Challenges and Emerging Solutions for Securing Medical Data and Applications
Michael Kamerick¹, Javed Mostafa, MA, PhD², David Ervin³
¹University of California, San Francisco, CA; ²University of North Carolina, Chapel Hill, NC; ³The Ohio State University, Columbus, OH

Abstract

The panel will discuss data security in the context of medical data provisioning, particularly focused on long-term storage, manipulation, generation of derivative data, collaborations among team members, and keeping pace with changing policies, rules, and regulations.

Introduction

The clinical research enterprise is confronted by the twin challenges of accelerating demands for data management and the increasing complexity of a very difficult regulatory environment¹. Institutions and individuals face significant financial penalties for the mishandling of patient data. Traditional methods used by investigators are not up to these challenges. Researchers wishing to focus on health care outcomes find themselves distracted by issues of firewall configurations and network data security. The storage of sensitive data on personal workstations has become a liability, not an asset, for the investigator.

Out of this context there has emerged a significant interest in building centralized systems that mitigate data disclosure risks for patients, for investigators, and for institutions, while still enabling investigators to work with their data in a fully productive manner. These systems seek to provide investigators with a safe and protected storage environment for the data, secure methods of data transmission, and methods and common tool sets that allow them to manage and analyze their data without having to place it or themselves in jeopardy.

Current Developments and Concrete Cases

Systems which fulfill this capacity are already in production at Academic Medical Centers, and more systems are currently undergoing development and testing. In this proposed panel, each of the participants will share experiences from their own institutions in launching and evaluating systems for securing medical data in their home institutions. For example, to facilitate ease of adoption for a common service platform and control data access, The Ohio State University CTSA has built the Translational Research and Data Management (TRIAD) grid. This grid infrastructure provides integration with existing institutional identity provisioning systems such as LDAP so that researchers maintain a single logon account. Additionally, the TRIAD grid uses robust security protocols and access management controls to ensure access to data and services is conducted securely while maintaining ease of use.

The University of California San Francisco (UCSF) has developed a secure, virtualized, remoted environment called MyResearch, which provides access to both data and data manipulation software to researchers in a centralized location. Data and applications are stored and executed centrally but displayed locally on users’ workstations. MyResearch is fully integrated with the UCSF Active Directory infrastructure to enable single sign-on for investigators, and it provides an encrypted ‘drop-box’ feature for secure file transfer. By policy, MyResearch is the authorized control point for the release of clinical data for research at UCSF.

At the University of North Carolina, Chapel Hill (UNC), a project similar to UCSF’s is underway. UNC is developing a system called Secure Medical Workspace for provisioning data and data manipulation tools together to researchers based on a virtualization technology. The UNC solution is also attempting to combine data governance with data provisioning by creating comprehensive data leakage protection tools that operate using a rule-based engine whereby rules reflect the established policies associated with data use.

Conclusion

To summarize, in this panel we will explore current and planned medical data security system implementations, from the technical, operational, and policy-focused perspectives. The knowledge gleaned from launching and evaluating medical data security projects from the three large academic centers will be used to motivate and drive the discussions. However, we will also invite and engage participants to share their own experiences in securing medical data as they relate to challenges and potential solutions. Below is a list of current panel members and brief descriptions of their backgrounds.