Across our society, technology is delivering enhancements and efficiencies to our day-to-day lives at an exponential rate. It has also, however, brought challenges, as regulations designed to establish ethical standards for the use of that technology have struggled to keep up with the pace of innovation. An article in MIT Technology Review notes how this challenge has manifested in areas such as employment and banking; it’s also true in clinical research, and, indeed, in the healthcare field at large. Researchers, ready and eager to implement enhancements like eSource and wearables into their trials, have had to actively request the relevant guidance on their use from regulatory bodies, who have almost seemed caught off-guard by the arrival of these technologies. Patient data has become more valuable and vulnerable as the technology used to store it – EDC, EHRs, and other systems – outpaces the regulations designed to protect it. Indeed, when it comes to data security, healthcare has a lot of work to do. For clinical research, in which few things are valued as much as patient privacy and intellectual property, this is no small cause for concern.
This is not to say, however, that there haven’t been regulatory efforts to better equip the industry to handle the data security demands of today. Europe, for example, has seen significant action in this arena: the General Data Protection Regulation, proposed by the European Commission in 2012, aimed “to reflect the way that data is now collected, stored, accessed, used and transferred following…the rapid technological advancements that have been made in the two decades following the implementation of [the existing regulation].”1 In other words: traditional safeguards are no longer sufficient to protect clinical data in a high-tech era. Adaptation is in demand.
Medrio’s investments in data security
As the regulations that govern data security in clinical research become more modern, researchers will need to ensure that they have the right data management tools to help them adapt. eClinical vendors with an eye on the direction of the industry will see this as an opportunity. Medrio, for example, anticipating higher data security standards in the years to come, has invested heavily in establishing and maintaining a comprehensive security apparatus. Here are a few pillars of what Medrio sees as the ideal approach to data security for EDC software:
- The digital paired with the physical
No data should enter or leave the server unless it is encrypted in transit using strong Secure Sockets Layer (SSL) encryption and RSA public keys. The servers themselves, meanwhile, should be subject to fully redundant physical controls: monitoring by security guards, video surveillance, and controlled access.
- No such thing as too much vigilance
To maintain data integrity, every change to every piece of data should be captured in an electronic audit trail. The EDC vendor should back up customer data and maintain its servers frequently, and the firewalls and antivirus software that protect those servers should be continuously updated.
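The audit trail described above is the control that 21 CFR Part 11 asks for: a computer-generated, time-stamped record of who created, modified or deleted a value, with the old and new values and a reason for change. The following is an added example, not Medrio's code or any EDC product's implementation, showing one way to build such a trail so that it is also tamper-evident: each entry is chained to the previous one with SHA-256, so altering or deleting a past entry in storage breaks verification. The record identifier, user names and values are constructed for the example.

```python
"""Append-only, hash-chained audit trail for EDC data edits (illustrative)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


class AuditTrailError(Exception):
    """Raised when an edit is rejected, e.g. no reason for change was given."""


class AuditedRecord:
    """One case report form record whose every field change is logged.

    Each audit entry records who changed which field, when, from what old
    value to what new value, and why. Entries are chained with SHA-256 so
    that editing or deleting a past entry invalidates every later hash.
    """

    def __init__(self, record_id: str):
        self.record_id = record_id
        self.fields: dict = {}
        self.trail: list = []

    @staticmethod
    def _hash_entry(entry: dict) -> str:
        # Hash the entry with its own 'hash' key excluded; keys are sorted so
        # the digest does not depend on dict insertion order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def set_field(self, field: str, value, user: str, reason: str,
                  when: Optional[datetime] = None) -> dict:
        """Change a field and append the corresponding audit entry."""
        if not reason.strip():
            raise AuditTrailError("a reason for change is required")
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.trail) + 1,
            "record_id": self.record_id,
            "timestamp": when.isoformat(),
            "user": user,
            "field": field,
            "old": self.fields.get(field),   # None when the field is first entered
            "new": value,
            "reason": reason,
            "prev_hash": self.trail[-1]["hash"] if self.trail else GENESIS,
        }
        entry["hash"] = self._hash_entry(entry)
        self.trail.append(entry)
        self.fields[field] = value
        return entry

    def verify(self) -> bool:
        """Return True if every entry's hash and chain link still check out."""
        expected_prev = GENESIS
        for entry in self.trail:
            if entry["prev_hash"] != expected_prev:
                return False
            if self._hash_entry(entry) != entry["hash"]:
                return False
            expected_prev = entry["hash"]
        return True

    def history(self, field: str) -> list:
        """Who changed this field, when, from what to what, and why."""
        return [(e["timestamp"], e["user"], e["old"], e["new"], e["reason"])
                for e in self.trail if e["field"] == field]


def demo() -> tuple:
    """Constructed scenario: a corrected entry, then a silent edit of the past."""
    rec = AuditedRecord("SUBJ-0001/VISIT-2")           # constructed identifier
    rec.set_field("systolic_bp", 138, "crc_jdoe", "initial entry")
    rec.set_field("systolic_bp", 128, "crc_jdoe",
                  "transcription error corrected against source document")
    intact = rec.verify()                              # True
    # Someone edits the first entry directly in storage, bypassing set_field.
    rec.trail[0]["new"] = 128
    tampered = rec.verify()                            # False
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the trail has not been altered since it was written; a production system would additionally anchor the latest hash somewhere the application account cannot write (a separate log store, or a periodically signed digest) so that an attacker who rewrites the whole chain is still detected.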
- A complete regulatory checklist
A wide array of regulations govern the clinical research industry, including 21 CFR Part 11, Annex 11, Privacy Shield, Good Clinical Practice, and HIPAA. To meet the demands of today’s complex regulatory environment, EDC software should be compliant with as many of these as possible – and employ a well-rounded set of Standard Operating Procedures to maintain that compliance.
Medrio has made it a top priority to meet these standards and others. In addition, recent efforts at Medrio have seen the development of features like two-factor authentication, which buttresses simple password protection by requiring each user to enter not only a password but an access code, exclusive to that user, in order to access data. Users have the option of receiving this access code via email, SMS, or an authenticator application.
Medrio developed two-factor authentication in tandem with single sign-on (SSO), a feature geared mostly toward user convenience but with tangential benefits in data security. After a password is entered into the system, SSO authenticates the user, allowing that user to switch from one application to the next without additional passwords and logins – and, crucially, giving IT departments more direct control over login security. With security concerns in the hands of the system admin, common user habits that can compromise data security are rendered irrelevant: no more sticky notes scribbled with various passwords and posted on workstations in plain view; no need to set several excessively simple passwords only because it’s inconvenient to remember several sufficiently complex ones.
Security standards – today and tomorrow
As of now, the premium placed on data security in clinical research largely correlates to the size of the sponsor or CRO involved. Generally speaking, the larger the company, the more that company is willing to invest in functionalities like two-factor authentication and single sign-on. This partially explains Medrio’s motivation in developing these features: as Medrio grows and begins to take on more large customers, demand for such features grows along with it.
But an equal part of that motivation takes a longer view. Proposals like the General Data Protection Regulation suggest that we may soon see a time when sponsors and CROs of all shapes and sizes are subject to new regulatory standards for data security. And when that time comes, Medrio will be prepared.
1. Johnson, Gillian; Tillett, Charlotte; Walter, Katrina. “Data Protection Regime Change in the EU: The Impact on the Pharmaceutical Industry.” Applied Clinical Trials, 19 October 2015.