BioMedBridges: Implementation of a pilot for the security framework

Managing authorised access to data is crucial in medical research and especially in translational medicine, since in this field open-access information is mixed with restricted-access data sets. In general, all health data has to be regarded as sensitive, subject to special protection. Thus, a sound approach to this problem is particularly critical when we deal with clinical data and patient’s personal information.

BioMedBridges addresses these issues in WP5, which collected requirements for data protection and information security from all participating research infrastructures and documented those in D5.1 and D5.2. Report D5.3 applies these data protection requirements when considering theoretical and methodological aspects of secure information exchange, describing the most common security and privacy threat types according to the well-established STRIDE and LINDDUN approaches. Moreover, D5.3 outlines the practicalities of implementing infrastructures and workflows to countermeasure such threats.

Here we describe the pilot infrastructure that we have implemented, where different software applications are coordinated to allow end users appropriate access to restricted-access biomedical data. In such an infrastructure, the user initiates data search in public resources where only general data set descriptors are available. As the next step, the initial search results can be expanded by following cross-links to other, protected resources. Such restricted access is mediated by the integration of well-known identity management software, as well as tools to manage access policies. As we show in the following, our pilot makes use of a well-established software solution, which is already in use in the biomedical field. This minimizes the disruption of the existing IT infrastructures, e.g. by removing the need to create new user accounts and credential management tools. Our solution is modular and makes it possible to integrate components other than the ones we have considered so far. An example of this is shown in section 7.

This work has been done by organisations that have significant experience with the management and exchange of biomedical data, either for clinical studies or other research purposes. The Technische Universität München (TUM) has experience in web applications for managing clinical data and biobanks. In particular, they participate in the BBMRI-ERIC network. The CSC-IT has expertise in developing the Finnish state-owned IT infrastructure, including solutions for IT security. The European Informatics institute (EMBL-EBI) has been providing freely available data for the worldwide research community for more than 20 years, and has developed the BioSamples database as a hub of information on biological samples used in life sciences.