NCHICA 2018 AMC Conference

Building Health Information Company Security from Scratch

Shay Hassidim, CTO

June 11th 2018


Agenda

• Introducing Sema4

• Sema4 Technology Towers

• Security – The Defense layers

• Data Flow

• ITIL-ITSM

• Cloud Gravity

• Governance

• Decentralizing & Democratization

Sema4: Patient-Centered Predictive Health Company & Leader in Diagnostic Testing

Service areas: Biochemical Genetic Testing; Bioinformatics Research and Clinical Test Development; Diagnostic and Sequencing Testing; Cytogenetic and Cytogenomic Testing; Digital Products.

The Company: Launched on June 1st 2017, Sema4, a venture of Mount Sinai, is a patient-centered predictive health company founded on the idea that more data, deeper analysis, and increased engagement with health care providers and patients will improve the diagnosis, treatment, prognosis, and prevention of disease. Sema4 is led by Dr. Eric Schadt, a renowned scientist with over 350 peer-reviewed publications in top tier journals.

The Present: Sema4 is a full-service genetic testing provider, and has ~400 employees with HQ in CT, next gen genomic labs and product R&D in NYC and CT, and a nationwide sales team.

The Future: Scaling the genetic testing business nationwide and creating deep digital engagement with data-sharing patient-consumers.

Sema4 Technology Towers

• App lifecycle Automation, Orchestration, ITSM, DevOps, ITOps, IT Governance

• IoT – lab instruments, wearable devices, Real time analytics

• AI – Machine Learning and Deep Learning, Big Data, NoSQL

• Cloud – private / public / hybrid, HPC next generation

• Enterprise grade security, NFV, HA, DR, BlockChain

• In Memory compute, GPU, TPU, FPGA, BrainWave, DNN PU, Spark

• Core IT – Network, 365, End-Point Security, Backup, Storage, Collaboration …

Security

Recent biggest healthcare breaches: http://www.healthcareitnews.com/slideshow/biggest-healthcare-breaches-2017-so-far

Types of HIPAA Breaches: https://www.calyptix.com/hipaa/discover-the-top-3-causes-of-hipaa-violations-and-their-simple-solutions/

• IT handles these proactively by automating processes and policy enforcement

• End point security – virtual desktop

• Everyone needs to be vigilant: if we do not collectively act as stewards of our data, we're not protecting our investment!

• You are only as strong as your weakest link!

Data Flow

Genomics Pipeline (Sema4 Labs → Sema4 Cloud): HPC based pipelines, 10 TB a week

Bio-Informatics/Analytics Flow – data types: FASTQ / BAM / VCF / TSV; BAM / VCF / TSV / logs

• SLA based, automated monitoring and alerting

• Unlimited compute & storage capacity, HA, DC OOTB

• Fast archiving, automated, fast retrieval

• AWS services: EMR, Batch, EFS, S3, Glacier, Aurora

• Text mining

• Bio-informatics workflows: data and compute intensive, running 24x7

ITIL-ITSM

ITIL

Information Technology Infrastructure Library, is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.

• Developed by the UK Government in the 1980s.

• Adopted by government agencies and the private sector worldwide.

• Improves the alignment of IT to the business

• Improves the quality of the IT services

• Lowers the cost of delivering IT

Sema4 Service Portal

Typical classic IT services / Typical Cloud services

Sema4 Service Portal – Cloud Storage Governance and resource creation automation example (Sema4 IT)

1. Log into Sema4 SN Portal and Request Something

2. Select S3

3.a. Select an existing bucket to access

3.b. Or request a new bucket to create & access. Use the Group/Project/Application to generate a unique bucket name. Set encryption mode based on PHI type.

4. Approval

5. Orchestration via template+blueprint. Generate the policy and call the AWS API.

Automation – end to end
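Steps 3.b to 5 of the flow above, as an added Python example that is not the portal's own code: it derives the bucket name from Group/Project/Application, picks a default-encryption configuration by PHI type, and builds the bucket policy that the orchestration step would pass to the AWS API (put_bucket_encryption / put_bucket_policy). The PHI-type-to-encryption mapping, the KMS key alias and the approval flag are assumptions.

```python
import json
import re

# Assumed mapping of PHI type to default encryption; the key alias is a placeholder.
ENCRYPTION_BY_PHI_TYPE = {
    "phi": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/PLACEHOLDER-phi-key"},
    "non-phi": {"SSEAlgorithm": "AES256"},
}


def bucket_name(group, project, application):
    """Derive an S3-valid bucket name from Group/Project/Application (step 3.b)."""
    raw = "-".join([group, project, application]).lower()
    name = re.sub(r"[^a-z0-9-]+", "-", raw).strip("-")
    if not 3 <= len(name) <= 63:
        raise ValueError("bucket name must be 3-63 characters: %s" % name)
    return name


def encryption_config(phi_type):
    """Default-encryption rule for put_bucket_encryption, chosen by PHI type."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": ENCRYPTION_BY_PHI_TYPE[phi_type]}]}


def bucket_policy(name, phi_type):
    """Policy for put_bucket_policy: always deny plaintext transport; for PHI
    buckets also deny uploads that explicitly request anything other than SSE-KMS.
    Uploads that send no encryption header fall back to the bucket default above."""
    arn = "arn:aws:s3:::" + name
    statements = [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": [arn, arn + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]
    if phi_type == "phi":
        statements.append({
            "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": arn + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def provision_request(group, project, application, phi_type, approved):
    """Steps 4-5: only an approved request yields what orchestration passes to AWS."""
    if not approved:
        raise PermissionError("request has not been approved")
    name = bucket_name(group, project, application)
    policy = bucket_policy(name, phi_type)
    return {"bucket": name, "encryption": encryption_config(phi_type),
            "policy": policy, "policy_json": json.dumps(policy)}
```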

Cloud Gravity

Challenges with in-house infrastructure

• Limited – max capacity

• Underutilized or scarce resources

Cloud Model – No limit: Pay per Use, Scale as you need

Major Cloud Providers – DC Distribution

Cloud Security Services

Governance

Cloud Governance

• Automated enforcement

• Structured

• Multi-tenant

• Config as Code

• Event Based

• Versioned

• Context aware

In contrast:

• Inefficient

• Slow

• Manual

• Unmanaged pile of scripts

• Hard-Coded

• User based

• Non-portable

Environment Management on the Cloud – Enforcing policies via an Environment Blueprint

XaaS – On-Prem vs IaaS, PaaS, SaaS, EaaS (Environment as a Service)

• Organization

• IT – VPC, VPN, Compute, Storage resources

• Application infra – DBaaS, MOMaaS, AnythingAaS

• Developers – Blueprints / Templates, Fully running app (EaaS)

Blueprint & Deployment

• Upload blueprint

• Create deployment – Deployment 1 (Dev), Deployment 2 (UAT), Deployment 3 (Prod)

• Execute workflows (e.g. "install") – each deployment has its own executions (Execution 1, Execution 2, …)

Workflows: • Install • Uninstall • Scale • Heal • Upgrade • Custom workflow • …

Environments: Workflows environments; Biz Dev / Collaboration environments; Product environments

Policies repo: User / Roles policies; Network config policies; File storage policies; Database config policies; Compute resource policies

Blueprint catalog: Workflows blueprints; Web Portal blueprints; Big Data blueprints; Data science blueprints

Fully automated policy enforcement. Data and deployment governance.


Decentralizing & Democratization

The Next Horizontal Innovation in Data Management

• Similar to the introduction of Cloud computing, Distributed databases, IoT and, more recently, Edge Computing, Blockchain is the latest horizontal innovation disrupter in data and computing management hitting the Fortune 50.

• It is a transformative technology, revolutionizing privacy, data management and governance in almost every sector, including healthcare and genomics IT.

• Major cloud vendors such as AWS, Oracle, IBM and Microsoft offer Blockchain Cloud services. This demonstrates the popularity of such data management functionality.


Summary

• Most public cloud vendors offer everything IT may need to run complex workloads on the cloud using cloud native services

• Data governance, deployment, security controls – all MUST use automation to enforce corp policies.

• New horizontal innovations should be considered to form data sharing platforms on a global scale

Thank You