Arvados in Regulated Environments
A properly configured and secured Arvados deployment should comply with HIPAA Security and Privacy standards §164.312 Technical safeguards. Along with proper Administrative and Physical safeguards, Arvados may be used as a component in building systems that are compliant with HIPAA, GxP, and other regulatory regimes.
i. Unique user identification.
ii. Emergency access procedure.
All data uploaded to Arvados is private by default. However, in an emergency, system administrators can access protected data in accordance with organizational processes and procedures.
iii. Automatic logoff.
Arvados can be configured so that idle user sessions automatically log off, and that all access tokens automatically expire.
iv. Encryption and decryption.
Each access to the system is recorded in a log, with an associated request id. A “logs” table records changes to the system, and collection versioning provides a history of changes to a given data set.
Use of immutable, hash-based identifiers for data sets enables the receiver to verify that the data requested is the data returned. Collection versioning provides a history of changes to a given data set.
Arvados integrates with various enterprise authentication mechanisms, including LDAP and OpenID Connect, to verify the identity of a user.
Arvados uses industry standard TLS to encrypt all data in transit. Use of immutable, hash-based identifiers for data sets enables the receiver to verify that the data was not modified in transit.