Page 1:

Security & Privacy aspects of OpenClinica – the CTMM-TraIT experience

Jacob Rousseau – TraIT, VU University Medical center & Marinel Cavelaars – TraIT, the Hyve

Version 0.5, 21-05-2015

Page 2:

© #OC15Europe

Content of presentation
- Introduction CTMM / TraIT
- Data-flows between applications
- Hosting & operations
- Privacy & security
- Performance

Page 3:

CTMM-TraIT
- Center for Translational Molecular Medicine (CTMM)
- Translational Research IT (TraIT)
- Public partners, private partners, patient foundations and charities
- CTMM: 2009-2015
- TraIT: October 2011 - 2016
- CTMM merges with TI Pharma as of January 1st 2016

Page 4:

TraIT partners

Page 5:

TraIT applications & work-packages


Page 6:

Statistics - OpenClinica
- Number of studies: 151
- Number of users: 900
- Number of unique sites: 157

Page 7:

OpenClinica uptake

[Chart: number of studies per quarter, 2008 Q1 to 2015 Q4 (y-axis: number of studies, 0-150). Annotations: July 2008, start of DeCoDe OpenClinica; October 2011, start of TraIT OpenClinica; "Pre TraIT-effect: multi-center VUmc studies"; "Other multi-center studies: Dutch UMCs". End point: 136 studies, 157 sites, 852 users.]

Page 8:

Number of visits per month to OpenClinica.nl

[Chart: number of visits per month since April 2014, April through March (y-axis 0-1800). Source: AWStats.]

Page 9:

TraIT: step by step guides
Web site: http://www.ctmm-trait.nl/

Page 10:

Content of presentation
- Introduction CTMM / TraIT
- Data-flows between applications
- Hosting & operations
- Privacy
- Security provisions
- Performance

Page 11:

Clinical Research data flows
All steps have to be reviewed for security.

Page 12:

OCDataImporter
Developed by Cuneyt Parlayan, VUmc, CTMM-DeCoDe
Source: https://github.com/cuneytparlayan/trait_open_clinica_upload_tool_2
Executable available via the TraIT service-desk

What does it do?
- Converts text (CSV) files to ODM, taking subjects, events, groups and repeats into account
- Automated mapping of columns to ODM items
- Creates SQL insert files to create subjects and to schedule events (not needed with the improved web services)

Page 13:

OCDataImporter

Page 14:

Link to clinical or digital pathology image
Add a 'parameterized link' in the left/right column text of the Excel-CRF:

<a href="https://www.example.com:123/ContextRoot?images=/${item['IMAGE_ID_ITEM_ID']}" target="_blank">Click here to see this subject's slides in tEPIS</a>

The link points to the image for which the review results must be entered in the CRF. It carries only the image identifier taken from the CRF item, so the image viewer (here tEPIS) must still authenticate and authorise the user itself, and the image-ID item should be restricted to URL-safe characters because its value ends up in the URL.

Page 15:

Link to digital pathology image

Page 16:

Schedule appointment: Logis
Developed by MEMIC (center for data and information management, Maastricht University Medical Center), Dirk Veldman
Date and time of visits are entered in Logis; the corresponding visit / event is scheduled in OpenClinica using web services.

Page 17:

Export to tranSMART
OpenClinica (ODM) -> ETL (CSV) -> tranSMART (i2b2)
Developed by Ward Blondé

Page 18:

Content of presentation
- Introduction CTMM / TraIT
- Data-flows between applications
- Hosting & operations
- Privacy & security
- Performance

Page 19:

Hosting
Hosting partner: Vancis
4 environments at Vancis:
- Sandbox: for study & CRF development
- Archive: for inactive studies
- Acceptance: to solve technical problems
- Production
Philips environments for technical R&D and upload testing

Page 20:

Deployment setup (at hosting provider Vancis)

Apache web server --AJP--> Tomcat application server --JDBC--> Postgres database server

Page 21:

Content of presentation
- Introduction CTMM / TraIT
- Data-flows between applications
- Hosting & operations
- Privacy & security: legislation, technical measures, process, operational
- Performance

Page 22:

Legislation
National level:
- Medical Research (Human Subjects) Act (Wet medisch-wetenschappelijk onderzoek met mensen, WMO)
- Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, WBP)
European level:
- European Data Protection Directive, Directive 95/46/EC

Page 23:

Future legislation
National level:
- Mandatory reporting of data breaches to the Dutch Data Protection Authority (amendment to the WBP: 'Meldplicht datalekken')
European level:
- General Data Protection Regulation (GDPR)
- Clear definition of the responsibilities of data processors and controllers
- Challenges: Data Protection Officer; strict administration; subject agreement (informed consent); right to be forgotten / right to erasure; substantial fines; amendments by the Committee on Civil Liberties, Justice and Home Affairs (LIBE)

Page 24:

Technical measures
- Separation of modules in different virtual machines
- Separate web module (Apache web server):
  - Separate access and performance logging
  - Automatic redirect to /OpenClinica
  - Separate location for static content of studies (e.g. images), such as https://www.openclinica.nl/static/biomarkers/arthritis_skeleton_highlighted.jpg
- Possibility of load-balancing with multiple Tomcat instances
- Caching: avoid caching of secure content on disk, using HTTP headers
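The redirect to /OpenClinica and the no-cache headers are enforced by the Apache front-end in the TraIT setup, but the deck does not show that configuration. As an added illustration (not TraIT's Apache configuration, nor OpenClinica code), the following Python WSGI middleware enforces the same two rules in front of a stand-in application: "/" is redirected to the context root, and every response outside the static-content prefix gets headers that stop browsers and proxies from writing study data to disk. The context root /OpenClinica comes from the slide; the /static/ prefix, the exact header values and the stand-in application are assumptions.

```python
"""Added example (not TraIT or OpenClinica code): a WSGI middleware that enforces
two web-tier measures in front of an OpenClinica-style application.
  * requests for "/" are redirected to the context root /OpenClinica (from the slide)
  * responses outside the assumed /static/ prefix get no-store headers, so study
    data never lands in a browser or proxy disk cache
The application behind it is a constructed stand-in, not OpenClinica itself."""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

CONTEXT_ROOT = "/OpenClinica"   # context root named on the slide
STATIC_PREFIX = "/static/"      # assumed location of per-study static content

NO_STORE_HEADERS: Headers = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),     # for HTTP/1.0 caches
    ("Expires", "0"),
]
CACHE_RELATED = {"cache-control", "pragma", "expires"}


def apply_cache_policy(path: str, headers: Headers) -> Headers:
    """Static files may keep whatever the app sent; everything else is forced to
    no-store, and any caching header the app itself set is dropped first."""
    if path.startswith(STATIC_PREFIX):
        return list(headers)
    kept = [(k, v) for k, v in headers if k.lower() not in CACHE_RELATED]
    return kept + NO_STORE_HEADERS


class SecureHeadersMiddleware:
    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        path = environ.get("PATH_INFO") or "/"
        if path == "/":
            start_response("302 Found", [("Location", CONTEXT_ROOT)])
            return [b""]

        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, apply_cache_policy(path, headers), exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the application server: echoes the path and,
    like a careless application, sets a permissive Cache-Control header."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Cache-Control", "public, max-age=3600")])
    return [environ["PATH_INFO"].encode()]


def run(app, path: str):
    """Invoke a WSGI app directly (no server) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


app = SecureHeadersMiddleware(demo_app)

if __name__ == "__main__":
    for p in ["/", "/OpenClinica/ViewCRF", "/static/biomarkers/x.jpg"]:
        print(p, run(app, p)[:2])
```

The policy is applied to the response the application actually produced, so an application-level header that would allow caching is overridden rather than merely supplemented; a checker that only looks for the presence of no-store would miss the conflicting header.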

Page 25:

Technical measures
- Transport-layer encryption (HTTPS)
- Access logging
- Firewalls
- Export logging for non-repudiation
- Log retention

Two additional technologies: Trusted Third Party & Single Sign-On
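The deck lists export logging for non-repudiation without saying how the log itself is protected from the people who can reach the servers. The following is an added example, not TraIT code, of one way to make such a log tamper-evident: each record names who exported which dataset of which study, carries a SHA-256 of the exported bytes, is chained to the previous record and is sealed with an HMAC under a key that the application servers do not hold. The record fields, the seal key and the sample exports are assumptions.

```python
"""Added example (not TraIT code): a tamper-evident export log.  Each record is
chained to the previous record's seal and sealed with an HMAC; verify_chain() is
what a retention or audit job would run.  Key, users and exports are constructed."""
import hashlib
import hmac
import json
import time
from typing import List, Optional


class ExportLog:
    def __init__(self, seal_key: bytes):
        self.seal_key = seal_key          # assumed: held by the audit function, not the app tier
        self.records: List[dict] = []

    def _seal(self, record: dict) -> str:
        body = json.dumps(record, sort_keys=True).encode()   # canonical form
        return hmac.new(self.seal_key, body, hashlib.sha256).hexdigest()

    def append(self, user: str, study: str, dataset: str, exported: bytes,
               ts: Optional[int] = None) -> dict:
        prev = self.records[-1]["seal"] if self.records else "0" * 64
        record = {
            "seq": len(self.records),
            "ts": ts if ts is not None else int(time.time()),
            "user": user, "study": study, "dataset": dataset,
            "size": len(exported),
            "sha256": hashlib.sha256(exported).hexdigest(),  # ties the record to the file handed out
            "prev": prev,
        }
        record["seal"] = self._seal(record)
        self.records.append(record)
        return record

    def verify_chain(self) -> Optional[int]:
        """Return the seq of the first bad record, or None if the chain is intact."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            claimed = rec["seal"]
            unsealed = {k: v for k, v in rec.items() if k != "seal"}
            if (rec["seq"] != i or rec["prev"] != prev
                    or not hmac.compare_digest(self._seal(unsealed), claimed)):
                return i
            prev = claimed
        return None


def demo():
    log = ExportLog(b"constructed-seal-key")
    log.append("jdoe", "S001", "dataset_visit1", b"subj,visit\nP01,1\n", ts=1431000000)
    log.append("asmith", "S001", "dataset_full", b"subj,visit,lab\nP01,1,3.2\n", ts=1431000600)
    intact = log.verify_chain() is None
    # someone edits the first record after the fact to hide who exported
    log.records[0]["user"] = "nobody"
    return intact, log.verify_chain()


if __name__ == "__main__":
    print(demo())
```

Editing or deleting a record in the middle breaks the chain; dropping records from the tail does not, so the last seal must periodically be copied to a store the log writers cannot reach (the retention location is the natural place), and the seal key must not live on the same host as the log.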

Page 26:

Trusted Third Party (TTP)
Pseudonymisation of subjects
- Encryption using symmetric keys; only the source (hospital) and the TTP have the keys
- One key per site or one key per study
- Two types of IDs: national identification number (BSN) and Hospital Information System ID (HIS)
Various technical implementation strategies tested:
- Client-side with JavaScript
- Client-side with Java applet
- Server-side (for HIS numbers only)
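To make the key-per-site design concrete, here is an added example (not the TTP's or TraIT's code) of keyed pseudonymisation of the two identifier types named above. The deck describes symmetric encryption; this example swaps in HMAC-SHA256, a keyed one-way function, for the pseudonym itself and has the TTP keep the pseudonym-to-identifier mapping that re-identification needs. It also validates a BSN with the Dutch 11-proef before accepting it, which catches mistyped numbers at the source. Site names, keys and identifiers are constructed test data.

```python
"""Added example (not TraIT or TTP code): per-site keyed pseudonymisation of a
BSN or hospital ID.  Only the site and the TTP hold the site key.  HMAC-SHA256
replaces the symmetric encryption mentioned in the deck; the TTP keeps the
mapping back to the identifier.  All names, keys and numbers are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def bsn_is_valid(bsn: str) -> bool:
    """Dutch '11-proef': 9 digits, weighted sum (9..2, then -1) divisible by 11."""
    if len(bsn) != 9 or not bsn.isdigit():
        return False
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    return sum(w * int(d) for w, d in zip(weights, bsn)) % 11 == 0


def pseudonymise(key: bytes, id_type: str, identifier: str) -> str:
    """Deterministic pseudonym: same key + identifier -> same pseudonym, so a subject
    seen twice at a site links up without the identifier leaving the site.
    id_type is mixed in so a BSN and a hospital ID with equal digits never collide."""
    if id_type == "BSN" and not bsn_is_valid(identifier):
        raise ValueError("refusing to pseudonymise an invalid BSN")
    msg = f"{id_type}:{identifier}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


class TrustedThirdParty:
    """Holds the per-site keys and the mapping back to the identifier, the one
    table that must never be copied into the research database."""

    def __init__(self):
        self.site_keys: Dict[str, bytes] = {}
        self.lookup: Dict[str, str] = {}

    def enrol_site(self, site: str) -> bytes:
        self.site_keys[site] = secrets.token_bytes(32)   # shared with that site only
        return self.site_keys[site]

    def register(self, site: str, id_type: str, identifier: str) -> str:
        p = pseudonymise(self.site_keys[site], id_type, identifier)
        self.lookup[p] = f"{site}/{id_type}/{identifier}"
        return p

    def reidentify(self, pseudonym: str) -> Optional[str]:
        return self.lookup.get(pseudonym)


def demo():
    ttp = TrustedThirdParty()
    k_a, k_b = ttp.enrol_site("site-A"), ttp.enrol_site("site-B")
    bsn = "111222333"   # constructed test number that passes the 11-proef
    p_a = ttp.register("site-A", "BSN", bsn)
    # the site can compute the same pseudonym from its own copy of the key
    same_at_site = pseudonymise(k_a, "BSN", bsn) == p_a
    # another site (another key) yields a different pseudonym for the same person:
    # this is the practical difference between one key per site and one key per study
    p_b = ttp.register("site-B", "BSN", bsn)
    return same_at_site, p_a != p_b, ttp.reidentify(p_a)


if __name__ == "__main__":
    print(demo())
```

With one key per site, the same patient enrolled at two sites gets two pseudonyms and only the TTP can link them; with one key per study the link is visible in the research database itself, which is the trade-off the slide's "one key per site or one key per study" refers to.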

Page 27:

Single Sign-On: SAML 2.0
Developed in cooperation with Daniel Pletea (Philips) and Paul van Dijk (SURFnet)
- SAML (Security Assertion Markup Language)
- Used for authentication only
- Intended deployment (using OpenConext at Vancis) with SURFconext / eduGAIN

Page 28:

Processes: user management
- The PI is responsible for removing a user from the study when he or she is no longer active
- Periodic reminders to studies to verify that users are still active and affiliated
- User administration via the TraIT service-desk
- Password expiration

Page 29:

Processes
- Checks on directly identifiable information before a study is promoted from sandbox to production
- SQL scripts to scan the database for directly identifiable information
- Standard Operating Procedures
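The deck does not show the SQL scripts, so the following is an added example (not TraIT's scripts) of such a pre-promotion scan. It runs a query against a simplified, assumed copy of OpenClinica's item_data and item tables (item name plus free-text value) in an in-memory SQLite database; the rows are constructed test data. Candidates are selected in SQL with a REGEXP function registered from Python, nine-digit hits are only reported as BSN when they pass the 11-proef, and full dates only count when the item name suggests a birth date, which keeps lab sample numbers and visit dates out of the report.

```python
"""Added example (not the TraIT SQL scripts): scan CRF item values for directly
identifying information before a study leaves the sandbox.  The schema is an
assumed, reduced version of OpenClinica's item / item_data tables and the rows
are constructed test data."""
import re
import sqlite3
from typing import List, Tuple

PATTERNS = {
    # nine consecutive digits: a possible BSN, confirmed below with the 11-proef
    "BSN": r"(^|[^0-9])[0-9]{9}([^0-9]|$)",
    # Dutch postcode with letters narrows an address down to a few houses
    "postcode": r"\b[1-9][0-9]{3} ?[A-Z]{2}\b",
    "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    # a full calendar date; only reported for items whose name suggests birth
    "date_of_birth": r"\b[0-3]?[0-9][-/][01]?[0-9][-/](19|20)[0-9]{2}\b",
}


def bsn_is_valid(bsn: str) -> bool:
    """Dutch '11-proef' on a nine-digit number."""
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    return len(bsn) == 9 and bsn.isdigit() and \
        sum(w * int(d) for w, d in zip(weights, bsn)) % 11 == 0


def open_sandbox_copy() -> sqlite3.Connection:
    """Constructed stand-in for the sandbox database with a minimal schema."""
    con = sqlite3.connect(":memory:")
    # SQLite evaluates  value REGEXP pattern  as regexp(pattern, value)
    con.create_function("REGEXP", 2,
                        lambda pat, val: 1 if val is not None and re.search(pat, val) else 0)
    con.executescript("""
        CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE item_data (item_data_id INTEGER PRIMARY KEY, item_id INTEGER, value TEXT);
        INSERT INTO item VALUES (1,'SUBJECT_NOTE'),(2,'LAB_RESULT_ID'),(3,'CONTACT'),
                                (4,'BIRTH_DATE'),(5,'VISIT_DATE');
        INSERT INTO item_data VALUES
          (10,1,'patient BSN 111222333 asked about results'),
          (11,2,'sample 123456789'),
          (12,3,'j.jansen@example.org, 1012 AB'),
          (13,4,'12-03-1961'),
          (14,5,'12-03-2015'),
          (15,1,'no complaints');
    """)
    return con


def scan(con: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """Return (item_data_id, item name, kind) for every value that looks directly identifying."""
    findings = []
    sql = ("SELECT d.item_data_id, i.name, d.value "
           "FROM item_data d JOIN item i USING(item_id) WHERE d.value REGEXP ?")
    for kind, pattern in PATTERNS.items():
        for row_id, name, value in con.execute(sql, (pattern,)):
            if kind == "BSN":
                if not any(bsn_is_valid(n) for n in re.findall(r"[0-9]{9}", value)):
                    continue      # nine digits, but not a BSN (e.g. a sample number)
            if kind == "date_of_birth" and "BIRTH" not in name.upper():
                continue          # visit dates are fine; only date-of-birth fields count
            findings.append((row_id, name, kind))
    return sorted(set(findings))


if __name__ == "__main__":
    for finding in scan(open_sandbox_copy()):
        print(finding)
```

Free-text items are where identifiers leak in practice (the note field in the sample rows), so a scan that only looks at items named after identifiers is not enough; the same query should run over every text-valued item before the study is promoted.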

Page 30:

Operations
- Standard operating procedures for administrative personnel
- Periodic review of vulnerabilities in components (e.g. via US-CERT)
- Secure connections to servers for administrative operations

Page 31:

Content of presentation
- Introduction CTMM / TraIT
- Data-flows between applications
- Hosting & operations
- Privacy & security
- Performance

Page 32:

[Chart: number of users per hour, from 27 March to 4 May (y-axis 0-20).]

Page 33:

Monitoring
- Tools at the hosting provider (e.g. Nagios) to monitor availability
- Periodic database scripts to register the number of users logged in (performance)
- AWStats for statistics (performance)
- Selenium scripts deployed at 2 sites to register the duration of common user actions (performance)
The presentation "CRF Performance and System Scalability" by Annelies Rotte gives all details on performance.

Page 34:

Final words
- Privacy / security / risk assessments must have on-going attention
- Due care and due diligence
- Multi-faceted: technology, legislation, operations, development

Page 35:

Thanks OpenClinica LLC: Alicia Goodwin, Cal Collins, Krikor Krumlian, Ben Baumann

The Hyve: Marinel Cavelaars, Kees van Bochove

Trial Data Solutions: Gerben-Rienk Visser, Annelies Rotte

CTMM: Jan-Willem Boiten

NKI: Gerrit Meijer, Gwen Dackus

VUmc: Henk Verheul, Jeroen Beliën, Rene Breet, Cuneyt Parlayan, Ward Blondé, Rinus Voorham, Sander de Ridder

Philips: Wim van der Linden, Daniel Pletea, Cees de Jonge

Memic: Alfons Schroten, Dirk Veldman, Robert Klinkenberg

Netherlands eScience Center: Rita Azevedo, Ruud Ross

Maastro: Johan van Soest, André Dekker

Vancis: Kees Louwen, Marcel Bunte, Auke Abbekerk

SURFnet: Paul van Dijk
