Compliant collaborations on sensitive health data
Published Oct 11 2023 10:40 AM

Data collaboration within healthcare and life sciences organizations is paramount to enabling innovation and equitable health. However, parties are often unwilling or unable to give others access to their sensitive data due to security and privacy concerns.


With Decentriq Data Clean Rooms, organizations have a privacy-compliant and secure method for analyzing sensitive data - without sharing the data itself, or proprietary algorithms. Compliance and control are enforced through trusted execution environment hardware technologies like Intel SGX and AMD SEV-SNP, ensuring that the program code and data are isolated into an enclave that cannot be accessed or modified. Data is encrypted not just at-rest and in-transit but also in-memory while in use. This architecture guarantees that sensitive patient data remains inaccessible to external parties.


In the healthcare ecosystem, simple and secure collaboration in Data Clean Rooms allows organizations to unlock sensitive datasets, like real-world data, for advanced analytics, while safeguarding sensitive information. By enabling new approaches to data partnerships, it opens new avenues for groundbreaking research and helps accelerate advances in diagnostics, treatment, and patient care.

Potential use cases

  • Improve patient risk prediction and personalize treatment outcomes. Personalized treatment requires research into stratified at-risk populations. However, large, meaningful datasets are often kept locked in silos. With Decentriq Data Clean Rooms, partners can collaborate on new data without the risk of identifying patients based on outliers, keeping private data completely confidential.
  • Evaluate a patient's journey for value-based healthcare. Patients are often in contact with multiple sites of care. In order to understand their full journey, these sites need to be integrated and combined for analysis. However, care sites and other healthcare organizations are often prevented from sharing these sensitive datasets. With Decentriq Data Clean Rooms, this analysis is possible thanks to confidential computing, enabling partners to collaborate on joint datasets without having to share any raw data.
  • Improve model training for rare disease patient prediction. Rare disease patients are difficult to find. In order to train models for these diseases, there is a need for organizations and care sites to collaborate. However, due to their unique characteristics, these patients are very easily identifiable, even after being anonymized. With Decentriq Data Clean Rooms, this collaboration can happen without the risk of breaching patient privacy. As the data remains safeguarded and encrypted at all times, patients cannot be accidentally identified.
  • Generate insights from large public-private consortiums. When public and private organizations come together to collaborate, incentives are often misaligned and there is a lack of trust - especially if multiple competitors are working with datasets and models that are proprietary and provide a competitive advantage. This often leads to complicated legal and ethical processes which hinder the spirit and success of collaboration. With Decentriq Data Clean Rooms, both public and private partners can come together with guarantees that their data and analyses are not accessible and only the approved insights will be retrieved.


The user interacts with the Decentriq platform (running on Azure VMs) through the Web UI (Azure Static Web Apps) or the Python API. Platform state is persisted in PostgreSQL, and datasets are stored encrypted in Azure Blob Storage. Data is also encrypted while in use, enabled by Azure SGX VMs. Backups are stored in an Azure Backup vault. Virtual machines belong to a virtual network and are monitored with Azure Monitor.



The solution involves the following steps:
1. Data analyst accesses the platform through Web UI or API
2. Data analyst pre-configures a Data Clean Room with analyses
3. Data analyst uploads their data, which will be stored encrypted on Azure Blob Storage
4. Data analyst invites the Custodian to the Data Clean Room
5. Custodian uploads their data, which will be stored encrypted on Azure Blob Storage
6. Data analyst activates analysis in the Decentriq platform
7. Data will be confidentially computed in the Decentriq Platform using Intel SGX or AMD SEV-SNP
8. Results will be stored, encrypted, and become available for review through the Web UI by both parties

In this example, the data analyst might be a pharmaceutical company, and the custodian might be a hospital.


  • Azure Static Web Apps are used in this architecture to host a React Web UI, allowing autoscaling and high availability without the need to manage the infrastructure.
  • Azure Virtual Machines provide flexible computing resources for running applications and handling various workloads. In this architecture, the application backend is run in VMs exposing API endpoints, and can scale based on need.
  • Azure Blob Storage is a scalable and secure cloud storage service designed to store and retrieve large amounts of data, used in this architecture to persist encrypted datasets.
  • Azure SGX VMs offer enhanced security and protection for virtual machines (VMs) by leveraging Trusted Execution Environments (TEEs) with Intel SGX. They ensure that the data in use and the code running inside the VMs remain encrypted and protected from unauthorized access, even from the cloud provider or administrators, providing an extra layer of security for sensitive workloads and data. It's also possible to combine the use of Azure Confidential VMs with AMD SEV-SNP in case Intel SGX is too restrictive for the compute payload.
  • Azure Virtual Network is used to create isolated and secure virtual networks in the cloud, allowing control over network traffic using features like subnets and security groups. In this architecture, the connectivity between Azure VMs and Azure SGX VMs is made through Azure Virtual Network.
  • Azure Monitor provides a unified platform for collecting and analyzing metrics, logs, and application and network insights to ensure optimal performance, detect issues, and gain actionable insights for proactive troubleshooting and optimization.
  • Azure Backup offers a reliable and scalable solution for backing up virtual machines, databases, files, and other Azure services with features like incremental backups, encryption, long-term retention, and flexible recovery options to help ensure data resiliency and enable efficient data restoration in case of hardware failures or other data loss scenarios.



This architecture implements the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see the Microsoft Azure Well-Architected Framework.



This solution makes use of Decentriq Data Clean Rooms enabled by Confidential Computing.

Data Clean Rooms enable users to work with and collaborate on data assets with minimal risk. As the first data collaboration platform where users do not have to trust each other, the platform operator, or the cloud provider, Decentriq mitigates the risks of collaborating on sensitive data sets and helps organizations unlock the full potential of their data.

Data protection is verifiable by implementing encryption not just at-rest and in-transit but also in-memory while data is in-use. This is made possible through trusted execution environment hardware technologies like Intel Software Guard Extensions (Intel SGX) and AMD Secure Encrypted Virtualization with Secure Nested Paging (AMD SEV-SNP) on Azure confidential computing. These technologies provide support to ensure that the program code and data are isolated into an enclave that cannot be accessed or modified.


Cost optimization

Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

For a deployment in a single region, example pricing information is available in the Pricing Calculator.


Deploy this scenario

Decentriq Data Clean Rooms for Healthcare are available as a low-code/no-code SaaS offering, and can be set up in just a few minutes.

Get started today with the Azure Marketplace solution; you can check it out here.

