NMC security requirements
Security Requirements NMC Data Support Platform
Version: Machiel Jansen, 1-7-2010
This page presents a brief overview of the proposed requirements regarding Authentication, Authorization and Accounting (AAA) for the NMC Data Support Platform (DSP). Potential users can request a login and password by applying for an account at the NMC. The NMC will set up a procedure by which new applications will be judged.
Research data may be subject to privacy laws and regulations. The DSP will not enforce these or issue warnings. Instead, a ‘Code of Conduct’ for proper use of the DSP will be set up by the NMC. The system will contain a disclaimer against storing privacy-sensitive data in the DSP. Patient records should NOT be stored in the DSP.
Data will not be stored encrypted. Transfers over the network and the internet will be encrypted using HTTPS. Users will log in with a username and password.
In the DSP we will distinguish roles for each user of the system. Each user will be given at least one role, which allows him or her to perform certain actions within the system. These actions can be of the following types: Create (C), Read (R), Update or write (U) and Delete (D). In addition, data elements in the system are also owned (O) by users with a specific role. Creating a project, study or data file in the DSP makes the user the owner of that data item. Based on the access rights granted by the owner, users have read/write access to the data in the DSP.
The following roles can be distinguished:
- Project Leader: The leader of the project is responsible for the content of and access to the project
- Project Member: Can read/write data in the project
- Sub Contractor: Can own data within the project and may hide data from the project leader
- Global Administrator: Can create users and institutes or organizations
- Local Administrator: Can create users for an institute or organization
- Guest: Has access to public data only
The Project Leader (PL) is the person responsible for the content of the project. He/she is allowed to create studies, samples and data items. The PL can select users and promote them to Project Members (PMs) by assigning read/write access to them, within the context of the project.
If the PL grants a Project Member (PM) read or write access then the PM is able to read or write all data in the project which is owned by the PL. All data that is uploaded or changed in the project is owned by the PL. An exception is formed by data that is created or uploaded by the Sub Contractor in the project owned by the PL. A PL can add a Sub Contractor (SC) to the project. This user can own and create his own data items in the DSP and later transfer ownership to the PL.
The reason for introducing the SC came up in conversations with people from the DCL in Leiden. The DCL often performs measurements for studies and returns the resulting peak information to the PL. The intermediate data is not returned unless it is specifically asked for. To facilitate such use of the DSP, the DCL will take the role of SC and transfer ownership of the peak data files to the PL. Information about QCs and other intermediate or raw data can still be in the DSP but invisible to other users. A Global Administrator (GA) is able to view and change all data within the DSP. This user will be bound by NMC procedures and regulations not to abuse access to the system. The GA is not a normal user of the system but takes care of bugs, problems and maintenance. The GA can also add users and institutes. A Local Administrator (LA) can create users which belong to a certain institute.
The following actions will be logged for accounting purposes.
- Date and time of user log in
- Date and time of user downloading a dataset
- Date and time of user updating or deleting a dataset
- Date and time of transfer of ownership (from SC to PL)
WRITE permissions entail READ permissions; the inverse is not true.
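As an added illustration that is not part of the NMC document, the role, ownership and accounting rules above as a small Python model; the user names, the "R"/"U" grant codes, the audit_log list and the PermissionError are assumptions:

```python
from dataclasses import dataclass, field
# Actions from the document (Create makes the creating user the owner).
READ, WRITE, DELETE = "R", "U", "D"

@dataclass
class DataItem:
    name: str
    owner: str              # a PL, or an SC until ownership is transferred
    public: bool = False    # the only data a Guest may read

@dataclass
class Project:
    leader: str                                       # the PL
    members: dict = field(default_factory=dict)       # PM -> granted "R" or "U"
    subcontractors: set = field(default_factory=set)  # SCs added by the PL

audit_log: list = []   # accounting entries (assumed format): (event, user, item name)

def allowed(user, role, action, item, proj):
    """Authorisation decision; a write grant entails read, never the reverse."""
    if role == "GA":                        # global admin views and changes all data
        return True
    if role == "Guest":
        return action == READ and item.public
    if item.owner == user:                  # owners have full rights on their items
        return True
    if role == "PL" and user == proj.leader:
        # PL reaches all project data except what an SC still owns (hidden)
        return item.owner not in proj.subcontractors
    if role == "PM" and user in proj.members and item.owner == proj.leader:
        grant = proj.members[user]          # PM rights cover PL-owned data only
        if action == READ:
            return grant in (READ, WRITE)
        return action == WRITE and grant == WRITE   # delete stays with the owner
    return False                            # SC on others' data, LA, unknown: deny

def access(user, role, action, item, proj):
    """Enforce the decision and record the accounted events (download, update, delete)."""
    ok = allowed(user, role, action, item, proj)
    if ok:
        audit_log.append((action, user, item.name))
    return ok

def transfer_ownership(sc, item, proj):
    """SC hands a peak file to the PL; the transfer is itself an accounted event."""
    if sc not in proj.subcontractors or item.owner != sc:
        raise PermissionError("only the owning SC may transfer to the PL")
    item.owner = proj.leader
    audit_log.append(("TRANSFER", sc, item.name))
```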
Only anonymous data will be stored in the system. This means that no information which directly links to a patient identity will be stored. In the case of clinical studies, the treating physician is the owner of the patient data and will hold the key which links the anonymous data to the patient data. The project leader, in charge of the investigation, will enter data into the system and is responsible for sharing parts of it with other groups or persons.
Data can also indirectly lead to a person’s identity. It is not clear what impact this has on the requirements of the system. Communication with the database will be SSH/SSL/HTTPS encrypted.
Is 24/7 support needed? Not known, but unlikely. Is there trust in external web services? What part of the data will be stored by the web service provider? It would be best to use only web services that are insourced. The project can learn from Parelsnoer. They share very little data for these reasons.
The following consequences of a breach of security will have to be discussed in more detail:
1. Loss or corruption of data. Backups will have to be provided. Currently there seems to be no need for a mirror system.
2. Disclosure of secrets or sensitive information
3. Disclosure of privileged/privacy information about individuals
4. Corruption of software or introduction of malware, such as viruses
The need for the following types of security has to be discussed:
1. Physical security. Where to host the NMC data warehouse?
2. Access by user role or type.
3. State access control requirements by data attribute. For example, one group of users has permission to view an attribute but not update it, while another group of users has permission to update or view it.
4. State access requirements based on system function. For example, if there is a need to grant access to certain system functions to one group of users but not to another: "The system shall make Function X available to the System Administrator only".
5. State if there is a need for certification and accreditation of the security measures adopted for this application.
The authentication scheme implemented should be able to differentiate between individual users, research groups and companies, and should facilitate separation of concerns within a study.