DCS Cloud and trusted research environment


Trusted Research Environment Overview

Trusted research environments (TREs) are designed to provide a secure, controlled space in which authorized users can access, store, analyze and share sensitive data, analysis results, large models and other outputs while preserving data privacy, security and compliance. This supports advanced research and development.

Historically, consolidating data for research has meant repeatedly copying and moving data between organizations. A trusted research environment removes the need to physically share data between researchers and organizations: the data stays inside a secure environment, and researchers access and analyze it there under controlled conditions. Computational analysis by authorized researchers, using the tools provided inside the trusted research environment, is therefore an alternative to sharing the data itself.

Advantages of using a trusted research environment

Data creates value when it flows. Genomic data and other types of health data are highly valuable in research, and large-scale genomic data can accelerate innovative research on how to detect, prevent and treat disease, but the scale and sensitivity of these data have created resistance to letting them flow. Compared with traditional methods of copying and moving data, a trusted research environment addresses many patient privacy and data security issues through multi-layered security controls and monitoring and audit capabilities, and offers several advantages for health data research and management.

01 Promoting the value of large-scale health data

To protect patient privacy, most health data is held in each institution's own isolated environment, and sharing data between institutions is complex: beyond signing a data sharing agreement, institutions must also address the security of private health data exchanged between them and the regional regulatory requirements for data sharing and access. A trusted research environment provides the functionality and infrastructure to support large-scale research on sensitive health data. It solves the problem of authorized data sharing, ensures that data is processed safely and responsibly, and promotes data research and value creation without sacrificing data security.

02 Supporting better medical discovery

Large-scale data are essential for understanding disease-forming factors and for identifying patterns and trends in health and disease. Trusted research environments can be used to store and process large amounts of patient data, allowing research to be conducted on a larger scale than traditional methods, making it easier to discover new causes of disease and to develop new, more effective methods of diagnosis, treatment and care.

03 Higher data security

A trusted research environment is a secure, controlled environment in which approved researchers can use the data, but the data never leaves the environment. The most significant advantage of using a trusted research environment for health data management is the ability to store and access sensitive health data securely. Trusted research environments allow approved researchers to work safely while protecting health data from unauthorized access and other security risks.

04 Lower data management costs

In the traditional data sharing model, data is copied and moved, which consumes substantial resources. A trusted research environment minimizes data replication and movement by consolidating data storage and analysis in a single environment, reducing resource consumption. Researchers also avoid the cost of maintaining multiple systems and migrating data, so a trusted research environment is more cost-effective than traditional data sharing methods.

05 Meet legal compliance requirements

In every country and region, the healthcare industry is strictly regulated, and organizations must meet regulatory requirements to ensure that patient health data is processed compliantly. A trusted research environment supports compliance with regulations such as the Personal Information Protection Act, HIPAA and GDPR, and with security standards such as ISO 27001, by providing the necessary control and monitoring measures, helping organizations meet their obligations and avoid costly data breaches and penalties for violations.

Functional Requirements for a Trusted Research Environment

Functional requirements for a trusted research environment differ slightly between countries and regions, but the security measures usually taken to satisfy them have much in common.

The Five Safes framework

The Five Safes framework is the UK Health Data Research Centre's set of characteristic standards for trusted research environments: safe personnel, safe projects, safe settings, safe data and safe output. The framework covers every stage of data management and is widely regarded as the gold standard for protecting sensitive data.

The Five Safes for data access

01 Safe personnel: Only authorized researchers can access the data, and only for approved projects. Data custodians need processes to verify each person's authorization status and must be able to isolate data access between users. All user access to and actions on the data management platform must be recorded to ensure full auditability.

02 Safe projects: A trusted research environment needs a transparent data access application process; for example, users must state the purpose for which they need the data.

03 Safe settings: A trusted research environment must store data securely and apply industry-standard security controls (e.g., data encryption, a ban on exporting individual-level data, and the ability to track researcher and user activity).

04 Safe data: Data must be de-identified and encrypted both at rest and in transit.

05 Safe output: A trusted research environment must support the export of analysis results through a reliable and transparent process that prevents unauthorized data leakage.

Trusted Data Space

A trusted research environment also needs to meet the core capability requirements of a trusted data space, so that data in the research environment can circulate reliably, interact efficiently and create value collaboratively. According to the definition in the Action Plan for the Development of Trusted Data Spaces (2024-2028) published by China's National Data Bureau, a trusted data space is a data circulation and utilization infrastructure, built on rules agreed by consensus, that connects multiple parties so they can share data resources. If the Internet is an ordinary highway for transmitting information, a trusted data space is a motorway fitted with full monitoring, crash barriers and intelligent traffic scheduling.

Three core capabilities of a trusted data space

01 Trusted Control Capability

Supports trusted authentication of the identities of participants and of the data resources, products and services in the space, dynamic control over the whole process of data circulation and use, and real-time verification and tracing of results.

02 Resource interaction capability

Supports unified publishing of data resources, products and services from different sources in the trusted data space, efficient querying, and mutual recognition across entities, so that identities, resources and services can be recognized and shared across spaces.

03 Value creation capability

Supports the participation of multiple parties in data development and use under the constraints of the trusted data space's rules, promotes the transformation of data resources into data products or services, and protects the legitimate rights and interests of all parties involved.

Data Security Best Practices

Beyond the Five Safes framework and trusted data spaces, the systems and infrastructure that support large-scale research should also be highly secure so that researchers can access and analyze data safely and effectively.

The data security protection capabilities of organizations that operate a trusted research environment vary with their circumstances, but the best data security practices generally follow industry-recognized standards such as ISO 27001 and information security level protection. These standards specify the security capabilities an enterprise needs across multiple dimensions of data security, and independent third-party audit bodies generally provide audit and certification services against them.

Organizations can increase the trust of researchers and institutions in a trusted research environment by obtaining audit certification from an independent audit institution to demonstrate that they meet the best standards of data security practices and have strong data security protection capabilities.

Trusted research environment for DCS Cloud

We (DCS Cloud, DCS for short) attach great importance to protecting user information and data. We have built a trusted research environment according to the functional requirements above and apply a range of security measures to protect the data within it, so that raw data never leaves the platform.

Implementing the Five Safes framework

01 Safe personnel

We have established a role-based access control (RBAC) mechanism. Project managers assign roles to project users, and different roles have different access rights to data resources, which gives fine-grained data access control. Project managers manage each role's data access rights and the assignment of roles to users through the rights management module and the application approval process. Users can only access the projects they belong to and the data their role is authorized for; data access between different projects and users is isolated and does not interfere.

In addition, we have established internal rules that strictly limit internal employees' access to user data. Developers use mock or anonymized data for debugging; using real user data is prohibited. Operations and maintenance staff reach server and database resources only through a bastion host, which is the sole entry point and enforces permission control and operation log auditing, and important operations involving user data require multiple levels of approval. These measures effectively prevent unauthorized access to and operations on user data by internal employees.

At the same time, the independent third-party public cloud records DCS users' login and data operation access logs in its own system, including user ID, operation type, operation time, operation details, resource identifier, resource type and remote address. The logs are stored in the third-party public cloud, and the DCS service has a tamper-proof mechanism. A project manager can authorize a project audit role, contact us through the method published on the platform, and apply for the data operation access logs in order to view and audit data access and operation records.

02 Safe projects

Project managers control access to project data through the system's rights management module. A newly added user needs the project manager's authorization to obtain the access rights of the corresponding role for the project's data. When a project user needs access to new data, they must state the reason for using the data and obtain the project manager's approval through the data permission application process before access to that data is granted.

In addition, through data access controls and business logic design, we isolate computation, storage and data between different projects at the software level. Data operations in one project do not interfere with another, effectively avoiding the risk of data tampering and leakage between projects.

03 Safe settings

We have established comprehensive security controls for our system and trusted research environment based on ISO 27001 and the Level 3 requirements of information security level protection, including but not limited to data encryption, data desensitization, access control, approval of high-risk operations, logging and auditing, identity authentication and project data isolation.

Meanwhile, on the principle that prevention is better than cure, we apply DevSecOps (development, security and operations) and the SDL (Security Development Lifecycle) throughout platform development, integrating security practices into every stage of software development. Identifying and resolving security issues early in development makes the system secure by design and reduces the cost and risk of later fixes.

04 Safe data

We use TLS to encrypt data in transit from outside into the platform and between platform components, and additionally encrypt sensitive transmitted information such as passwords. For data at rest we also encrypt sensitive data, using strong encryption algorithms and keys to convert plaintext into unreadable ciphertext and so preserve the confidentiality and privacy of the data.

In addition, we apply data desensitization to users' sensitive data, such as mobile phone numbers and email addresses: the data is transformed according to desensitization rules that remove the sensitive parts, so that it is reliably protected when used within the system environment and displayed in the interface.

05 Safe output

Data output from our environment is entirely under the user's control, and result data can only be exported if the user holds data export permission. Permissions are granted through the permission application process, and records are kept of both permission approvals and data exports. Each operation record includes the file name, operation type, status, file path, operation time and operator. This multi-layered management effectively reduces the risk of unauthorized data leaving the environment.
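The project-scoped RBAC, cross-project isolation and audit records described under "Safe personnel", together with the permission-gated export and export records described under "Safe output", can be modelled in a few dozen lines. The following is an added illustration, not DCS Cloud's code: the role names and rights, and the hash-chained log used to make the audit trail tamper-evident, are assumptions; only the record field names come from the text.

```python
import hashlib
import json
from datetime import datetime, timezone

# Role names and rights are assumed for illustration; the page only says that
# project managers assign roles and that roles carry different data rights.
ROLE_RIGHTS = {
    "viewer": {"read"},
    "analyst": {"read", "compute"},
    "exporter": {"read", "compute", "export"},
}

def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class TrustedEnv:
    def __init__(self, resources):
        self.resources = resources  # project -> {resource_id: resource_type}
        self.members = {}           # project -> {user_id: role}
        self.log = []               # append-only, each entry chained to the previous

    def assign_role(self, project, user, role):
        # The project manager grants roles; a role is scoped to a single project.
        self.members.setdefault(project, {})[user] = role

    def _record(self, **fields):
        # Field names follow the page; the hash chain is an assumed tamper-evidence scheme.
        fields["operation_time"] = datetime.now(timezone.utc).isoformat()
        fields["prev_hash"] = self.log[-1]["hash"] if self.log else "0" * 64
        fields["hash"] = _digest(fields)
        self.log.append(fields)
        return fields

    def _permitted(self, user, project, resource_id, right):
        # Isolation first: the resource must belong to the project being used.
        role = self.members.get(project, {}).get(user)
        return (resource_id in self.resources.get(project, {})
                and right in ROLE_RIGHTS.get(role, set()))

    def access(self, user, project, resource_id, operation, remote_addr):
        allowed = self._permitted(user, project, resource_id, operation)
        self._record(user_id=user, operation_type=operation, resource_id=resource_id,
                     operation_details=f"project={project} allowed={allowed}",
                     resource_type=self.resources.get(project, {}).get(resource_id, "?"),
                     remote_address=remote_addr)
        return allowed

    def export(self, user, project, resource_id, file_path, remote_addr):
        # Result export is gated on the export right and always leaves a record.
        allowed = self._permitted(user, project, resource_id, "export")
        rec = self._record(operator=user, operation_type="export",
                           status="approved" if allowed else "denied",
                           file_name=file_path.rsplit("/", 1)[-1],
                           file_path=file_path, remote_address=remote_addr)
        return rec["status"]

    def verify_log(self):
        # Recompute the chain; an edited, reordered or deleted entry breaks it.
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

A role granted in one project gives no rights in another, and a resource owned by another project is denied even to a user who holds a role there; every decision, allowed or not, lands in the chained log.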

Meeting the core capabilities of a trusted data space

01 Trusted Control Capability

To solve the problem of identifying who accesses the platform's resources, we support trusted identity verification with multi-factor authentication for registered users; only after authentication passes can a user enter the platform and access the corresponding projects and data resources. Data computation, analysis and delivery of results are organized as projects, and each project's computation, storage and data are isolated, which amounts to a data sandbox. Access to data resources within a project is based on the roles the user holds, with different roles having access to specific data resources, and roles are assigned and granted by the project manager according to the rights management process.

In addition, we log the whole process of user data access, operation, circulation and use, including operation time, operator, data object and operation type. Log records are stored in an independent system with a tamper-proof mechanism; they can be viewed but not modified. Logs are retained for at least 6 months, during which the audit role can trace the results of data operations and audit abnormal operations.

02 Resource interaction capability

We provide powerful resource interaction capabilities, supporting the unified publishing and efficient querying of multi-source, multi-type data resources, tools and services in the platform space. Intelligent search and classification management let users quickly locate the resources they need, while cross-project identity recognition and resource sharing allow data, tools and services to flow seamlessly. DCS Cloud gives users an efficient and secure resource interaction environment for integrated analysis of multi-omics data and flexible invocation of tools, ensuring data resources are used efficiently and to maximum value.

03 Value creation capability

We put data value transformation at the core and support multiple parties in developing and using data in the platform space. Through a project-centric collaboration model, users can quickly integrate data and tools into a complete analysis workflow and turn data resources into scientific research results. The platform also provides transparent rules and billing mechanisms that protect the legitimate rights and interests of all parties and keep data sharing and use fair. The platform strictly follows the principle of data sovereignty: users own their data and any derived intellectual property, can securely control their data assets, and can use the platform's tools to turn methods and results into products, protecting innovators' rights while activating data circulation. In addition, the platform supports knowledge sharing and collaborative innovation: users can deposit analysis workflows and results in the knowledge base, forming sustainable data assets that help the data ecosystem thrive.

Follow data security best practice standards

We have established an efficient security organization, formulated a comprehensive security management system, applied multiple security technology platforms, and maintained security education for employees. We have established a data security management system with reference to industry best practice standards to achieve multi-dimensional and multi-level data security protection.

We are certified to several best practice standards in the field of data security, such as the Cybersecurity Level Protection Level 3 certification and the ISO27001 Information Security Management System certification. In addition, we are externally audited annually by an independent third-party auditor to ensure compliance of our security measures with best practice standards.

Conclusion

DCS Cloud always treats user data security and privacy protection as the cornerstone and primary responsibility of its services. We follow the Five Safes framework, the trusted data space requirements and data security best practice standards, and have built a multi-level security protection system, including data encryption and desensitization, strict access control, logging and auditing, and a privacy compliance framework that meets international standards, to deliver a trusted research environment. We know that user trust is the lifeline of digital services, so we build our data defenses to the highest security standards, allowing users to enjoy efficient data services without worrying about privacy disclosure or data abuse, and truly reconciling technology adoption with privacy protection.

References

1. UK Health Data Research Centre, Building a Trusted Research Environment: Principles and Best Practices; Towards a TRE Ecosystem

https://zenodo.org/records/5767586

2. National Data Bureau, One-picture guide | Trusted Data Space Development Action Plan (2024-2028)

https://www.nda.gov.cn/sjj/zwgk/ytdd/1122/20241122163755929549118_pc.html

3. UK Data and Analytics Research Environment, Joint Multi-Party Trusted Research Environment: Establishing infrastructure for secure analysis across different clinical genomic datasets

https://zenodo.org/records/7085536

4. Productivity Alliance, Introduction to the ISO 27001 enterprise information security management system

https://mp.weixin.qq.com/s/ppUtd9lgFNRKfi8PVWgnOg

5. Network Security and Informatization, Learn security with me | Network security level protection: protect your digital life

https://mp.weixin.qq.com/s/DCWTfULkH8vyZwIQks3yag

6. Xu Chen to, [Nature Communications] A cloud-based gene storage and computing environment: TRE (trusted research environment)

https://mp.weixin.qq.com/s/pL3Pv5HisMCKUDsXnip3IQ

7. Microsoft Security Development Lifecycle (SDL)

https://learn.microsoft.com/zh-cn/compliance/assurance/assurance-microsoft-security-development-lifecycle

8. Microsoft, What is DevSecOps? Definitions and best practices

https://www.microsoft.com/zh-cn/security/business/security-101/what-is-devsecops
