How we work

Data Security vision statement

Read the 5-year vision statement of the work stream or read the full GA4GH Connect Strategic Plan.

Motivation and Mandate

An international consortium federating large volumes of sensitive clinical and genomic data across virtual computing environments presents formidable challenges in assuring data confidentiality, data integrity, service availability, and individual privacy. The fact that healthcare data are a leading target for cyber-security attackers exacerbates these challenges.

GA4GH and its partners must implement defense in depth to protect the high-value data we rely upon to accelerate the acquisition and application of biomedical knowledge. A key mandate of the Data Security Work Stream is to help assure that the standards produced by the Technical Work Streams have been developed within a sound risk-management framework.

Existing Standards

Some of the security challenges GA4GH faces call for innovative application of well-established security standards and protocols, such as identity federation on a global scale, using OpenID Connect; distributed authorization using OAuth 2.0; transmission protection using Transport Layer Security (TLS), and data encryption using symmetric encryption algorithms such as Advanced Encryption Algorithm (AES). Other challenges require solutions still emerging from security research, such as privacy-preserving data linkage, homomorphic encryption, and quantum key distribution.

Risk management is central to the Data Security Work Stream’s standards-development process, which seeks to leverage industry standards and best practices wherever possible, including GA4GH-specific profiles of existing standards.

To enable GA4GH and its partners to effectively prevent and respond to breach attacks requires a layered and proactive scheme to identify potential threats and vulnerabilities, continuously monitor the use of data and services, detect potential attacks, and collectively respond to potential breaches. The Data Security Work Stream will work with the Driver Projects to broadly apply breach-response methods currently in use to collaboratively protect collective data assets.

Proposed Solution

The remit of the DSWS includes, but is not limited to, identity management, access authorization and control, privacy-preserving computation, non-repudiation, accountability, service continuity, and breach detection and response. High-priority needs include:

  • Standard templates to support “gatekeeper” function
  • Standard profiles of OAuth 2.0 and OpenID Connect standards for authorizing access and federating authentication across GA4GH (incorporating vocabulary being developed by Data Use and Researcher Identities (DURI) work stream)
  • Standard operating procedure for collaboratively detecting and responding to breaches