
BMIA Security and Privacy

Protecting the privacy and security of the data is of paramount importance for TraIT. The TraIT infrastructure, software and procedures have been defined and implemented to protect the privacy of the patient and ensure the security of the data.

TraIT BMIA has taken a number of security measures. We use standardized TraIT procedures (SOPs) for creating new user accounts in order to comply with the data owner’s data access policies and to prevent unauthorized access to study data. The TraIT BMIA environments are hosted by Vancis. Vancis meets the ISO 27001 standard for information security management. Network communication with the TraIT BMIA web applications (including the upload process) is secured via the HTTPS protocol, meaning that hospitals do not have to open additional ports on their firewall (assuming that the basic HTTPS port is open to the outside world). We have a GeoTrust RapidSSL CA V3 (algorithm: sha1 RSA) certificate that guarantees that the TraIT BMIA user is really communicating with the TraIT BMIA environment. Our infrastructure architecture has been optimized for data security; for example, separate compartments are used for the web, application and database environments. The BMIA database is backed up every night, and every other year we perform a disaster recovery test. The last successful disaster recovery test was performed on April 2, 2013.

BMIA takes security seriously at the application level. It works with controlled access through user accounts and authorization at the study and role level.

NBIA uses a dedicated application called the Common Security Module User Provisioning Tool (CSM-UPT). For more information about CSM-UPT please see https://wiki.nci.nih.gov/pages/viewpage.action?pageId=4260067.

XNAT in turn has similar authorization options. For each study (project in XNAT), the study owner decides which users to add and with which role. For more information, please see: https://wiki.xnat.org/display/XNAT16/User+Roles+and+Permissions.

Furthermore, the visibility of a project/collection can be set as:

  • Public: the entire project is visible to the outside world (NBIA and XNAT).
  • Protected: the project description is visible to the outside world, but the image (derived) data is not. Users can request access (XNAT only).
  • Private: a user must be a member of the project to see it after login (NBIA and XNAT).

By default, a project is created with private visibility. The study owner can change this when the project is created, or at a later moment.

The data owner (data controller), generally the principal investigator of the research project, decides in both tools who gets access to the study in BMIA and indicates the role/authorization that should be applied to the user account. The institute or investigator that supplies the data to BMIA remains the owner of the data, and access to the data is controlled by the owner. In order to comply with privacy regulations, only anonymized or pseudonymized data may be stored on the TraIT BMIA server.

Security at the transport level, especially with regard to data collection/ingestion and data consumption, is covered by using standard ciphering protocols to provide encrypted communications over the Internet.