The Challenge
Biomedical organisations serve as custodians of patient clinicogenomic data and serve a range of internal and external researchers. This presents a formidable challenge in ensuring strict compliance with data security and privacy regulations.
To secure assets and safeguard against data leaks, many organisations develop their own bioinformatics workflows for carrying out data analyses in silos. This has led to fragmented pockets of non-interoperable research, severely hindering scientific collaboration.
Biomedical data needs to be accessible to accelerate clinically actionable research insights. To a great extent, cloud services have bridged the gap between data accessibility and security by democratising access and affording different levels of data protection.
However, when it comes to highly sensitive patient records and associated multi-omics data, healthcare organisations are justifiably wary. Patient confidentiality, data governance, informed consent, and data security are crucial considerations that require additional protective layers — such as a Trusted Research Environment.
What is a Trusted Research Environment?
A Trusted Research Environment (TRE) is a digitally secure data environment. Think of the Reference Section of an institution’s library. Patrons browse and read books from this section on the premises, but cannot take them out of the library without the explicit permission of authorities with higher-tier access.
A TRE functions similarly, enforcing high levels of security that rigorously control and monitor data flow at all times. Most TREs follow the Five Safes framework: Safe People; Safe Projects; Safe Settings; Safe Data; Safe Outputs. A TRE that provides high levels of control for each ‘Safe’ is geared towards maximising research benefits without compromising data safety.
With TREs, researchers can access and analyse de-identified data (data without sensitive information like names, commercial or identifiable information) without needing to remove it from the controlled TRE environment.
Trusted Research Environments (TREs) on Quark
Quark’s TRE provides a dedicated and streamlined research environment called Workstation, to analyse sensitive data and promote ethical collaborative research. Every Quark TRE user can request their own Workstation, where data access is rigorously monitored and controlled by the Project’s Administrator.
Quark TRE also enhances data protection by integrating with cloud services and their range of data restriction and access controls, such as Role-Based Access Control (RBAC), Identity and Access Management (IAM), and Multi-Factor Authentication (MFA).
Workstations (WS) are controlled by the Project’s Administrator. Each user’s workstation needs to be approved by the Administrator. No user can access data without prior authorization from the Project Administrator.
Data does not leave its environment, and is automatically scanned before use. In addition to these stipulations, other controls may be enforced by the User or the Administrator to control data usage and enhance its security.
Administrator-Level Controls
For each project, the Project Administrator defines multiple types of Workstations that users can create to request data access. Administrators can control the operating system and all the software that is available as part of Workstations provided to users.
Administrators may attach pre-existing datasets to Workstations and provide access to individual users.
In addition, Project Administrators may exercise the following controls:
- Track audit logs of each Workstation to monitor its usage.
- Restrict the capacity of different Workstations based on their memory and CPU/GPU usage.
- Monitor costs and assign budgets at a project and user level.
- When a user needs to upload or download data, the Project Administrator will need to authorize the data upload/download. All data uploads/downloads are scanned for viruses before authorization.
- Administrators may implement project-wide data access and attach datasets to the Workstations for users’ downstream analysis. This avoids ‘repeat requests’ for data access by individual users, and places constraints on the number of Workstations approved for a project.
Secure, Collaborative Environments for Users
Users of varying roles and technical backgrounds can seamlessly use Workstations to securely collaborate and carry out their analyses.
- Data Management: Seamlessly bring data from various sources to Workstations. All data is automatically scanned for viruses and sent for the administrator’s approval. Similarly, users can download data from Workstations for further analysis. All download requests are also sent for the administrator’s approval.
- Self-service Workstation Management: Users can start, stop and manage their Workstations through a simplified user interface without any deep technical expertise.
- Workstation Lifecycle Policy: Users may set a lifecycle policy for their Workstations, ensuring that their Workstations are automatically stopped when they are not in use (e.g., a Workstation “enabled” from Mon–Fri, 9 am – 5 pm, is stopped when the user is away). The lifecycle policy has the additional benefit of minimizing the costs of Workstation upkeep.
- Set Workstation Capacity: Users can select workstation capacity (compute and memory) from a predefined set of capacity configurations and obtain approval from the administrator to start their work.
- Monitoring: Users can track CPU, GPU and Memory usage of Workstations in real-time to understand usage and troubleshoot any issues.
- Cost Visibility: Users get real-time visibility of costs associated with their Workstations.
Concluding Remarks
Biomedical data needs rigorous security as it is sensitive to data leaks and confidentiality breaches. This is one reason why many organisations prefer to carry out their data analyses in silos, which leads to fragmented and non-interoperable pockets of research studies.
Trusted Research Environments, or TREs, are one solution being increasingly adopted by institutions worldwide to bridge the gap between data security and accessibility. Quark’s TREs enforce stringent adherence to data security and privacy regulations so that institutions can secure their assets, maintain data governance, and control data flow at all times — without impacting ethical collaborative research.
Additional privacy controls restrict and monitor data usage. For example, Quark TREs are completely auditable under the Project Administrator’s oversight, and users need to be authorized by the administrator to utilize a workstation.
Finally, Quark is future-proof against advances in computing infrastructure, affording users a flexible research environment that harnesses powerful analytical tools without needing to leave the TRE. Oriented towards providing a comprehensive solution, Quark TREs ensure continuous and remote data accessibility without compromising their high data security standards.