Data Security Infrastructure Policy: updated guidelines for implementing widespread security policies

22 Oct 2019

The Data Security Infrastructure Policy (DSIP) was developed as a foundational policy of the Global Alliance for Genomics and Health (GA4GH) by the Data Security Work Stream to facilitate the responsible sharing and processing of genomic data.

Image Credit: Stephanie Li, GA4GH

Trust is necessary for effective, responsible genomic data sharing. But without a safe, robust, and trustworthy technology infrastructure, it is difficult for stakeholders to trust one another, for users to trust the platforms within which standards are implemented, and for patients and participants to trust their personal data will be handled responsibly and respectfully. 

The Data Security Infrastructure Policy (DSIP) was developed as a foundational policy of the Global Alliance for Genomics and Health (GA4GH) by the Data Security Work Stream to facilitate the responsible sharing and processing of genomic data. Originally published in 2014, the DSIP outlines basic security best practices for standards development and implementation within the GA4GH ecosystem. The GA4GH Steering Committee has now approved an updated version of the document, which provides guidelines for safely and securely handling sensitive information.

The DSIP was developed in accordance with the Framework for Responsible Sharing of Genomic and Health-Related Data, and is updated periodically as the needs and innovations in genomic data sharing change. As with all GA4GH standards, the DSIP is focused on forming a foundation of trust in the genomics and health data sharing community. 

“This standard isn’t a physical or functional implementation,” said Dixie Baker, primary author of the original document. “Rather, it is a set of recommended best practices and security standards to guide the implementation and operation of a trustworthy and federated environment for sharing data and genomic standards.”

The most recent update defines the roles and responsibilities GA4GH stakeholders play in maintaining security technology best practices. By defining and differentiating between data contributors, controllers, and processors, the authors of the DSIP were able to clarify comprehensive and specific responsibilities of each entity in ensuring a trustworthy community for data sharing and data processing.

“GA4GH Work Stream contributors rely on a set of common data security values and expectations to ensure the standards produced will interoperate within the overarching GA4GH ecosystem,” said Jean Pierre Hubaux, co-lead of the GA4GH Data Security Work Stream and lead on the DSIP revision. 

The DSIP holds developers to a high caliber; it outlines protocols for typical security technologies—authentication, authorization, access control, and audit—but also helps developers build systems that are durable against threats to data integrity, confidentiality, and service availability. “This framework underlies every standard developed by GA4GH contributors,” said Hubaux, who is a full professor in the Laboratory for Data Security at L’Ecole Polytechnique Fédérale de Lausanne (EPFL).

Designed in response to risks of data breach, unwarranted destruction of data, disrupted access, and other unethical or illegal actions against data security controls, the DSIP provides recommendations for appropriate responses on behalf of each defined stakeholder. 

“We view the DSIP as a list of suggestions for maximizing the security of GA4GH standards,” said David Bernick, co-lead of the DSWS and an author on the DSIP V4.0, who is the Data Security Officer at the Broad Institute of MIT and Harvard.

While the DSIP was written with GA4GH standards developers in mind, the document is also pertinent to anyone using or creating software held to high security standards. The framework is closely aligned with security technology frameworks imposed by international governments and industry, but offers most value to software developers seeking an internationally standardized, genomics-centric security framework. The DSIP authors anticipate a future wherein all organizations implementing a GA4GH standard will construct their code in compliance with the DSIP framework. 

Many of the GA4GH standards have already been aligned with this policy framework, such as the recently-approved Crypt4GH file format for secure data storage. 

“The security framework is a good foundation on which to build GA4GH standards,” said Robert Davies, Senior Scientifc Manager at the Wellcome Sanger Institute, who contributed to the development of Crypt4GH. “Thanks to feed-back from the GA4GH Data Security Work Stream, we were able to make many improvements to our encrypted format proposal based on the DSIP as it went through the approval process.”

The DSIP is crucial to the development of standards for international genomic data sharing — a high priority of the Global Alliance for Genomics and Health — particularly because of its guidance on dealing with private, personally-identifiable information such as genomic and health-related data. 

Davies said, “I would recommend anyone handling sensitive data to read the policy document, as it includes lots of useful information on handling data in a safe and secure manner.”