Protected Environment (PE) at the CHPC

  This page refers to the refreshed PE that was funded partially by an NIH Shared Instrumentation Grant (1S10OD021644-01A1) Award received in April 2017. The award allowed the CHPC to deploy a complete refresh of the existing PE, and in the process expand the capabilities and increase the security relative to the initial CHPC PE deployment. In addition, the refreshed PE is configured to allow for expansion in a condominium fashion, in both the storage and the HPC components. The different components of the new PE were made accessible to users as they were deployed, most during the first quarter of 2018.

Description

The CHPC operates a Protected Environment (PE) for researchers with sponsored research projects who work with data that is sensitive in nature. These resources have been reviewed and vetted by the Information Security Office and the Compliance Office as being an appropriate place to work with Protected Health Information (PHI). If you have data that has other compliance requirements, please let us know well in advance so that we may ensure that our PE meets the requirements needed for your project.

If you would like to learn more about the PE, please check the Protected Environment Frequently Asked Questions (FAQ) page and contact us if you have any additional questions or concerns.

  Only CHPC staff system administrators will have root access to hosts in the Protected Environment, and only sponsored research projects with HIPAA/PHI or other specific data restrictions will be provisioned in the PE.
 

If you decide to work with protected and/or regulated data outside of the CHPC's designated Protected Environment, please know that you'll need to investigate any required agreement(s) that must be in place in accordance with the HIPAA privacy rule prior to creating, processing, maintaining, or transmitting ePHI/PII (protected health information and/or personally identifiable information), such as a Business Associate Agreement or, in the case of research purposes, a valid Institutional Review Board (IRB) or other agreement, as appropriate. The Privacy Office contact information can be found at https://uofuhealth.utah.edu/privacy-office/, and guidelines and more information about the IRB can be found at https://irb.utah.edu/. If CHPC resources are used, we will assist you with the requirements.

A list of existing BAAs with the University of Utah (for those allowed via role-based security) can be found via the following URL: https://pulse.utah.edu/site/comser/infpriv/Pages/Business-Associates.aspx

Resources in the Protected Environment

The Protected Environment consists of

  • An HPC cluster (redwood)
  • Interactive nodes (bristlecone)
  • A Windows server (narwhal)
  • A Virtual Machine (VM) farm (prismatic/prismatic2)
  • Storage
    • Home, /uufs/chpc.utah.edu/common/HIPAA/your uNID
    • Project, /uufs/chpc.utah.edu/common/HIPAA/name of project directory
    • Scratch, /scratch/general/pe-nfs1
    • Archive (elm)

Getting started in the Protected Environment

Getting started in the Protected Environment is a multi-step process; this is necessary to ensure that projects have been appropriately reviewed, and that all users are approved to access data and systems associated with their respective projects.

Determining whether your project requires Protected Environment resources

Not all projects with sensitive information require resources in the PE. In many cases, you may be able to use services such as REDCap or Box to collect, collaborate on, and store data.

It may be that your project needs can be served by using the REDCap (Research Electronic Data Capture) tool. REDCap can be used to create web-accessible forms, a secure database with continuous auditing, and a flexible reporting system. More information can be found at https://redcap01.brisc.utah.edu/ccts/redcap/index.php?action=training. To determine whether REDCap fits your project, or if you require assistance or have any questions about REDCap, please contact REDCap Support or see ServiceNow - Survey Tools for more information.

The University of Utah instance of Box, http://box.utah.edu, can be used to store PHI. The reference for the acceptable use of Box for PHI can be found at University of Utah Box User Agreement.pdf; please see the section at the bottom about storage of regulated information. To use the Box instance for PHI, users need to create a specific University of Utah Box account. Personal accounts cannot be used. The university's Box service doesn't fit the needs of all use cases; if you only need storage space under the Box limit (see https://box.utah.edu/ for the current limit), however, it may be a good fit. If you need to store and process data (HTC, HPC, SQL, etc.) or use SAS/STATA and other applications, your needs are likely better served by CHPC’s PE.

  If the data are de-identified, there are no regulatory restrictions or mandates to use the Protected Environment or other secure computing environments, unless specified in a data use agreement or other document. For more information on what information is protected, please see http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.

Setting up a project in the Protected Environment

For new projects, please submit the Needs Assessment form with all required information. We will respond to your request as soon as possible. In the meantime, please feel free to contact us with any questions. If you already submitted the Needs Assessment form, please click here to see the status of your request.

  You will need a CHPC account to submit the Needs Assessment form. If you do not have a CHPC account, please see the instructions for creating one below.
  The CHPC reviews submitted Needs Assessments weekly.

Depending upon the scope of the project, an "Inherent Risk Survey" may need to be done by the Information Security Office (ISO) Governance, Risk & Compliance (GRC) group. Information on the security policy can be found at https://regulations.utah.edu/it/4-004.php. For more information about the process, contact this group via ISO-GRC@utah.edu. The CHPC can help you with the process. A risk assessment and mitigation plan must be approved by the Information Security Office. In addition, a satisfactory scan report must be completed.

If there is any information sharing with third parties, an information sharing assessment form (ISAF) needs to be initiated with the Privacy Office to determine whether a Business Associate Agreement needs to be put into place. The ISAF must be completely filled out (typed) by the requesting department and returned for evaluation to determine the need for a Business Associate Agreement or other agreement to protect the information being shared. The ISAF can be found on the Business Associates page. Please refer to the university's Privacy Office for details and help (and keep the CHPC informed). Please be sure to send the CHPC any existing contracts or BAAs you may have with third parties.

Finally, if there are or will be any accounts provided for people outside the University of Utah (e.g., researchers from another institution), a University of Utah Non-Employee Confidentiality and Security Agreement must be signed and sent to the CHPC for our records. Please contact the CHPC if there are any questions about this form and when it is needed.

Needs Assessment form

Additional project resources

If the project requires a new VM to be provisioned (one of the items requested via the Needs Assessment), you will be notified when the VM has been provisioned. If you have not yet discussed the VM requirements with CHPC, we will reach out to schedule a call or meeting with you. Any new Protected Environment virtual machine requests must come from the PI (or co-PI). See 1.4.2 Virtual Machine Allocation Policy. For VM "block" sizes and costs, please refer to the VM documentation page.

In addition, if the new project needs additional storage, you can submit a ticket to purchase additional project space on mammoth. See the PE storage page for details of the cost structure of storage.

Requesting access to a Protected Environment resource

 

If you are requesting access to a UCGD or UCGD_Collab project, please discuss the process with UCGD personnel prior to completing an application.

Existing Protected Environment users

To request access to additional, existing PE projects if you already have an account in the PE, please use the PE Request form.

PE Request form

New Protected Environment users

If you do not yet have a PE account, please follow the instructions in this section.

Ensure you have an active University of Utah account (uNID)

You must have an active University of Utah account (uNID) before proceeding. If you do not have a uNID, please see the CHPC's account documentation page for more information about creating one. You can check whether you have an active account by attempting to log in to Campus Information Services.

  The CHPC uses University of Utah systems to authenticate CHPC accounts. Your CHPC account details will be the same as your University of Utah account (a uNID like u0123456) details, and you must therefore have an active uNID to create a CHPC account.

Ensure you have a General Environment account at the CHPC

Once you have a University of Utah account (uNID), you can use the CHPC's account request form to request a CHPC account.

 

An existing CHPC account is currently required to request a CHPC Protected Environment account. Requesting a PE account grants access to the PE for existing users.

Please note that the Principal Investigator must have a CHPC account before other researchers can request one, as account requests are reviewed by the PI of a group.

CHPC (General Environment) Account Request form

Ensure you are requesting access to an existing Protected Environment project with an existing Principal Investigator, and that you are authorized to access resources associated with the project

If the project you would like to access does not yet exist in the PE, please see the section on setting up a project.

When you request access to a project in the PE, you'll need to know the details of the project, including the number or name of the project (typically the IRB record number, if applicable) and the name of the Principal Investigator. You must also be listed as Study Personnel on any relevant IRB records.

  You will need to know your project number or name to request access to a project. This is typically the IRB record number for projects involving PHI. If you are unsure, please ask the Principal Investigator of the project.
 

If you are requesting access to a project with an IRB record, you will need to be listed under Study Personnel on the University of Utah Compliance System (ERICA). To ensure compliance with regulations, the CHPC is only able to provide access to the resources of such projects to individuals listed on the IRB record. If you are not listed as Study Personnel, or if you are not sure whether you are listed as Study Personnel, please consult the Principal Investigator of the project.

If you are not listed under the Study Personnel of a project, your application may be delayed.

Request access to your project

Now that you know your project details and have an existing CHPC account, you can request access to your project with the PE Request form. Each request is reviewed by staff at the CHPC, so this process may take some time.

PE Request form

Complete CHPC HIPAA security training

After your PE Request is approved, you will receive an email invitation to training, which includes the Canvas link. Please note that you must do this even if you have already completed the University of Utah HIPAA training. While we understand that this will be a duplication of training for a number of our PE users, the training does not take long and can be completed in 10–15 minutes. This training will need to be renewed each year; we will send out an announcement when it is time to renew your training.

Set up a Duo (multi-factor authentication) account

Duo adds a second authentication step for additional security. If you don't already use Duo, you will need to visit the Duo management page and register your device with the campus two-factor authentication service. Afterward, please notify the CHPC that you've completed the Duo registration; we will ask UIT to associate your Duo account with the proper CHPC PE group(s). We will notify you when this is complete.

Once you've completed the previous steps (and have been notified by CHPC that your CHPC PE account is provisioned) and the PE resources needed for the project (narwhal, redwood, an existing Protected Environment virtual machine, default project directories, etc.) exist, you may proceed to log in to the PE.

Logging in to the Protected Environment

  Access to the CHPC PE is allowed only from University of Utah networks; if you're connecting from a device that is not on a University of Utah network, you will need to connect to the university's VPN first. Information about the university's VPN can be found at https://uofu.service-now.com/it/?id=uu_kb_article&sys_id=3cf34fa5d5558900023cf36e22818368.

Connecting with an SSH client

We recommend testing your connection by using SSH to connect to resources in the PE. If you are unable to SSH, please contact us for support; it is unlikely that RDP or FastX will work.

SSH clients are available by default on most modern desktop operating systems. For more information, please see the CHPC's SSH documentation.

Connect to redwood.chpc.utah.edu (this does a DNS round-robin to redwood1.chpc.utah.edu and redwood2.chpc.utah.edu) using your uNID. You may want to enable X forwarding to view graphical windows; instructions for doing so can be found in the SSH documentation. Enter your password and authenticate with Duo. You should then be connected to a login node on the redwood cluster.
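
An OpenSSH client configuration for the connection described above, as an added example that is not part of the CHPC documentation. The host aliases are chosen here, u0123456 is the placeholder uNID format used on this page, and the forwarding settings are assumptions about a cautious default rather than CHPC requirements.

```sshconfig
# ~/.ssh/config -- added example, not CHPC-provided configuration.
# Replace u0123456 (the placeholder uNID format used on this page) with your own uNID.

# "redwood" follows the DNS round-robin; "redwood1" and "redwood2" pin one login node.
Host redwood redwood1 redwood2
    # %h expands to the alias typed on the command line.
    HostName %h.chpc.utah.edu
    User u0123456
    # Enable X forwarding for the PE login nodes only, rather than for every host.
    ForwardX11 yes
    # Untrusted mode limits what remote X clients can do to the local display.
    # Assumption: some GUI programs may not run under it; adjust if a needed one fails.
    ForwardX11Trusted no
    # Do not expose a local SSH agent to the remote host.
    ForwardAgent no

# All other hosts: no forwarding unless a Host block above opts in.
# OpenSSH uses the first value it finds for each option, so this block goes last.
Host *
    ForwardX11 no
    ForwardAgent no
```

With this in place, `ssh redwood` follows the round-robin and `ssh redwood1` or `ssh redwood2` selects a specific login node; the password and Duo prompts are unchanged.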

Connecting with FastX

Please see the FastX3 documentation. Connect to redwood1.chpc.utah.edu:3300 or redwood2.chpc.utah.edu:3300 to access the login nodes of the redwood cluster, or bristlecone1.chpc.utah.edu:3300 or bristlecone2.chpc.utah.edu:3300 to access the interactive (bristlecone) nodes. If your group has a designated owner node, you can also connect to it with FastX.

Connecting with Open OnDemand

Open OnDemand is a web portal that provides access to CHPC file systems. In the PE, Open OnDemand can be accessed at https://pe-ondemand.chpc.utah.edu. This is the best option for use of GUI-based applications such as MATLAB, Jupyter Notebooks, and RStudio Server.

Connecting to the Windows host (narwhal) with Remote Desktop (RDP)

Instructions for connecting to the Windows server, narwhal, can be found on the narwhal documentation page. The page also details the process for accessing your home directory and project space.

Accessing home directories and project spaces from Linux hosts

The full/absolute path to project data is /uufs/chpc.utah.edu/common/PE/name of project directory.

Alternatively, from your home directory, you can run

cd ../name of project directory

Note that tab completion may not work initially, as the project spaces are not mounted automatically.

Cost of virtual machines in the Protected Environment

Please see the VM page for current pricing.

Allocations on redwood

Allocations can be used for priority access to CHPC-owned nodes on the redwood cluster. As in the General Environment, there are two kinds of allocation:

Quick allocations are for PIs who are new to having a CHPC allocation, and can be submitted at any time. The awarded time is for the remainder of the current quarter. It is expected that after gaining experience using our systems with the quick allocation, the allocation process (below) will be followed. Quick allocations are reviewed by senior CHPC staff and awarded at CHPC's discretion.

Normal allocation requests are accepted four times per year, according to the following schedule:

  • December 1 for allocations beginning January 1
  • March 1 for allocations beginning April 1
  • June 1 for allocations beginning July 1
  • September 1 for allocations beginning October 1

As in the General Environment, a group may request up to four quarters at a time such that they only need to complete this process once per year. However, should needs change, groups can re-apply at any of the quarterly request windows even if they have an existing award.

There is one request allowed per research group; if your group has multiple projects, please be sure to select all projects that will make use of redwood in the request. Requests can be made by the PI of the project or his/her delegate, provided the delegate also has a PE account. If you have the ability to complete this form, when you log in to the CHPC website, there will be a section under “User Roles” for “PI/Delegate in the PE.”

  Allocations in the Protected Environment are currently reviewed and awarded by CHPC staff.

As in our General Environment, users in groups without allocation can run in the freecycle mode on general nodes or as guest on the owner nodes, subject to preemption by jobs with allocation or owner jobs, respectively.

Last Updated: 1/7/25