Blueprint for a data-protection-compliant, secure data cloud

The Leibniz Supercomputing Centre has set up a secure cloud for sensitive medical research data for the digitisation project DigiMed Bayern: It could be a blueprint for other similar services for science and research.

 

Since its official launch in December 2023, the cloud has been filling up every day: the German Heart Centre Munich and the German Heart Foundation have already uploaded a good 802 terabytes of data to the DigiMed Bayern Secure Cloud. This includes 15,000 images of the human heart, coronary vessels, arteries and tissue, as well as information from health insurance companies and patient measurements such as blood pressure, heart rate and weight. "The availability of health data and the ability to analyse it with the help of artificial intelligence and interdisciplinary teams of experts are fundamental for a modern healthcare system," says Dr Jens Wiehler, managing director and coordinator of DigiMed Bayern. "To achieve this, we need a secure, efficient and scalable infrastructure. In addition to the medical-scientific results achieved to date, DigiMed Bayern has created a secure cloud environment in a public data centre as an example for research".

Funded by the Bavarian State Ministry for Health, Care and Prevention, 13 research institutes - including the cardiology centre, the Ludwig Maximilian University (LMU), the Technical University of Munich (TUM), the Helmholtz Centre Munich and the Max Planck Institute for Biochemistry - have been working since 2018 on the medicine of the future. This medicine will be predictive, preventive, personalised, participatory and increasingly digital. The Leibniz Supercomputing Centre (LRZ) was therefore also involved in DigiMed Bayern, with the task of planning and setting up a secure online vault for sensitive medical research data, which can also be used by researchers and - in the future - by doctors with individual access rights. "It was clear from the concept that the cloud had to be very flexible and versatile, but above all convenient and easy to use," explain Florent Dufour and Dr Peter Zinterhof from the LRZ's Big Data and Artificial Intelligence (BDAI) team, who planned and realized this data cloud. "The DigiMed Secure Cloud was modelled on the LRZ cloud, and significant security features were added at all levels".

It was a mammoth task, requiring not only the organisation of a wide range of requirements, but also the clarification of legal and technical issues. For example, the DigiMed network still had to regulate the framework conditions for using the cloud and adapt the technical equipment to the applicable law. "Six years ago, many things were still uncertain and unclear, and admittedly our expectations were too high. This is hardly surprising for projects like this, where basic infrastructures are being researched, developed and put in place. It takes ambition to move things forward," says coordinator Wiehler. "The main advantage of the DigiMed Secure Cloud is that the data is stored and processed at the LRZ, under public control and in a central location in Germany, and can be used by many working and research groups. The cloud thus provides a blueprint for secure, data-protection-compliant collaboration between research and healthcare centres, which can be used to plan and develop further similar services.

Trusted technology and processes

Modelled on the LRZ Cloud the DigiMed Secure Cloud was built according to the principles of Confidential Computing (CC) and consists of three management and computing nodes with Secure Encrypted Virtualisation-Secure Nested Paging (SEV-SNP) components and storage capacity based on solid state and hard disk drives (SSD/HDD).With this technology and the Quobyte file system, all data is automatically encrypted during upload, transport from server to client or computing unit, processing and storage. "We rely on hardware that creates so-called Trusted Execution Environments or TEE for secure computing," explains LRZ researcher Dufour." The cloud itself is based on the OpenStack operating system, virtual machines and self-service, so it can be set up by any user according to their needs and equipped with programmes, analysis tools and additional storage capacity." One consequence of using Trusted computing technology is that data is encrypted at all times throughout its life and even the LRZ administrators cannot see what is stored and what is happening in this data cloud.

Enabling research with data donations

Among other things, the database now contains 2,500 data sets from users of the German Heart Foundation's HerzFit app, who have donated this informations for research purposes. "The idea behind the app is that of a digital coach for heart health," explains Dr Lara Marie Reimer, a business information scientist and the app supervisor. "Users can manually record measurements such as blood pressure, resting heart rate and more, or upload them from wearables and review them. They can find out what they can do to combat cardiovascular risks and how to improve their health through exercise or diet." The app offers a cardiovascular risk calculator, with more services to follow. Around 120,000 people have downloaded HerzFit, a third of whom use it to check their data regularly. "There is a growing willingness among the population to deal with health data and to record it digitally," says Reimer. The donated data from the mobile devices were recorded at the German Heart Centre in Munich, where it was pseudonymised, anonymised and uploaded to the DigiMed Secure Cloud.

The HerzFit-App: digital coach for the heart health. Photo: German Heart Foundation

One goal is to motivate even more people from the HerzFit community to donate data in the long term: "If necessary, we can use the HerzFit app for surveys on heart health, but above all we want to analyse the body data," says Reimer. Such data is in great demand in the scientific community for long-term studies, for example on the development, treatment or prevention of diseases: "Legally, it is very difficult for the Heart Foundation and other research institutions to collect and store such medical data. Commercial cloud providers often lack the trust and security to ensure that the data is backed up in Germany or Europe. With the DigiMed Secure Cloud, there is now finally a secure alternative that is in the public domain," says Reimer." We are currently exploring the existing data sets to use and develop our own analysis tools." Digital sovereignty, local experiences with digitisation and independence from digital corporations were also goals of DigiMed Bayern.

However, much of the heart health data in the secure cloud comes from study participants at the German Heart Centre: "Our image and clinical data allow us to analyse the morphology of coronary vessels and also represent longer-term developments in heart health. We can now use it to train AI models, for example for pattern recognition," says specialist Dr Moritz von Scheidt, deputy scientific director of DigiMed Bayern. In addition to the doctors and researchers at the heart centre, scientists in Bavaria will be able to work with this information. To this end, the Secure Cloud has been designed to integrate high-performance computing (HPC) workloads and artificial intelligence (AI) methods: "We also rely on the Sovereign Cloud Stack, which is integrated into the European data infrastructure Gaia-X," says Dufour, describing the special features. This allows users to separate data sets in the data cloud in whole or in part, to share them with other groups and to assign different access rights, not only within the Bavarian DigiMed circle, but also in European research networks if required: "There will be an area at the Munich Heart Centre where all DigiMed partners can process information and an exclusive area to which only our colleagues will have access," von Scheidt plans.

A recipe for further public offerings

The first users are satisfied with the functions and possibilities of the DigiMed Secure Cloud. In November, when the project ends, the scientific results of the project and its IT infrastructure will be presented and discussed in detail at a symposium. By the next working meeting in April, the consortium hopes to have gained initial experience with applications and analyses, and to demonstrate that more centralised, digital services from the public sector and from Germany will be needed in the future to improve scientific research  and especially healthcare: "I expressly welcome the idea of keeping sensitive medical data in the public domain," says von Scheidt. "It would be desirable for the DigiMed Bayern service to be made permanent and for other comparable, parallel cloud services to be established, as the importance of the data will continue to be of great benefit to public-interest research beyond the duration of the project."

To achieve this, the cloud's operating costs need to be secured and its equipment optimised as practical experience is gained: "For example, as the project progressed, it became increasingly clear that integrating graphics processing power or GPUs into the Secure Cloud also made sense," says DigiMed's manager Wiehler. The DigiMed Secure Cloud could be adapted to other requirements and could become a blueprint for similar non-profit services. The need for secure data storage is growing in the healthcare sector: The vision of a digital healthcare system could see clinics and hospitals networked with doctors, laboratories and pharmacies in secure data clouds, and also sharing pseudonymised and anonymised data with research and their patients.  This would make it possible to comprehensively analyse the causes of diseases, personalise treatments, predict health risks and offer differentiated prevention strategies. (vs/ssc)

Technical Data Secure DigiMed Cloud:

• 3 management and compute cores, als with secure sncrypted virtualisation
• More than 500 secure cores
• Storage on the base of SSD and HDD
• 100 G high performance network fabric
• 1PB of raw secure storage
• OpenStack, Sovereign Cloud Stack, Quobyte filesystem

Teamwork: The LRZ-Team for the Secure Cloud Florent Dufour (2nd from the left) and Vincent Bode, (3rd f.th.left)
start the DigiMed Secure Cloud with Dr. Jens Wiehler (2nd f. th. right), managing director of DigiMed Bayern, and
deputy director Dr. Moritz v. Scheidt (left). Photo: BioM