Project aims
GRASS, the Global Registry of Alopecia areata disease Severity and treatment Safety, aims to centralise patient data that is currently being kept by individual clinics. The project was commissioned to provide a data capture application to standardise the information captured and provide centralised reporting on treatments.
The RSE team were approached by Yusur Al-Nuaimi (Royal Devon and Exeter NHS Foundation Trust), Nekma Meah (Honorary Research Fellow - School of Biological Sciences) and Matthew Harries (Clinical Senior Lecturer & Honorary Consultant Dermatologist) to build a web portal to:
- manage data on patients with the condition
- provide a way for clinicians to capture patient data over time, and
- provide data to pharmaceutical companies on the efficacy of treatments.
In addition to providing standardised information that can be shared with other groups using internationally understood terminology, the team would also be able to trigger central reports to quickly address exceptional symptoms or side-effects from treatments. While the current development will allow for patient access and reporting in later phases, this work was out of scope for the current project.
The initial roll-out of the site is to three NHS clinics in Salford, St Helens and Exeter for the first year, and each site has a mix of user types, each needing different permissions and access to the system. Registration for clinicians is all done via the main website, with two-factor authentication required for all users for additional security. Additionally, all new users on the system must be activated by an administrator from the same centre to ensure only authorised accounts can see or edit patient records. The initial admin accounts were created manually by the University team to make sure the initial pool of users is known and authenticated.
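A plain-Python model of the activation and access rules just described, added here as an illustration rather than GRASS's own code: accounts start inactive, only an active administrator from the same centre can activate them, and patient records are only visible to activated, 2FA-enrolled users at that record's centre. The class and function names (User, Patient, Role, activate_user, can_access_patient) are assumed.

```python
# Added example (not GRASS's own code): the account-activation and record-access
# rules described above, modelled in plain Python without any FastAPI wiring.
# All names (User, Patient, Role, activate_user, can_access_patient) are assumed.
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    CLINICIAN = "clinician"
    ADMIN = "admin"

@dataclass
class User:
    username: str
    centre: str           # one of the participating clinics, e.g. "Exeter"
    role: Role
    mfa_enrolled: bool    # two-factor authentication is required for every user
    active: bool = False  # self-registered accounts start inactive

@dataclass
class Patient:
    record_id: str
    centre: str

class AccessDenied(Exception):
    pass

def activate_user(admin: User, target: User) -> User:
    """Only an active administrator from the target's own centre may activate it."""
    if admin.role is not Role.ADMIN or not admin.active:
        raise AccessDenied(f"{admin.username} is not an active administrator")
    if admin.centre != target.centre:
        raise AccessDenied(f"{admin.username} may only activate {admin.centre} accounts")
    target.active = True
    return target

def can_access_patient(user: User, patient: Patient) -> bool:
    """Deny by default: 2FA enrolled, activated by an admin, and same centre as the record."""
    return user.mfa_enrolled and user.active and user.centre == patient.centre

if __name__ == "__main__":
    # Constructed sample accounts and record, not real users or patients.
    admin = User("admin-exe", "Exeter", Role.ADMIN, mfa_enrolled=True, active=True)
    clinician = User("dr-example", "Exeter", Role.CLINICIAN, mfa_enrolled=True)
    record = Patient("constructed-0001", "Exeter")
    print(can_access_patient(clinician, record))  # False until activated
    activate_user(admin, clinician)
    print(can_access_patient(clinician, record))  # True
```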
Running the project
We elected to build the website using Vue.js, with an API built using Python/FastAPI to manage data processing and storage to a PostgreSQL database. This approach meant we could build the API to manage all patient data in one place, accessing the data through different user-facing systems over time.
As there is identifiable patient data in the system, the project went through our information governance team and is one of the first RSE projects to be hosted using the Secure Web Platforms Service developed by the Highly Restricted Data Service (HRDS) team in Research IT, more on that later!
Technical approach
The initial launch of the project required only website access for clinicians. However, future plans include mobile and patient access, so we planned a flexible solution that could evolve with the project’s requirements. We used Docker to coordinate the running services, broken down across three main services:
nginx: a local web server to catch any traffic and make sure it gets to the correct service - locally serving all static files (images, stylesheets, etc.), passing requests for the back-end to the API service, and sending all other traffic to be picked up by the front-end web application and displayed to the user.
fastapi: a Python-based service that deals with all requests to view, store, edit and delete data. Data is transferred to and from the API using the JSON data format.
vue: a JavaScript framework that can work with JSON data objects to manipulate and display data to the user. API requests are made to populate and update the Vue data store, with Vue components managing the display of all UI elements.
Deployment
The infrastructure for GRASS was developed and is maintained by the Secure Web Platforms service. Using the platform ensures data is stored securely and that web traffic between the API/database and the web application is handled with the correct level of protection for the classification of the data.
The Secure Web Platforms service has developed a standard architecture for hosting GRASS and other similar projects within AWS (Amazon Web Services), which meets technical security standards for hosting highly restricted data. The team uses Terraform to build and manage the infrastructure and Docker images for the site, effectively defining our infrastructure in text files and using services within AWS, such as EC2, S3 and ECR, to deploy services. Terraform simplifies management of the infrastructure layer, rendering the core infrastructure ephemeral so it can be brought up and down as needed, with persistent data stored on volumes that can be mounted to the containers at run-time. This allows us to easily deploy the same services for testing, development or production by updating the definitions to mount the correct persistent data as needed.
Security and testing
We engaged the services of a third-party security firm to perform a full penetration test of the infrastructure and software. This is necessary for all projects using the Secure Web Platforms service and brings cost and process overhead, which need to be factored in as early as possible in a project. The test took around 3 weeks to perform and provide feedback to the project team. The test report highlights all vulnerabilities and ranks them on a scale from low up to critical and gives good information on how to mitigate any issues.
We had relatively few security issues to resolve (given the innovative nature of the project) and are currently waiting for the results of the retest to give the green light to launch.
Future recommendations
This was the first application the RSE team developed which utilised the Secure Web Hosting Platform, so we went through a few iterations to get the setup right. Ultimately, we ended up with a very flexible, secure and reliable solution.
Our biggest challenge was organisational - this new venture required input from a wide range of people, making logistics tricky. For future projects of this scale, I recommend having a project manager to facilitate communication with so many people!
Contact us
If you require our Research Software Engineering services for your project, get in touch with us for a chat.