XNAT Security and Privacy

Protecting the privacy and security of the data is of paramount importance for TraIT. The TraIT infrastructure, software and procedures have been defined and implemented to protect the privacy of the patient and ensure security of the data.

TraIT has taken a number of security measures (see Technical and organisational control measures).

We use standardized TraIT procedures (SOPs) for creating new user accounts in order to comply with the data owner’s data access policies and to prevent unauthorized access to study data.

The TraIT XNAT environment is hosted by Vancis. Vancis meets the ISO 27001 standard for information security management. The network communication with the TraIT XNAT web application (incl. the upload process) is secured via the HTTPS protocol, meaning that hospitals do not have to open ports on their firewall (assuming that the basic HTTPS port is open to the outside world). Our certificate guarantees that the TraIT XNAT user is really communicating with the TraIT XNAT environment. Our infrastructure architecture has been optimized for data security. The XNAT database is backed up every night and every other year we perform a disaster recovery test.

TraIT takes security seriously at the application level. It works with controlled access through user accounts and authorization at the study and role level.

XNAT in turn has similar authorization options. For each study (project in XNAT), the study owner decides which users to add and with which role. For more information, please see: https://wiki.xnat.org/display/XNAT16/User+Roles+and+Permissions.

Furthermore, the visibility of a project/collection can be set as:

  • Public: the whole project is visible to the outside world.
  • Protected: the project description is visible to other users, but the image (derived) data is not. Users can request access.
  • Private: a user should be a member of the project to see it after login.

By default, a project is created with private visibility. The study owner can change this at the creation of the project, or at a later moment.

The data owner (data controller), generally the principal investigator of the research project, decides who gets access to the study and indicates the role/authorization that should be applied to the user account. The institute or investigator that supplies the data to TraIT remains the owner of the data, and access to the data is controlled by the owner. To comply with privacy regulations, only anonymized or pseudonymized data may be stored on the TraIT XNAT server.

Security at transport level, especially with regard to data collection/ingestion and data consumption, is covered by using standard ciphering protocols to provide encrypted communications over the Internet.