BioMedIT operates a federated, multi-stakeholder infrastructure and community. In the past, security in sensitive data processing has been maintained by restricting sensitive data to silos, including those in public organizations managing personal data, such as hospitals, but also those in commercial organizations performing sensitive research. Mobilizing sensitive data for multi-center, multi-organization research projects means going beyond these silos. There is no single overriding authority to enforce security over such collaborations and federations, other than legal regulation; federated scenarios proceed instead through negotiation and mutual interest. In order to make this work, the BioMedIT community must address the challenges of federation and collaboration in both delivering and consuming services.
First, the federated nature of the situation must be recognized, and the structure of the federation mutually understood. Within the BioMedIT sites delivering services (the BioMedIT nodes and BioMedIT central) this implies a large degree of transparency in staff, policies and processes. In security, it means sharing security plans and aligning security policies, processes and, where possible, tools. With the data providers and research projects it means having clear lines of communication, clearly expressed expectations on the rules governing behavior, and clearly defined actions expected of each stakeholder.
Because BioMedIT operates in a federated manner, it is not possible to simply determine and enforce security centrally, whether in terms of organizational or technological measures. To address this, BioMedIT works in a policy-driven way. Overall policies, including security policies, are agreed by the BioMedIT sites and set out overall goals and requirements. Each site is then required to create and enforce its own local policies in order to implement the overall policy. This approach allows for cohesion in approach and outcome while permitting differences in specific and technical implementation. The overall, global policies are public, and help build trust with other stakeholders. The specific local policies are not public, but the BioMedIT sites perform internal mutual review of local policies in order to ensure they are effective and harmonized.
No system can be perfectly secure, and even a theoretically perfect system would become vulnerable over time due to technical change, changing risks and its dependence on perfect behavior. BioMedIT therefore takes a risk-based approach to the assessment of security, privacy and other risks. Risks are assessed for various aspects, including security vulnerabilities, risks in the pseudonymization of sensitive data, and risks associated with the access, storage and transfer of information assets. For information assets, risk levels are defined and assigned to all assets. The risk level then governs how an asset is handled, processed and, where appropriate, disclosed. A risk-based approach supports realistic assessment of threats and vulnerabilities, and avoids the complacency that follows from an incorrect assumption of a perfect security model. It also better acknowledges the importance of correct behavior, rather than purely technical measures, in ensuring security.
Engagement between BioMedIT sites and other stakeholders, especially data providers and research projects, is based on clear, signed agreements between organizations. These provide a legal basis for the processing of highly sensitive data, and also clarify roles and responsibilities and the policies under which work is conducted. BioMedIT only allows access to and processing of sensitive data once the agreements are signed. These agreements are generally based on templates provided by the BioMedIT community, checked with legal officers and compliant with national regulations. BioMedIT also provides legal and ethical support, which assists with the negotiation and signing of agreements and monitors their status to ensure that all transfer, storage and processing of data is permitted and covered by an agreement.
Because BioMedIT works on a policy-driven and federated basis, security is not achieved solely through technical means and limitations. A significant contribution to the security of BioMedIT comes from the personal behavior of the stakeholders and participants in the system. As a result, it is key that participants in BioMedIT are aware of the security measures and limitations of the system, and of what behavior is expected and legally required of them. To this end, BioMedIT provides basic information security awareness training on the safe use of research data and the safe use of BioMedIT. Staff from research projects and data providers must pass this training before being given access to secure systems. BioMedIT also supports the skill development of staff at BioMedIT sites, to grow the overall level of security awareness in the community.
In accordance with the principles of information security, all access to BioMedIT systems and data is controlled, and is based on the identified risk levels. For BioMedIT sites, staff are carefully screened and must undergo security awareness training. All external use, including by research projects or data providers, is based on signed legal agreements. BioMedIT confirms the organizational affiliations of individuals, and stakeholders are required to maintain and update the lists of valid users within their organizations.
Transfer of data into and out of the BioMedIT infrastructure is tightly controlled. Data may only be imported through permitted means and must be properly logged; for high-risk data such as research data, specialist transfer tools and encryption are required, and the transfer must be covered by a legal agreement. Export of data is equally controlled, and is only allowed with logging and through permitted technical mechanisms. BioMedIT provides support for pseudonymization, and research projects ensure that only aggregated results are exported for publication. Export of sensitive, high-risk data is only possible with the prior agreement of the data providers.