1. Overview (Project Background)

As collaborative research involving multiple healthcare institutions expanded, an integrated security governance system became essential to safely share and utilize sensitive medical data, given that each institution had different security regulations, access controls, and approval procedures. In particular, medical data must meet stringent requirements including legal regulations (PIPA, Medical Act), IRB approval, and patient consent, making it necessary to establish not just simple data sharing but a centralized security control structure encompassing authority, approval, audit, and monitoring. MegazoneCloud HALO designed a security architecture that centrally controls the entire cycle from accounts, authority, approval, security policies, audit, and monitoring based on AWS.

2. Challenges (Problem Definition)

1. It was difficult to establish an integrated governance system due to different security policies and operational standards across institutions.

As multiple healthcare institutions participated, each institution had different security regulations, access policies, and approval procedures. Even when handling the same data, the standards required by each institution differed, making it difficult to apply consistent security policies. This issue was a structural constraint in establishing common security standards for collaboration.

2. Inconsistencies in approval, consent, and IRB procedures for utilizing sensitive medical data made integrated operations difficult.

Medical data has very stringent legal and ethical standards, but approval criteria and verification methods differ across institutions. It was impossible to determine on a common basis which users could access which data, and essential procedures such as patient consent, IRB, and prohibition of off-label use were not standardized, making it difficult to even establish the foundation for collaborative research.

3. There was no way to comprehensively manage users with diverse roles in a multi-institutional environment.

While user roles were diverse—data providers, researchers, AI developers, platform administrators—there was no system to manage them consistently from a central location. Role definitions and authority structures differed across institutions, and access permissions, work environments, and approval procedures were dispersed, making user control complex and increasing the possibility of security incidents. In particular, excessive or neglected permissions by insiders were identified as the greatest risk.

4. Increasing security regulations and audit requirements made centralized control difficult due to dispersed logs, approvals, and action records.

Regulatory environments such as ISMS-P require centralized tracking of data access history, approval records, action logs, and anomaly detection. However, in the existing structure, different log formats and policies across institutions made it difficult to verify regulatory compliance, and real-time monitoring or threat detection was practically impossible. A stronger centralized security system was urgently needed.

3. Solutions (Resolution Approach)

HALO built an AWS-based medical data security governance system as follows.

1. Established multi-account governance based on AWS Control Tower

By standardizing accounts per institution, security policies could be centrally controlled. This integrated the security policies of multiple institutions into a single framework.

2. Integrated authentication and access management based on IAM Identity Center

By implementing role-based security policies (RBAC) and SSO, permissions based on roles such as researchers, data providers, and administrators could be controlled.

3. Established centralized security operations center (SOC) for real-time monitoring

Security events from all institutions and users can be monitored from a single location. Even across different institutions, the same level of security monitoring and response is now possible.

4. Approval-centric access control based on DataZone

While each institution retains data ownership, all access is integrated through standardized security procedures of request–approval–authorization–revocation, creating a multi-institutional data governance system that can be transparently audited.

4. Results (Achievements)

Previously, security standards and procedures differed across hospitals, resulting in large attack surfaces, operational burdens, and regulatory risks. However, after adopting the security governance proposed by HALO, the system transformed into an integrated centralized security system, raising security levels, reducing risks, and accelerating collaboration.

• Significantly reduced the attack surface that had been expanded through separate operations at each institution through a centralized security system.

• Standardized approval, authorization, and access procedures, simultaneously reducing security risks and operational burdens.

• Shortened preparation time for audit and regulatory compliance (particularly ISMS-P), and eliminated the burden of evidence collection.

• Reduced blind spots in permission revocation, expiration, and institutional changes, minimizing the risk of internal data leakage.

• Improved inter-institutional trust, accelerating joint research and collaboration among multiple institutions.

• Centralized security monitoring and threat detection, dramatically reducing potential incident response time.