Security Overview
One of the major features of IRB Exchange is data security, which is achieved by virtue of encryption of all IRB data stored in and transferred to and from the IRB Exchange. As a result, even Huron's administrators of the IRB Exchange site are unable to read the data you store and transmit to the Exchange.
Private Key Authentication
A system attempting to access the IRB Exchange must authenticate using the private key of its site's certificate. Each institution provides its public key to Huron when requesting an IRB Exchange account.
In addition, each institution is authenticated as either a participating site (pSite) only or as authorized to act as a sIRB (in addition to being a pSite). A major distinction between the roles is that sIRB institutions can initiate the creation of studies on the IRB Exchange.
To handle the private key authentication, all application requests to the IRB Exchange must be signed. The Huron IRB solution handles all aspects of signing requests. For those with Huron Portal and .NET systems, the provided client libraries handle the details of signing requests to enable applications using these libraries to be free of this additional work in each request. For those using non-.NET systems, the application code must handle signing of each request.
For signing requirements and further details, see Request Signatures.
Access to Specific Data
In addition, access to data stored in the IRB Exchange is restricted to institutions that are specifically authorized to view that data. To accomplish this, the institution storing the data must identify the IRB Exchange accounts of other institutions authorized to view that data. The IRB Exchange provides the ability to look up the IRB Exchange accounts of other participating institutions by name in a filtered list. For details on performing this lookup, see the List Organizations method.
Because a single institution may have multiple IRB Exchange accounts to represent different IRB offices, campuses, medical centers, etc., Huron recommends asking the other institution for the exact name they are using for the applicable IRB Exchange account.