Analyst that completes the work • A history is recorded of all changes to data over time • Data released now will be in the same format as in 5 years from now • Metadata has been added • Methods for transforming and validations have been added across all data sets • Tools to manage and explore the data are available to Data Management team and researchers • Audit and Logging all automated • Major work towards integration of image and genomic data
  17. • Standard restrictive VDI solution • VMware View / Horizon
  18. • AppVolumes used for Applications • Bring Your Own License • Lots of Application Variations!
  19. What is ISO27001? • There are many types of ISO Certification. • We have 27001:2013 – Certificate Number: 2016/2269 • ISO 27001:2013 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
  20. Why ISO27001 certification? • Independent set of standards – so rather than constantly having to think what documents and processes we should have in place and reinventing the wheel, ISO gives us this! • Gives confidence to other organisations we work with e.g. NHS, main University. • Reduces other documentation requirements for governance, as we can just reference ISO documentation. • Improves the working practices of HIC. This has been particularly the case with our hardware infrastructure. • Key towards Scottish Government Safe Haven Accreditation.
  21. Scottish Government Safe Haven Accreditation • 27001 standard controls PLUS some additional ones specific to Safe Havens. • Reviewed by Scottish Government eHealth. • Documentation Required: • Risk Assessment Doc • Mapping of Controls
  23. Scope “The provision of data to researchers via safe haven environment, secure patient recruitment, data collection using software tools, data entry, the development and operation of web based applications and all assets underpinning the provision of those services from the locations of HIC premises at Ninewells Hospital and data centres within the University of Dundee Campus”
  24. ISMS Controls Status with Statement of Applicability and Gaps
  25. ISO Controls – Made up of HIC specific ones and University/NHS general controls University of Dundee Security Policies University of Dundee HR Policies and Procedures (and NHS where appropriate as we have honorary contracts) HIC HR Procedures/Training/Policies HIC Security Policies A7: Human Resource Security A5: Information Security Policies A6: Organisation of Information security University of Dundee Security Policies HIC Security Policies, SOPs, Procedures, Work Instructions and Service Descriptions
  26. Document Types and Review Static & Formally Approved: HIC Exec & HIC Information Governance Committee • Policies • Standard Operating Procedures (SOPs) • Risk Management Doc • Information Security Management System (ISMS) Manual • Business Continuity Plan Just HIC Exec • Procedures Working Documents (technical): Relevant Technical Manager • Service Descriptions • Work Instructions • Asset and Responsibility Matrix • Disaster Recovery Plans • Infrastructure Diagrams
  27. Structure of Docs in Box Become aware of an improvement of our current procedure Take a copy of Procedure from “Live” folder and move to “Under Development”. Draft change using tracked changes. Ask Technical Manager to review. Technical Manager moves the doc they have approved to “Awaiting Approval Folder” and asks for it to be included in HIC Exec Meeting Agenda for review. If approved at HIC Exec either formally approved or sent to HIC Information Governance Committee for additional formal approval (if document type requires) Approved doc is moved to “Live” folder by HIC Admin Procedure Changes
  28. Infrastructure comprised UoD, HIC & NHS University of Dundee Network NHS Network HIC Managed Hardware HIC Managed Hypervisor Cluster HIC Managed Operating Systems HIC Managed Applications UoD Hardware UoD Hypervisor UoD OS UoD Applications HIC and UoD use identical platform technology and share locations Hardware & responsibility for management varies depending on specificity University of Dundee Data Centres NHS Locations
  29. Timelines • Help from University’s Information Security Officer (Graham McKay) to get us up to the required standard. • Passed our Stage 1 audit of our documentation in June 2015. • Passed our Stage 2 audit of our systems (do we do what we say we do in our documentation) in Jan 2016. • Passed second Stage 2 audit July 2016 • Now have full audits every 6 months for the next 3 years!
  30. Phil Appleby, Jim Galloway, Chris Hall, Duncan Heather, Emily Jefferson, Claire Jones, Gordon McAllister, Keith Milburn, Leandro Tramma, Donald Scobbie, Thomas Nind, Guney Hanedan, Graham McKay. Many thanks to the people that did all the work!
  31. Questions?
