1. Overview (Project Background)

As collaborative research involving multiple healthcare institutions expanded, an integrated security governance system became essential to safely share and utilize sensitive medical data, given that each institution had different security regulations, access controls, and approval procedures. In particular, since medical data must meet stringent requirements including legal regulations (PIPA, Medical Law), IRB approval, and patient consent, a centralized security control structure encompassing not just data sharing but also authorization, approval, audit, and monitoring was necessary. Megazone Cloud HALO designed a security architecture that centrally controls the entire cycle from accounts, authorization, approval, security policies, audit, and monitoring based on AWS.

2. Challenges (Problem Definition)

1. It was difficult to establish an integrated governance system due to different security policies and operational standards across institutions.

As multiple healthcare institutions participated, each institution had different security regulations, access policies, and approval procedures. Even when handling the same data, the standards required by each institution differed, making it difficult to apply consistent security policies. This issue was a structural constraint in establishing common security standards for collaboration.

2. Inconsistencies in approval, consent, and IRB procedures for utilizing sensitive medical data made integrated operations difficult.

While medical data has very stringent legal and ethical standards, approval criteria and verification methods differ across institutions. It was impossible to determine on a common basis which users could access which data, and essential procedures such as patient consent, IRB, and prohibition of off-label use were not standardized, making it difficult to even establish the foundation for collaborative research.

3. There was no way to manage users with diverse roles in a multi-institutional environment in an integrated manner.

While user roles are diverse—data providers, researchers, AI developers, platform administrators—there was no system to manage them consistently from a central location. Role definitions and authority structures differed across institutions, and access rights, work environments, and approval procedures were dispersed, making user control complex and increasing the possibility of security incidents. In particular, excessive or neglected permissions by insiders were identified as the greatest risk.

4. As security regulations and audit requirements increased, logs, approvals, and action records were dispersed, making centralized control difficult.

Regulatory environments such as ISMS-P require tracking all data access history, approval records, action logs, and anomaly detection from a central location. However, in the existing structure, different log formats and policies across institutions made it difficult to verify compliance, and real-time monitoring or threat detection was virtually impossible. A stronger centralized security system was urgently needed.

3. Solutions (Resolution Approach)

HALO built an AWS-based medical data security governance system as follows.

1. Established multi-account governance based on AWS Control Tower

By standardizing accounts per institution, security policies could be controlled centrally. This integrated security policies from multiple institutions into a single framework.

2. Integrated authentication and access management based on IAM Identity Center

By implementing role-based security policies (RBAC) and SSO, permissions based on roles such as researchers, data providers, and administrators could be controlled.

3. Established centralized security operations center (SOC) for real-time monitoring

Security events from all institutions and users can be monitored from one location. Even across different institutions, the same level of security monitoring and response is now possible.

4. Approval-centric access control based on DataZone

While each institution preserves data ownership, all access is integrated into standardized security procedures of request–approval–authorization–revocation, creating a multi-institutional data governance system that can be audited transparently.

4. Results (Outcomes)

Previously, security standards and procedures differed across hospitals, resulting in large attack surfaces, operational burdens, and regulatory risks. However, after adopting the security governance proposed by HALO, the system changed to an integrated centralized security system, raising security levels, reducing risks, and accelerating collaboration.

• The attack surface that was previously operated separately by each institution and spread widely has been significantly reduced through a centralized security system.

• As approval, authorization, and access procedures became standardized, both security risks and operational burdens decreased simultaneously.

• Preparation time for audit and regulatory compliance (particularly ISMS-P) has been shortened, and the burden of evidence collection has been eliminated.

• By reducing blind spots in permission revocation, expiration, and institutional changes, the risk of internal data leakage has been minimized.

• Improved trust between institutions has accelerated collaborative research and collaboration involving multiple institutions.

• With security monitoring and threat detection centralized, potential incident response time has been significantly reduced.