For medical researchers, clinical data means opportunities and risks: Opportunities for experiments and analyses that will lead to new knowledge about human diseases; risks because the burden of keeping personal medical data secure usually falls on the shoulders of the researchers.
Medical researchers and the clinicians who collect medical data in hospitals and clinics want to work together to advance medical research, said Michael Shoffner, a senior research software engineer at the Renaissance Computing Institute (RENCI) and adjunct faculty member in the School of Information and Library Science at the University of North Carolina at Chapel Hill. Shoffner also serves as the technical lead and architect for the Secure Medical Research Workspace project, a multidisciplinary effort at UNC Chapel Hill to create a secure, controlled environment where researchers can use sensitive medical data.
"The challenge is to get that medical data to the researchers while minimizing the risk that it either accidentally gets out or in some other way escapes from the containment it needs to be in to protect personal privacy and comply with regulations," Shoffner said.
Typically when researchers use test results, medical images, doctors' notes and other clinical data in their research, they obtain that data on a disk or another physical storage device, take it back to their lab and use it in experiments. The clinical data is not in a secured, controlled setting and could be lost, damaged, inadvertently picked up by another researcher or accidentally thrown away.
In order to develop the technical requirements for a secure medical workspace environment, the technical team is working hand-in-hand with medical researchers and other experts from their project partners at the North Carolina Translational and Clinical Science Institute (NC TraCS) and the Clinical Translational Science Award; the project also acquired funding through NC TraCS and CTSA. Together, the project team produces and deploys prototypes as well as the final production-ready virtual workspace environment.
In order to meet government regulations about personal data and privacy, the resulting workspace must achieve what is known as data leakage prevention, or DLP as data security professionals call it. Creating secure, controlled virtual environments for research is one way to plug data leaks.
The researcher's secure "workspaces" exist as virtual machines from a private cloud deployed using VMware ESXi; the cloud will be administered by UNC IT staff.
Each virtual machine contains all the software tools that researchers would use to analyze their data, including the Microsoft Office suite and SAS analytics applications, explained Phil Owen, a RENCI-based information technology developer. If a researcher needs another tool not included in the standard workspace, he or she can request that it be added to their virtual environment.
"It's a virtual environment that mimics what a desktop computer would do," Owen said. "The idea is to isolate the sensitive data into a workspace so that it can't exit that workspace either accidentally or maliciously."
To achieve that goal, the team deploys and enhances commercial DLP software (WebSense) that inspects content entering and leaving a virtual workspace and uses rules, often tied to HIPAA privacy rules and other government regulations, to determine whether that content is sensitive and should be protected. (The US Health Insurance Portability and Accountability Act includes laws that govern the security, privacy, and use of health data; WebSense advertises that it is used in 46 countries, so it may be able to serve in the same way for researchers in other countries.)
"For example, if [a researcher] is downloading or uploading data out of the secure research environment and that data contains something like credit card numbers or patient social security numbers, that would trigger a rule and implement actions. That data would not be able to get out," said Xiaoshu Wang, a RENCI-based biomedical researcher.
It's a process the RENCI team jokingly compares to a roach motel-data can check in, but it won't check out. But jokes aside, they understand the importance of their work.
"The security of data is of paramount importance for the protection of patients, the protection of researchers and compliance with regulatory requirements," Shoffner said. "The driver behind this solution is to provide an environment that will do that and also help the researchers get their work done."
At present, the project is at the prototype stage. Researchers will receive their dedicated virtual workspace sometime in the next week or two.
A version of this story originally appeared on the RENCI website.