Search

Health Data

Understand sensitive data and the challenges of using it in biomedical research

Scientific Services

Services to support research using sensitive health related data

BioMed IT Infrastructure

A secure IT environment for the responsible handling of health data as a service

Getting started

Start here to find out all you need to know before setting up your BioMedIT user account

Training & information

Find out about the training available to help you use BioMedIT

About us

Meet the people behind the BioMedIT Network, and find out what we're trying to achieve

B-spaces: BioMedIT secure research project spaces for analysing and exploiting sensitive health data

The fundamental service offered by BioMedIT is provision of B-spaces: secure processing environments for collecting, storing, analysing and learning from health-related data at one of the three BioMedIT nodes. These environments are each specific to a single research project, which allows project members to collaborate from multiple institutions, but also maintains the security of the data imported for the project. While data, applications and methods can be reused within the BioMedIT platform (if applicable), each use should be within the environment for a specific approved research project.

These spaces are composite services that consist of multiple elements and often require customisation per customer, but have some standard starting points and assumptions.

Services are delivered following a ‘base package,’ of standard components, with a number of additional options which can be added to it. The B-space represents the minimum/standard specifications needed for simple use cases in processing sensitive personal data.
B-spaces are delivered based on some default assumptions about how service will be used. While delivery can be achieved in other ways, you would need to discuss any variation with your BioMedIT node, as it may require additional risk assessment or other service options.

Please contact us to discuss your requirements.

The B-space base package

B-spaces are typically provided with an initial resource type or allocation, but this can be varied over time (depending on available resources and funding). The standard initial allocation, which we call the B-space “base package” currently consists of:

Virtualised resources in a secure infrastructure, with a minimum of 20 CPU cores, 32GB of RAM and 20TB of storage
Access to the virtualised resources through a remote desktop system
User management and access using SWITCH edu-ID and two factor authentication
Onboarding of up to two new data providers per research project, and access to the BioMedIT data transfer system to securely move it from the data provider institutions to the BioMedIT Node in use
Access to standard research software suites, with the possibility to bring in additional software (must pass a security assessment)
Training material to support use of BioMedIT and SPHN services
Standard support according to our Service Level Description including:
- Support for establishment of legal agreements such as a Data Transfer and Use Agreements (DTUA) or a Data Processing Agreements (DPA)
- Support for whitelisting customer IPs
- Fulfilment of various security requirements (e.g., according to specifications from Swiss university hospitals)
- Handling of incidents and service requests.

In addition, a number of services can be added to the B-spaces.

Some additional services are not considered part of the base package but can be used with the B-space immediately.

Container Registry - Provides a registry for hosting, vulnerabilities scanning and sharing of OCI compatible container images
Git Registry - Provides a repository to registered BioMedIT users to create, collaborate and share their application codes with other BioMedIT users

Some other services can be added to the B-space on request, but may incur an additional fee:

Terminology Service - Provides SPHN compatible, machine-readable versions of national and international terminologies and classifications in RDF (Resource Description Framework) format
Confluence Wiki - Provides a collaboration space and repository for the working- and implementation groups
Data Management for your research data using different technologies depending on the node your work sits on
Additional resources for your B-space (increased number of CPU and GPU cores, increased RAM or storage)
Onboarding additional data providers (above the two included in the base package)

Delivery assumptions

The following represent assumptions we will make about how a B space is delivered to customers. These are based on the architecture, security model and delivery structure envisaged for B-spaces. If your needs do not match these assumptions, please contact us to discuss how your needs can be met, as thsi may require additional review or agrement to support your use.

Customer structure
- We assume that there is a single project operated through each B space, such that the data in that project can be restricted to permitted participants.
- There is a defined set of organisations or individuals that can access that B-space and the data within it.
- All organisations with access to the B-space are party to the legal agreements supporting the project.
- All members of a project can access all data within the project, and there is no internal role based access control or segregation provided by default.
Software and applications
- Each node provides a set of commonly used / default software for research either within the B-space or from a trusted repository.
- Additional software can be requested and arranged with the node, pending their agreement.
- Customers can import containers to the B-space, but must take reasonable steps to ensure that they are sufficiently secure. Containers cannot be pre-screened by the node but shall be runtime-scanned as much as possible to support B-space security.
Data transfer
- All import and export from the B-space is controlled, and performed via an approved and logged method, whether the data is personal data, sensitive personal data, or non-sensitive data.
- The sett tool is the standard method for data import and export
- Customers are responsible and accountable for correctly assigning data to be imported or exported to the correct risk level according to our Information Security Policy.
External access to/from the B-space
- Customers interact through a remote access system, which one depending on the node selected.
- Limited external network access from B-spaces is provided, to specific tools and services upon request
  - To the BioMedIT Data Coordination Centre Git, for storing code developed in projects.
  - The BioMedIT Data Coordination Centre Harbour for staging containers built by research projects for their work. Containers may be scanned for security issues but remain the responsibility of the customers
  - Major software repositories of default software needed for research (varies per node)
  - Selected large databases for open research data
- Public-facing IT services may only be run from within the B-space with explicit permission and following an in depth security review and approval to manage risks of data leakage.
- Monitoring of the B-space from the outside of the secure network can only be achieved via an intermediate step controlled by the node, and requires special set-up and agreement.

Find out how to get started on BioMedIT