Cooperation and 'IDEAS' Renew Collaboration

February 2010

Bill Sanns, Director, Information Systems
Department of Epidemiology and Biostatistics
University of Texas Health Science Center at San Antonio

The University of Texas Health Science Center at San Antonio (UTHSCSA) has a long-standing and successful partnership with the Audie Murphy South Texas Veterans Health Care System. Not only is the VA partner considered an operational component within the Cancer Therapy and Research Center (CTRC), but the Bartter Research Unit, previously the GCRC, now a component of UTHSCSA's Clinical Translational Science Award (CTSA), is physically located within the VA and has long flourished under an established sharing agreement. UTHSCSA systems are physically wired throughout the VA facilities, and a large number of staff and faculty work within the VA. For over two decades there existed a secure, trusted, and free-flowing stream of research data moving between the organizations.

The Department of Epidemiology and Biostatistics (DEB) is in the unique position of serving as the informatics and statistical core to both the CTRC and CTSA. While the department is only eight years old, it has had the opportunity to support and work with VA investigators from a myriad of disciplines.

In 2007, several highly publicized data breaches caused the VA system to re-evaluate its security policies and procedures. What followed was a series of decisions that crippled the research collaboration at UTHSCSA as well as at other academic affiliates across the country. Patient-identifiable computerized data was no longer allowed to leave the VA facility, and any data gathered within the VA or on a VA-sponsored clinical trial fell under the most stringent VA guidelines. This change in policy made it nearly impossible to correlate, analyze, and report data being gathered on open and distributed clinical trials and bio-repositories, essentially shutting down this aspect of our research.

Once the uproar over the new VA policies began to settle later in the year, we were able to more clearly evaluate the situation and begin working on a solution. Core to DEB's support is a locally developed clinical trial management system known as the Informatics Data Exchange and Acquisition System (IDEAS). IDEAS represents the operational framework managing both DEB's NCI and CTSA core responsibilities. While IDEAS meets and often exceeds HIPAA, local and national compliance standards, it did not meet the new VA requirements.

In order for IDEAS to continue to be used within the VA, it had to be certified as compliant with the Federal Information Security Management Act (FISMA), a time-intensive and costly process. This standard was well beyond the existing data facility's capabilities, and while a few institutions and academic medical centers were able to pursue certification, the Health Science Center determined that this option was not within its reach. The UTHSCSA research infrastructure, like that of many other academic medical centers, is primarily a decentralized grant-funded operation. While this model provides a welcome level of independence and autonomy, it does place a number of financial constraints on its operation. With no grant to support the transition to FISMA certification, it was clear that this was neither a fiscal nor sustainable option.

With FISMA no longer an option, and in an effort to get stymied research back on line, DEB began to explore ways to duplicate the IDEAS framework within the VA's FISMA infrastructure. The first choice was to provide the VA with both an application and database server. The VA would host a replicated environment in the data center. While both organizations felt this was the quick and (somewhat) easy answer, it turned out to be against VA policy to host third-party servers in their data center.

Continuing with the replication concept, the VA next offered to buy servers for UTHSCSA's use. DEB would become a "vendor" operating within the VA environment. This worked for DEB, and there was precedent with associated policy in place to support the move. However, complicating this solution was that DEB operates within a UNIX and open source development environment. The University of Texas system has also negotiated Oracle site licensing, so DEB takes full advantage of those cost savings and has implemented Oracle as its database management system. The VA is primarily a Windows-based environment and did not have the skilled staff to support the DEB environment. While this was another acceptable operational solution, further investigation found that the total cost was not within the local VA operating budget.

Not to be deterred, DEB offered to migrate its application server from Sun Solaris to Linux and to replicate its database into Microsoft's SQL Server. The VA would at least be able to utilize existing hardware, and they found that several of their system administrators were adept enough with Linux, through their own interests, to support the required maintenance. The move to SQL Server would prove a challenge, but DEB was confident that the IDEAS software architecture had sufficiently encapsulated the data layer, minimizing any programming changes.

DEB began to move forward. Creating a copy of IDEAS in Linux was straightforward, especially since the overall demands on this version would not require as finely tuned a system as the primary IDEAS system. DEB borrowed a Windows server, procured a development version of SQL Server, and began to recreate the data structure within the new environment. Work also began on the process of procuring a Windows-based development and test environment to properly manage the application once it finally moved to the VA.

Things were finally looking up when DEB was informed that the VA would not allow any open-source applications on their network. With IDEAS relying on Apache as the web server and Tomcat as the application server, the collaboration was nearing a stopping point. The department debated whether to completely rewrite the application (web, application, and database) in the Windows environment, but realized this would risk spreading resources too thin and not having appropriate coverage. Once this conclusion was reached, it was time to look at other solutions. The problem was that we were seeking a technical solution to an artificial situation created through a policy decision, which was based on events outside the control of either side.

Not willing to quit, UTHSCSA continued to address the situation from all levels between key parties from both organizations. The University's leadership met regularly with VA leadership to discuss options and possibilities. The University Vice President for Research sponsored a visit from a congressional subcommittee member to get UTHSCSA's input and raise the issue to a national level. Also, the Chief Information Officer and the Chief Information Security Officer worked directly with their VA counterparts to ensure options met the necessary technical and security requirements. DEB assisted and facilitated along the way.

Finally, in 2009, more than two years after the policy-driven shutdown, UTHSCSA saw the first indication of a shift in policy resulting from a combination of local efforts, (somewhat) clear and updated guidance from the VA Central Information Technology office, and a change in the local VA's top leadership.

DEB worked closely with the VA's Research Associate Chief of Staff (ACOS) and quickly reacted to the change in policy. The decision was made to focus on a single research protocol, establish precedent, and use that to move forward with the other ongoing and prospective trials. Selected was a once-thriving prostate bio-repository. In 2007, this bio-repository had thousands of samples and well over a hundred thousand diagnostic test results. It not only supported clinical and pathological research, it was also acting as an overflow clinical repository taking samples deemed for disposal due to VA space limitations.

Due to the VA policy, access to data had been severely restricted, nearly resulting in a shutdown of bio-repository operations. With the backing of the VA ACOS and supported by a very dedicated University Urology research staff, DEB worked closely with VA Research and Development (VA R&D) to make the necessary protocol-related changes and with the VA's Information Security Office to find an acceptable technology-based solution. There were four primary requirements to be met:

  1. Each protocol's consent form had to be updated to reflect the physical location of the data storage facility (the IDEAS Oracle database in our case);
  2. A security application for each protocol (both initial approval and yearly review) had to be submitted to both VA R&D and the VA Security Office;
  3. VA's Central IT reiterated that any system utilizing protected health information (PHI) had to comply with existing HIPAA requirements; and
  4. All IDEAS-based servers had to meet the Federal Information Processing Standard (FIPS) 140-2 cryptographic standards.

To ensure DEB complied with HIPAA requirements, VA Information Security met with DEB representatives to assess the IDEAS data system, operational policies, and data handling procedures. Through the assessment, DEB presented the IDEAS application and data security software models, their programming methodologies, and their data infrastructure for approval. Once the VA was satisfied with DEB's operational parameters, focus shifted to the IDEAS physical infrastructure. DEB utilizes three distinct firewalls (two managed by the University and one by the department), four programming environments (two development, test, and production), server virtualization (Solaris zones), and a complete separation of production services (interface, logic, and database) communicating through a University-managed virtual local area network. These measures, taken together with a planned physical move of all production systems from a DEB server closet to the University's Central Computing Facility, satisfied the VA's HIPAA requirements.

The last remaining hurdle to clear was the FIPS 140-2 cryptographic requirements. Once again, DEB reached out to its University partners and collaborated with its CISO to review what was in place, what was needed to meet specification, and what it was going to take to get there. DEB System Administrators worked closely with local VA security, installed a series of Solaris upgrades, and met the FIPS prerequisites.

DEB received final approval in May 2009 to reestablish VA-UTHSCSA research operations. The prostate bio-repository went back on line, is fully operational, and is now scheduled for a major software upgrade. In addition, two diabetes trials have opened, there are several existing trials awaiting approval, and a growing queue of new trials waiting to be started.

Given an opportunity to reflect on these events, there were several key factors leading to this successful outcome. DEB has always operated, and continues to operate, in a transparent and open environment. University Compliance, Central IT, Information Security, the Institutional Review Board, and University Internal Audit have always been considered partners and members of the research team. This presents a dichotomy not unusual for research in that DEB functions as an independent research organization, but also depends on the University enterprise for services, making the success of both intertwined. By working within the enterprise, taking the counsel of partners, and being open to outside input, the only change DEB actually made to get research with the VA moving again was to install the FIPS-specific upgrades. In fact, in the operational model, this would have been done at the VA's request regardless of the VA research shutdown. We truly believe that cooperation leads to collaboration.

During this process, we did learn a few lessons. As difficult as it was at times, we recognized the importance of patience. This was key in realigning the two organizations. The stakes are high, the problem complex, and the variables almost too numerous to count. Persistence pays off. We remained determined in our efforts even when it seemed like all of our attempts were failures. We also understood that while research is DEB's top priority, it's just one of the VA's many missions. There were times we had to wait until they were ready and able to work with us. Lastly, this experience reinforced how important partners are to any successful operation. This would not have been possible if the VA ACOS for Research (Dr. Peter Melby), his assistant chief (Dr. Kim Summers), the University's CIO (Mr. Jerry York), and his Chief Information Security Officer (Mr. David Nelson) were not as committed, dedicated, and diligent as they all proved to be.

For those who would like additional information, want to learn more about our experiences, or wish to discuss details from the text, I would be pleased to share what we've done and what we've learned. I can be reached at

Member Viewpoints

Featured in issues of the GIR Newsletter and the GIR website, these articles are contributed by GIR representatives on current IT-related issues, challenge solutions, and technological innovations in academic medical institutions.