BioMedIT Security Resources

All BioMedIT nodes comply with the requirements of the SPHN/BioMedIT Information Security Policy. The policy, in conjunction with an Access and Use Policy (AUPs, to be signed by BioMedIT users), related Standard Operating Procedures (SOPs) and Work Instructions (WI), define the necessary organizational and technical measures to guarantee the confidentiality, integrity, availability and resilience of the systems with regard to processing of data. These documents set out the way research data is handled, preventing misuse and malicious damage.

The purpose of this policy is to establish a framework to meet SPHN’s responsibilities in matters of Information Security with respect to compliance with the applicable regulations regarding the management, oversight and audit of Information Security. Additionally, it clarifies the roles and responsibilities of various parties relative to Information Security.

Data providing institutions are securely connected to the network to enable secured sharing of sensitive research data over the BioMedIT infrastructure. Each Data Provider has one landing zone to where encrypted and signed data packages are sent, generally via Secure File Transfer Protocol (SFTP) from whitelisted IP addresses. To facilitate end-to-end encrypted and standardized data transfers throughout the whole network, the BioMedIT Interoperability Working Group (BIWG) developed and maintains sett (Secure Encryption and Transfer Tool), a tool to support the full process of secure data transfer with both a graphical user interface (GUI) and a command line interface (CLI).

New BioMedIT users must demonstrate an understanding of the responsible use of health-related data for research by passing a mandatory exam before their user account is validated. Project Leaders can then grant authorized users access to project spaces. The Data Privacy and IT Security Training accompanying the exam is offered as both online training or as classroom based courses regularly hosted in different cities across Switzerland.

Authorized users access the BioMedIT Portal using a SWITCH edu-ID account with two factor authentication. Additionally, the BioMedIT Network can only be accessed from within trusted IT environments (e.g. from within a Swiss university or university hospital network or via VPN).

Data security in the BioMedIT nodes is principally based on allocation of project-specific IT resources within an access-controlled, private, virtual environment offering network isolation, data isolation and computational resources isolation (private tenant). Shared tenants are only permitted in those cases where there is a specific authorization. A private tenant ensures that data stored in one project space cannot be shared – intentionally or by accident - with another project. Users can then connect to B-spaces (project spaces) for which they are specifically authorized via a virtual desktop with a graphical interface or a virtual terminal session. Access to the Internet from the B-space is strictly controlled, limited to trusted and explicitly white-listed web resources. Encrypted backups of the data are done on a regular basis. By default, direct Secure Shell (SSH) access is not permitted but can be enabled in exceptional, authorized cases and to specific project spaces.

The security concepts of the individual nodes are available upon request from the Data Coordination Center.

Life sciences applications and tools packaged with OCI compatible container technology can be supported in BioMedIT provided the Container Security Guidelines are followed. This document sets out the security considerations, configurations and recommendations necessary for running containerized applications inside BioMedIT secure project spaces or on internet-accessible machines providing BioMedIT related services.