Frequently asked questions about Data Security
OncoAct WGS (diagnostics) & Hartwig Medical Database (re-use for research)
1. What types of personal data does Hartwig Medical Foundation (Hartwig) process in the context of OncoAct WGS (diagnostics)?
- Names and e-mail addresses of hospital contacts.
- Indirect patient identifiers: hospital patient number, pathology number
- Direct patient identifiers: initials, (birth) name, date of birth, gender, postal code
- Metadata of the biopsy and tumour, such as tumour type, tumour location and biopsy site
- Measurement results of biological (genetic) material: DNA sequencing data (unaligned reads: fastq files) of patients whose DNA has been sequenced
2. What types of personal data does Hartwig Medical Foundation process in the context of the Hartwig Medical Database (re-use for research)?
- Metadata of the biopsy and tumour, such as tumour type, tumour location and biopsy site
- Clinical data such as treatment data, response and other diagnostic data, such as X-ray and MRI images
- Measurement results of biological (genetic) material: DNA sequencing data (unaligned reads: fastq files) of patients whose DNA has been sequenced
The above personal data is processed and stored in the Hartwig Medical Database under a pseudonym.
Additional personal data is also processed as part of the pseudonymisation:
- Indirect patient identifiers: hospital patient number, pathology number
- Direct patient identifiers: initials, birth name, date of birth, gender, postal code
The above personal data is stored separately and fully secured; it is not part of OncoAct WGS or the Hartwig Medical Database. It is handled under a strict governance structure and used solely to link to external data sources in order to enrich the data in the Hartwig Medical Database. The data sources are linked through pseudonyms, so that patient privacy is preserved.
3. Where does Hartwig Medical Foundation store data processed as part of OncoAct WGS (diagnostics)?
Hartwig uses the Google Cloud Platform (GCP) for this purpose. The data is stored on servers in the Netherlands, with a backup in Finland.
4. Where does Hartwig Medical Foundation store data processed as part of the Hartwig Medical Database (re-use for research)?
Again, the Google Cloud Platform (GCP) is used, with the same backup setup (see question 3).
For both purposes (diagnostics and re-use for research) the data is kept in separate locations within GCP, each subject to a governance structure specifically set up for that purpose (with its own strict access policies); see the schematic overview with additional information under point 5.
5. Schematic representation of the ICT infrastructure
The left-hand side of the figure shows the ICT infrastructure for OncoAct WGS (diagnostics), and the right-hand side that for the Hartwig Medical Database (re-use for research). The various components of Hartwig’s ICT infrastructure are technically segregated, and access to the various systems is segregated as well: access is granted depending on the employee’s tasks.
Additional explanation diagnostic ICT components:
- Diagnostic ‘Silo’; contains direct patient identifiers. Serves solely as input for reporting to the hospital. A strict governance structure applies and access is limited to staff involved in the OncoAct WGS production process. The access logging is audited once every calendar quarter. The data in this silo is deleted 90 days after reporting to the hospital.
- Internal lab database; contains only indirect patient identifiers. Facilitates the laboratory process for processing patient body tissues. Access is restricted to employees involved in the laboratory process. The data is stored in a secured environment for 20 years for quality purposes.
- OncoAct WGS reporting; includes direct patient identifiers on reports. A strict governance structure applies and access is limited to staff involved in the OncoAct WGS reporting process. The data is stored in a secured environment for 20 years (unless otherwise agreed) for quality purposes.
Additional explanation, re-use ICT components:
- Linkage ‘Silo’; contains direct patient identifiers. Serves solely to enable links to other data sources. A very strict governance structure applies and access is only possible after going through a consent process (Hartwig Medical Foundation board / DPIA).
- Hartwig Medical Database; does not include patient identifiers. All data is stored and shared under Hartwig-specific pseudonyms.
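The pseudonymisation and linkage described in questions 2 and 5 (direct identifiers kept in a separate silo, research data and external sources joined only through pseudonyms) can be illustrated with a keyed-hash scheme. The code below is an added example, not Hartwig's own code: the page does not say how Hartwig-specific pseudonyms are derived, so the HMAC-SHA256 construction, the field names and the sample records are all assumptions made here for illustration. What it shows is the property the FAQ relies on: the research database never carries direct or indirect identifiers, an external registry can still be joined to it, and without the key held in the silo nobody can compute or reverse the pseudonyms (a plain, unkeyed hash of date of birth plus postal code would be trivially brute-forced).

```python
"""Pseudonymisation and linkage with a keyed hash (illustrative example, not Hartwig's implementation)."""
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

# Identifier categories as listed in the FAQ; field names are an assumption of this example.
DIRECT_IDENTIFIERS = ("initials", "birth_name", "date_of_birth", "gender", "postal_code")
INDIRECT_IDENTIFIERS = ("hospital_patient_number", "pathology_number")


def _normalise(value: str) -> str:
    """Canonicalise an identifier so spelling variants ('J.P.' vs 'JP', '1234 AB' vs '1234AB') match."""
    value = unicodedata.normalize("NFKC", value)
    return "".join(ch for ch in value.casefold() if ch.isalnum())


def pseudonym(key: bytes, record: dict) -> str:
    """Derive the pseudonym from the direct identifiers with HMAC-SHA256 under a secret key."""
    canonical = "\x1f".join(_normalise(record[field]) for field in DIRECT_IDENTIFIERS)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def release_for_research(key: bytes, record: dict) -> dict:
    """Return only what may enter the research database: pseudonym plus non-identifying fields."""
    banned = set(DIRECT_IDENTIFIERS) | set(INDIRECT_IDENTIFIERS)
    out = {k: v for k, v in record.items() if k not in banned}
    out["pseudonym"] = pseudonym(key, record)
    return out


def link_external(key: bytes, external_records: list, research_db: list) -> list:
    """Enrich research records with an external source, joining on pseudonym only.

    The external records are pseudonymised with the same key inside the silo, so the
    join happens on pseudonyms and no identifier is copied into the research data."""
    by_pseudonym = {r["pseudonym"]: r for r in research_db}
    banned = set(DIRECT_IDENTIFIERS) | set(INDIRECT_IDENTIFIERS)
    enriched = []
    for ext in external_records:
        p = pseudonym(key, ext)
        if p in by_pseudonym:
            merged = dict(by_pseudonym[p])
            merged.update({k: v for k, v in ext.items() if k not in banned})
            enriched.append(merged)
    return enriched


def contains_identifiers(record: dict) -> bool:
    """Sanity check before anything leaves the silo."""
    return any(f in record for f in DIRECT_IDENTIFIERS + INDIRECT_IDENTIFIERS)


# Constructed sample data (fictional persons, not real patients).
SILO_RECORDS = [
    {"initials": "J.P.", "birth_name": "Jansen", "date_of_birth": "1961-03-14",
     "gender": "F", "postal_code": "1234 AB", "hospital_patient_number": "H-00017",
     "tumour_type": "melanoma", "biopsy_site": "skin"},
    {"initials": "A.", "birth_name": "de Vries", "date_of_birth": "1975-11-02",
     "gender": "M", "postal_code": "5678 CD", "hospital_patient_number": "H-00042",
     "tumour_type": "colorectal", "biopsy_site": "liver"},
]

# Constructed external registry: same person spelled differently, plus treatment data.
EXTERNAL_RECORDS = [
    {"initials": "JP", "birth_name": "JANSEN", "date_of_birth": "1961-03-14",
     "gender": "f", "postal_code": "1234AB", "treatment": "anti-PD-1", "response": "PR"},
    {"initials": "X.", "birth_name": "Unknown", "date_of_birth": "1990-01-01",
     "gender": "M", "postal_code": "0000ZZ", "treatment": "none", "response": "n/a"},
]


def demo(key: Optional[bytes] = None) -> list:
    """Build the research view from the silo and enrich it from the external registry."""
    key = key or secrets.token_bytes(32)  # in practice held in the silo / a KMS, never in the research environment
    research_db = [release_for_research(key, r) for r in SILO_RECORDS]
    return link_external(key, EXTERNAL_RECORDS, research_db)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Only the first external record matches, and the enriched row carries the pseudonym, tumour metadata and treatment data but none of the identifier fields; with a different key the same identifiers yield a different pseudonym, which is why the key must stay inside the linkage silo.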
6. Does Hartwig Medical Foundation have information security certification?
Hartwig Medical Foundation has been ISO27001 certified (ISMS-K107606/01) since 15 April 2021. The Public Statement of Applicability (HMF-ISMS-260) and the Information security policy (HMF-ISMS-195) will be sent upon request.
7. How does Hartwig Medical Foundation ensure continuity of data availability (backups, restore testing, fallback procedures, etc.)?
Hartwig has a continuity plan in accordance with ISO27001. In addition, Hartwig Medical Foundation has a comprehensive backup system that is tested every calendar quarter. The Business Continuity Plan (HMF-ISMS-233) and Back-up policy (HMF-ISMS-200) are available for inspection and can be consulted at Hartwig Medical Foundation.
8. How does Hartwig protect its systems?
The IT pipeline (software repositories) is publicly available on GitHub. The data is stored on the Google Cloud Platform (GCP), and all processing, including running the IT pipeline, also takes place within GCP. This service is provided by Google and falls under the supplier (performance) procedure that is part of the quality system for which Hartwig Medical Foundation is accredited (EN ISO/IEC 17025:2017). Hartwig has furthermore adopted additional security measures (GCP additional security measures (HMF-ISMS-204)). This document is available for inspection and can be consulted at Hartwig Medical Foundation. Hartwig also raises information-security awareness among its staff (e.g. about phishing and IT security in general); regular training sessions are organised on these topics.
9. How is the data secured at Hartwig?
Data ‘at rest’ (stored data) is encrypted within GCP using Customer-Managed Encryption Keys (CMEK), i.e. keys under Hartwig’s own management rather than Google’s default keys; data ‘in transit’ (data moved between systems) is encrypted as well. Access to systems and data is limited as far as possible to what an employee needs to perform his or her tasks. Ground rules have additionally been adopted on how to handle sensitive data. All Hartwig Medical Foundation staff are required to sign an NDA or a confidentiality obligation at the start of their employment.
10. How is access to the data set up?
Data used as part of OncoAct WGS (reporting for diagnostics) is shared via Hartwig’s secure portal (Nextcloud), and only with persons authorised by the hospital for this purpose. Login requires two-factor authentication.
Data included in the Hartwig Medical Database is shared for scientific research via the Google Cloud Platform (GCP), after the data request has been reviewed by a Scientific Board and a Data Access Board and approved. Applicants must create a GCP account using their institutional e-mail address, protected by two-factor authentication. That GCP account is granted access to the requested data for a restricted period only.
Every calendar quarter the access logs of these systems are reviewed.
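The quarterly access-log review described above can be partly automated by checking every logged access against the list of approved, time-limited grants. The script below is an added example and not Hartwig's tooling: the grant table, the sample log lines and the allowed e-mail domain are constructed here, and the log entry layout (`protoPayload.authenticationInfo.principalEmail`, `resource.labels.bucket_name`, `timestamp`) is modelled on the fields GCP Cloud Audit Logs expose for storage access, which is an assumption of this example rather than something the page states. It flags three things a reviewer would want to see: a principal whose account is not from an institutional domain, access to a bucket with no approved grant, and access after a grant's restricted period has ended.

```python
"""Review storage access logs against approved, time-limited data grants (illustrative example)."""
import json
from datetime import datetime, timezone

# Constructed: approved applications, each granting one account access to one bucket for a fixed period.
GRANTS = [
    {"principal": "researcher@example-university.edu", "bucket": "hmf-share-app-17",
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-03-31T23:59:59Z"},
]
INSTITUTIONAL_DOMAINS = {"example-university.edu"}  # assumption: domains accepted as institutional

# Constructed newline-delimited JSON log lines, modelled on GCP Cloud Audit Log fields (assumption).
SAMPLE_LOG = """
{"timestamp": "2024-02-10T09:15:00Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "researcher@example-university.edu"}}, "resource": {"labels": {"bucket_name": "hmf-share-app-17"}}}
{"timestamp": "2024-04-02T08:00:00Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "researcher@example-university.edu"}}, "resource": {"labels": {"bucket_name": "hmf-share-app-17"}}}
{"timestamp": "2024-02-10T10:30:00Z", "protoPayload": {"methodName": "storage.objects.list", "authenticationInfo": {"principalEmail": "researcher@example-university.edu"}}, "resource": {"labels": {"bucket_name": "hmf-share-app-99"}}}
{"timestamp": "2024-02-11T22:45:00Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "someone@gmail.com"}}, "resource": {"labels": {"bucket_name": "hmf-share-app-17"}}}
""".strip().splitlines()


def _parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def review_access_log(log_lines, grants=GRANTS, domains=INSTITUTIONAL_DOMAINS) -> list:
    """Return one finding per policy deviation; an empty list means every access matched a valid grant."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        principal = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
        method = entry["protoPayload"]["methodName"]
        bucket = entry["resource"]["labels"]["bucket_name"]
        ts = _parse_ts(entry["timestamp"])
        base = {"timestamp": entry["timestamp"], "principal": principal, "bucket": bucket, "method": method}

        # 1. Only accounts on institutional domains should ever appear.
        if principal.rsplit("@", 1)[-1] not in domains:
            findings.append({**base, "reason": "non_institutional_account"})

        # 2. There must be a grant for this principal and bucket ...
        matching = [g for g in grants if g["principal"] == principal and g["bucket"] == bucket]
        if not matching:
            findings.append({**base, "reason": "no_grant_for_bucket"})
            continue

        # 3. ... and the access must fall inside the restricted period.
        in_period = any(_parse_ts(g["valid_from"]) <= ts <= _parse_ts(g["valid_until"]) for g in matching)
        if not in_period:
            findings.append({**base, "reason": "outside_grant_period"})
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['principal']} {f['bucket']} {f['method']}: {f['reason']}")
```

On the sample input the first line is clean, the second is outside the grant period, the third touches a bucket with no grant, and the fourth is both a non-institutional account and ungranted. In practice the grant table would come from the Data Access Board's approvals and the log lines from an export of the project's audit logs; revoking the IAM binding when a period ends is still the primary control, and this review is the check that the revocation actually happened.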
11. What is the hardening process that ensures that ICT components involved in providing the services are secured against attacks? In what way and with what scope and frequency are vulnerability assessments and pen tests performed? Does that include code reviews?
Hartwig Medical Foundation follows ISO27001 guidelines and has regular penetration tests performed (every two years) for this purpose. The pen tests do not include code reviews, but Hartwig Medical Foundation follows a secure development procedure (Secure development policy (HMF-ISMS-199)). Furthermore, an internal risk assessment takes place at least once every calendar quarter. Results of pen tests and risk inventories are included in a risk analysis and handled in accordance with the risk procedure (Risk analysis methodology (HMF-ISMS0196)). These documents are available for inspection and can be consulted at Hartwig Medical Foundation.