The Interoperable Informatics Infrastructure Consortium (www.i3c.org)
is an open, global organization that coordinates and guides the design and development of
methodologies and software that support computer-held data and software tool
interoperability in pursuit of work that develops and promotes global, vendor-neutral
informatics solutions that improve data quality and accelerate the development of life
science products.
It needs expert information security input to ensure they provide appropriate security
for the biotechnical and life-sciences research and development industry which they aim to
support.
Mike Jerbic has established contact between our Security Forum and the I3C. Both the
Security Forum and I3C appreciate that we have mutually beneficial interests, in us both
properly understanding their real business requirements for secure computing in a
specialist vertical professional industry, and identifying appropriate information
security solutions that will meet their requirements.
We have held several teleconference discussions in which we have explored aspects of
these issues and how we can collaborate. This outreach to a vertical industry sector is in
line with the Security Forum's strategy of engaging with such industries. On 6 May 2003,
Dave Lounsbury gave a presentation to an I3C meeting in Boston describing how the Security
Forum believes it can help them and benefit from analyzing their requirements. This joint
meeting in Boston, for which I3C signed up as a Conference Supporter, is a further stage
in developing our relationship.
In this joint meeting, the agenda was to discuss opportunities for collaboration on
specific projects which we will take forward jointly.
After a round of introductions, Brian Gilman gave a presentation
on the I3C's activities, and its issues and challenges in providing adequate information
security in the Life Sciences industry's very large consumption of IT resources.
Brian presented two use cases to illustrate the challenges involved:
- Two organizations form a collaboration where researchers are given access to proprietary
databases (e.g., histopathology databases). Researchers are given access to only a subset
of the data. There is often a need to disallow access to certain data (name, SSN, etc.)
but allow access to other information (phenotype, affected status, etc.).
- A database of phenotype/genotype and drug sensitivity data has been made available to an
international group of researchers collaborating over the Internet. Patients are asked to
fill in diagnostic forms on the website. Patients are not allowed to modify their answers.
Full confidentiality of the patients contact information is required by law. Doctors
are only allowed to see the inputs from a subset of patients to whom they have been
assigned.
Common Requirements: the FDA requirements enforce digital signature of documents,
experiments, and samples; we must ensure identity and authority in computer systems; we
must provide facility to disallow access to subsets of data; we often need to set up a
hierarchy of role-based query and access control; and we must provide means to disallow
identification of patients based on analytical results and samples taken from the patient.
Security is critical in life sciences to enable collaboration, protect intellectual
property, and to comply with regulatory requirements (HIPAA, and 21 CFR Part 11), and
reduce financial risks. Brian expanded on each of these in his presentation.
Brian emphasized how the I3C recognizes the value of leveraging existing expertise that
exists in the Security Forum in deciding how to address evolving requirements as their
industry expands.
Common requirements include identity management, and authorization to access and
manipulate scientific data. Also relevant here is the lifetime of data storage on
electronic media, because regulatory requirements demand long-time storage of information.
Nick commented that many of the issues raised in I3C's presentation on life sciences
have similar if not the same requirements in other industries, so he hopes the solutions
will be shared. In discussion this was characterized as approximating to the 80:20 rule,
where 80% of the requirements are common to most industries, with 20% being particular to
the sector-specific industry.
Bob considered the privacy and lifetime requirements in life sciences probably fall
into this 20% category. Nick noted that the Medical and Education sectors have for many
years claimed their requirements are special and need solutions which are individual to
them; however, his experience suggests they are no different in their security
requirements from any other industry sector. The exceptional and perhaps
unique requirements are usually complex and hard to fix. However, putting 80% of
their security in place is very important and worthwhile. Other Security Forum customer
members supported Nick's viewpoint. Bob cautioned that the real problem is that the life
sciences industry is not well advanced in information security, and best practices are the
best starting point, not advanced technology solutions.
Mike Jerbic then gave to I3C a summary presentation on
what the Security Forum is about, for the benefit of I3C members, covering what The Open
Group is, what we used to do, why we do things differently now to address the real
information security challenges we face today, the variety of security-related activities
currently being addressed in The Open Group across all its Forums, what our Boundaryless
Information Flow vision is about and how the Security Forum supports this in its work on
architectures (design patterns, family of architectures, and TOGAF), education (Managers
Guides series), risk management and active loss prevention, and engagement with real
challenges in specific industry sectors (like biotech). Mike closed by listing good
reasons why the Security Forum and I3C should work together:
- Some of I3C's problems arent unique - some have already been solved (wed
like to share what weve learned) and some havent so are of interest to us to
address as real requirements. For your unique problems our approaches may help.
- Your requirements may be bellwethers in other Open Group member industries.
- Regulatory concerns affect all of us if not now, in the future.
- We can help with jump-starting your processes.
Nick observed that much can be done at a low level to improve information security in
any organization and environment. Having a sound business policy for an industry sector's
information security is absolutely essential. Furthermore, that policy needs to have ways
of permeating the whole of the consumer's organization, which requires effort to market
security through the whole organization.
Brian Gilman asked how we characterize software architecture. Bob noted this has
evolved over several years in The Open Group, and is now expressed in three main ways:
design patterns, TOGAF (generic building blocks methodology), and family of architectures
(high-level views of data flows and business relationships). All are seen as complementing
each other and having their own characteristic strengths.
Joyce asked what the deliverables are from this group and how we make them available.
Ian explained that all document deliverables are freely available from the public areas of
The Open Group website. Work-in-progress in specific Forums is also available from our
website, but is only accessible to members of The Open Group. If I3C were to become
members, then all I3C members would be able to access the members-only information.
Discussion on how to move forward included the following suggestions:
- Build a common body of knowledge and put together a package of documents
- Show a structured way of assimilating it
- Set up trials with other vertical industry sectors to check and improve its
effectiveness
- Give I3C a set of tools to try out and they will report back on their experience
- Set up joint working groups to:
- Access security awareness and capability - perhaps define ways to significantly improve
education, maybe using a questionnaire
- Address a specific and immediate I3C security problem
- Address use cases supplied by the I3C by analyzing them using our design patterns
It was noted that the next I3C meeting is in October 2003 in England, and the following
one is in the US in mid-February 2004. It was agreed we would like to demonstrate results
of mutual value sooner rather than later, so aiming to do so by I3C's Oct 2003 meeting is
preferable.
Oracle Security
Joyce Peng, Oracle's Security Product Manager, Life Sciences, gave a presentation on Security in Oracle Database Products. Joyce covered four
particular areas:
- Security Challenges
Joyce highlighted the main challenges as Privacy of Communications, Sensitive Data
Storage, Granular Access Control , Scalability, Ease-of-use, Know your Users, Audit trail,
eRecords & eSignatures.
- 21 CFR Part 11
These are Regulations that provide criteria for acceptance by FDA of electronic records,
and handwritten signatures executed to electronic records as equivalent to paper records
and handwritten signatures executed on paper. The key requirements here are Strong
Security - to ensure the authenticity, integrity, and confidentiality of electronic
records; a sound Audit Trail; Operational System Checks; and Electronic Signatures
to ensure that the signer cannot readily repudiate the signed record.
- HIPAA
Health Insurance Portability and Accountability Act, USA 1996, followed by the
Administrative Simplification Act which addressed what privacy information must be
protected and how security of healthcare information should be protected. Joyce considered
how identity and authentication, privacy and secure networking, access control, databases
and data encryption, and auditing to achieve acceptable accountability, all fit here.
- Oracle Security
Joyce listed database security features and criteria and compared their availability in
Oracle to that in IBM DB2 and Microsoft SS2000. She went on to discuss availability and
business continuity features, and described how Oracle's PCASSO (Patient Centered Access
to Secure Systems Online) product satisfies the HIPAA requirements for securing patient
data in the healthcare industry.
- Life Sciences User Group - Meeting on 10 Sept 2003 - San Francisco:
Joyce closed her presentation with mention of this meeting, to be held at Oracle World.
Issue URLs to I3C, and to the Security Forum, advising where to find deliverable
documents published by the Security Forum in particular and by The Open Group in general.
ACTION: Ian
Work with Brian, Joyce, and Ian to assemble at least one package proposing specific
work that we can undertake as a joint project of mutual benefit to both I3C and the
Security Forum.
ACTION: Mike Jerbic
Schedule a teleconference including Brian, Joyce, and Mike, to agree and resource a
joint security-related project.
ACTION: Ian
Arrange with Brian and Joyce to share in delivering reports on our joint project(s) to
the I3C members meeting in Hixton, England in October 2003.
ACTION: Ian