The Rett Syndrome Patient Registry is designed to be an efficient, GDPR-compliant, and modular platform for onboarding, managing, and analyzing patient and contact information. This document provides an overview of the main technical building blocks and the tools in use, allowing contributors to understand the project context and identify areas where they can provide input or support.
The high-level architecture integrates a mix of cloud services and third-party tools to provide a secure and scalable environment. The architecture diagram below illustrates the main components and their interactions:
The WordPress CMS serves as the public frontend for the registry, handling public-facing content and facilitating initial data intake via forms. This CMS setup is chosen for its simplicity, ease of maintenance, and extensive plugin ecosystem, making it ideal for hosting and managing content updates.
We will implement a private area for users to login and maintain their profile. It will also allow users to create, edit and delete patient records.
The registry employs Auth0 for passwordless, secure authentication. Auth0 simplifies login management, allowing for secure access without traditional passwords, and supports two-factor authentication (2FA) for added security.
Azure Functions act as the backend for the registry system, managing key processes such as data validation, storage, form submissions, and file uploads. Serving as the backend for PowerApps, Azure Functions support CRUD operations and enable real-time data interactions. They are triggered by events like form submissions, file uploads, and PowerApps requests, processing and securely routing data to Azure SQL or Blob Storage as needed.
This serverless, scalable setup ensures efficient processing while adapting to demand, maintaining high performance, and supporting seamless integration across the registry system.
The following endpoints serve various aspects of the patient registry, providing CRUD functionality directly accessible by PowerApps and other components. This approach eliminates the need for separate “PowerApps” endpoints by standardizing interactions across all user-facing components.
POST /onboarding/submitForm: Processes form submissions for new user onboarding.POST /onboarding/verifyEmail: Verifies user email by handling verification token or link.These endpoints handle all CRUD operations, making them directly usable by PowerApps and other components.
Patient Endpoints
POST /patients: Creates a new patient record.GET /patients/{id}: Retrieves details for a specific patient.PUT /patients/{id}: Updates patient information.DELETE /patients/{id}: Soft deletes a patient record.Contact Endpoints
POST /contacts: Creates a new contact.GET /contacts/{id}: Retrieves contact information.PUT /contacts/{id}: Updates contact details.DELETE /contacts/{id}: Soft deletes a contact.Relationship Endpoints
POST /relationships: Links a contact to a patient.DELETE /relationships/{id}: Deletes a specific patient-contact relationship.POST /files/upload: Accepts file uploads linked to a patient or contact, storing files securely in Blob Storage.GET /files/{id}: Retrieves files associated with a specific patient or contact.POST /surveys/submitResponse: Captures and stores responses from surveys, linking data back to the appropriate patient or contact.POST /notifications/sendEmail: Sends email notifications (e.g., for onboarding confirmation, survey invites).POST /notifications/sendSMS: Sends SMS notifications for reminders or verifications as needed.The primary database for the registry, Azure Cosmos DB stores patient, contact, and relationship data securely. It offers flexibility for structuring longitudinal data and supports scalability for future analytical needs.
Azure Blob Storage securely stores uploaded files (e.g., genetic reports) linked to patients. Blob Storage provides scalable and secure file management, essential for large files and GDPR-compliant storage practices.
Blob Storage access is secured with several key controls:
* SAS Tokens: Temporary access is granted using Shared Access Signatures (SAS), generated by the backend to restrict file access based on user roles.
* Role-Based Access Control (RBAC): RBAC ensures that only specific system components, like backend services, can write or delete files, with limited permissions granted as needed.
* Network Restrictions: Private endpoints and firewall rules restrict access to known IPs within our virtual network, minimizing exposure to the public internet.
To ensure data protection, Blob Storage applies encryption both at rest and in transit:
* Encryption at Rest: All files are encrypted automatically using Microsoft-managed keys (AES-256).
* Encryption in Transit: HTTPS/TLS encryption secures data transfer to and from Blob Storage, protecting data confidentiality during upload and download.
We utilize AI/ML operations to analyze genetic reports, specifically to extract Mecp2 mutations. These mutations are then added to the patient profile, enhancing the accuracy and comprehensiveness of patient data.
PowerApps serves as the internal admin interface for managing and reviewing patient registry data. This platform allows authorized administrators to perform CRUD operations and view reports in a user-friendly, customizable interface.
Power BI is used for reporting and analytics, providing a comprehensive view of patient demographics, registry growth, and survey results. It integrates directly with Azure SQL for seamless data access and visualization.
To ensure effective communication with registry users, SendGrid is used for email notifications, and Twilio for SMS alerts (e.g., for two-factor authentication). These tools support both initial onboarding communications and ongoing engagement.
All Azure services are configured within a secure Virtual Network (VNet) to enhance security, ensuring all internal services communicate over private IPs. Additionally, a firewall limits traffic to only authorized IPs.
Azure Application Insights provides logging, diagnostics, and performance monitoring for Azure Functions and other backend services. It supports real-time insights, helping to optimize performance and troubleshoot issues.