Network segmentation patterns for genomics diagnostics components

These are applications identified in the genomics diagnostics end-to-end data flow and include:

Test request and ordering – Currently most genomics tests are requested via a manual process whereby test order forms are completed by hospital staff and reviewed for accuracy by clinicians before being uploaded into Genomics England Ltd's (GEL's) test order management system (TOMS) for processing. In a few cases some NHS trusts now use ordering tools like EPIC to document the required test before uploading into TOMS.

EPR – EPR is a single electronic patient record which will replace most paper medical records in the NHS.

Laboratory Information Management System (LIMS) – Test requests can also be generated via the trust's LIMS for non-whole genome sequencing (NWGS) testing or before uploading into GEL’s TOMS if the test is whole genome sequencing (WGS) related.

TOMS – This is an application owned by GEL and used for managing all WGS related testing.

Interpretation portal – The interpretation portal is also a GEL application and used to manage test outcome analysis and provides a web interface for scientists to access test data.

Segmentation options for genomics application services

EPR and ordering and reporting systems should be placed in the same logical network group and subnet with applicable access control policies to ensure only authorised traffic is permitted to/from the systems hosting these applications.

The TOMS in GEL should be deployed in a dedicated logical group and subnet (zone) firewalled with applicable access control policies.

The Interpretation portal should be deployed in a dedicated logical group and subnet (zone) firewalled with applicable access control policies.

GP systems should be segmented from other office applications in its own dedicated logical group, subnet (zone) with applicable access control policies.

Databases connected to GP systems, order and reporting systems or EPR should also be segmented in a dedicated logical group/subnet (zone) with the applicable access control policies to permit only authorised.

Application layer segmentation can be implemented to isolate these systems where possible.

The array of medical devices connected to the network within the genomics pillar stem from data extraction and plating robots to sequencing and analytic devices.

Table 5: Sample diagnostic devices by ecosystem

Segmentation options for genomics devices

Organisations should segment genomics diagnostics devices connected to the clinical network in logical network groups and subnets (zones) behind a router/firewall. The router/firewall should be supported by applicable network access control policy to restrict communication to authorised traffic only.

The logical grouping of genomics connected medical devices (CMDs) should be done in compliance with the organisation’s business continuity plan, to ensure that a successful compromise of one segment does not automatically lead to a lack of service from a particular type of genomics CMDs within the organisation.

Robots, robotic arms, and fluid devices used either in primary or secondary care should be isolated into dedicated logical network groups and subnets (zones) in a mixed economy of genomics devices.

Egress traffic from these logical groups logical groups/subnet (zones) should be governed by applicable access control policies to ensure only authorised communication is permitted.

Genome analyser tools should be segmented into logical network groups and subnets (zones) behind a router/firewall supported by applicable network access control policy to restrict communication to authorised traffic only.

The genomics data is stored in various storage repositories split across GEL (for WGS) and GLHs (for NWGS), and from a data classification perspective are classed as highly sensitive personal confidential data.

Below is an overview of the various data repositories across NHS and GEL:

Sequencing data store – Located within GEL, the repository contains identifiable genome sequencing data classified as highly sensitive stored as VCF and BAM files.

Clinical Variant Ark (CVA) variant store and knowledge base – This contains de-identified reference data only and acts as a knowledge base for information on known genome variants. Variant stores are often more widely available than data stores and analysis tools – they hold only de-identified data and have relevance for research and international collaboration as such a risk assessment should be undertaken to determine the effectiveness or otherwise of segmenting variant stores.

Illumina Sequencing Data Store – This is a 3rd party storage repository and holds de-identified genome sequencing data for a short period only.

Analyser 3rd party data store – These are transient 3rd party data store that hold identifiable highly sensitive data for a maximum 60 days - for example Congenica or BVSI.

National Genomics Integration Services (NGIS) – Genomics Medicine Service (GMS) takes a snapshot of the data case notes and demographics as such classed as sensitive data.

National Genomics Research Labs Research Databases (NGRL) – Stores de-identified sequencing data with some clinical context in research databases.

Test order management system – Stores all test and order information related to any WGS testing in GEL.

Interpretation portal – Holds sequencing data for maximum 60 days within GEL.

LIMS – LIMS is a software-based solution domiciled within NHS trusts (mainly secondary care) with features that support a modern laboratory's operations. It can be used for requesting and ordering genome testing for patients the management of test results. 

LIMS is usually deployed in a client/server architectural model utilising thin and/or thick clients to access the LIMS server.

Recommended segmentation options

For the data stores identified in the overview above:

The sequencing data store – holds sequencing data in VCF and BAM files as such should be deployed in dedicated logical network groups and subnets (zones), with restricted access control policies enforced to ensure only authorised traffic is permitted to/from the datastores.

The CVA variant data store – should also be deployed in dedicated logical network groups and subnets with applicable access control policies to ensure only authorised traffic is permitted to/from the zones.

The Illumina Sequencing Data Store – should be deployed in dedicated logical network groups and subnets with applicable access control policies to ensure only authorised traffic is permitted to/from the zone.

NGRL research databases – should be deployed in dedicated logical network groups and subnets/zones with applicable access control policies to ensure only authorised traffic from the NGRL application/s or other authorised application is permitted to/from the zone.

NGIS – GMS should be deployed in a dedicated logical network group and subnet with applicable access control policies to ensure only authorised traffic is permitted to/from the zone.

Within a chosen 3rd party service provider, the analyser data store should be deployed in dedicated logical network groups and subnets with applicable access control policies to ensure only authorised traffic is permitted to/from the zone.

As stated in Network segmentation - An introduction for health and care organisations, whilst network segmentation is a very important tool in network security design, it must be supported by additional security controls to assure the security posture of any organisation’s network.

See guidance on protecting connected medical devices for recommendations on additional security controls. These apply to all categories of genomics diagnostics components.