The Scalable Protected Infrastructure (SPI) team within the National Center for Computational Sciences, with assistance from ORNL Risk Management and the IT Services Division, has launched Citadel, the NCCS’s framework of security protocols that enables researchers to harness its supercomputers for open-science projects using protected data.
While ORNL has a long history of conducting computational analysis on “open research” data (which is typically easy to publish and disseminate), Citadel implements security controls for the handling of large datasets that include private information. This capability provides unprecedented levels of high-performance computing (HPC) power for research projects in the health-care field, for example, which require the protection of patients’ privacy under the Health Insurance Portability and Accountability Act (HIPAA).
The Citadel framework allows Protected Health Information (PHI), Personally Identifiable Information (PII), data protected under International Traffic in Arms Regulations (ITAR), and other types of data requiring privacy to be securely used on the Summit supercomputer, the upcoming Frontier exascale system, and other systems managed by the Oak Ridge Leadership Computing Facility (OLCF), a DOE Office of Science User Facility at ORNL.
NCCS can now allow for people with highly protected data to leverage this vital resource in a way that’s compliant with the Federal Information Security Management Act (FISMA). With Citadel, the NCCS is utilizing an encrypted parallel file system that improves both performance and security, ensuring that we’re doing this in compliance with all of the regulations that are in place to protect this data.
Citadel’s security improvements aren’t just technical—new administrative protocols were also put into place for the handling of private data. While ORNL already adheres to the National Institute of Standards and Technology’s security and privacy controls for moderate Official Use Only (OUO) data, the SPI team developed extra precautions to place private data in secure containers that cannot be accessed by other researchers or used by other projects. For example, HIPAA-protected data for a project sponsored by the US Department of Veterans Affairs (VA) will be kept absolutely separate from HIPAA-protected data for a projected sponsored by the Centers for Medicare and Medicaid Services (CMS).
With its heightened level of security for private data, Citadel presents many possibilities for research projects that previously could not access Summit, the nation’s most powerful and smartest scientific supercomputer. For example, using medical records that include hand-written doctor’s notes were problematic before Citadel—while names and addresses can be automatically stripped out of structured medical records, freeform notes are not so simple.