Data security risks are growing as more and more clinical trials embrace telemedicine and other digital technologies. The challenge is the complexity of securing a clinical trial ecosystem that may involve hundreds of data input points, trial sites, networks and applications, including patients’ own devices.
Wearables, smartphone apps, telemedicine platforms, and remote testing kits (for blood, for example) are just a few examples.
“We’re seeing increased use of technology and technology partners. When you think about the entire, end-to-end data flow through the many clinical trial partners, you have to consider the Internet of Things (IoT) and data that is flowing from a lot of different devices,” Doug Shaw, CISA, principal consultant, the Halloran Consulting Group, told BioSpace.
Transitioning from centralized to decentralized virtual trials leaves many trial sponsors without a good grasp of all the moving parts and their security vulnerabilities. For example, Laurie Halloran, CEO of the Halloran Consulting Group, said, “Most are trying to support a business continuity position, which is a different process.”
Business continuity plans may enable an organization to revert to manual processes, for instance, but don’t include the controls to prevent the disruption.
When designing a clinical study, Shaw advised sponsors to map the data flow. Start with where the data is generated, where it’s stored and how many software systems it flows through. Clinical trial sponsors also must know what controls are in place to protect that data flow, and any gaps. Achieving this necessitates interviewing clinical trial partners about their own data flow and how they protect it, and reviewing technology platforms to understand their controls. Finally, it means identifying the source of truth for the trial data and where that source of truth resides.
“All this information typically isn’t in any one person’s head,” Shaw said, and that is one of the biggest shortfalls in terms of protecting data. Exacerbating the issue, “We’re seeing complexity increase,” as technologies, technology partners, and trial sites increase.
“In decentralized trials, data may flow from WiFi as well as virtual private networks (VPNs), so trial sponsors also need data encryption,” Shaw said. Sponsors also need people to monitor the network, he said, and the business side of the organization needs to understand the basics to ensure their IT department is provisioned and can protect the data.
Beyond mapping data flow, sponsors must ensure that software and firmware patches are applied as soon as they become available. Although some updates are pushed to clients, many need the client to schedule the download and install the patches. If equipment is in constant use, many clients will postpone security updates and leave the device or network vulnerable.
Postponing security patches to anything connected to the Internet makes it easier for hackers to gain access. Ripple20 malware, for example, is a recent threat to medical devices, and URGENT/11 was on the FDA’s radar in 2019. Phishing remains a constant threat. Any of these threats could allow hackers to infiltrate systems and access patient files for identity theft, or use poorly secured devices to launch ransomware or denial-of-service attacks, or simply cause devices to malfunction to create mayhem.
Business executives haven’t always understood the vulnerabilities. With cyber-attacks in the news routinely, non-IT executives are taking the risk more seriously than they did even a few years ago.
While ransomware attacks on the pharmaceutical industry are rare, they’re much more common in the healthcare setting. For example, 41 of the 128 ransomware attacks reported during the first half of 2020 were on healthcare providers, according to Emsisoft. “Ransomware has shut down organizations, CROs, and central labs for a couple of weeks at a time,” Shaw said.
In trials, sponsors tend to trust their partners to put in the controls and encryption and keep the application patches up to date. Ultimately, however, data security is the sponsor’s responsibility. Sponsors, therefore, need to trust but verify.
Therefore, controls need to be in place not just at the sponsor’s site, but also among all of a sponsor’s trial partners to scan for malware, patch applications as soon as patches become available, and inform personnel on how to protect their data.
Vulnerabilities may arise when sponsors work with large, well-respected contract research organizations (CROs) or other well-known partners and rely on them to collect, maintain, and transfer data to sponsors securely. The issue isn’t that partners are incautious, but they realize that every trial and every team is different enough to need a program-specific data security plan, Halloran pointed out.
A standard approach to data transfer is one example of a data control that may easily be overlooked. When the data is sometimes emailed and sometimes delivered on a thumb drive, it could lead to questions by trial auditors.
There are big opportunities for trial sponsors that transition to digital technologies in their clinical trials. CEOs who are pressured to get trials off the ground despite a global pandemic recognize the need for innovative solutions and, increasingly, are incorporating digital approaches. But, to do so successfully, they must ensure that proper and prudent controls are deployed throughout their clinical trial ecosystem to ensure data integrity.