Data Security and Audit features in Atlas

SELVA_MUTHU_KUMARAN · May 23, 2019, 2:44am

Hello Everyone,

We are setting up OMOP CDM and Atlas for analysis of our data. I would like to know about the data security and audit features available in Atlas. Through @anthonysena I came to know about access rights feature in Atlas, can you please help me in understanding audit features available in Atlas

The way I have put my question might be non-technical but I am looking to know how this can be implemented technically. I can forward the response/check with tech experts to get this done.

Data Security - I came to know that we can set up user authentication and role configuration based on user profile to provides restricted access (ex: New cohort button enabled/disabled etc) to the Atlas platform. Is there anymore features for data security that are present in Atlas? You can also suggest us as to how we can make it more secure?
Audit Features - Can you please explain about the audit features available in Atlas? Should I be relying on any logs to find out the user behavior? Ex: user A logged in yesterday and generated a cohort, User B logged in at 10’o clock today and created a concept set. Can you please let me know where can I find this info? Let’s say we have an Administrator and from where he can find this info?
Data Export - I understand that we can’t download any individual level data from Atlas. Even if I would like to generate any Summary data (Cohort definition, Descriptive statistics etc), can it be download only after Executing R script? Is it possible to download the summary statistics/cohort generation result from Atlas?

Thanks for your time and help

Thanks
Selva

SELVA_MUTHU_KUMARAN · May 23, 2019, 2:43am

@ambuj @anthonysena - Can any of you help me with this questions? It would be helpful.

ambuj · May 23, 2019, 7:43am

SELVA_MUTHU_KUMARAN:

Data Security - I came to know that we can set up user authentication and role configuration based on user profile to provides restricted access (ex: New cohort button enabled/disabled etc) to the Atlas platform. Is there anymore features for data security that are present in Atlas? You can also suggest us as to how we can make it more secure?

That is a user level security which is a part of Atlas, apart from this you can get have AD/LDAP integrated with your atlas so only authenticated users having their account on Active Directory can login. In addition, you can host atlas within the local network instead of hosting on public.

Audit Features - Can you please explain about the audit features available in Atlas? Should I be relying on any logs to find out the user behavior? Ex: user A logged in yesterday and generated a cohort, User B logged in at 10’o clock today and created a concept set. Can you please let me know where can I find this info? Let’s say we have an Administrator and from where he can find this info?

You can get these details under Job section within Atlas menu.I haven’t explored that part much as of now but that is the only place where you can see the logs and status.

Data Export - I understand that we can’t download any individual level data from Atlas. Even if I would like to generate any Summary data (Cohort definition, Descriptive statistics etc), can it be download only after Executing R script? Is it possible to download the summary statistics/cohort generation result from Atlas?

I don’t think there is such option available apart from retrieving the queries to run using R.

@anthonysena, if you would like to add something to it.

Adam_Black · September 4, 2019, 3:53pm

@anthonysena, Is there any documentation on user action logging and how those logs can be accessed programmatically and/or exported to an external system? What types of actions are logged? This information is important for our security team as well.

anthonysena · September 5, 2019, 2:00pm

Adding @pavgra and @gregk for input on this.

@Adam_Black - I think that @ambuj covered this well in his post above. ATLAS as an application does not provide logs - it is leveraging WebAPI which contains logs via Tomcat (or whatever Java servlet container you are using). You may be able to retrieve access logs for ATLAS from the web server that is hosting it but I do not believe it will contain user information unless you configure that via your web server.

The WebAPI server logs are created using Log4j and it should be possible to export or inspect programmatically. I’d need to have @pavgra or @gregk speak to the logging of events and if those are tied to user accounts.

@SELVA_MUTHU_KUMARAN - in terms of auditing “entities” (i.e. concept sets, cohort definitions, etc) there is no unified way of doing this at the moment. You could query things via the WebAPI DB directly to understand a user’s actions for audit purposes.

In terms of downloading summary statistics from ATLAS: this is possible via the interface in certain sections of the application. For example, you can download the summary statistics from a characterization. However, you cannot directly download the inclusion report from a cohort definition through the interface at this time but you could use the WebAPI REST endpoint to pull that information the same way that ATLAS does for displaying it. I know this is not ideal but that’s the current state of things with the 2.7.3 release.

Hope this is helpful.

Adam_Black · September 6, 2019, 4:24pm

Thank you @anthonysena. I have a couple more security related questions to add to this thread that I need to be able to answer.

I am I correct that there is no possibility of SQL injection in the Atlas application? It looks to me like the only free text boxes are for naming things like cohorts. I imaging those names do get put into the database using SQL so maybe they are being scrubbed. How is SQL injection handled?

Does Atlas or WebAPI handle any PHI or patient level data at any time or is all patient level data confined to the database? I know that Atlas will not display any patient level information but I need to know if all computation is done in the database and only aggregate numbers are exported to WebAPI.

gregk · September 6, 2019, 4:51pm

@Adam_Black
ATLAS - like any web app - can have vulnerabilities and security issues. But over the past year or so, there were two vulnerability assessments conducted - funded by OHDSI collaborators, including Odysseus and Stanford - and as a result, we tested ATLAS/WebAPI and fixed quite a few issues that were found, as well as established “better” best practices on how code should be done to avoid vulnerabilities in the future. Such assessments are quite expensive and we are in discussion of getting funds from external sponsor so that we can do it more regularly.

Does Atlas or WebAPI handle any PHI or patient level data at any time or is all patient level data

ATLAS does have a patient profile page. Some organizations (typically, in Healthcare or Payer community) are actually interested in potentially displaying some information that could be considered PHI, but some others want to completely restrict it showing any PHI info. We are actively discussing how to have have this configurable as an option to enable/disable such use cases.