HPHCI Network Administration Practices


The overall privacy and security of a PopMedNet network is determined by a combination of the PopMedNet software, the hosting environment, and the procedures and processes of the network's administrators and users.

The page details the network administration practices of the PopMedNet Team from the Harvard Pilgrim Health Care Institute Department of Population Medicine. The PopMedNet Team act as Network Administrators for the following PopMedNet networks:

For information on the network administration practices of another network, please contact the PopMedNet Network Administrator for that network.



Network Administrators

Network Administrators are responsible for the overall access control configuration of a network. As such, they are power users with the ability to view and manage any network entity or activity at any time. 

Only trained staff from the HPHCI DPM act as Network Administrators. Our development team, (formally Lincoln Peak partners) is responsible for the development of the PopMedNet software and the hosting of the networks managed by the HPHCI DPM. All staff have passed background checks as a condition of employment with their respective organizations.


Access Control Management 

The PopMedNet software uses a system of granular access controls to manage user permissions with a network implementation. These access controls allow for customized network configurations to meet individual network governance requirements.

Access controls may be applied network-wide or to specific entities such as Organizations, DataMarts, and Projects. The PopMedNet team exclusively manages all access controls for every entity in each network. No access control management is delegated to any other users. This ensures uniformity of permissions across entities, security groups, and users. 

Requests to change access controls at the network-wide or entity level must be sent to the PopMedNet Team. The PopMedNet Team will review all requests to ensure that they are technically feasible and appropriate with regards to network governance. If the requested change would result in a violation of network governance, it may be rejected or escalated for review by the governing body of the network.


User Authentication

The PopMedNet software requires that all user accounts are approved or created only by authorized users. The PopMedNet Team exclusively approves and creates users in each network. No user approval or creation permissions are delegated to any other users.

All new users must be authenticated before their accounts are approved or created. If an unauthorized user registers for an account on any network, they will not be approved until they have been verified as an authorized user by a network coordinating center, (such as SOC), and/or an authorized user from their organization, depending on network governance requirements. Individual networks may also have additional requirements for user authorization, such as ensuring that appropriate signed forms are on record for the user. If the PopMedNet team is unable to authenticate the user, his or her registration will be rejected.

Once verifying that a user is authorized to participate in the network, the PopMedNet Team checks his or her registration to ensure that the appropriate corporate email address and other information is present. The PopMedNet Team then assigns the user to his or her specified organization and assigns security groups as appropriate. Security groups specify the permissions that apply to the user. See below for more information.


Designated Roles

The PopMedNet software uses Security Groups to determine the permissions that apply to each user. Security groups are a combination of a role (e.g. investigator, DataMart Administrator) and the network entity (Organization or Project) that the user has permission to act upon or within.

Security Groups and the permissions that apply to them are determined by the access control configuration of a network. The PopMedNet Team defines a standard set of roles that may be applied to entities within a network.

Role*Description
Network (System) Administrator

Create, view and edit entities, (Organizations, DataMarts, Projects, Users), assign/edit permissions, edit notifications

Only members of network operating centers based at HPHCI have this role

Networks: Sentinel, PCORnet, HDC

DataMart Administrator

Review and respond to requests via the DataMart Client.

Depending on network governance, DataMart Administrators may also manage the metadata for their DataMart(s) and/or submit requests to their own DataMart(s).

Networks: Sentinel, PCORnet, HDC

Investigator

May submit requests and review/export aggregated (not site-specific) results within a Project.

Networks: PCORnet

Enhanced Investigator

May submit requests and review/export disaggregated (site-specific) results within a Project.

Networks: Sentinel, PCORnet, HDC

Observer

View Network or Project activity, excluding request results

Networks: Sentinel, PCORnet, HDC

Enhanced Observer

View Network or Project activity, including request results.

Networks: Sentinel, PCORnet, HDC

FDA Observer

Run network activity report

Networks: Sentinel

Organization Administrator

Manage the metadata for their Organization and DataMart(s).

Monitor their DataMart(s) activity.

Networks: Sentinel, PCORnet, HDC

Request Reviewer

Review requests before they are released to any DataMart(s).

Networks: Sentinel, PCORnet

Response Reviewer

Review responses for a specified DataMart or group of DataMarts before they are released to the Investigator.

Depending on network governance, Response Reviewers may also have the option to group responses from multiple DataMarts into aggregate result sets before release.

Networks: Sentinel, PCORnet

Not all roles may be used in each network.


Contact Us

PopMedNet Service Desk