Review of Paul Harris' System

Goal

Be able to implement data management tools for a wide variety of studies, and to build a toolset that uses best security practices.

Basis Software

PHP, MySQL with the ADODB abstraction layer, Apache web server, phpMyAdmin.

Features and Pros

User authentication is done using Vanderbilt VunetID or E-password. The system is currently on the VUMC production Webserver. Encryption for selected fields is supported. Field characteristics are specified using PHP objects.

The system emphasizes HIPAA compliance, including the upcoming 2005 rules. Encryption is a selling point for oversight agencies, who may worry that an intruder could gain access to all clinical trial databases on the server. The VB ADO recordset object was modeled using PHP/ADODB and is used to select, delete, and update database records. Client-side validation is done using a single general JavaScript function. Security user roles are defined. Project files can be archived. Both hard and soft range checks are nicely implemented. Fields such as phone numbers are checked for legality, then reformatted in a more readable way upon data entry. When the cursor is over a field, additional characteristics (e.g., units of measurement) are shown on the bottom panel. A spreadsheet view is being developed. A metadata table has fields that would allow for full annotation of analysis files (including units of measurement and validation rules). Specification of the database through a PHP script is fairly efficient.

Cons

Encryption gets complicated when, unlike for character fields, it does not preserve data types (e.g., dates). ADODB may not scale efficiently to tables with hundreds of fields. There is no server-side validation. An audit trail capability is under development but is not finished. Work has just begun on sub-forms. All numbers are stored as double precision and there is no integer type, which will cause very large databases to be handled less efficiently (double precision for all numbers is simply a convenience - all MySQL field types are legitimate (PH)). HTML data entry screens are single column. Authentication for users outside VU will need to be implemented.
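
The missing server-side validation noted above matters because the JavaScript checks run only in the browser, so the server has to repeat them before anything reaches MySQL. The following is an added example, not code from the reviewed system: the field names, limits, metadata layout, and the 10-digit phone format are assumptions made for illustration.

```php
<?php
// Hypothetical field metadata (names and limits constructed for illustration).
$fields = [
    'sbp'   => ['type' => 'number', 'hard' => [40, 300], 'soft' => [80, 200]],
    'phone' => ['type' => 'phone'],
];

// Re-check one submitted record on the server against the same metadata the
// client-side function would use. Returns [clean values, errors, warnings]:
// a hard-range failure rejects the value, a soft-range failure only flags it.
function validate_record(array $fields, array $input): array
{
    $clean = []; $errors = []; $warnings = [];
    foreach ($fields as $name => $spec) {
        $raw = $input[$name] ?? '';
        if (!is_scalar($raw) || trim((string)$raw) === '') {
            $errors[$name] = 'missing or malformed';
            continue;
        }
        $raw = trim((string)$raw);
        if ($spec['type'] === 'number') {
            if (!is_numeric($raw)) { $errors[$name] = 'not a number'; continue; }
            $v = (float)$raw;
            [$lo, $hi] = $spec['hard'];
            if ($v < $lo || $v > $hi) {
                $errors[$name] = "outside hard range {$lo}-{$hi}";
                continue;
            }
            [$lo, $hi] = $spec['soft'];
            if ($v < $lo || $v > $hi) {
                $warnings[$name] = "outside soft range {$lo}-{$hi}";
            }
            $clean[$name] = $v;
        } elseif ($spec['type'] === 'phone') {
            // Check legality first, then store one canonical readable format.
            $d = preg_replace('/\D/', '', $raw);
            if (strlen($d) !== 10) { $errors[$name] = 'not a 10-digit number'; continue; }
            $clean[$name] = sprintf('(%s) %s-%s', substr($d, 0, 3), substr($d, 3, 3), substr($d, 6));
        }
    }
    return [$clean, $errors, $warnings];
}

// Constructed request body, as if the browser checks had not run.
$post = ['sbp' => '210', 'phone' => '615.555.0100'];
[$clean, $errors, $warnings] = validate_record($fields, $post);
var_dump($clean, $errors, $warnings);
```

Only values in `$clean` should be passed on to the database layer, and a non-empty `$errors` should reject the whole submission.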

Conclusions

The system appears to be quite usable already, and Dr Harris is very open to joining forces with other developers. Within-Vanderbilt authentication, HIPAA compliance, and instantaneous field validation are strong points. The extent of available metadata will allow the creation of fully annotated analysis files from data exported from the system. PHP is a good choice for specifying the database. If development continues at the same pace and subforms and more polished data entry screen creation are fully implemented, the system has a lot of potential for use in a variety of research projects.

-- FrankHarrell - 20 May 2004
Topic revision: r2 - 20 May 2004, PaulHarris
 
