Enterprise Europe Network Luxembourg IBBL – data protection in practice

Enterprise Europe Network Luxembourg
Data Protection Conference
May 25, 2011, 09h00
IBBL – data protection in practice
Dominic Allen, COO, IBBL
Damien Aps, CFO, IBBL
The Integrated Biobank of Luxembourg (IBBL) is an independent, not-for-profit biobanking and biotechnology foundation
Introduction
• 2008 – Grand Duchy created IBBL to support biomedical research in Personalized Medicine and to work closely with the Lung Cancer Program and the newly created Luxembourg Centre for Systems Biology
• IBBL’s mandate requires it to support a broad range of biomedical research projects and develop research collaborations internationally
• IBBL collected its first sample and data, for a lung cancer study, in 2009, but became fully operational only in mid 2010
• In the immediate future, the IBBL needs to be collecting tissues and associated data to support research in four priority areas:
– Cancer
– Diabetes (T2)
– Parkinson’s disease
– A large population cohort
IBBL must ensure that its data protection policy and practice supports its strategy
Current Status - Specimens
• Collections
– Lung cancer – Two hospitals Luxembourg, one Belgium, one France
– Colon – One hospital Luxembourg
– Brain – One hospital Luxembourg (pending)
– Normal population – One hospital Luxembourg
– Blood samples for cardiovascular clinical trial – 31 EU sites
– Bladder cancer – Spanish National Cancer Research Center
• Types of Samples
– Tumour
– Blood/serum
– DNA/RNA
– Viable cells
IBBL is extending its collection program in Luxembourg and internationally
Current Status – Research & Collaboration
• GBM clonality (TGen & Niclou – CRP-Santé)
• MSRA – Develop SNPs for European strains (TGen & Even – LNS)
• Lipid accumulating bacteria (TGen & Wilmes – CRP-GL & Uni.lu)
• Whole genome sequence of never-smoker (TGen & Betsou/De Witt – IBBL)
• Gene methylation in CML (TGen & Dieterich – Kirchberg) (pending)
• Bladder cancer – biomarkers in urine (Domon – LCP)
• Pre-analytical metabolomics (Biobanque de Picardie, France)
• Tissue biospecimen research (Pathology group in Thionville, France)
• Tuberculosis biobanking, publication in preparation (WHO, Geneva)
• Methodological evaluation of a population cohort, publication submitted (The Institut de Veille sanitaire, France)
• Quality assurance in biobanking, publication submitted (NCRI)
• ISBER on development and implementation of international proficiency testing
IBBL is developing research collaborations internationally
Potential Barriers to Success
• Acquisition of significant volumes of biospecimens for research can only be efficient if consent and collection are part of the standard processes of diagnosis and treatment in regular medical care
• Electronic health records are essential, as is the continuous updating of data associated with human tissue samples stored in biobanks
Efficient collection of samples and data poses important questions relating to data protection
TTP – cornerstone of IBBL privacy protection
Issue
How to ensure the highest level of privacy and confidentiality of donor identity?
Complete anonymization is a poor solution:
• Impossible to provide important feedback to donor
• Greatly reduces the value of the samples because follow-up data not possible
IBBL Approach
• IBBL has contracted with an external partner, ebrc, to provide a service at arm's length – the Trusted Third Party (TTP)
• The functionalities were designed by CRP-HT with the future needs of eHealth in mind
• The concept uses the ORACLE Master Patient Index product
• Double de-identification of all data and highly secure IT links
• The TTP never stores donor medical data (CRF…)
• IBBL never stores donor identifying data (name, address, DoB)
• But the TTP allows continuous updates of donor data
• IBBL can share data and samples with a broad range of scientists without compromising privacy of donor data
TTP De-identification Process
[Diagram: TTP de-identification flow. Panels: Data Source (Collection Site), Trusted Third Party, Data Consumer (IBBL, Researcher). Stages: 1st Level De-Identification, 2nd Level De-Identification. Labelled items: Samples, Demographic Data, Medical Data, Pseudonym, Donor ID, Message ID, Data Management.]
Legend:
DID = De-Identification ID
BEN = Bonded Execution Number
TANS = Transaction Number (Source) / Transaction Number (Destination)
TTL = Time To Live
TTP De-identification Process
• The TTP stores personal identifying data about subjects, but no samples or clinical data or genetic data
• IBBL stores samples and clinical data (as well as information generated by research such as genetic data), but no personal identifying data
• The link is the double de-identified ID of the donor
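The separation described on the two TTP slides can be sketched as follows. This is an added example, not IBBL's or ebrc's implementation: the presentation does not state how the IDs are derived, so HMAC-SHA-256 keyed pseudonyms, the class names and the sample donor are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def keyed_id(key: bytes, value: str) -> str:
    """Keyed one-way pseudonym: cannot be recomputed without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

class TrustedThirdParty:
    """Stores identifying data only; medical data never passes through it."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # second-level secret (assumed)
        self.identities = {}                 # pseudonym -> demographic data
        self._pending = {}                   # message ID -> pseudonym

    def register(self, message_id, pseudonym, demographics):
        self.identities[pseudonym] = demographics
        self._pending[message_id] = pseudonym

    def donor_id(self, message_id):
        # 2nd level: the biobank gets a DID, never the first-level pseudonym.
        return keyed_id(self._key, self._pending.pop(message_id))

class Biobank:
    """Stores medical data under the double de-identified ID only."""
    def __init__(self, ttp):
        self.ttp, self.records = ttp, {}

    def receive(self, message_id, medical):
        did = self.ttp.donor_id(message_id)
        self.records.setdefault(did, []).append(medical)
        return did

class CollectionSite:
    def __init__(self, ttp, biobank):
        self._key = secrets.token_bytes(32)  # first-level secret (assumed)
        self.ttp, self.biobank = ttp, biobank

    def submit(self, demographics, medical):
        # 1st level: derive a pseudonym from the identifying fields.
        ident = "|".join(demographics[k] for k in ("name", "dob"))
        pseudonym = keyed_id(self._key, ident)
        message_id = secrets.token_hex(8)    # links the two halves of one submission
        self.ttp.register(message_id, pseudonym, demographics)
        return self.biobank.receive(message_id, medical)

ibbl = Biobank(TrustedThirdParty())
site = CollectionSite(ibbl.ttp, ibbl)
donor = {"name": "Jane Example", "dob": "1970-01-01"}  # constructed sample data
did_first = site.submit(donor, {"visit": 1, "finding": "baseline"})
did_follow_up = site.submit(donor, {"visit": 2, "finding": "follow-up"})
```

A follow-up submission for the same donor lands under the same DID at the biobank, which is what allows continuous updates without the biobank ever holding a name or date of birth.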
IT Security Policy in IBBL - guidelines
Security is a process, not a state
• ISO 27001 for IT systems
• ISO 17025 for laboratories
• Best practice
• HealthNet Security Policy
• Minimum rights necessary to work
IBBL Network
HealthNet
HealthNet is a telematics platform dedicated to the health sector, whose aim is to provide health professionals and institutions in the sector with:
• an infrastructure allowing them to communicate securely
• specialised applications for exchanging medical test results and, in the future, telemedicine applications
• The HealthNet network is based on lines leased from telecommunications operators and on DSL or ISDN connections via secure channels (VPN)
• Currently all hospitals, some medical analysis laboratories, the research centres, the health insurance funds, the Ministry of Health, the Entente des Hôpitaux Luxembourgeois and about 200 doctors use HealthNet in their daily work
External access
• External access is limited and possible only with an RSA token
• Today, with a token it is possible to access:
– Email
– Bio4D (IBBL’s software platform in development)
Internal security
• Firewall
– Zones (DMZ, Trusted, Untrusted)
– VLANs (Servers, Office, Sensors, Wifi, Guests, Labo … )
– Guests areas
• Active directory
– User rights
– Limited groups access
• Antivirus software
– On the user computer
– On the Exchange system
– On the file server
• Security Policy
– Passwords
– Limited user rights
Next steps – short term (Q2, Q3 2011)
• Monitoring system
– Log monitoring system based on Nagios
– Proxy server for WWW filtering
• Intrusion Detection/Prevention System
• Internal IT procedures
• New backup system
• New IT organization in laboratories (preparing for ISO 17025 accreditation)
Next steps – medium term (Q4 2011)
• IBBL Security Policy
• IT procedures
• Vulnerability assessment system
• IT security training for IBBL staff
• Full audit and penetration test prepared by external company based on ISO 27001 (in 2012)
Thank you