BC Platforms Pioneering TREs and Federated Data Analysis


From Data To Health


Two decades of data security: Pioneering trusted research environments (TREs) and federated data analysis at BC Platforms
BC Platforms is a global leader providing a powerful data and technology platform for personalised medicine, accelerating the translation of insights into clinical practice including novel drug discovery and development.

We are the pioneer of federated genomic analysis — delivering our BC|RQUEST federated genomic architecture since 2017 and trusted research environments (TREs) since 2009. TREs are secure computing environments that manage sensitive patient data while allowing access to researchers. Our team has helped to establish TREs as part of our dedication to enabling safe and secure data-driven collaboration.

In TRUE federated data analysis, analyses are performed on multiple, separate datasets. This means that only aggregated, GDPR non-personal data are exposed outside of organisations’ firewalls. For data security reasons, only the parameters of the analysis workflows and methods, not actual workflows, are delivered to data hosting sites containing pseudonymised information classified as personal data in GDPR. All workflows that can be executed are pre-approved by data custodians in order to guarantee data privacy.

BCRQUEST.com is a Global Data Partner Network providing genomic and clinical cohort data for pharmaceutical and medical research and development. It delivers access to diverse genomic and clinical data and samples from more than 5 million subjects from 17 locations globally.

33 Million+ Patient lives in our catchment area (BCRQUEST.com + Extended network)
459,614 Subjects with Genomic Data
17 Data Partners: EU, Americas, Asia-Pacific and Africa

Data security, federated systems and TREs

At BC Platforms, we are fully aware of the importance and challenges of maintaining the security of patient data, especially electronic medical records (RWD) and molecular data in healthcare settings. Our solutions meet the highest demands of a TRE, as well as pharma companies’ data security standards — enabling the highest security measures on a global scale.

BC Platforms uses a highly-secure, proxied and logged data exchange layer for exchanging information between orchestration and data source layers. By running pre-defined analysis behind the data custodian’s firewall, returning simple patient counts, analysis p-values etc. to BC|RQUEST’s portal, we ensure a Safe Setting because detailed patient data never leaves its original environment. Only anonymous, aggregate (GDPR ‘non-personal’) data leaves the server, ensuring patients’ privacy.

Unfortunately, this is not the approach taken by other providers of so-called ‘federated data analysis platforms’ — introducing potential security risks to your data, patient privacy, and projects (see table).

How BCP meets the highest security, privacy and safety standards

Information Security Management System (ISMS)

ISO/IEC 27001: Full certification, in line with International Standard for Information Security, with annual audit programme.

ISO 13485: Has compliant and certified quality management system.

HIPAA & GDPR: All BC Platforms products are able to function as a database solution in a Health Insurance Portability and Accountability Act (HIPAA), and relevant products in 21 CFR Part 11 compliant projects, environment or organization.

HIPAA and GDPR compliance on top of general legislation, including different state and national statutory and regulatory requirements in all the countries BC Platforms operates.

Security features of BC|RQUEST and how they compare to other providers of so called federated solutions

| Security feature | BC Platforms’ approach | Other approaches (note 1) |
| --- | --- | --- |
| No holes to firewall required, with data writing out blocked | All data kept behind data custodian firewall. No access from outside to data server. Not possible to write data outside of data server. | Firewall hole allowing access from public cloud, and allowing data writing to the public cloud. 3rd party has access to account and encryption keys. |
| Result of security breach/attack | Attackers cannot move any data out from the system. | Attacker can copy all data out (GDPR violation), by using for example a compromised research account, man-in-middle attack, attack on vendor system running in public cloud, or dishonest researchers. |
| Only workflow parameters shared — NOT workflows | In TRUE federated analysis, only analysis parameters are shared from the outside. | Researcher able to run any workflows from the outside. |
| Result of security breach/attack | All workflows used are approved by data custodians. These workflows are proven to produce GDPR non-personal classified results on any parameter values. Possible attacker can therefore only access GDPR non-personal results. All inputs and sent results are logged for auditing by data custodian — possible violations can be detected. | Researcher can run workflow to copy all the data (data-copy model). Executing workflows from outside permits attacker or man-in-the-middle to execute any workflow (e.g., data-copy, or delete-all workflow). Can steal or destroy all the data from all data custodians. |
| Data server pulls and validates parameters | Data server pulls analysis parameters and performs comprehensive tests of parameters value validities before executing analyses on data server. | Vendor server in public cloud pushes any analysis parameters (and workflows) to data server. Possible parameter value checks are done on vendors’ server in public cloud. |
| Result of security breach/attack | Only validated data parameters are used for analyses. | As parameter values are checked outside the data server, ‘man-in-the-middle’ attacker can send malicious parameters (e.g., pieces of code), causing workflows to malfunction or can copy data out from the system. |
| Manual check of all results/files | In non-federated analyses, researcher stores final results in quarantine folder for manual check and acceptance. | Researcher can run any analyses or workflows, and download any results files. |
| Result of security breach/attack | Researcher can only download manually verified results that do not violate patient privacy, and which only are in-line with approved research plan. | Researcher can download results that compromise patient privacy, or are not in scope of approved research plan, without any control. |
Note 1, as gathered from publicly available patent descriptions and similar documentation.
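
The pull-and-validate pattern in the table above (approved workflows only, parameters checked on the data server, aggregate results, logged inputs and outputs), shown as an added example; it is not BC Platforms' code. The workflow name, parameter schema, sample records and small-count threshold are assumptions.

```python
import json
import logging

audit = logging.getLogger("custodian.audit")  # hypothetical audit log name
MIN_CELL = 5  # assumed small-count suppression threshold, not stated on the page

# Constructed sample standing in for pseudonymised records on the data server.
RECORDS = [{"age": a, "sex": s} for a, s in
           [(34, "F"), (41, "F"), (47, "F"), (52, "F"),
            (58, "F"), (60, "F"), (63, "M"), (29, "M")]]

def count_cohort(records, min_age, max_age, sex):
    """Pre-approved workflow: returns a single aggregate count."""
    return sum(1 for r in records if min_age <= r["age"] <= max_age and r["sex"] == sex)

def is_age(v):
    return type(v) is int and 0 <= v <= 120  # type() check also rejects bool

# Custodian-approved registry: workflow id -> (function, per-parameter validator).
APPROVED = {
    "count_cohort": (count_cohort, {
        "min_age": is_age, "max_age": is_age,
        "sex": lambda v: isinstance(v, str) and v in ("F", "M"),
    }),
}

class Rejected(Exception): pass  # request failed validation on the data server

def _reject(reason):
    audit.warning("rejected: %s", reason)
    raise Rejected(reason)

def handle_request(request, records=RECORDS):
    """Validate a pulled request locally, run it, and return only an aggregate."""
    audit.info("request: %s", json.dumps(request, sort_keys=True, default=repr))
    wf_id, params = request.get("workflow"), request.get("params")
    if not isinstance(wf_id, str) or wf_id not in APPROVED:
        _reject("workflow is not on the approved list")
    func, schema = APPROVED[wf_id]
    if not isinstance(params, dict) or set(params) != set(schema):
        _reject("missing or unexpected parameters")
    for name, is_valid in schema.items():
        if not is_valid(params[name]):
            _reject(f"invalid value for {name}")
    n = func(records, **params)
    result = {"workflow": wf_id, "count": n if n >= MIN_CELL else None,
              "suppressed": n < MIN_CELL}
    audit.info("result: %s", json.dumps(result))
    return result
```

The request carries only a workflow identifier and parameter values; nothing in it is ever executed as code, and a parameter that fails its validator stops the request before any record is read.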

Secure, federated data analysis at BC Platforms – Our experience

Since 1997, BC Platforms has been deploying its federated data analysis and pioneering the use of TREs:

Clalit Health Services

Israel’s leading healthcare organisation for over 4.5 million patients, with representative EMR data and an integrated electronic health records (EHR) database. Partnering with BC Platforms and its BC|RQUEST network provides access to its database, starting with a cohort of 40,000 consented ethnically-diverse patients, including whole exome sequence data linked with longitudinal EMR data, to help accelerate data-driven decision making and increase the speed of pipeline output.

Kaiser Permanente

Kaiser Permanente is one of the USA’s largest not-for-profit health plans, with 12.5 million members. BC Platforms and Kaiser Permanente have collaborated using Microsoft’s Azure cloud platform to safely and securely integrate data from multiple research centres into a single, virtual biobank framework. In 2020, they won the Microsoft Health Innovation Award in the Reimagine Health Category, for enabling a unique way of pairing clinical and genomic data on the same platform to advance precision medicine capabilities.

FinnGen

Initiated in 2017, the FinnGen project is a large public-private partnership aiming to collect and analyse Finnish genome and health data from 500,000 Finnish biobank participants, funded by the Finnish government and pharma companies. It is one of the very first personalised medicine projects at this scale. BC Platforms delivered a secure, audited BC|RQUEST system for performing data availability queries based on clinical and genomic data, available to all FinnGen researchers.

BC Platforms is a secure partner with a strong track record:

Used by the UK’s Health Data Research (HDR) Gateway to offer federated queries across multiple UK datasets, including COVID-19 datasets

Delivered research platforms for 8x EU FP7 / Horizon 2020 projects

Supported Innovative Medicines Initiative (IMI) project on sharing research data in Europe

PRIVASA project — differential privacy approach for analysing sensitive patient data and secure federated AI model training

"When working with healthcare and RWD data, patients’ privacy is of the utmost importance. That is why, from the very first planning phases of a TRE, an organisation’s data security team must be involved. As laws, regulations, and their interpretations vary country by country, solutions that are valid in one country, for example the UK, cannot be applied to the EU, or other countries without comprehensive security analysis. Having a local understanding in terms of patient privacy is therefore critical."

Timo Kanninen
CSO and Founder, BC Platforms

"We are excited to be collaborating with BC Platforms to securely share our data for the benefit of patients without compromising any privacy issues. We have been impressed by the BC|RQUEST platform and its ability to analyse, integrate and share data in a secure manner and in line with the European General Data Protection Regulation (GDPR) to support researchers with developing personalised medicines."

Dr. Christian Gülly
COO Biobank Graz, Medical University of Graz, Austria

BC Platforms has a strong scientific heritage, underpinned by over 20 years of working in close collaboration with a network of leading researchers, developers, and industry partners.

Visit www.bcplatforms.com to learn more


Timo Kanninen PhD, CSO and Founder
Anni Ahonen-Bishopp, Solution Director, Pharma and Research

Follow us on LinkedIn @BC Platforms

ZURICH: Bleicherweg 10, 8002 Zürich, Switzerland, + 41 79 420 4749
BOSTON: 1 Lincoln St., STE 2400, Boston, MA 02111, USA, +1 617 981 0636
HELSINKI: Innopoli 3, Vaisalantie 6, FI-02130 Espoo, Finland, +358 50 467 9282
SINGAPORE: #05-01 Connexis, Fusionopolis Way, Singapore 138632, APAC, +65 88786088
