Into the Medical Science DMZ

Speed read
  • HIPAA security and privacy rules stipulate that patient healthcare data must be protected
  • Privacy regulations create challenges for scientists accessing medical data for research
  • Medical Science DMZ model speeds research and improves collaboration

The 1996 Health Insurance Portability and Accountability Act (HIPAA) is best known for preserving insurance coverage for employees who change or lose their jobs. But the law also includes a Security Rule and a Privacy Rule that protect confidential healthcare data for consumers. 

<strong>Speeding research.</strong> The Medical Science DMZ expedites data transfers for scientists working on large-scale research such as biomedicine and genomics while maintaining federally required patient privacy.

These security and privacy regulations, which took effect in 2003, continue to safeguard patient health information, but also create challenges for the medical research community. The guidelines provided for implementing technical measures to protect medical data sometimes also impede usability, including high-bandwidth data transfers.

Not so surprising, given that 2003 was still early days for the internet, and it moved at a much slower pace. Now, fifteen years later, there is a better way to transfer large datasets containing patient data while still complying with HIPAA’s rules.

Design for performance

In their paper, Lawrence Berkeley National Laboratory (LBNL) computer scientist Sean Peisert and Energy Sciences Network (ESnet) researcher Eli Dart and their collaborators outline a “design pattern” for deploying specialized research networks and ancillary computing equipment for HIPAA-protected biomedical data that provides high-throughput network data transfers and high-security protections.

Read previous Science Node coverage on the original Science DMZ model

Science DMZ: the fast path for science data -- interview with Larry Smarr, founding director of the National Center for Supercomputing Applications (NCSA).
The Science DMZ is secure -- Internet2 engineers discuss the security advantages of the Science DMZ.

“The original Science DMZ model provided a way of securing high-throughput data transfer applications without the use of enterprise firewalls,” says Dart. “You can protect data transfers using technical controls that don’t impose performance limitations.”  

Created with US Department of Energy (DOE), National Science Foundation (NSF), and National Oceanic and Atmospheric Administration (NOAA) science applications in mind, the original Science DMZ model supports research in areas such as high-energy physics, atmospheric modeling, and cosmological data.

But domains such as genomics also require high-performance applications to process incredibly large and complex datasets. For example, the Department of Veterans Affairs’ (VA) Million Veteran Program (MVP) is reported to be the largest genomic database in the world as of 2016, and the National Institutes of Health (NIH) “All of Us” program seeks to develop a dataset of electronic health records and genomes of similar size.

However, unlike high-energy physics data, which many scientists would view as requiring relatively low levels of cybersecurity protection, human genomic data and electronic health records require substantially more safeguards to comply with the HIPAA Security Rule in the US. Similar regulations exist in other parts of the world.

MVP. The Million Veteran Program will establish one of the largest databases of genetic, lifestyle, and health information, which researchers will use to study the genetic basis for diseases like diabetes and cancer, all while keeping individual patient information confidential. Courtesy US Department of Veterans Affairs.

The National Institute of Standards and Technology (NIST) has published extensive guidelines on implementing the HIPAA Security Rule.

“Many traditional security protections, such as the stateful and deep-packet-inspecting firewalls prescribed by NIST, don’t support both the goals of security and the high-performance networking needs of these applications,” says Peisert. “The Medical Science DMZ addresses these problems by creating a network that is explicitly designed for high-performance biomedical applications with security protocols.”

“If you look at overall network and system design as part of your security architecture, this allows you to make better decisions,” says Dart. “This leads to better scientific outcomes.”

Collaboration nation

In his original Science DMZ work, Dart found that the Science DMZ design pattern increased collaboration among different research organizations by improving transfer speeds and reducing cost.

Peisert, Dart, and their collaborators at Indiana University (IU), the University of Chicago (UC), Harvard University, and BioTeam expect the same will be true when applying the Medical Science DMZ to HIPAA-protected data.

<strong>Bionimbus Science DMZ</strong> architecture at the University of Chicago (UC). With this architecture, UC doesn't use a commercial firewall between the storage and compute nodes and Science DMZ but instead has a number of compensating controls and procedures to provide the required security.

“If we look at what the medical field is trying to do with cancer data,” says Dart, “we need a way for multiple institutions to collaborate. Everybody may have a piece of the puzzle, but nobody has all the data in one place.”

Shared data repositories like the National Library of Medicine, the National Cancer Institute, and the European Bioinformatics Institute are growing rapidly, highlighting the need for a quick and cost-effective way for researchers to access their large datasets.

“The datasets traditionally used in medical data have been smaller,” says Peisert. “But scientific work in large-scale precision medicine research requires substantially larger data-driven efforts in order to be successful.”

Ensuring privacy and results  

The original Science DMZ model is just one example of how the computing community has evolved in recent years.

“We’re able to do things with computing now that we couldn’t dream of a generation ago,” says Dart.

The Medical Science DMZ may help researchers pioneer results in multiple human health domains by improving data transfer times, while still complying with and enforcing HIPAA’s security and privacy regulations.

Peisert notes, “We did this work to develop this framework because we wanted to dramatically change the way data-driven medical science takes place. We wanted to make it possible for institutions doing data-driven medical science to move large amounts of data in a secure way without it taking a month to move the data over the internet, or by mailing giant hard drives to each other.”

Though the Medical Science DMZ was originally developed with biomedical science in mind, Peisert and Dart point out that the same model is appropriate to other types of science with robust security needs, such as data with intellectual property constraints or other confidentiality and privacy requirements.

Copyright © 2018 Science Node ™