DECIDE of Confidence by an Diagnostic Enhancement International

DECIDE of Confidence by an (Diagnostic Enhancement International Distributed Environment) From neurological research to clinical praxis: a European e-Service to support the early diagnosis of neurodegeneration Valeria Ardizzone Consorzio COMETA (DECIDE Technical Coordinator) IWSG-Life 2011, London, 09. 06. 2011

Outline The DECIDE project overview The DECIDE Science Gateway Authentication and Authorization service Robot Certificate Applications’ GUIs Grid services interface within Liferay portlet with JSAGA Data management service with g. Library and Secure Storage The DECIDE Grid Infrastructure Summary and Conclusion 2

DECIDE at a glance Submitted to EC Call: FP 7 -INFRASTRUCTURES-2010 -2 – Virtual Research Communities Started on the 1 st September 2010 Duration: 24 Months Requested EC contribution: ~2. 4 M€ GARR provides overall coordination COMETA does the technical coordination The DECIDE Scientific Coordinator is the neu. GRID Principal Investigator Involves 13 European Partners + a European network of major reference centers in Neurology, and patient advocate societies all across Europe All stakeholders involved, from the network layer to endusers 3

The DECIDE project goals To provide the Neuroscientific and Medical community with a dedicated e. Infrastructure relying on GEANT, EGI and Neu. Grid To deploy a secure and user-friendly service for the early diagnosis and research on dementia and other brain diseases linking large distributed DBs of multi-modal neuro-images To validate the e-Infrastructure and the services with real patients in day-by-day clinical practice To propose a long-term vision for the sustainability of the infrastructure of the project and its extension to new communities and pathologies To disseminate the results and provide training programmes promoting the adoption of the DECIDE infrastructure and services. 4

DECIDE Partners A vertical approach to e-Health, targeting the needs of neuroscientists community through the provisioning of an e-Infrastructure aimed at supporting them in the daily execution of the diagnosis. 1 CONSORTIUM GARR Italy 3 CONSORZIO COMETA Italy Network and GRID Infrastructure Partners 2 CNR 6 UNIVERSITY OF GENOA - UNIGE Italy 7 UNIVERSITY OF FOGGIA - UNIFG Italy 9 MAAT FRANCE - maat G France 10 IMPERIAL COLLEGE– United Kingdom 11 UNIWERSYTET WARSZAWSKI - Poland Application Layer Partners 4 FATEBENEFRATELLI - Italy 5 UNIVERSITY SAN RAFFAELE - Italy 8 FONDAZIONE SDN - Italy 12 CENTRE HOSPITALIER UNIVERSITAIRE DE TOULOUSE - France 13 ALZHEIMER EUROPE - Luxembourg Clinical and Patient Layer Partners 5

DECIDE infrastructure and services 6

DECIDE Applications Grid. SPM specifically designed for SPECT and PET neurological : clinical images provides an SPM analysis for the early diagnosis of Alzheimer Disease; Grid. ANN 4 ND concerns the analysis of PET biomarkers in : Neurological and Psychiatric Disorders and provides a classification of suspected patients through an Artificial Neural Network; Grid. MRISeg implements an automatic algorithm for the : subcortical segmentation of MRI brain images for hippocampal volume estimation, using the auto context model (ACMAdaboost) developed by LONI; Grid. EEG implements EEG processing algorithms with the aim : of detecting early symptoms of Alzheimer Disease and distinguishing different forms of degenerative impairment.

DECIDE end users Neurologists taking care of patients presenting with neurological , symptoms from diagnosis to therapy. Physicians acting at a specific stage of the neurological diagnostic process, as Radiologists, Nuclear Medicine physicians, Neuro. Physiologists, who provide the neurologists with diagnostic information, relative to the specific test of competence, reporting changes in the biomarkers under study; Scientists dealing with diagnostic algorithms, including Physicists, Mathematicians, Statisticians, Engineers, who collaborate with the physicians by providing knowledge and comprehension of the methodology underlying the diagnostic algorithms used to support a diagnostic decision. 11

DECIDE service architecture 12

The DECIDE Science Gateway in depth Requirement: “To ease the access to the distributed computing and storage resources by the largest possible community of (Grid non-expert) clinicians through a set of well defined and domain specific applications. ” Science Gateway integrated services: 1 - Authentication 2 - Authorization 3 - Robot Certificates 4 - Applications’ GUI 5 - Data and Metadata management 6 - Grid e-Infrastructure 7 - Final report download Neurologis ts 6 Physicians 5 Scientists SG 1 7 4 2 13 3

SG DECIDE Science Gateway http: //application. eu-decide. eu/ Liferay is currently the most used framework to build Science Gateway in the “Grid world” It is fully compliant with the JSR 268 (portlet 2. 0) It can be easily combined to build complex and appealing e-collaboration environments. It will allow clinicians to change how they work and grow scientists research activity. 14

User Registration Request 15

1 Authentication mechanism 16

The GARR-IDEM Identity Federation (www. idem. garr. it) • • • IDEM figures: 45 IDPs (not only in Italy): 31 in production; 14 in tests; >2, 700, 000 end users (as of October 2010); ~50% of the Italian higher education & research community 17

2 Authorization mechanism The Scientific Board of DECIDE has decided that a board of people designed grants authorisations. A centralised LDAP server provides the authorisations by associating users with roles so a user can perform on the Science Gateway all the activities designed for the roles he/she is associated with. Different levels of authorization: Qualified experts( Neurologists, nuclear medicine physicians etc. ); Users with no expertise (-> go to DECIDE e-Service Educational and training programme) The educational and training programmes of DECIDE will be required as prerequisite for the authorization to the e-services.

Training activities 19

3 ROBOT certificate • The core of the new library is represented by the e. Token. Server Java class, a multithreaded server which accepts all the requests coming from a list of authorized clients and manages a list of robot certificates kept in the USB token. 20

4 Applications’ GUI Physician/Scientist workflow: 1. The user fills a web form on the Science Gateway defining the input parameters of the application; 2. Input files to be analised from algorithm are selected in the Science Gateway; 3. Other input files are transfered to the Science Gateway; 4. A job, described using the Job Description Language of g. Lite, is automatically created and submitted to the DECIDE Grid infrastructure together with the input files; 5. The user is notified when the job is submitted and from then on he/she can monitor its status through a dedicated portlet of the Science Gateway; 6. When the job finishes, the user receives an email from the Science Gateway containing the output of the job. 21

5 Data and Metadata Management services The project will design and implement a multimodal imaging repository, to include MRI, PET and EEG datasets and made them available for exploitation to the data analysis software at the basis of the diagnostic/prognostic service. g. Library: g. Library is one of the first robust solutions and easy-to-use system available to provide access to digital repositories on grid infrastructures. Secure Storage System: a service to manage confidential data. It is the unique system providing these features and compliant with the g. Lite middleware. 22

Data management: g. Library • Flexibility and exstensibility offered for many cataloguing purposes; • Input files can be read from local disks, network shared folders, HTTP/FTP servers, etc. and replicated to one or more SE; • Can be manage assets already present on Grid resources, through direct accesso to FC; • Fine-grained authorization mechanism is used to set permission: each assets, type and category has a set of ACLS that restricts its usage. Even if at the moment g. Library is very g. Lite centric, it can be easily integrated with other storage technologies such or cloud platforms, as far they provides some kind of URL for referring to files and supports common transfer protocols such as HTTP/HTTPS, FTP, GSIFTP and so on. 23

Data management: Secure Storage System • It provides users with suitable and simple tools to save confidential data in storage elements; • It provides encryption/decryption functions and other utility functions; • The keystore is a new grid element used to store and retrieve the users’ keys in a secure way; • The keystore is installed inside the data owner’s trusted environment; The keystore is not accessible from the external world to guarantee a good security level. 24

Normals Database Upload workflow 1 2 3 Secure Storage Keystore 4 Server with Robot 5 Images + Metadata 6 SE 25

6

Neurologist workflow 1 Patient data anonymisation 2 3 3 Neurologist can upload images on GRID and ask to an DECIDE Expert Qualified user to run the analysis specifying parameters. Parameters + (Gender, age, etc. ) 4 File uploaded will be usable by the Expert/External user in charge for the analysis. SE Once the analysis is completed the Neurologist can receive the report by email from the DECIDE service. 27

Qualified Expert workflow 2 3 1 9 Parameters (Gender, age, etc. ) 4 7 8 SE 6 Physician Is able to run the analysis using that data uploaded previously by the Neurologist. 5 Once the execution will be completed they can notify the neurologist that an email will be sent by the DECIDE service with the report. 28 + Parameters (Gender, age, etc. )

7 Final Report Download • Qualified expert runs the analysis with the specified parameters throws the DECIDE service; • Once the analysis is completed they can download the results by email. 29

Summary & Conclusion The main difference of the DECIDE SCience Gateway with current Grid portal available in other projects is the use of two different security systems linked together by the portal, providing users an easy access to resources without their own certificates. Since users cannot access without Shibboleth and the available services do not provide direct access to resources it is almost impossible for the users perform malicious operation through the portal. Middleware interfaces are exposed to end users through standard portlets embedded in the Liferay container. Grid transactions are secured by proxy certificates created by the robot server. Data management services are used through the Representational State Transfer (REST) functions of the g. Library and together with the encryption/decryption Secure Storage functionalities: the data confidentiality is guaranteed. Different initiatives envisage for the long term sustenability (DECIDE service usage training courses, fund raising activities, etc. ) will warrant the success story of the project. 33

Thank you for your kind attention! For further information please contact Laura Leone (laura. leone@garr. it) (DECIDE project coordinator) and/or visit www. eu-decide. eu 34