The overall privacy and security of a PopMedNet network is determined by a combination of the PopMedNet software, the hosting environment, and the procedures and processes of the network's administrators and users.
For information on the network administration practices of another network, please contact the PopMedNet Network Administrator for that network.
Network Administrators are responsible for the overall access control configuration of a network. As such, they are power users with the ability to view and manage any network entity or activity at any time.
Only trained staff from the HPHCI DPM act as Network Administrators. Our development team, (formally Lincoln Peak partners) is responsible for the development of the PopMedNet software and the hostingof the networks managed by the HPHCI DPM. All staff have passed background checks as a condition of employment with their respective organizations.
Access Control Management
The PopMedNet software uses a system of granular access controls to manage user permissions with a network implementation. These access controls allow for customized network configurations to meet individual network governance requirements.
Access controls may be applied network-wide or to specific entities such as Organizations, DataMarts, and Projects. The PopMedNet team exclusively manages all access controls for every entity in each network. No access control management is delegated to any other users. This ensures uniformity of permissions across entities, security groups, and users.
Requests to change access controls at the network-wide or entity level must be sent to the PopMedNet Team. The PopMedNet Team will review all requests to ensure that they are technically feasible and appropriate with regards to network governance. If the requested change would result in a violation of network governance, it may be rejected or escalated for review by the governing body of the network.
The PopMedNet software requires that all user accounts are approved or created only by authorized users. The PopMedNet Team exclusively approves and creates users in each network. No user approval or creation permissions are delegated to any other users.
All new users must be authenticated before their accounts are approved or created. If an unauthorized user registers for an account on any network, they will not be approved until they have been verified as an authorized user by a network coordinating center, (such as SOC), and/or an authorized user from their organization, depending on network governance requirements. Individual networks may also have additional requirements for user authorization, such as ensuring that appropriate signed forms are on record for the user. If the PopMedNet team is unable to authenticate the user, his or her registration will be rejected.
Once verifying that a user is authorized to participate in the network, the PopMedNet Team checks his or her registration to ensure that the appropriate corporate email address and other information is present. The PopMedNet Team then assigns the user to his or her specified organization and assigns security groups as appropriate. Security groups specify the permissions that apply to the user. See below for more information.
The PopMedNet software uses Security Groups to determine the permissions that apply to each user. Security groups are a combination of a role (e.g. investigator, DataMart Administrator) and the network entity (Organization or Project) that the user has permission to act upon or within.
Security Groups and the permissions that apply to them are determined by the access control configuration of a network. The PopMedNet Team defines a standard set of roles that may be applied to entities within a network.