Certifying and Securing a Trusted Environment for Health Informatics Research Data

Certifying and Securing aTrusted Environment for Health
Informatics Research data
Dr Jonathan Monk, Director of IT, University of Dundee
1/11/2016

Health Informatics Centre
dundee.ac.uk/hic
Dr Jonathan Monk
Director of IT
University of Dundee
Certifying and Securing a Trusted
Environment for Health Informatics
Research data

dundee.ac.uk/hic
1. Overview of Health Informatics
2. Research Data Management Platform
3. Safe Haven Architecture
4. ISO27001 Certification

dundee.ac.uk/hic
Overview of Health
Informatics

dundee.ac.uk/hic
Geographic - Tayside And Fife Population of Scotland Time Period 1972 - 2016
Electronic Medical Data Coverage

dundee.ac.uk/hic
Parents Conception Birth Early Life Childhood Adulthood Late Life Death
Research Datasets
• GoDARTS Diabetes – 18K - Case/Controls
• TASC FORCE – 5000 - MRA Volunteers
• POPADAD – 1200 - Diabetes with no CVD
• TRACE RA – 3200 - Rheumatoid Arthritis/UK
Pre-consented Cohorts
 SHARE – 100+K
 Generation Scotland – 20K
SMR02
Maternity & Neonate
Walker
48,00 Births (1952-1966)
Health Care Data
 Primary Care : Community Prescribing
 Secondary Care : Out Patient Visits, Hospital Admissions, Accident & Emergency, Cancer Register, Psychiatric Episodes.
 Diagnostics : Radiology Events, Cardiology & Vascular Labs, Bowel Screening
 Laboratory - Biochemistry, Haematology, Immunology, Microbiology, Virology
 Diabetes Surveillance - BP,BMI, Smoking Alcohol, Amputations, Ulcers
 Diabetic Retinal Images – DRS Retinopathy Image Library (Go DARTS Population)
Disease Registers
• TARDIS Respiratory Disease
• SDCRN – Scottish Dementia Network
• SCI Diabetes
• Epilepsy
Child Health Pre-School/School
SIRS/CHSP
Register Of
Deaths
DataForLinkageExistingResearch
StudiesPhenotypic Data Available

dundee.ac.uk/hic
Data Linkage Through Family Generations
2004 - Community Prescribing (Dispensed)
2016
1986 - Acute Hospital Admission Tayside
1975 - Births and Neonatal Record
1986 - Laboratory ( Biochemistry, Haematology, Immunology, Microbiology)
1994 - Radiology Records
1952
Walker Dataset
1952 – 66
48,000
Dundee Births
Babies
Mothers
Fathers
1980 – Cancer Register
1990 – Diabetes Records
Cohort participants episodes recorded in dataset

dundee.ac.uk/hic

dundee.ac.uk/hic
Controls
 Ratio : 3:1
 Match on Age, Sex, SIMD
Feasibility Searches
Inclusion:
 Health Board : Tayside
 Status : Alive
 Conditions : Type 2 Diabetes
 Age: >= 65
 Prescribed : Insulin > 2yrs
Exclude:
 Prescribed: Statins
Researcher Supplies Search Criteria
Matches
570K
450K
120K
70K
9210

dundee.ac.uk/hic
Demography
GRO ECHO
There was a
22% overall
reduction in all
cause mortality
with β blocker
use
Prescribing TARDIS
Biochemistry
MicrobiologyHaematology
Case Study # 1 - β blockers:
Their Effect in Managing Chronic Obstructive Pulmonary Disease (COPD)
Setting Tayside, Scotland (2001–2010)
Population 5977 patients aged >50 years
with a diagnosis of COPD.
BMJ. 2011; 342: d2549. 10.1136/bmj.d2549 P.M Short, S.I.W Lipworth, D.H.J Elder, S. Schembri, B.J. Lipworth.

dundee.ac.uk/hic
Hospital
admissions
GRO
More than 400 lives are being lost each year
because breast cancer patients fail to take
the full course of the drug Tamoxifen due to
"intolerable" side-effects
Prescribing
Br J Cancer. 2008 December 2; 99(11): 1763–1768. 10.1038/sj.bjc.6604758 McCowan, J Shearer, P T Donnan, J A Dewar, M Crilly, A M Thompson and T P Fahey
Researcher Supplied
Cohort
Cancer patients from a
Ninewells clinic
Case Study #2: Tamoxifen adherence:
Relationship to Mortality in Women with Breast Cancer

dundee.ac.uk/hic
Research Data Management Platform (RDMP)
‘Optimizing and Augmenting the Research Data Supply Chain`
Labs
SMR01
Prescribing
Raw Data Data Import Databases Custom Extractions & Export Formats
RDMP
Labs
SMR01
Prescribing
Raw Data Data Import Structured
Database
Extraction + Export
DataLoad
Engine
Research
Data Warehouse
Validate
Clean
Catalogue
QualityChecks
Project X
Data Marts
Validate
Clean
Catalogue
QualityChecks
Project Y
Data Marts
Validate
Clean
Catalogue
QualityChecks
DataExtraction
Engine

dundee.ac.uk/hic
Data
Set 1
Data
Set 6
Data
Set 2
Data
Set 3
Data
Set 4
Data
Set 5
Data Set 1
Pseudo-CHI
Data Set 2
Pseudo-CHI
Data Set 6
Pseudo-CHI
Data Set 3
Pseudo-CHI
Data Set 4
Pseudo-CHI
Data Set 5
Pseudo-CHI
CHI and All
Identifiable
Data
Data Set 1
Project -CHI
Data Set 4
Project -CHI
NHS Network University Network
Data Repository Function of Safe Haven Analytic Platform of Safe Haven
Virtual
Environment –
no data leaves

dundee.ac.uk/hic
• Extraction takes minutes
• Data released is standardised – the same regardless of Data Analyst that
completes the work
• A history is recorded of all changes to data over time
• Data released now will be in the same format as in 5 years from now
• Metadata has been added
• Methods for transforming and validations have been added across all data
sets
• Tools to manage and explore the data are available to Data Management
team and researchers
• Audit and Logging all automated
• Major work towards integration of image and genomic data

dundee.ac.uk/hic
• Standard restrictive VDI solution
• VMWare View / Horizon

dundee.ac.uk/hic
• AppVolumes used for Applications
• Bring Your Own License
• Lots of Application Variations!

dundee.ac.uk/hic
• There are many types of ISO
Certification.
• We have 27001:2013 – Certificate
Number: 2016/2269
• ISO 27001:2013 is a specification for an
information security management
system (ISMS). An ISMS is a framework of
policies and procedures that includes all
legal, physical and technical controls
involved in an organisation's information
risk management processes.
What is ISO27001?

dundee.ac.uk/hic
Why ISO27001 certification?
• Independent set of standards – so rather than constantly having to
think what documents and processes we should have in place and
reinventing the wheel, ISO gives us this!
• Gives confidence to other organisations we work with e.g. NHS, main
University.
• Reduces other documentation requirements for governance, as we
can just reference ISO documentation.
• Improves the working practices of HIC. This has been particularly the
case with our hardware infrastructure.
• Key towards Scottish Government Safe Haven Accreditation.

dundee.ac.uk/hic
Scottish Government Safe Haven Accreditation
• 27001 standard controls PLUS some
additional ones specific to Safe Havens.
• Reviewed by Scottish Government
eHealth.
• Documentation Required:
• Risk Assessment Doc
• Mapping of Controls

dundee.ac.uk/hic
Scope
“The provision of data to researchers via safe haven environment, secure
patient recruitment, data collection using software tools, data entry, the
development and operation of web based applications and all assets
underpinning the provision of those services from the locations of HIC premises
at Ninewells Hospital and data centres within the University of Dundee
Campus”

dundee.ac.uk/hic
ISMS Controls Status with Statement of
Applicability and Gaps

dundee.ac.uk/hic
ISO Controls – Made up of HIC specific ones
and University/NHS general controls
University of Dundee Security
Policies
University of Dundee HR Policies and
Procedures (and NHS where
appropriate as we have honorary
contracts)
HIC HR
Procedures/Training/Policies
HIC Security Policies
A7: Human Resource SecurityA5: Information Security Policies
A6: Organisation of
Information security
University of Dundee Security
Policies
HIC Security Policies,
SOPS, Procedures, Work
Instructions and Service
Descriptions

dundee.ac.uk/hic
Document Types and Review
Static & Formally Approved:
HIC Exec & HIC Information Governance Committee
• Policies
• Standard Operating Procedures (SOPs)
• Risk Management Doc
• Information Security Management System (ISMS)
Manual
• Business Continuity Plan
Just HIC Exec
• Procedures
Working Documents (technical):
Relevant Technical Manager
• Service Descriptions
• Work Instructions
• Asset and Responsibility Matrix
• Disaster Recovery Plans
• Infrastructure Diagrams

dundee.ac.uk/hic
Structure of Docs in Box Become aware of an
improvement of our
current procedure
Take a copy of Procedure from “Live” folder and move to
“Under Development”.
Draft change using tracked changes.
Ask Technical Manager to review.
Technical Manager moves the doc they have approved to
“Awaiting Approval Folder” and asks for it to be included in
HIC Exec Meeting Agenda for review.
If approved at HIC Exec either formally approved or sent to
HIC Information Governance Committee for additional
formal approval (if document type requires)
Approved doc is moved to
“Live” folder by HIC Admin
Procedure Changes

dundee.ac.uk/hic
Infrastructure comprised UoD, HIC & NHS
University of Dundee Network NHS Network
HIC Managed Hardware
HIC Managed Hypervisor Cluster
HIC Managed Operating Systems
HIC Managed Applications
UoD Hardware
UoD Hypervisor
UoD OS
UoD Applications
HIC and UoD use identical platform technology and share locations
Hardware & responsibility for management varies depending on specificity
University of Dundee Data Centres NHS Locations

dundee.ac.uk/hic
Timelines
• Help from University’s Information Security Officer (Graham McKay)
to get us up to the required standard.
• Passed our Stage 1 audit of our documentation in June 2015.
• Passed our Stage 2 audit of our systems (do we do what we say we do
in our documentation) in Jan 2016.
• Passed second Stage 2 audit July 2016
• Now have full audits every 6 months for the next 3 years!

dundee.ac.uk/hic
Phil Appleby
Jim Galloway
Chris Hall
Duncan HeatherEmily Jefferson
Claire JonesGordon
McAllister
Keith MilburnLeandro Tramma
Donald
Scobbie
Thomas Nind Guney Hanedan
Graham
McKay
Many thanks to the people that did all the work!

dundee.ac.uk/hic
Questions?

Certifying and Securing a Trusted Environment for Health Informatics Research Data

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Certifying and Securing a Trusted Environment for Health Informatics Research Data (20)

More from Jisc (20)

Recently uploaded (20)

Certifying and Securing a Trusted Environment for Health Informatics Research Data

Editor's Notes