Implementing Security in a Regulated Environment: Expectations of IRBs and Other Regulatory Groups

Frank J. Manion
Fox Chase Cancer Center
Frank.Manion@fccc.edu
Thursday October 4, 2007
Outline
• Background on caBIG project and development of the current security model
• Development of caBIG security from a regulatory perspective
Development of the caBIG™ Security Model
caBIG™ Structure
• Domain Workspaces (focused on specific disciplines)
  – Clinical Trial Management Systems (CTMS): develops a comprehensive set of standards-based tools designed to meet the diverse clinical trials management needs of the Cancer Center community.
  – Integrative Cancer Research (ICR): produces tools and interfaces for integration between biomedical informatics applications and data. This will ultimately enable translational and integrative research by providing for the integration of clinical and basic research data.
  – In Vivo Imaging (IMAG): creates and validates tools and methods to extract meaning from and share imaging data.
  – Tissue Banks and Pathology Tools (TBPT): develops a set of tools to inventory, track, mine, and visualize biospecimens and related annotations from geographically dispersed repositories.
• Cross-Cutting Workspaces (focused on defining and achieving interoperability)
  – Architecture (ARCH): develops the fundamental caGRID platform that supports the analytic tools. caGRID is the underlying network architecture and platform that provides the basis for connectivity, tools deployment, and data sharing between caBIG™ participants.
  – Vocabularies and Common Data Elements (VCDE): evaluates and integrates systems and standards for vocabularies and common data elements and ontology content development, as well as software systems for content delivery. They also define semantic interoperability, train and provide mentors, and provide guidelines for the adoption of standards and CDE harmonization.
• Strategic-Level Workspaces (focused on overarching issues integral to all workspaces)
  – Data Sharing and Intellectual Capital (DSIC): addresses issues and develops recommendations related to data sharing, patient privacy, intellectual capital, security and other policies related to caGRID, as well as other regulatory and proprietary issues.
  – Documentation and Training (D&T): defines guidelines, processes, templates and tools for developing consistent software documentation and training materials and for fostering mentoring activities throughout caBIG™.
  – Strategic Planning (SP): assists caBIG™ senior leadership with strategic planning and vision development activities.
Modified from https://cabig.nci.nih.gov/overview/howitworks/
Issues related to privacy and security are addressed in the Data Sharing and Intellectual Capital Workspace (DSIC WS).
• Goal: identify and then propose solutions to potential barriers to data and resource sharing and other collaborative work across the caBIG community
• These barriers may arise from law, regulation, institutional policies and the desire to protect intellectual property interests
• DSIC WS contains about twenty regular participants, and an additional twenty to thirty ad hoc participants, with a wide range of perspectives and expertise
• Legal and policy requirements related to privacy and security drivers include
  – HIPAA Privacy Rule
  – HIPAA Security Rule
  – The Common Rule for Human Subjects Research
  – FDA Regulations on Human Subjects
  – 21 CFR Part 11
  – State and institutional requirements
Dan Steinberg JD, in https://cabig.nci.nih.gov/working_groups/DSIC_SLWG/Documents/HIPAA_Summit_Presentation_v1_09.26.2006.ppt
Federation
• What is a federation?
  – An association of organizations that use a common set of attributes, practices, and policies to exchange information about their users and resources in order to enable collaborations and transactions. [InCommon website]
• Other (basic technical) characteristics
  – Resources (data, computation) remain under the control of their owner
  – Strict separation of responsibilities for Authentication from Authorization
  – One, and possibly many, directories of the people, objects, and other resources involved
Drivers in caBIG™
• Need to retain local control of resources
  – Presumed very large ultimate community size
• HIPAA
• Possible to leverage 3rd party identity credentials from several initiatives
  – SAFE, CRIX/Firebird FDA 1572 investigator registry
  – Federal e-Authentication credentials
• Possible to leverage campus provided credentials
  – Perceived requirement from some Centers
  – Many members with existing Identity Management infrastructures or projects for the same
Necessary elements for federations
• Common Governance Frameworks
  – Legal Agreements
    • Federation structure
    • Attribute release policies
    • Operating practices
• Common standards
  – Authentication
    • Levels of trust
    • Identity vetting
    • Certifying authorities
  – Attributes
    • Naming
    • Technology – SAML, PKI
• Common Operating Policies and Procedures
  – Variety of frameworks that may provide guidance
    • COBIT 4.0
    • ISO 17799:2005(E)
    • Variety of FIPS/NIST publications
• Agreement on type of federation
  – Federations represent a continuum
Example Legal Agreements – UT System Federation
• UT System IdM Federation Policy Documents
  – Federation Foundation Documents (lists all documents with summaries)
  – Federation Charter
  – Federation Operating Practices
  – Member Operating Practices
  – Federation Attribute Table
  – Membership Fee Schedule
  – Federation Membership Agreement
  – Federation Membership Agreement with Exhibit
See https://idm.utsystem.edu/utfed/
What are the data security and data protection requirements?
Requirements regarding data security
• Confidentiality: the assurance that data are not made available or disclosed to unauthorized persons.
• Integrity: ensure data cannot be changed/deleted/altered by an unauthorized party/person.
• Authenticity:
  – ensure that the person is the one she claims to be.
  – integrity plus freshness.
• Accessibility: upon demand, (patient) data can be accessed and used by authorized people.
• Accountability: actions of a person, especially modifications that she performs on data, can be traced.
Courtesy Ulrich Sax
What are the data security and data protection requirements?
Additional data protection requirements when dealing with person-related data
• Data necessity principle: disclose the person-related data of a patient, but not more than the data needed for the treatment.
• Context of treatment: person-related data of a patient should be disclosed only to the personnel participating in his treatment.
• Patient consent: the patient should formally agree to the handling of his person-related data.
• The guarantee of patient rights: the possibility of rectification, blocking, and deletion of his personal data should be offered.
Courtesy Ulrich Sax
Levels of Assurance
• e-Authentication effort (OMB, NIST SP-800-63) defines four levels of assurance (LOAs) as follows:
  – Level 1 – assertion based, no restrictions on form. Primarily used for session context in anonymous applications
  – Level 2 – assertion based, photo id required to register, remote validation with third party information okay.
  – Level 3 – cryptographic credentials, photo id, remote validation with third party information okay
  – Level 4 – cryptographic hardware based, in person, photo id, two forms of identity
GAARDS Security Infrastructure
From http://gforge.nci.nih.gov/frs/download.php/1416/caGrid-1-0_Users_Guide.pdf
caBIG™ security project – what IRBs want…
Some Challenges in Practice – caBIG™ as a Case Study
• caBIG™ has enormous scope and (potential) scale
  – 800-1000 participants, potentially 10’s of thousands of end users.
• Constituencies requiring differing levels of authorization and regulatory controls
  – Clinical Trials – Strong Authentication (hardware based 2-factor), Digital Signatures
  – Tissue banks and pathology tools – Assertion based identity may be sufficient; HIPAA and the Common Rule still an issue; IP Concerns
  – Integrated Cancer Research – IP Concerns probably predominate, HIPAA may be a factor in some cases
• Complex, evolving technology base at or near state of the art
  – Grid technology, semantic web, etc.
  – Security technology itself is an area in rapid evolution
• Tools vary in:
  – Complexity
  – Maturity of Information Model
  – Security/privacy parameters
  – Regulatory environments
  – Supporting technology requirements
Initial state – circa 2005
• Security viewed as a strictly technical issue
• Regulatory issues viewed as legal and application centric issues
• Strategic planning group felt federation was essential for future proofing
• Variety of standards, but which ones?
• Different constituencies had different views of the beast
  – Grid security, electronic signature, de-identification of PHI from free text, etc.
  – Patient advocates, clinicians, tissue bankers, basic scientists, etc.
• Stronger systematic approach or “engineering process” needed
• Evolutionary, not revolutionary
Intervening activity
• Led to development in late 2005 of the caBIG Security Technology Evaluation White Paper
  – Too focused on technology use cases
  – Did, however, recommend development of a security engineering process as part of caBIG™
• Recommendations from the White Paper included:
  – Develop business-oriented security use & abuse cases
    • Need input from IRBs, Compliance Officers, Honest Brokers, CIOs and other institutional executives, Bioethicists, etc.
  – Vet the notion of employing Federated Identity Management
  – Develop caBIG™ governance policies
    • Success involves multiple layers (i.e., trust, identity vetting, guidelines, data standards, firewalls, physical security, etc.)
  – Involve multiple workspaces and stakeholders in policy development
  – Identify the minimum security requirements from regulatory mandates
  – Develop a Proof-of-Concept implementation
  – Consider the maturity of technologies
  – Consider separating regulated and non-regulated environments
caBIG™ Security Program Goals
• Subsequent development of a project for data gathering
• Major goal was to develop a framework for security engineering for the caBIG™ project as a whole
• Targeted Cancer Centers which are the initial four adopters of caTIES
  – Washington University, U. Pittsburgh Medical Center, Thomas Jefferson, U Penn
• Focus on involving regulatory and other “business users” at the Cancer Centers
  – IRB members
  – Compliance officers
• Deliverables:
  – Capstone governance structure framework and documents
  – Security refinement processes
  – Interconnection security agreement (trust agreement) among adopters
  – Policy and procedures sufficient to operate caTIES at individual Cancer Centers
Method
• Focused on caTIES as a model project
• Four scripted elicitation interview scenarios were developed collaboratively during a 1½ day face-to-face meeting on June 12-13, 2006 by 38 individuals representing a wide spectrum of experts and caBIG™ stakeholders
• Scenario questions focused on Locus of Control, Auditing, Consenting, and De-identification.
• Scenarios used as a basis for interviews with 19 regulatory affairs and information security personnel at six cancer centers
• Interviews were either done face to face (N=5) or by phone (N=14), recorded, and transcribed.
Organizational Role of Interviewees
Organizational Role                                                                          Count
University and IRB legal counsel                                                             3
IRB Director or Chair, or Director of Human Subjects Protection                              5
IRB Regulatory Affairs Officer                                                               1
Information Security Officer                                                                 3
Hospital Privacy Officer                                                                     3
Hospital Compliance Officer                                                                  1
University or Research Institution Privacy Officer (supervising Hospital Privacy Officer)    4
University or Research Institution Compliance Officer                                        3
Institutional Strategic Planning Executive                                                   2
Director of Office of Research, or Vice President for Research                               3
Hospital Department Director of Information Services                                         1
Findings – Governance Issues
• Strong desire for a clear, cohesive and empowered governance entity, separate from government or individual centers
  – Major recurring theme in interviews
  – Should be a separate legal structure
  – Functions include
    • Governance of data exchange
    • Risk assessment
    • Audit
    • Security control
    • Operations
  – Consistent with Cobit 4.0, ISO recommendations
• Substantial concern over stricter European privacy laws
  – Up to, and including, desire not to partner with caBIG™ if in partnership
• Strong desire for risk data to routinely be available to all parties for decision making
  – Issues of risk asymmetry, financial, indemnification
Findings – Application models
• Application Models
  – Application models of security and operational characteristics should be agreed on
  – Includes personal attributes, authorization inventory and authorization attribute definitions done in a systematic fashion across project working groups
  – Includes definitions of private versus public data stores
  – Includes awareness of other types of security exploits such as cross site scripting
• Honest Broker System
  – Trusted third party that acts as a broker, removing identifiers and otherwise brokering transactions
  – Separate from authentication/authorization functions
  – Developed, well-vetted in SPIN project
  – Should be considered as a model for all caBIG™ projects handling de-identified data and “limited data sets” as defined by HIPAA
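As an added illustration of the honest broker pattern described above (example code written for this page, not code from the SPIN project or caBIG), a broker that pseudonymizes medical record numbers with a keyed HMAC and produces either a HIPAA limited data set or a simplified safe-harbor style de-identified view, keeping the re-identification link table to itself. The record fields, the broker secret and the sample records are constructed assumptions, and the safe-harbor rules shown are simplified (small-population ZIP3 suppression is omitted).

```python
import hmac
import hashlib
from datetime import date

# Constructed sample records (hypothetical patients) carrying direct identifiers.
SAMPLE_RECORDS = [
    {"mrn": "MRN-000123", "name": "Jane Doe", "dob": date(1950, 3, 14),
     "zip": "19111", "ssn": "123-45-6789", "diagnosis": "C50.9",
     "specimen_date": date(2006, 6, 12), "age": 56},
    {"mrn": "MRN-000456", "name": "John Roe", "dob": date(1915, 1, 2),
     "zip": "15213", "ssn": "987-65-4321", "diagnosis": "C61",
     "specimen_date": date(2006, 7, 1), "age": 91},
]

# Direct identifiers that are released in neither view.
DIRECT_IDENTIFIERS = ("mrn", "name", "ssn")


class HonestBroker:
    """Trusted third party holding the only key that links pseudonyms back to MRNs."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._link = {}  # pseudonym -> mrn, held by the broker alone

    def pseudonym(self, mrn: str) -> str:
        # Keyed HMAC: stable per patient across requests, but not recoverable
        # without the broker's secret (a plain hash of a structured MRN could be enumerated).
        p = hmac.new(self._secret, mrn.encode(), hashlib.sha256).hexdigest()[:16]
        self._link[p] = mrn
        return p

    def limited_data_set(self, rec: dict) -> dict:
        # HIPAA limited data set: direct identifiers removed; dates and ZIP may remain.
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = self.pseudonym(rec["mrn"])
        return out

    def deidentified(self, rec: dict) -> dict:
        # Safe-harbor style view: dates reduced to year, ages over 89 collapsed, ZIP cut to 3 digits.
        out = self.limited_data_set(rec)
        for k in ("dob", "specimen_date"):
            out[k] = out[k].year
        out["zip"] = rec["zip"][:3]
        out["age"] = "90+" if rec["age"] > 89 else rec["age"]
        return out

    def reidentify(self, pseudonym: str) -> str:
        # Only the broker (e.g. on an IRB-approved request) can reverse a pseudonym.
        return self._link[pseudonym]
```

Because the link table and secret live only with the broker, a consumer of either view cannot recover an MRN on its own, which is what keeps the broker separate from the authentication/authorization functions noted above.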
Findings – Auditing/Regulatory Compliance
• Auditing
  – A central auditing authority appears to be needed
  – Specific tooling, such as unified log analysis tools, is needed to support audit functions.
• Regulatory Compliance and Training
  – Adopter and developer institutions should attempt to agree on a common training set.
• Audit retention policy – very substantial differences between respondents
Findings – Specific infrastructure tooling needed to promote trust
• Desire to have support infrastructure for regulatory “Credentialing” processes
  – Registry of caBIG™ security program accredited “participating” institutions
  – Protocols
  – Trust and security levels of members
  – IRB federal certification status
  – Other metadata
  – Tools to determine ahead of time who can access what data under what circumstances and where from
• Strong authentication was viewed as required
  – Supports notion of OMB e-Auth
• Unaffiliated investigators pose special problems
  – Define steps & governance needed to allow access to regulated resources.
  – Special infrastructure possibly needed for compliance certification and authentication credentialing.
  – An unaffiliated investigator agreement will need to be developed
General ongoing challenges
• Basic vocabulary
• Basic concepts
  – Legal, technical, governance, processes, security
  – Particularly the concept of service discovery and use
• Agreeing on common models at a variety of levels in the architecture
• Agreement on scope of “security”
• Agreeing on degree of scale and complexity in the system
Conclusions to date
• In general, the project provided a reasonable framework in a variety of areas
• A roadmap to secure operations of a “production grid” remains to be done
  – Issue of scale and complexity of the caBIG™ project
• Decisions and agreements still needed by the project
  – Agreement on Federation model
  – Agreement on business model of governance
  – Agreement on necessary authentication practices and levels of assurance
  – Agreement on authorization parameters
Current Status
• caBIG Security Working Group formed
  – Working on common identity standards
  – Agreed on OMB e-Authentication standards per NIST SP-800-63
  – Currently working on LOA-1 agreements
  – Need input from ISSOs and other stakeholders
For more information
• caBIG™ Website
  – https://cabig.nci.nih.gov/
• caBIG™ Security technical evaluation white paper
  – https://cabig.nci.nih.gov/workspaces/Architecture/caBIG_Security_Technology_Evaluation_White_Paper_20060123.pdf
• caBIG™ Security project white papers (8) resulting from interviews with regulatory personnel at six cancer centers
  – http://gforge.nci.nih.gov/projects/secprgmdevl/
    • Initial problem scenarios used for scripted elicitation interviews
    • Requirements analysis
    • Report on Technical Implications
    • Policy compliance report
    • Trust agreements for use in federation
    • Policies for Authentication and Authorizations
    • Standard procedures for signoff on use of caTIES by IRBs
    • Security operations conceptual document
    • Proposed Governance frameworks
Acknowledgements
• Robert Robbins - FHCRC
• Rebecca Crowley - UPMC
• William Weems - UTHSC
• Denton Whitney - OSU
• Dan Steinberg - BAH/NCI
• Marsha Young - BAH/NCI
• Wendy Patterson - NCI
• Amin Chisti - FCCC
• George Mathew - FCCC
• Marcia Ransom - FCCC
• Dom Olivastro - FCCC