The emergence of Covid in 2020 saw an explosion in HPC-powered health research. As the pandemic raged on, though, one limiting factor became increasingly clear: the difficulties and restrictions inherent in handling sensitive health data. That same year, the National Center for Supercomputing Applications (NCSA) began working on an HPC system dedicated to handling sensitive data. By the summer of 2021, NCSA had launched the Nightingale system, named for celebrated nurse and statistician Florence Nightingale.

Nightingale, housed in NCSA’s National Petascale Computing Facility (NPCF) and pictured in the header, was built in-house and consists of 33 nodes, all based on AMD Epyc “Milan” CPUs and, in some cases, Nvidia GPUs:

• 4 compute and login nodes with dual 64-core CPUs and 512GB of memory
• 6 nodes with dual 32-core CPUs, an Nvidia A100 GPU and 256GB of memory
• 5 nodes with dual 32-core CPUs, an Nvidia A40 GPU and 512GB of memory
• 16 nodes with dual 64-core CPUs and 1TB of memory
• 2 nodes with dual 32-core CPUs, dual Nvidia A100 GPUs and 512GB of memory

These nodes are complemented by 880TB of Lustre storage.

Developing Nightingale

“One of the things we’ve done over the decades in the computation and data science space is always observe where there might be roadblocks or hurdles that are either slowing down research or even getting completely in the way of people making progress,” explained Colleen Bushell, associate director of healthcare innovation at NCSA, in an interview with HPCwire. “One of those areas we were aware of is working with sensitive data.”

Bushell said that this involved not just legal requirements, but also the need to have data owners feel confident about sharing data; some data owners in the past had been skittish about sharing even carefully deidentified clinical data. “When we identified that, we thought, okay, we need to provide a mechanism for faculty to more easily work with data and feel confident,” Bushell said.

Some years earlier, NCSA had already built a system for Mayo Clinic that was compliant with the requirements of using data protected by the Health Insurance Portability and Accountability Act (HIPAA). Alexander Withers, assistant director of NCSA’s cybersecurity division, recounted that Nightingale’s development stemmed naturally from that prior system and from a professor who was joining the university and who needed a system that could store electronic protected health information (ePHI).

“That sort of grew into [Nightingale] almost organically,” Withers said. “We’re serving this one person – why don’t we just build something that serves his needs, but is there to expand and grow for the other people? Because we keep hearing from people who need an environment like this.”

While NCSA moved quickly on this need once it was identified, supply chain issues hit hard. Though turnaround was fast – the system was planned in the summer of 2020, online by March 2021 and fully operational by June – Doug Fein, the lead architect of the system, said that the supply chain disruptions were so severe that some network switches didn’t arrive until six months after the system became operational.

Process-driven security

Nightingale, of course, uses “all the technical things we have at our disposal” for security, Withers explained: the caged system employs firewalls and has safeguards like intrusion detection and prevention measures. But these aren’t the “keys” to Nightingale’s security, which Withers said were, instead, the processes behind the system.

“I wouldn’t call it particularly unique in terms of an HPC system,” Withers said. “That’s not to diminish it. The focus is: how do we enable access? How do we set up all this scaffolding around it that does all the things we need to do in terms of security controls and processes without bothering the user with too much of that stuff?”

By way of example, Withers cited users who wanted to install new software libraries on Nightingale. “We don’t have a technical means to implement that or deliver that securely,” Withers said. “But what we do have is a process in place that we’ve defined and as an organization we have decided we have to follow this process, we have to document it.”

Nightingale is also audited annually by an external organization to ensure compliance with SOC 2 Type 2 standards, which assess an organization’s handling of sensitive data. “Originally, SOC 2, Type 2 was kind of a forcing function, but I would say that it is the rare example of an audit that was beneficial in actually changing and securing the environment,” Withers said.

New capabilities

All that said, Nightingale is coming up on its second birthday – and NCSA says the system has been a tremendous help.

“I think we’re really enabling new kinds of research that couldn’t really happen before,” said Maria Jaromin, senior research coordinator at NCSA, who said they have been pleasantly surprised at the demand for Nightingale. “We’ve seen all kinds of people coming to us and explaining their data problems – so saying, for example, there is this Medicaid or Medicare dataset, it is fully deidentified, but the data owner comes with a list of security requests[.]” Now, Jaromin said, they can accommodate those needs.

Much of Nightingale’s work, of course, has centered around health data. Jaromin explained that one group of researchers in the School of Social Work at the University of Illinois at Urbana-Champaign used Nightingale to look at Medicaid data that specifically could not be stored in any kind of cloud. Nightingale also continues to host the data from the university’s SHIELD project, which leveraged a Covid saliva test and rigorous process to protect the campus community during the early stages of the pandemic.

But Nightingale doesn’t only host health data and projects. Jaromin outlined use cases at the College of Business, which was using Nightingale to handle a sensitive commercial dataset (“The security requirements for that data are less than HIPAA, but still, it would require some kind of secure system”) and mentioned uses relating to Controlled Unclassified Information (CUI, a relatively new standard in defense research) and data protected under the Family Educational Rights and Privacy Act (FERPA).

“It has gone beyond the need for just healthcare,” Bushell said. “There are other types of sensitive data needs that we’ve discovered.” Bushell added that NCSA is working hard to consult and train both veteran and newer HPC users in navigating both the system and the protocols for working successfully with sensitive data. Most of the use at the moment is academically-driven, but NCSA welcomes industry use of Nightingale – provided the industry members engage with NCSA on other aspects of their work, as well.