Secure Research Environment Guidebook

The Secure Research Environment (SRE) is a new University virtual environment designed to protect sensitive and restricted research data from misuse and unauthorized access.  The SRE is different from the current UMB research computing environment in that the computing resources, data storage and software are not located on a local desktop or laptop computer but are available in a secure Cloud infrastructure. 

The SRE minimizes risk to the institution and to the principal investigator of an unlawful exposure of sensitive data.

University of Maryland, Baltimore (UMB) 
Guidebook for the Secure Research Environment (SRE)

Introduction

It is critically important for UMB to apply a high level of data security in protecting health-related information and other sensitive personally identifiable information, such as Social Security numbers. A UMB Secure Research Environment (SRE) has been created to protect sensitive data used by faculty for research purposes, as well as to protect the intellectual property that develops from research studies. The use of the SRE is a mandated requirement when obtaining sensitive data provided by the University of Maryland Medical System (UMMS). The use of the SRE is recommended for research projects that contain sensitive data from other data sources. The SRE complies with HIPAA’s standards, as well as other IT security policies and requirements, for properly securing protected health information (PHI) and personally identifiable information (PII).

 

New UMB Research Computing Environment

The SRE is a new University virtual environment designed to protect sensitive and restricted research data from misuse and unauthorized access.  UMB faculty researchers can focus on performing research while knowing that the data being used for research purposes are highly secured.  The SRE minimizes risk to the institution and to the principal investigator of an unlawful exposure of sensitive data. 

The SRE is different from the current UMB research computing environment in that the computing resources, data storage and software are not located on a local desktop or laptop computer but are available in a secure Cloud infrastructure. A faculty researcher simply opens a web browser, connects to their secure research environment, and sees the data and software that they need to perform research analyses. The data are saved in the Cloud-based infrastructure. There is no need to use the computing power of a local computer or to store data on a local machine. The user experience is analogous to logging in remotely to a desktop computer, where a researcher sees a personalized screen that is familiar to them.

 

Who do I contact to get access to the SRE?

For sensitive data provided by UMMS: EDA-Research@umm.edu

For all other sensitive data: SRE-Support@umaryland.edu

Definition of Terms Used in this Document 

Term: Definition

AVD: Azure Virtual Desktop - the virtual environment that SRE uses

Azure infrastructure: Microsoft’s cloud platform; an evolving collection of integrated cloud services spanning compute, data storage, and software applications

Cloud computing: The delivery of computing services, including servers, storage, databases, software, and analytics, over a computer network

Data steward: Person responsible for ensuring the quality, security, and fitness of the data for the purpose of the research

Egress of data: The output flow of research results

Epic: The medical data repository UMMS uses for research data

Faculty researcher: The UMB faculty member sponsoring the research project, often the Principal Investigator. The data and SRE requestor must be a faculty researcher.

HIPAA: Health Insurance Portability and Accountability Act - a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge

Honest broker: The data steward for the owner of research data who acts to collect and provide that data to research investigators

ICTR: Institute for Clinical & Translational Research

IHC: Institute for Health Computing - leverages advances in network medicine, artificial intelligence (AI), and machine learning to create a premier learning health care system that evaluates both de-identified and secure digitized medical health data to improve outcomes for patients across the state of Maryland

Ingress of data: The input of research data used for analyses

Intellectual Property (IP): Creations of the mind such as research work or collections of data analyses

PHI: Protected Health Information - a.k.a. personal health information. Examples include:
  • Names
  • Geographic subdivisions smaller than a state (Note: this includes ZIP code)
  • Elements of dates (except year)
  • Ages over 89
  • Telephone numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Fax numbers
  • Device identifiers and serial numbers
  • Email addresses
  • Web Universal Resource Locators (URLs)
  • Social security numbers
  • Internet Protocol (IP) addresses
  • Medical record numbers
  • Biometric identifiers, including finger and voice prints
  • Health plan beneficiary numbers
  • Full-face photographs and any comparable images
  • Account numbers
  • Any other unique identifying number, characteristic, or code
  • Certificate/license numbers

PI: Principal investigator - the main researcher on a project

PII: Personally Identifiable Information - information that, when used alone or with other relevant data, can identify an individual. Examples include an individual’s first name or first initial and last name in combination with any one or more of these data elements:
  • Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number issued by the federal government
  • A driver’s license number or State identification card number
  • An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual’s financial account
  • Health information, including information about an individual’s mental health, Medical Record Number
  • A username or e-mail address in combination with a password or security question and answer that permits access to an individual’s e-mail account

RIC: Research Informatics Core - the group within the ICTR that administers the UMMS-controlled research data

Sensitive data: Personal data, such as health-related data and other types of data, that are not meant to be made public

SRE: Secure Research Environment

UMB: University of Maryland, Baltimore

UMMS: University of Maryland Medical System

Frequently Asked Questions

Who can get access to the SRE? 

Any University of Maryland, Baltimore faculty performing research can get access and use the SRE. 

 

What is the process to get access? 


SRE Workflow for Principal Investigators

SRE = Microsoft Azure Secure Research Environment;

RIC = UMMS Research Informatics Core;

PI = Principal Investigator

If the PI is from UMD (University of Maryland, College Park), the PI must obtain a UMB ID.

  1. PI discusses data request with RIC
  2. PI completes ICTR form requesting data
  3. RIC interviews PI for data, storage, & computing needs
  4. RIC shares data, storage, and computing info with UMB IT
  5. UMB IT discusses SRE and potential costs with RIC and PI
  6. UMB IT onboards PI to SRE
  7. RIC moves the IRB-approved data to SRE
  8. PI begins research in SRE

SRE Workflow for Principal Investigators with Non-UMMS Data Source

SRE = Microsoft Azure Secure Research Environment;

UMB IT = University of Maryland Information Technology Group;

PI = Principal Investigator

  1. PI contacts UMB IT to discuss data, storage, and computing needs
  2. UMB IT onboards PI to SRE
  3. PI begins research in SRE

 

When should a PI move an existing project to SRE? 

What if I already have a current project?

Does the PI have an existing project?

  • No: Is there a project request submitted with ICTR?
    • No: The PI should reach out to the RIC at EDA-Research@umm.edu to start the project request
    • Yes: Does it use data governed by UMMS?
      • Yes: Reach out to the RIC at EDA-Research@umm.edu to discuss moving the project to SRE.
        • UMB IT will also get involved after initial consultation with the RIC.
          • An SRE is created for your project
      • No: Reach out to UMB IT at SRE-Support@umaryland.edu to discuss moving the project to SRE
        • An SRE is created for your project
  • Yes: Does it use data governed by UMMS?
    • Yes: Reach out to the RIC at EDA-Research@umm.edu to discuss moving the project to SRE.
      • UMB IT will also get involved after initial consultation with the RIC.
        • An SRE is created for your project
    • No: Reach out to UMB IT at SRE-Support@umaryland.edu to discuss moving the project to SRE
      • An SRE is created for your project

 

How does data flow with the SRE?

{Diagram of data flow, i.e. ingress and egress}

Microsoft Azure Secure Research Environment

Highly restricted inbound and outbound public and private network access

Data Steward

  • Epic or other data sources
  • Requested Data
    • Automation
      • Ingress Folder (Azure Virtual Desktop)
      • Egress Folder (Azure Virtual Desktop)
        • Automation

Researcher

  • Remote Desktop
    • Research Desktop (Azure Virtual Desktop)
      • Ingress Folder (Azure Virtual Desktop)
      • Egress Folder (Azure Virtual Desktop)

Principal investigators will need to work with an “honest broker” to obtain the data being used for their research. An honest broker is the data steward for the owner of research data who acts to collect and provide that data to research investigators. The data steward is responsible for ensuring the quality, security, and fitness of the data for the purpose of the research.

For data sources governed by UMMS, the RIC will act as the honest broker. For other data sources, UMB IT will act as the honest broker.

 

Is training needed/required in order to use the SRE? 

Formal training is not required. Using the SRE is as easy as using your own computer. Instructions on how to access the SRE and use your data to perform research will be provided once the SRE request has been fulfilled.

Who do I contact if I have a question or need assistance with the SRE? 

Process questions when using UMMS data to EDA-Research@umm.edu

Process questions when using non-UMMS, sensitive data to SRE-Support@umaryland.edu

Technical questions to SRE-Support@umaryland.edu

What is the SRE? 

The UMB Secure Research Environment (SRE) is a centralized virtual environment designed to protect sensitive and restricted research data. Secure virtual desktop environments and custom compute configurations allow researchers to access sensitive data under a higher level of control and data protection. Data is segregated per research project and is accessible only by the research team assigned to that project's research environment.

The SRE is an isolated environment where users can use the software programs and tools available in the SRE to conduct their research and analyses. The ingress (input) of sensitive data into the SRE is managed by members of the Research Informatics Core (RIC) and/or the UMB IT support group. The egress (output) of any sensitive data or files from the SRE is also controlled by members of the Research Informatics Core (RIC) and/or UMB IT support group. The egress of non-sensitive data, e.g., summary or aggregated data that does not contain PHI or PII, can also be performed.