Announcing support for protected data management
August 31, 2018 | Rachana Ananthakrishnan
I’m excited to announce that Globus services can now be used to manage protected data, including data regulated by the Health Insurance Portability and Accountability Act (HIPAA).
The rich capabilities that Globus delivers for research data management are now suitable for use with data that requires higher security assurance such as HIPAA-protected data, controlled but unclassified data, and data use agreements that require compliance with NIST 800-53 or 800-171 controls. With this release and the availability of new set of high assurance features, researchers will be able to transfer and share data while meeting the more stringent authentication and privacy requirements associated with research involving protected data.
We received many requests for this capability, both from researchers and from subscribing institutions. Researchers have expressed a need to manage their protected data via the familiar Globus interfaces and services that they’ve come to rely on. Along the same lines, many institutions are deploying up protected data environments and want to use the same scalable Globus infrastructure that’s available to researchers in other environments.
Here are some scenarios that will benefit from the high assurance features in Globus:
- Institutions with secure enclaves where researchers store and analyze data with higher security requirements. For example, the genomic, biometric, and imaging data collected by the Chicago Pancreatic Cancer Initiative are identified with the individual patient whose care the data has the potential to impact, and thus it is essential to protect its confidentiality and integrity. Yet this data must be accessed by a team of clinicians and researchers at multiple institutions in order to extract meaning. The Globus High Assurance subscription includes the robust access control, encrypted transfer, and rigorous auditing capabilities required for secure data access in such environments.
- Multi institutional studies and collaboration, where data needs to be shared across security domains governed by policies set forth by institutional review boards (IRBs). globus-expands-data-services-accelerate-secure-cancer-research. [NCI’s effort to build protected networks for cancer researchers ](/news/globus-expands-data-services-accelerate-secure-cancer-research) is one such example. Multi-institutional clinical trials at MGH Martinos Center for Biomedical Imaging is another, where images from trial subjects may include PHI in file names and customer header fields. Now that Globus can be used to manage such data, researchers will be able to accelerate the pace of their research by more easily moving and sharing human subject research data between collaborators.
- Core facilities including sequencing centers, cryo-EM, and imaging facilities that need to securely distribute data to investigators at the host institution, and to collaborators at external organizations. Distribution of image data can be particularly difficult due to its size and scale, and inherent identifiable information. Using Globus as a platform, core facilities producing sensitive data can now build automated, auditable data distribution pipelines so their users can access data quickly and securely.
Institutions can make Globus high assurance features available to their users by deploying the latest version of Globus Connect Server software, version 5.2. Administrators will have additional configuration options for high assurance data access, and some enforced features such as automatic encryption of all data transfers to and from such endpoints. A strong audit trail, written directly on the subscriber’s storage system, allows administrators to reconstruct data access and user activities.
Users accessing data on such endpoints will see the effects of additional authentication assurance, as determined by the policy set on the endpoint they are accessing. This might require them to re-authenticate within an application session to continue accessing the data, or to authenticate with a specific identity within session, even if they have logged in with a linked identity.
The user experience for access to non-high assurance endpoints remains as it is today, and the high assurance use is as streamlined as possible, while respecting the required security policies.
Next Steps: How to Get Globus with Support for Protected Data
Support for protected data is available for Globus users in two new subscriptions: the High Assurance subscription includes the features described above, and the HIPAA Business Associate Agreement (BAA) subscription adds a BAA for written assurance that PHI will be appropriately safeguarded by Globus.