1. ENSAT-CANCER@Melbourne Virtual ANonymisation Grid for Unified Access to Remote Data www.ensat.org Project Overview The ENSAT consortium (European Network for the Study of Adrenal Tumors) are a group of leading specialists formed to investigate and share medical information on adrenal tumors across Europe. Based in France, Germany, Italy and the UK – the group have previously shared information by inputting data to an Access database then sending this by courier mail to the various participating centres. Building on initial work undertaken by the National e-Science Centre (NeSC) at the University of Glasgow in developing a web-based data sharing platform for ENSAT, and the move of the Director of NeSC to Melbourne, the University of Melbourne are now engaged in a major 5-year European-wide development “ENSAT-CANCER” to support all aspect of adrenal tumour research and collaboration through establishment and support of a security-oriented Virtual Research Environment. This includes establishing clinical data registries; supporting biobanking and sample sharing across European hospitals and biomedical centres, through to supporting all aspects of two major European-wide clinical trials sponsored by major pharma- companies from recruitment, data collection and trial endpoint adjudication. At the heart of this solution is the need for fine-grained access control. ENSAT Consortium The ENSAT consortium (http://www.ensat.org) are a network distributed across Europe based in several leading clinical centres – Paris, Munich, Wurzburg, Birmingham, Turin, Padua.http://www.ensat.org As part of the recently-funded ENSAT -CANCER project, a drive to form an online “Virtual Research Environment” has been incorporated, which will allow data-sharing and communication crossing the adrenal cancer clinical and biomedical space. Secure linkage to external resources will be made available, allowing connections between this specialist group and centres of bio-material, and genetic information, etc. Through the VANGUARD [1,2] linking methods, anonymity of patients will be secured and enforced, without the mediating agent seeing the data passing through. Adrenal Tumours The clinical basis for adrenal research can be summarized as follows: the adrenal consists of two functionally distinct endocrine glands, both parts playing an essential role in adaptation to major stress. Adrenal tumors can be benign (non-cancerous) or malignant (cancer). Often this separation is difficult to make and long term close follow up is necessary after removal to detect recurrences early in patients who have adrenal cancer. The ENSAT consortium is especially interested in four major types and causes of adrenal tumors: Adreno-Cortical Carcinoma (ACC) – this is a rare malignancy, of which pathogenesis and prognosis is incompletely understood. Patients with ACC will usually be identified with a hormone excess or a local mass effect. Aldosterone Producing Adenoma (APA) – is a type of cancer which results in secondary hypertension accounting for up to 5-10% of all hypertensive patients. Non-Aldosterone Adreno-Cortical Adenomas (NAPACA) – Non-aldosterone secreting cortical tumors represent the most common benign adrenal tumor, and these may be non-functioning. Autopsy studies show that up to 5% of the population may harbor so- called adrenal incidentalomas. Pheochromocytomas and related paragangliomas (Pheo) - Catecholamine-producing tumors may arise in the adrenal medulla (pheochromocytomas) or in extra-adrenal chromaffin cells (paragangliomas). Contacts: Prof. Richard O. Sinnott (rsinnott@unimelb.edu.au)rsinnott@unimelb.edu.au Anthony Stell (a.stell@nesc.gla.ac.uk)a.stell@nesc.gla.ac.uk Jipu Jiang (j.jiang@nesc.gla.ac.uk)j.jiang@nesc.gla.ac.uk [1] A.J. Stell, et al Designing Privacy for a Scalable Electronic Healthcare Linkage System, IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT 2009), Vancouver, Canada, August 2009. [2] R.O. Sinnott, O. Ajayi, A.J. Stell. Data Privacy by Design: Digital Infrastructures for Clinical Collaborations, International Conference on Security and Privacy, Orlando, USA, July 2009. ENSAT Online Registry The ENSAT Online Registry facilitates a more efficient and cost-effective way of sharing the data between clinical and research network centres. The registry allows secure logins, uploading, updating of patient details and a search facility across patients and associated forms, such as biomaterial, pathology forms, surgery records, etc. Key to this is supporting security-oriented data access and linkage on a variety of levels, e.g. enforcing data access and usage for local researchers only; for national researchers; for researchers across the ENSAT-CANCER partner sites, through to wider international researchers. Infrastructure – VANGUARD To support biobanking scenarios where clinical data information is linked with actual biosamples which are sent (and tracked) across Europe, the VANGUARD infrastructure [1,2] has been developed. VANGUARD has been developed to meet the anonymisation-oriented nature demanded by data providers and researchers. In its most simple form VANGUARD comprises: Viewers (to request and receive data) Agents (to mediate information exchange) Guardians (to protect access to data). Data is linked, joined and anonymised through these components and targeted use of encryption and hashing keys. It does not mandate that direct queries through hospital firewalls is supported, but is based on a pull-oriented data access and usage model. All data is encrypted and the only entity capable of accessing the actual (decrypted) data is the end user. To achieve this, several overlapping trust agreements drive the interaction: the agent is trusted by all parties to execute policy but not to see data; the guardian, in a specific context, may trust the viewer to see the data; and the guardians do not trust each other with their own local datasets. Joining itself is performed on hashed and encrypted data points hence it is possible to join without knowing the underlying values themselves. To access external non-consortium resources, a mapping can be made of encrypted indexes against the external identification index (e.g. bio-bank barcode), which protects identity whilst allowing traversal of domain boundaries.