Embed Size (px)
Citation preview
Certifying and Securing a Trusted Environment for Health Informatics Research dataDr Jonathan Monk, Director of IT, University of Dundee
1/11/2016
Health Informatics Centre
dundee.ac.uk/hic
Dr Jonathan MonkDirector of IT
University of Dundee
Certifying and Securing a Trusted Environment for Health Informatics
Research data
Health Informatics Centre
dundee.ac.uk/hic
1. Overview of Health Informatics2. Research Data Management
Platform3. Safe Haven Architecture4. ISO27001 Certification
Health Informatics Centre
dundee.ac.uk/hic
Overview of HealthInformatics
Health Informatics Centre
dundee.ac.uk/hic
Geographic - Tayside And Fife Population of Scotland Time Period 1972 - 2016
Electronic Medical Data Coverage
Health Informatics Centre
dundee.ac.uk/hic
Parents
Conception
Birth
Early Life
Childhood
Adulthood
Late Life
DeathResearch Datasets
• GoDARTS Diabetes – 18K - Case/Controls• TASC FORCE – 5000 - MRA Volunteers• POPADAD – 1200 - Diabetes with no CVD• TRACE RA – 3200 - Rheumatoid Arthritis/UK
Pre-consented Cohorts SHARE – 100+K Generation Scotland – 20K
SMR02Maternity & Neonate
Walker48,00 Births (1952-1966)
Health Care Data Primary Care : Community Prescribing Secondary Care : Out Patient Visits, Hospital Admissions, Accident & Emergency, Cancer Register, Psychiatric Episodes. Diagnostics : Radiology Events, Cardiology & Vascular Labs, Bowel Screening Laboratory - Biochemistry, Haematology, Immunology, Microbiology, Virology Diabetes Surveillance - BP,BMI, Smoking Alcohol, Amputations, Ulcers Diabetic Retinal Images – DRS Retinopathy Image Library (Go DARTS Population)
Disease Registers• TARDIS Respiratory Disease• SDCRN – Scottish Dementia Network• SCI Diabetes• Epilepsy
Child Health Pre-School/SchoolSIRS/CHSP
Register OfDeaths
Data
For
Lin
kage
Existi
ng R
esea
rch
Stu
dies
Phenotypic Data Available
Health Informatics Centre
dundee.ac.uk/hic
Data Linkage Through Family Generations
2004 - Community Prescribing (Dispensed)
2016
1986 - Acute Hospital Admission Tayside
1975 - Births and Neonatal Record
1986 - Laboratory ( Biochemistry, Haematology, Immunology, Microbiology)
1994 - Radiology Records
1952
Walker Dataset1952 – 66
48,000 Dundee Births
BabiesMothers Fathers
1980 – Cancer Register
1990 – Diabetes Records
Cohort participants episodes recorded in dataset
Health Informatics Centre
dundee.ac.uk/hic
Health Informatics Centre
dundee.ac.uk/hic
Controls Ratio : 3:1 Match on Age, Sex, SIMD
Feasibility Searches
Inclusion: Health Board : Tayside Status : Alive Conditions : Type 2 Diabetes Age: >= 65 Prescribed : Insulin > 2yrs
Exclude: Prescribed: Statins
Researcher Supplies Search CriteriaMatches
570K
450K
120K
70K
9210
Health Informatics Centre
dundee.ac.uk/hic
Health Informatics Centre
dundee.ac.uk/hic
Demography
GRO ECHO
There was a 22% overall reduction in
all cause mortality
with β blocker use
Prescribing TARDIS
Biochemistry
Microbiology
Haematology
Case Study # 1 - β blockers:Their Effect in Managing Chronic Obstructive Pulmonary Disease (COPD)
Setting Tayside, Scotland (2001–2010)Population 5977 patients aged >50 years with a diagnosis of COPD.
BMJ. 2011; 342: d2549. 10.1136/bmj.d2549 P.M Short, S.I.W Lipworth, D.H.J Elder, S. Schembri, B.J. Lipworth.
Health Informatics Centre
dundee.ac.uk/hic
Hospital admission
sGRO
More than 400 lives are being lost each year because breast cancer patients fail to take the full course
of the drug Tamoxifen due to "intolerable" side-effects
Prescribing
Br J Cancer. 2008 December 2; 99(11): 1763–1768. 10.1038/sj.bjc.6604758 McCowan, J Shearer, P T Donnan, J A Dewar, M Crilly, A M Thompson and T P Fahey
Researcher SuppliedCohort
Cancer patients from a Ninewells clinic
Case Study #2: Tamoxifen adherence:Relationship to Mortality in Women with Breast Cancer
Health Informatics Centre
dundee.ac.uk/hic
Research Data Management Platform (RDMP)‘Optimizing and Augmenting the Research Data Supply Chain`
Labs
SMR01
Prescribing
Raw Data Data Import Databases Custom Extractions & Export Formats
RDMP
Labs
SMR01
Prescribing
Raw Data Data Import Structured Database Extraction + Export
Data LoadEngine
ResearchData Warehouse
Validate
Clean
Catalogue Quality Checks
Project XData Marts
Validate
Clean
Catalogue Quality Checks
Project YData Marts
Validate
Clean
Catalogue Quality Checks
Data Extraction Engine
Health Informatics Centre
dundee.ac.uk/hic
Data Set 1
Data Set 6
Data Set 2
Data Set 3
Data Set 4
Data Set 5
Data Set 1 Pseudo-CHI
Data Set 2Pseudo-CHI
Data Set 6Pseudo-CHI
Data Set 3Pseudo-CHI
Data Set 4Pseudo-CHI
Data Set 5 Pseudo-CHI
CHI and All Identifiable
Data
Data Set 1 Project -CHI
Data Set 4Project -CHI
NHS Network University Network
Data Repository Function of Safe Haven Analytic Platform of Safe Haven
Virtual Environment – no data leaves
Health Informatics Centre
dundee.ac.uk/hic
• Extraction takes minutes• Data released is standardised – the same regardless of Data Analyst that
completes the work• A history is recorded of all changes to data over time• Data released now will be in the same format as in 5 years from now• Metadata has been added• Methods for transforming and validations have been added across all data sets• Tools to manage and explore the data are available to Data Management team
and researchers• Audit and Logging all automated• Major work towards integration of image and genomic data
Health Informatics Centre
dundee.ac.uk/hic
Health Informatics Centre
dundee.ac.uk/hic
• Standard restrictive VDI solution• VMWare View / Horizon
Health Informatics Centre
dundee.ac.uk/hic
• AppVolumes used for Applications• Bring Your Own License• Lots of Application Variations!
Health Informatics Centre
dundee.ac.uk/hic
• There are many types of ISO Certification.• We have 27001:2013 – Certificate
Number: 2016/2269• ISO 27001:2013 is a specification for an
information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
What is ISO27001?
Health Informatics Centre
dundee.ac.uk/hic
Why ISO27001 certification?• Independent set of standards – so rather than constantly having to think
what documents and processes we should have in place and reinventing the wheel, ISO gives us this!
• Gives confidence to other organisations we work with e.g. NHS, main University.
• Reduces other documentation requirements for governance, as we can just reference ISO documentation.
• Improves the working practices of HIC. This has been particularly the case with our hardware infrastructure.
• Key towards Scottish Government Safe Haven Accreditation.
Health Informatics Centre
dundee.ac.uk/hic
Scottish Government Safe Haven Accreditation
• 27001 standard controls PLUS some additional ones specific to Safe Havens.
• Reviewed by Scottish Government eHealth.
• Documentation Required:• Risk Assessment Doc• Mapping of Controls
Health Informatics Centre
dundee.ac.uk/hic
Health Informatics Centre
dundee.ac.uk/hic
Scope“The provision of data to researchers via safe haven environment, secure patient recruitment, data collection using software tools, data entry, the development and operation of web based applications and all assets underpinning the provision of those services from the locations of HIC premises at Ninewells Hospital and data centres within the University of Dundee Campus”
Health Informatics Centre
dundee.ac.uk/hic
ISMS Controls Status with Statement of Applicability and Gaps
Health Informatics Centre
dundee.ac.uk/hic
ISO Controls – Made up of HIC specific ones and University/NHS general controls
University of Dundee Security Policies
University of Dundee HR Policies and Procedures (and NHS where
appropriate as we have honorary contracts)
HIC HR Procedures/Training/Policies
HIC Security Policies
A7: Human Resource SecurityA5: Information Security Policies A6: Organisation of Information security
University of Dundee Security Policies
HIC Security Policies, SOPS, Procedures, Work Instructions and Service
Descriptions
Health Informatics Centre
dundee.ac.uk/hic
Document Types and ReviewStatic & Formally Approved:HIC Exec & HIC Information Governance Committee
• Policies
• Standard Operating Procedures (SOPs)
• Risk Management Doc
• Information Security Management System (ISMS) Manual
• Business Continuity Plan
Just HIC Exec
• Procedures
Working Documents (technical):Relevant Technical Manager
• Service Descriptions
• Work Instructions
• Asset and Responsibility Matrix
• Disaster Recovery Plans
• Infrastructure Diagrams
Health Informatics Centre
dundee.ac.uk/hic
Structure of Docs in Box Become aware of an improvement of our current procedure
Take a copy of Procedure from “Live” folder and move to “Under Development”.
Draft change using tracked changes.Ask Technical Manager to review.
Technical Manager moves the doc they have approved to “Awaiting Approval Folder” and asks for it to be included in
HIC Exec Meeting Agenda for review.
If approved at HIC Exec either formally approved or sent to HIC Information Governance Committee for additional
formal approval (if document type requires)
Approved doc is moved to “Live” folder by HIC Admin
Procedure Changes
Health Informatics Centre
dundee.ac.uk/hic
Infrastructure comprised UoD, HIC & NHS
University of Dundee Network NHS NetworkHIC Managed Hardware
HIC Managed Hypervisor ClusterHIC Managed Operating Systems
HIC Managed Applications
UoD HardwareUoD Hypervisor
UoD OSUoD Applications
HIC and UoD use identical platform technology and share locationsHardware & responsibility for management varies depending on specificity
University of Dundee Data Centres NHS Locations
Health Informatics Centre
dundee.ac.uk/hic
Timelines• Help from University’s Information Security Officer (Graham McKay)
to get us up to the required standard. • Passed our Stage 1 audit of our documentation in June 2015.• Passed our Stage 2 audit of our systems (do we do what we say we do
in our documentation) in Jan 2016.• Passed second Stage 2 audit July 2016• Now have full audits every 6 months for the next 3 years!
Health Informatics Centre
dundee.ac.uk/hic
Phil Appleby
Jim Galloway
Chris Hall
Duncan Heather Emily Jefferson
Claire Jones Gordon McAllister
Keith Milburn Leandro Tramma
Donald Scobbie
Thomas Nind Guney Hanedan
Graham McKay
Many thanks to the people that did all the work!
Health Informatics Centre
dundee.ac.uk/hic
Questions?
