FAQ for information security officers
The following list of questions has been drawn from interactions with IT, Information Governance and Information Security officers at a number of NHS institutions over the last five years.
What is the name and supplier of the system/product?
eXtensible Neuroimaging Archive Toolkit (XNAT), supplied by Flywheel LLC and the Neuroinformatics Research Group, Washington University School of Medicine in St Louis. Software development has been funded continuously by an NIH R01 grant since 2008 (and earlier via other public grant mechanisms). XNAT is an open-source product with a long track record, used by many of the world’s leading academic healthcare institutions for managing image data.
What exactly is XNAT and what does it do?
XNAT (www.xnat.org) is a secure data-curation platform for images used in research projects. Its core function is to manage the import, archiving, processing, visualisation and secure distribution of image and related study data.
Who will host data? (in-house solution/cloud, name of the provider)
Data will be hosted either by the Institute of Cancer Research (ICR) or Royal Marsden (RM) depending on the particular project.
For projects domiciled with ICR, data are stored on ICR-owned equipment at the VIRTUS LONDON4 data centre in Slough. LONDON4 is the home of the Jisc Shared Data Centre, which comprises approximately 25 academic and research organisations and houses some of the UK’s most powerful supercomputers.
Projects domiciled with RM are hosted on the RM’s Azure Cloud tenancy, with data stored only in the UK. A generalised Data Protection Impact Assessment for the use of XNAT has been approved and signed off by RM and a detailed risk assessment was undertaken as part of this.
What physical security measures are in place to protect hardware used to store data?
The LONDON4 site is highly secure. VIRTUS operates a ‘defence-in-depth’ approach to security, with a dedicated on-site security team 24/7; protecting IT infrastructure is VIRTUS’ highest priority.
Microsoft provides similar guarantees regarding the physical layer that provides its UK cloud infrastructure.
What servers do your systems run on?
Our current systems are Ubuntu 20.04 LTS VM servers.
For projects stored in ICR’s jurisdiction, VMs run under a vSphere hypervisor on a resilient three-node physical cluster and are built from a hardened template supplied by IT security professionals in The Institute of Cancer Research, based on the CIS Ubuntu Linux Benchmark 1.0.0. The hardware infrastructure for the servers is located within the Jisc Shared Data Centre (part of the secure VIRTUS LONDON4 data centre, physically located in Slough). Physical access procedures are tightly controlled. Topologically, all systems lie completely within the ICR’s internal network (i.e., not exposed in the DMZ) and hence behind the ICR’s main firewall. Risk is minimised by opening only those ports that are strictly necessary for operation of the system: currently, those dedicated to the HTTPS and DICOM protocols.
For projects stored within RM, our Azure servers are managed by the RM’s partner infrastructure company Agilisys. The XNAT Team has hardened the VMs according to the same high standards as within the ICR on-premises estate and the XNAT Team also provides day-to-day management of applications on these servers.
There are no end-user logins and no opportunity for end users to write data to the system other than via the XNAT application. The systems run no “end-user applications” (e.g., word processing, email clients, web browsers, etc.), so that even system administrators have little opportunity to inadvertently introduce malware.
How do you ensure that the systems are updated?
For servers in ICR’s jurisdiction, the update system is managed by ICR Digital Services. Security patches are applied within days of becoming available. Other package updates are flagged and applied by the XNAT Team at the next suitable downtime period.
For servers in RM’s Azure subscription, security updates and patches are applied in a timely fashion by Agilisys, the RM’s cloud infrastructure technical partner. Other package updates are applied at the next convenient opportunity by the XNAT Team.
What security measures are in place to protect our data? (AV/endpoint protection, Firewall, hard drive encryption standards, etc.)
For ICR servers, protection is provided by CrowdStrike Falcon endpoint protection and the main ICR firewall, with restrictive rules allowing access for external users only via the ICR web proxy (HTTPS traffic) or the main firewall (traffic via the DICOM protocol).
RM servers are protected by an extremely restrictive firewall that allows access only to a small number of whitelisted external sites.
Do you encrypt data at rest?
No. Given the previously described measures taken to protect the physical hardware, this is not necessary.
How will you transfer the data? (transfer solutions, encryption standards, etc.)
Transfer will take place via the HTTPS protocol, encrypted using the TLS 1.2 standard.
What are the access control measures? (2FA, minimum password requirements, VPN, IP whitelisting, etc.)
Access to the XNAT servers on which data are stored is controlled via either the ICR or RM (as appropriate) network username, password and 2FA provision, and is available only to a handful of sysadmins. Access to the XNAT webapp is protected as follows:
- XNAT accounts are issued to a limited range of authorised users.
- XNAT accounts are accessed via username and password, with a maximum of 5 failed logins (after which the account is locked for a specified time period, currently 1 hour).
- XNAT user sessions are automatically logged out after 15 minutes of inactivity.
- XNAT users are disabled for inactivity if there are no logins for a specified time period.
- Within XNAT, data are available according to role-based access that minimises visibility to non-authorised users.
Has penetration testing been conducted and were all high risks addressed?
Penetration testing was conducted by MTI Technology in May 2023 and all security considerations were addressed in a detailed response document.
Who is responsible for managing access control? Who grants access to the system?
Simon Doran, with certain aspects delegated to the local ICR database administrator, Thesha Thavaraja. At all times we are guided by the relevant PIs and Trial Steering Committees of the various trials/studies hosted.
Are you going to use portable devices to handle our data?
Deliberately not. By design, our systems are based on fixed servers and we strongly encourage networked data upload. We strongly discourage the use of portable media (e.g., DVDs, USB hard drives or memory sticks). However, if such media turn out to be the only way that a collaborator can deliver data to us, in extremis we will accept pseudonymised or fully anonymised data on suitably encrypted hard drives (with the liability on the data originator to specify the hardware and level of encryption appropriately).
What data types will you use? (DOB, CHI, Name, Address, diagnosis, etc.)
The main data type we use is anonymised DICOM images. We will store some patient demographic information as mandated by clinical studies, but only data that do not identify the patient (e.g., weight and height, smoking status and age, but not DOB).
Can you provide details of any data backup? (physical location, retention period, etc.)
For data stored within ICR’s jurisdiction, backup is to the ICR’s Research Data Storage (RDS) infrastructure, geo-dispersed between Slough and our premises at Sutton. The retention period for these backups is negotiable on a study-by-study basis, but is typically the same as agreed for the clinical study/trial as a whole. For data stored on RM’s Azure platform, backup is provided under the terms of the RM’s SLA with infrastructure partner Agilisys.
How will the data be removed? (Certified/Industry approved standards of data deletion, hardware decommissioning standards)
The primary copy of the data will be removed from XNAT either via the web interface or programmatically via the REST API. System administrators are able to inspect the filesystem to ensure files have been removed. The server disks will not be removed from the server room except in the case of malfunction (in which case they will be replaced under a service agreement, with the original being handed to the ICR IT department for secure destruction of data). The server will remain in the data centre until it is decommissioned, at which point ICR staff will render the data non-recoverable. ICR has a subsection on data destruction as part of its Retention Policy. Data stored on RM’s Azure tenancy will be removed via appropriate actions by Agilisys colleagues.
Will any 3rd parties have access to our data?
The people with access to the data will be:
- The list of authorised XNAT users for the study/trial.
- The XNAT system administrators (currently, Simon Doran, James Darcy and Thesha Thavaraja). This access is required in order to manage the platform.
- Selected staff from ICR Digital Services or RM Digital, as required to provide technical support. It is not expected that these staff will need to inspect any clinical trial data.
What access control monitoring/auditing measures are in place?
All database activity (i.e., all REST queries) is saved in XNAT’s access.log file, which records the access date and time (with millisecond precision), the name of the accessing user and a description of the activity.
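As an added example (not code from the XNAT project or the ICR/RM deployment), the following Python audit reads an access.log extract and checks it against the lockout policy stated earlier (5 failed logins, then a 1-hour lock): any user with more than 5 failures inside a single hour indicates the lockout did not hold. The line layout and the LOGIN_FAILED activity text are assumptions made for this example; the page does not describe the real access.log format.

```python
# Added example (not XNAT project code). ASSUMED access.log line layout:
# "<YYYY-MM-DD> <HH:MM:SS.mmm> <user> <activity description>".
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILED = 5                # failed logins allowed before lockout (from the FAQ)
LOCKOUT = timedelta(hours=1)  # lockout period (from the FAQ)
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.+)$")

def parse_line(line):
    """Return (timestamp, user, activity), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), m.group(3)

def find_lockout_violations(lines):
    """Map user -> largest count of failed logins inside one LOCKOUT window, for
    users where that count exceeds MAX_FAILED (more attempts got through than the
    lockout should permit, so the control or its configuration needs review)."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2].startswith("LOGIN_FAILED"):
            failures[rec[1]].append(rec[0])
    violations = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > LOCKOUT:
                start += 1
            if end - start + 1 > MAX_FAILED:
                violations[user] = max(violations.get(user, 0), end - start + 1)
    return violations

# Constructed sample: alice fails 6 times in 6 minutes (breach), bob stops at
# exactly 5 (locked as expected), carol's 6 failures fall in two separate hours.
def _line(hms, user, activity):
    return f"2024-03-01 {hms} {user} {activity}"

SAMPLE_LOG = (
    [_line(f"09:0{i}:00.000", "alice", "LOGIN_FAILED bad password") for i in range(6)]
    + [_line(f"09:1{i}:00.000", "bob", "LOGIN_FAILED bad password") for i in range(5)]
    + [_line(f"10:0{i}:00.000", "carol", "LOGIN_FAILED bad password") for i in range(3)]
    + [_line(f"12:0{i}:00.000", "carol", "LOGIN_FAILED bad password") for i in range(3)]
    + [_line("12:30:00.500", "dave", "GET /data/projects")]
)

if __name__ == "__main__":
    print(find_lockout_violations(SAMPLE_LOG))   # {'alice': 6}
```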
Who is responsible for system management? (support contact, SLAs, etc.)
Simon Doran, Senior Staff Scientist at ICR, with certain aspects delegated to the ICR Digital Services and Agilisys as relevant.
Is XNAT Desktop Client safe to download and install?
Yes. XNAT Desktop Client is the recommended software for uploading data into XNAT. It has the following advantages:
- It is specifically designed for uploading to XNAT with an improved workflow
- It enables pixel level anonymisation to avoid leakage of “burned-in” patient information
- It allows the ICR XNAT team to ensure that data uploaders pseudonymise data correctly and always use the correct “anonymisation scripts” for a given study. This is particularly important in multicentre trials where metadata consistency is important.
XNAT Desktop Client should be downloaded directly from https://xnat.org/download. It has the following security features:
- It is built on a version of Java for which Oracle has committed to extended support until December 2030.
- It is digitally signed.
- The open-source nature of the software means that IT Security departments can verify the code that will be run should they choose to do so.
- It is actively maintained: four major releases in 2023; latest release 2023-06-09.
- The ICR has privileged access to the development team and JIRA issue tracker, and can thus warn of any security alerts rapidly.