Case Study: We helped Origent Data Sciences build and launch their groundbreaking forecasting platform for ALS (Lou Gehrig’s disease)
Origent is dedicated to managing and reducing drug development risks through better foresight. By modeling patient-level dynamics, their statistical models uncover a deep level of insight from patient health information.
Origent developed a suite of accurate statistical models for the evolution of Amyotrophic Lateral Sclerosis, and sought help creating a secure cloud application that could be made directly accessible to ALS clinics. After just a few weeks, ForecastOne™ ALS was production-ready.
Life on Mars came highly recommended when we were looking for a partner to build the MVP for our clinician-facing ForecastOne platform. We couldn't be happier with their work, and we got a lot more than we bargained for. They worked seamlessly with our team, and provided a smooth transition of the MVP into the hands of our in-house development staff, providing additional training for new technologies wherever needed. Their diligent research, thorough documentation, and transparent processes gave us peace of mind in the quality of their work and its compliance with regulatory requirements under HIPAA. CEO at Origent Data Sciences
ForecastOne™ ALS is a web application which allows clinicians to better understand the future progression of symptoms for individual patients living with ALS. After collecting data from patient visits, the application makes use of proprietary statistical models in order to estimate the progression of the disease.
ALS is a disease whose evolution is notoriously hard to predict. In the absence of ForecastOne™ ALS, doctors can only rely on population averages when trying to answer patients’ questions about their prognosis. By using Origent’s platform, they can quickly ascertain each patient’s personalized progression path, to better inform patients and anticipate their needs.
HIPAA, the Health Insurance Portability and Accountability Act, was passed in 1996 and, among other things, sets requirements for the management, storage and transmission of protected health information (PHI) in both physical and digital form. The Technical Safeguards of its Security Rule specify what an application must do while handling electronic PHI (ePHI), and ForecastOne™ ALS handles ePHI throughout.
We invested quite a bit of time into research, and consulted with folks in our network who had successfully dealt with HIPAA before, to ensure we had a thorough grasp of these guidelines and what they mean for web application security in 2016. Most of these requirements parallel best security practices for any serious web application. A couple of examples are described below.
Emergency Access Procedure
User accounts can hold several roles. One of them is Administrator, which grants full access to the medical records. Every access to any resource, whatever the caller's role, is recorded in an audit trail.
The database is backed up daily and automatically through RDS, with additional automation to implement a retention policy. We conducted a drill to test and practice the response to a data-loss scenario, and delivered a document describing the corresponding recovery strategy.
Encryption and Decryption
RDS is one of AWS's HIPAA-eligible services, for a few select database engines. We ended up using MySQL, since PostgreSQL was not covered at the time. RDS supports encryption at rest (it must be enabled when the instance is created; it cannot be switched on afterwards) and TLS for connections in transit, which the application's database clients must be configured to require.
Our application was deployed to an EC2 instance, which stores nothing locally apart from nginx and Rails logs. We replaced Rails' default logging with a custom logger that writes only non-ePHI information, so no patient data ends up in the logs.
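The two points above, an audit trail of every resource access and a logger that never writes ePHI, can be served by the same component. The following Ruby code is an added illustration, not code from ForecastOne™ ALS or Life on Mars: it is a `Logger` formatter that emits one JSON line per event and redacts any field whose name is on a PHI list, recursing into nested hashes, plus a small audit helper that records who accessed which resource. The field names in `PHI_FIELDS`, the `AuditLog` class and the sample request in `demo` are all assumptions; the real application's schema is not described on this page.

```ruby
require 'logger'
require 'json'
require 'time'
require 'stringio'

# Field names that carry ePHI and must never reach a log line.
# Assumed list for this example; the real schema is not shown on the page.
PHI_FIELDS = %w[patient_name date_of_birth mrn ssn alsfrs_score notes].freeze

# Formatter that writes one JSON object per line and replaces every PHI
# field with "[REDACTED]", however deeply it is nested in the message.
class PhiRedactingFormatter < Logger::Formatter
  def call(severity, time, _progname, msg)
    payload = msg.is_a?(Hash) ? redact(msg) : { message: msg.to_s }
    JSON.generate({ ts: time.getutc.iso8601, level: severity }.merge(payload)) + "\n"
  end

  # Walk hashes and arrays; scalar values are passed through untouched.
  def redact(value)
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        out[k] = PHI_FIELDS.include?(k.to_s) ? '[REDACTED]' : redact(v)
      end
    when Array then value.map { |v| redact(v) }
    else value
    end
  end
end

# Records who touched which resource. Only the identifiers needed to
# reconstruct the access trail are logged; patient attributes are not.
class AuditLog
  def initialize(io)
    @logger = Logger.new(io)
    @logger.formatter = PhiRedactingFormatter.new
  end

  def record_access(user_id:, roles:, action:, resource:, params: {})
    @logger.info(
      event: 'resource_access',
      user_id: user_id,
      roles: roles,
      action: action,
      resource: resource,
      params: params # redacted by the formatter if it carries ePHI
    )
  end
end

# Constructed request: a clinician viewing one patient record. The params
# hash mimics what a Rails controller would receive. Returns the log line.
def demo
  io = StringIO.new
  audit = AuditLog.new(io)
  audit.record_access(
    user_id: 42, roles: %w[clinician], action: 'show',
    resource: 'patients/17',
    params: { 'id' => '17', 'patient_name' => 'Jane Doe',
              'visit' => { 'alsfrs_score' => 38 } }
  )
  io.string
end

puts demo if $PROGRAM_NAME == __FILE__
```

Rails' own `config.filter_parameters` already scrubs request parameters from the framework's request log, but it does not touch log lines the application emits itself, which is why the redaction lives in the formatter: every message, from any caller, passes through it. Keeping the output as one JSON object per line also makes the audit trail straightforward to ship to a log store and query by `user_id` or `resource`.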
The collaboration between Origent and Life on Mars was as smooth as can be expected from a properly framed Agile engagement. Origent provided full access to their team, which included a product owner and project manager.
During this project we ran, together with Origent, daily standup meetings, sprint planning sessions, and weekly sprint retrospectives. This allowed Origent to constantly refine and reprioritize the backlog with the assistance of our engineers, without the need for change requests or other operational overheads.
Our engineers were exclusively allocated to this project, and they felt very much as part of the Origent team, while simultaneously taking advantage of the technical backbone at Life on Mars for architecture discussions, code reviews, and capacity bumps.
Working this closely made knowledge transfer simple: it ensured Origent’s technical team was constantly abreast of new developments, and made it easy for us to explain the rationale behind technical decisions.
We were also glad to have had the opportunity to train Origent's data science team in git through a workshop we put together, which let them version their statistical models more smoothly than before.
We built the infrastructure for ForecastOne™ ALS entirely on AWS. Since we wanted the smoothest possible transition upon completion of the project, we used Terraform for infrastructure provisioning and SaltStack for instance configuration. Each had its own git repository, which allowed the team at Origent to launch their infrastructure with a couple of simple commands, without having to give us access to their AWS account.
Terraform and SaltStack depend on sensitive values, such as database passwords and other keys. To prevent these from being readable by anyone with access to the git repository, files containing sensitive information were stored encrypted, so the repositories could be shared without exposing their secrets.