Remote Service - Roche · The Axeda Enterprise system is physically located in a Datacenter in Europe (Germany). The disaster recovery infrastructure is physically located in the

Remote Service

Privacy Information V04

10373982 GSS 000 03

Remote Service Privacy Information

V04 Page 2

Table of contents

1 Document History.................................................................................................................... 2 2 Purpose .................................................................................................................................... 3 3 Scope ....................................................................................................................................... 3

3.1 In scope ............................................................................................................................. 3 3.2 Out of scope ...................................................................................................................... 3

4 Introduction ............................................................................................................................. 4 5 Infrastructure characteristics ................................................................................................. 6

5.1 Hosting / access details ..................................................................................................... 6 6 Privacy information ................................................................................................................. 7 7 Data transferred between Laboratory and Roche ............................................................... 11

7.1 Data transferred from Roche to cobas® link / systems ..................................................... 11 7.2 Data transferred from systems to Roche via cobas® link ................................................. 11

8 Privacy Contact at Roche ..................................................................................................... 16 9 Glossary ................................................................................................................................. 17

1 Document History

Version Date Name Reason

V00 08-FEB-2010 Thomas Maly Creation of document.

V01 03-NOV-2010 Thomas Maly Added information for Roche Vanilla Agent and connect 2 Minor changes throughout the document. Changed PAP to GSS document Digital Signature in DVS

V02 17-MAY-2011 Thomas Maly Updated complete document to reflect new Axeda infrastructure hosted by Axeda in the On Demand Center.

V03 10-APR-2013 R. Gwerder, C. Schindler

Changed ‘TeleService’ to ‘Remote Service’. Changed ‘cobas IT firewall’ to ‘FortiGate 40C’. Glossary aligned with Remote Service Glossary 10013271 PJM 000 03.

V04 16-May-2014 R. Gwerder Changed ‘Out of Scope’ as the UK is now on the global DMZ.

UltraVNC Viewer and UltraVNC Server added to the glossary

Disclaimer: Working copy if printed.


V04 Page 3

2 Purpose

Privacy laws and regulations such as EU Data Protection Directive 95/46/EC and HIPAA provide requirements which have to be met when dealing with personal data. In connection with the services provided through the Roche Remote Service Platform, Roche may get access to sensitive customer personal data such as patient medical data and other personal data (hereafter Personal Data, see Glossary).

The purpose of this document is to describe the privacy of the Roche Remote Service Platform. Such solutions and guidance shall reflect the privacy requirements in the respective laws. This document should also give guidance to potential questions with respect to data privacy arising from the laboratory personnel. The target audiences of this document are Roche Affiliates world-wide.

Organizational solutions for regulatory compliance are here only suggested – local country organizations consulted by Remote Service are responsible for the implementation.

3 Scope

This document is part of the Remote Service Privacy, Security and Connectivity documentation. The complete set is outlined below:

Remote Service Privacy Information V04 (ID: 10373982 GSS 000 03, this document)

Remote Service Security Information V04 (ID: 10373981 GSS 000 03)

Remote Service Connectivity Information V05 (ID: 10373979 GSS 000 04)

3.1 In scope

The described solutions apply to the Remote Service Platform infrastructure and hardware:

Remote Service Platform - Axeda Enterprise - Axeda Global Access Servers - Axeda (Gateway) Agent - TeleService-Net

cobas® link (including Roche Connectivity Layer Software)

connect 2

3.2 Out of scope

Other Roche products besides the Remote Service Platform are out of scope.


V04 Page 4

4 Introduction

Remote Service offers a secure communication-platform and -service for Roche Diagnostics: The “Remote Service Platform”.

Primary objective is to increase the quality of service and additional cost containment for both sides (Customer, Roche).

Connectivity on the laboratory side is always established by the Axeda Agent or the Roche Connectivity Layer software.

The Axeda Agent is available for:

connect 2 (hardware gateway), integrated part

Standalone installation (software gateway) for direct installation on specific systems. The software gateway is further referenced as the “Roche Vanilla Agent”.

cobas® link (hardware gateway), integrated part

The Roche Connectivity Layer (RCL) is available for:

cobas® link (hardware gateway), integrated part

Generally, the following use cases are implemented:

(Depending on the system type, one or more services are available.)

1. Remote sessions incl. manual data transfer (on response to user‘s reported problems). These services are offered by the Axeda Agent only.

From Roche User PC to remote system (e.g. cobas 6000 or Integra 400) (files can be transferred in both directions).

From Roche User PC to remote gateway (e.g. cobas® link or connect 2) (files can be transferred in both directions).

2. Scheduled data transfer from remote host to Roche: These services are offered by the Axeda Agent and the RCL.

upload of monitoring information

on-line monitoring of systems (e.g. alarm data)

performance evaluation

3. Scheduled data transfer from Roche to remote host: These services are offered by the Axeda Agent and the RCL.

Download of system parameters, chemistry lot data of reagent / calibrators / controls (e-BC electronic Barcode)

Download of Human Readable Data (e-PI electronic Package Insert – regulatory relevant information similar to package insert or other information for customer)

Download of software patches / upgrades / security hot fixes and virus definitions.


V04 Page 5

Schematic overview outlining the basic connectivity involved for the Remote Service Platform (Axeda services only).

Details are described in the following chapter: “5 - Infrastructure characteristics”


V04 Page 6

5 Infrastructure characteristics

The Remote Service Platform is the infrastructure and the software used for transfer, storage, evaluation and presentation of information. The Remote Service Platform hardware & software is mainly outsourced to the Axeda Corporation and is subject to regular security related procedures of Roche IT organization (e.g. penetration tests by independent consultants).

The connect 2, Roche Vanilla Agent and the cobas® link are communication gateways. Where the connect 2 and cobas® link contain Roche provided hardware including communication software, the Roche Vanilla Agent is pure software only. The gateways are located at the customer site and function primarily as a secure communication gateway between the system network and the Axeda Enterprise (ServiceLink & Global Access Servers).

Axeda ServiceLink is a 3rd party software providing a communication and data exchange solution comparable to the Remote Connectivity Layer, which is a Roche developed solution. The Axeda (Gateway) Agent is pre-installed on the connect 2 and the cobas® link hardware gateway.

Global Access Servers are required by the Axeda ServiceLink application to provide efficient screen sharing sessions world-wide.

The Remote Service Data Warehouse (RSDW) is temporary data storage (XML) for uploaded instrument data (e.g. monitoring information). This data is then made available for other Roche business applications.

5.1 Hosting / access details

Axeda Solution

All services (hardware & software) are outsourced to the Axeda Corporation.

The Axeda Enterprise system is physically located in a Datacenter in Europe (Germany). The disaster recovery infrastructure is physically located in the United States.

The Global Access Servers are physically located at three different sites: Europe (Germany), North America and Asia.

The Axeda ServiceLink application is accessible Roche Internally only. It is not available directly via the internet. Users accessing the application from a Roche internal computer are always authenticated using their active directory credentials. User accessing the application via the internet using the Roche service “RANGE BASIC”, are authenticated by a 2-factor authentication mechanism. RANGE is a service offered by Roche Global Informatics.

Roche Connectivity Layer Solution

All services (hardware & software) are hosted Roche internally. The system is used for data distribution only. The enterprise infrastructure is called “TSN or TeleService-Net”


V04 Page 7

6 Privacy information

1. Is Roche considering privacy?

Roche declares that compliance with data privacy laws while processing of Personal Data is a corporate objective. As such, Roche is committed to respect the personal rights and privacy of individuals. The data privacy principles reflecting the data privacy laws and regulations and which Roche will comply with are described in detail in the document: “Roche Directive On the Protection of Personal Data”.

2. How is privacy assured for transmissions between the laboratory and the Remote Service infrastructure at Roche?

For the connection between the remote system and the enterprise infrastructure, the privacy requirements are fulfilled by encryption mechanisms. Different techniques are in place to fulfill a wide variety of connectivity requirements. Details can be found in the “Remote Service Connectivity Information document”.

In general, no unencrypted data shall be exchanged:

between the Enterprise systems and the remote system

within the Remote Service Platform in the Roche Corporate Network and the Axeda On Demand Center.

between any 3rd party involved in the communication

at the network of the healthcare organization

Note: Virus definitions are not encrypted, but digitally signed to prevent manipulation, as the content is available to the public anyway.

3. Is privacy ensured during screen sharing sessions?

In order to troubleshoot and restore a system to its full working condition, a screen sharing session may be necessary. This occurs usually after a customer notifies the Roche call-center about a problem or a Roche employee contacts the customer via phone after observing system behavior indicating non-compliance.

During this screen sharing session it might be necessary to access the system screen with sample information, which may contain laboratory specific comments related to a patient.

This is an incidental use/disclosure of the individually identifiable health information, which is required by the regulations in some countries (e.g., 45 CFR Parts 160 -164 Standards for Privacy of Individually Identifiable Health Information often referred as HIPAA rule in USA).

Customers in countries, which regulations do not consider incidental use concepts should avoid access at system or transferring any comments related to patient identity from the LIS unless regulatory and respective data privacy requirements are met (e.g. patients consent). Additionally these customers may request from Roche the Notice of Privacy Practices, which reflects the essence of Roche Data Protection Directive.

This also applies to a specific request for access to the system/LIS communication trace file.


V04 Page 8

4. What kind of patient information will be handled by Roche?

Personal Data generally does not contain individually identifiable health information (patient name, ID, etc.) which would allow tracking back to and identifying a patient. During this screen sharing session it may be necessary in rare cases to access the system screen with sample information, which may contain laboratory specific comments related to a patient. See paragraph 3 & 6 of this section for more information.

5. Can collected data be tracked to individual systems? Yes, all systems are equipped with individual serial numbers. In order to assign data to specific system types for later analysis it is essential to clearly identify the systems which generated the information.

6. How does Roche ensure privacy of customer information?

The data used for monitoring system performance does not contain individually identifiable health information (patient name, id, etc.). In addition, only de-identified patient information related data is transferred from the system to the gateway (e.g. cobas® link). The de-identification is performed by removing all comment fields related to a sample that could be used by the laboratory for storing patient information before the data leaves the system.

Regarding the details of the data exchanged between Roche and the system, please refer to chapter 7.

7. Who can access the Remote Service Platform systems? The Remote Service Platform systems are equipped with a user management system. Only authorized Roche users have access to these systems. The screen sharing system can be accessed by granted users only. Access is given on a country level, e.g. people working for the Swiss Roche affiliate will only be able to access systems in Switzerland. Access to Remote Service systems for data processing is also handled on a country level.

For support purposes, employees working in global functions are granted credentials to access data of all countries. More details can be found in the “Remote Service Security Information documentation”.

8. What happens with the information after collection? Data collected by Roche is used for later analysis (E.g. system / test performance) and stored according to business best practices and compliance with applicable laws and regulations.


V04 Page 9

9. Where are the system information / data stored? In the context of the Remote Service Platform, Roche stores all information in data-centers in compliance with applicable laws and regulations. Data stored in external hosting centers do underlie the same regulations as data stored in Roche internal data-centers.

A) Depending on the system which generates the data, storage duration and archiving varies. Detailed information can be found in the corresponding system documentation.

B) The cobas® link can store backups (configuration information) generated by some system types. System (Test-) -Performance relevant information, alarm data and other information is forwarded to the Enterprise infrastructure on a daily basis (E, F). For details see chapter 7.

C) The connect 2 gateway cannot store any system data. It is designed as a gateway for screen sharing only.

D) The Roche User PC does not receive, forward or store any system generated data. Data collected during screen sharing sessions may be transferred manually to the customer relationship management software (Clarify).

E) Monitoring data collected by the gateway (e.g. cobas® link) is temporary stored in the Remote Service Data Warehouse (RSDW) according to business best practices.

F) Monitoring data collected by the gateway (e.g. cobas® link) is permanently stored in the TSN Infrastructure until migration to the RSDW is completed.

G) Uploaded system information & files and management data is collected and stored in the Axeda Enterprise system.

H) The Global Access servers are not storing any data. They act as communication broker for screen sharing sessions only.


V04 Page 10

10. Where is the enterprise infrastructure located physically?

The Remote Service Data Warehouse and the TSN Infrastructure are located inside the Roche Corporate Network in Switzerland.

The Axeda Enterprise is located in the Axeda On Demand Center in Frankfurt, Germany. The Disaster Recovery servers are located in the Axeda On Demand Center in the US.

The Global Access Servers are located in the Axeda On Demand Centers in Europe (Germany), America (United States) and Asia (Hong Kong).

11. Who can access which data in the Axeda On Demand Centers? Axeda system administrators have access to the complete ServiceLink database and all its contents. Access is required for administrative and operational tasks.

12. Are privacy principles followed by Roche users? Yes, a homogeneous standard on processing personal data and contractual agreements with third parties adopted by all Roche companies has been established to provide preventive safeguards against infringement of privacy rights through the inappropriate processing of personal data. In addition the Roche Directive on the Protection of Personal Data provides general principles which have to be applied when processing personal data within Roche.


V04 Page 11

7 Data transferred between Laboratory and Roche

Only the cobas® link is capable of transferring e-library and performance relevant data between the laboratory and Roche. Details are described in the following chapters. Remark: The connect 2 and Roche Vanilla Agent do offer the capability for screen sharing and transmit system management data (e.g. host name or configured IP-address). In addition, the Agent also provides file transfer capabilities.

7.1 Data transferred from Roche to cobas® link / systems

For some classes of Roche systems (e.g. cobas® 6000 and cobas® 8000) binary data will be transferred from Roche to the laboratory system. The e-barcode (System Readable Data) is binary data related to the chemistry (reagents, controls, calibrators) accompanied by some information for routing transferred to the cobas® link and after release by the system’s user it is transferred to the system. The activation (installation of the binary data on the system) requires an explicit approval from the system’s user.

Human Readable Data – documents in PDF format –will be transferred from Roche to the cobas® link to be used by the laboratory user. These are usually documents accompanying the chemistry data (e-Package Insert) or any type of Customer Letter.

The software upgrades / patches of the cobas® link and AntiVirus definitions will also be transferred from Roche to the cobas® link and automatically installed.

7.2 Data transferred from systems to Roche via cobas® link

The table below summarizes the data transferred from a customer laboratory with Roche systems to Roche. The table uses examples based on Roche / Hitachi systems and the data may vary for other system families.

Data group Examples of Data Elements Description

Lab Definition necessary and informative data for registration of the given laboratory; must be included for each data originator referenced in the file

Lab Identifier unique identifier for a lab; takes the format of a URL with {lab name}. [{custom identifier}.] {country code}

Lab Registrator lab registration data

Lab Details informative data for lab

Instrument Definition

necessary and informative data for registration of the given instrument; must be included for each data originator referenced in the file

Lab Identifier unique identifier for a lab; takes the format of a URL with {lab name}. [{custom identifier}.] {country code}

Instrument Identifier unique identifier for an instrument; takes the format of a URL with {serial number}. {instrument type}. {lab identifier}

Instrument Registrator instrument registration data

Instrument Details informative data for the given instrument

Custom Record record wrapper for custom fields


V04 Page 12

Accumulated Data

monitoring data that accumulate with time (like counters, logs, etc.) for the given instrument


Counters collection of counter entries

Logs collection of log entries

Benchmarking

Instrument Identifier instrument unique identifier; takes the format of a URL with {serial number}. {instrument type}. {lab identifier}

Module Identifier relative identifier for a module belonging to the instrument in context (use default module, if data originates from the instrument in context)

Sub module Identifier relative identifier for a sub module belonging to the module in context (use default sub module, if data originates from the module in context)

Binary Files wrapper for files in any format that are internally stored in base64




Binary File container for a base64 encoded binary

Instrument Calibration

instrument calibration and adjustment data for the given instrument


Blank Cell Elecsys module blank cell data


V04 Page 13

Instrument Check

instrument check data for the given instrument


Photometer Unit Check C-modular photometer check results for the given sub module

Assay Performance Test Elecsys module assay performance test

System Volume Check Elecsys module system volume check

Instrument Configuration

instrument configuration listings for the given instrument


Photo Interruptor HMCONT Clinical chemistry module photo interruptor data

Photo Interruptor LON Clinical chemistry module photo interruptor data

Probe Adjustment Clinical chemistry module probe adjustment settings

Test Assignment Clinical chemistry module test assignments

Adjustment Elecsys module hardware adjustment data

Application Parameter Elecsys module application parameter settings

Application Sample Type Info Elecsys module application parameter settings

Assay Parameter BTS Elecsys module barcode transfer sheet application parameters

Carry Over Evasion Elecsys module carry over evasion

Clot Adjustment Elecsys module clot adjustment

Instrument Factor Elecsys module instrument factors

PMT Adjustment Elecsys module photometric test adjustments

PreSetting TS Elecsys module TS pre-settings

Reagent MBC Assay Elecsys module reagent MBC assay

Reagent MBC BlankCell Elecsys module reagent MBC

Reagent MBC Calib Elecsys module reagent MBC

Reagent MBC Control Elecsys module reagent MBC

Reagent MBC Dil Elecsys module reagent MBC

Reagent Test No Elecsys module reagent test no

Ref Blank Cell Calibration Name

Elecsys module reference data

Ref Calibration Info Elecsys module reference data

Ref Diluent Info Elecsys module reference data

Ref Diluent Name Elecsys module reference data

Ref Determination Number Elecsys module reference data

Ref Result Message Elecsys module reference data


V04 Page 14

Test Assignment Elecsys module test assignments

…more fields reserved …more fields reserved

Inventory

Instrument Identifier instrument unique identifier; takes the format of a URL with {serial number}. {instrument type}. {lab identifier}



Notification immediate notification data, e.g. alerts, status changes, etc. for the given sub module




Event Message single occurrence of an event message (alarm, warning, etc.) with the specified properties

Status Change operation status change

Test Calibration

result parameters for test calibrations for the given instrument


Immuno Test Calibration calibration result for immunology tests

ISE Test Calibration calibration results for ISE tests

PM Test Calibration calibration results for photometric tests


V04 Page 15

Test Results QC sample and anonymized patient sample results




Sample sample and QC sample (control) information – fields where patient related information may be stored are anonymized by the instrument – transferred information related to the patient: age, sex and internal instrument identifier – no patient identifying information.

Result test results (regular sample and QC)

Instrument factor

Instrument factor settings are transferred from the analyzer to the cobas® link within one hour after update. Therefore the System Mean (calculated based on ‘normalized’ Control results) can deviate for interval of 1 hour.

Formula: y = ax + b




Factor a

a = slope

Factor b b = offset


V04 Page 16

Instrument factor

“Compensated Test” is transferred via Instrument Back up file from the instrument to the cobas® link data station. Therefore the System Mean (calculated based on ‘normalized’ Control results) can deviate for interval of 1 week.




Formula Defined on analyzer

8 Privacy Contact at Roche

Questions and comments can be addressed at the Roche privacy contact for Remote Service:

Please forward inquires to “[email protected]“

Note: Roche Affiliates are encouraged to follow the established procedures for inquires.


V04 Page 17

9 Glossary

Axeda infrastructure / part of Remote Service Infrastructure

Software and Hardware required providing the following services:

Screen sharing incl. gateway monitoring

e-library; e-PI and e-BC download to cobas® link and instruments (in development)

Collecting monitoring data from cobas® link and instruments (in development)

Axeda ServiceLink / Axeda Enterprise Server

ServiceLink is the frontend web application of Axeda Enterprise Server. The user can manage and remote connect to the remote assets from ServiceLink. Axeda Enterprise is the backend of Axeda ServiceLink. This application server collects, stores, and serves data generated by Axeda Agents. It provides applications that are used to screen share, monitor and troubleshoot devices.

Axeda Global Access Servers (GAS)

GAS Servers are placed in in different world regions to establish the connection between the customer side and the DMZ (Axeda product). Multiple servers are used to improve connection performance.

Axeda (Gateway) Agent An Axeda software component running on the client side - it is the counterpart of Axeda ServiceLink on the server side. Axeda Gateway Agent is the off-the-shelf version, whereas Roche Vanilla Agent is the tailored version for Roche.

Axeda Desktop Viewer Axeda Desktop viewer is a 3rd party software for screen sharing, it is a special implementation of UltraVNC. It is the screen sharing client for Axeda Desktop Server.

Axeda Desktop Server A software component by Axeda to establish screen sharing sessions, it is a custom implementation of UltraVNC. The component runs on the Axeda assets, e.g. Roche instruments.

cobas® e-library Date repository supplied e.g. on cobas link, containing assay, calibration and QC documents, customer letters, and instrument-readable data for the analyzers. It is either updated automatically using network connectivity or by installation of an e-library CD at regular intervals.

cobas® link

cobas link is a gateway system custom-made by Roche Diagnostics, providing a secure remote connection for data transfer between the customer network and the Roche Corporate Network.

It supports several use cases, such as screen sharing, download & display of cobas e-library data, upload of monitoring data, and serves as destination for the backup.

connect 2

connect 2 is a gateway system (hardware) custom-made by Roche Diagnostics, providing secure remote connection between Roche corporate Network and customer laboratories. Connect 2 interconnects Axeda Enterprise Server on one side with Roche Vanilla Agent / Axeda client software at the customer site.


V04 Page 18

FortiGate 40C firewall

Firewall selected by Roche for usage in customer laboratories. The FortiGate 40C firewall can be installed in combination with a cobas® link and is also verified for certain systems.

electronic Barcode (e-barcode / e-BC / Instrument readable data / IRD)

An electronic data item that is downloaded to the instrument, via Remote Service infrastructure. The e-barcode files contain the information necessary for the instruments to process assays. The e-BC transfers the same data to cobas® systems which is provided e.g. to Hitachi Modular systems via barcode transfer sheets and scanned with barcode scanner.

electronic package insert ( e-PI / Human readable data / HRD)

A set of PDF files that replaces the paper-based reagent kit inserts, data types are method sheets, target value sheets, customer letters, important notes, etc. These files can be read on and printed from the cobas® e-library on cobas® link.

Hardware Gateway

See cobas® link or connect 2 for details

Personal Data

Personal data are e.g. sensitive customer data, patient medical data, data on suppliers and employees, other personal data. See the EU Data Protection Directive 95/46/EC for definition of personal data at: http://eur-lex.europa.eu/

pcAnywhere

3rd party software for screen sharing (used by the legacy Remote Service and Axeda Infrastructure).

RANGE (Basic)

RANGE is a remote IT access service. Through RANGE, users can access the Roche Network from almost any computer, including COE computers, those at Internet Cafes and personal computers by visiting https://range.roche.net. Usage of the service requires 2-factor authentication.

Roche Connectivity Layer (RCL)

Software installed on the cobas® link to enable communication to the legacy Remote Service infrastructure.

Roche IT infrastructure

The term ‘Roche IT infrastructure’ refers to the complete Roche IT infrastructure. However, only the Remote Service and Axeda infrastructure is in scope of this documentation.

Roche Vanilla Agent (RVA)

Software installed on systems / instruments to enable communication to the Roche Axeda infrastructure. The Roche Vanilla Agent includes the Axeda Agent, Axeda Desktop Server and Deployment Utility (configuration utility). RVA is an extended version of the Axeda Agent, it provides "out-of-the-box" remote services, tailored for the needs of Roche Diagnostics.

http://eur-lex.europa.eu/

https://range.roche.net/


V04 Page 19

Remote Service / Remote Service Infrastructure

Remote Service is a global platform for data exchange between diagnostic system solutions at customer sites and Roche Diagnostics.

Remote Service Data Warehouse (RSDW)

The Remote Service Data Warehouse is temporary data storage (XML) for uploaded instrument data (e.g. monitoring information). This data is then made available for other Roche business applications.

Software Gateway

See Roche Vanilla Agent for details.

TeleService-Net (TSN) / Legacy Remote Service infrastructure

Software and Hardware required to provide the following services:

cobas e-library (e-PI and e-BC download to cobas® link and instruments)

Collecting monitoring data from cobas® link and instruments

UltraVNC Viewer 3rd party client software for screen sharing.

UltraVNC Server

3rd party server software for screen sharing.

Documents

Remote Service - Roche · The Axeda Enterprise system is physically located in a Datacenter in Europe (Germany). The disaster recovery infrastructure is physically located in the