Technology continues to play a larger and more critical role in advancing clinical research. It has also brought challenges as regulatory bodies try to establish ethical standards while keeping pace with the rate of technological innovation.
In December of 2020, the European Medicines Agency (EMA) announced they were the victims of a cyber-attack. Confidential documents relating to the Pfizer-BioNTech COVID-19 vaccine had been accessed and leaked on a mass scale. This incident served as a humbling reminder to regulators and researchers alike that data security is an ever-present threat.
Prior to the pandemic, researchers were ready and eager to implement enhancements like remote monitoring and wearables into their trials. But they had to actively request relevant guidance on their use from regulatory bodies, who seemed caught off-guard by the arrival of these technologies.
When COVID-19 arrived, it disrupted nearly all clinical trials globally and postponed the promise of new therapies and life-saving vaccines. It also cost the life sciences industry millions in foregone or delayed revenue.
As such, the FDA and EMA began issuing new guidance to enable trial continuity. This guidance touched on in-home visits, direct-to-patient trial supply, telehealth, ePRO/eCOA, eConsent, and remote patient monitoring.
But as clinical technology continues to expand through the introduction of decentralized solutions, researchers are struggling to maintain security for a growing number of in-clinic and remote data endpoints.
As a result, between 2009 and 2020, there were nearly 4,000 healthcare data breaches resulting in the loss, theft, exposure, and impermissible disclosure of over 250 million healthcare records.
Patient data has become more valuable and vulnerable as the technology used to store it – EDC, EHRs, and other systems – outpaces the regulations designed to protect it.
When it comes to data security, healthcare has a lot of work to do. For clinical research, in which few things are valued as much as patient privacy and intellectual property, this is no small cause for concern.
Medrio’s Commitment to Data Security
As the regulations that govern data security in clinical research begin to catch up to the available technology, researchers will need to ensure that they have the right data management tools to help them adapt.
ClinOps and study managers need to focus on introducing new decentralized workflows and technologies to their sites, teams, and patients. They don’t need to also worry that these new technologies could be exposing them—or their stakeholders—to potential security risks.
Having a fully compliant, robust EDC is essential to ensuring that regardless of how you facilitate your trial, your data is always accurate, compliant, and secure.
Prior to the pandemic, Medrio was investing in higher data security standards. We did this by establishing and maintaining a comprehensive security infrastructure that starts at the core of our EDC and extends through every technology in our unified ecosystem.
Through this journey we identified guiding principles to ensure data security for EDC software:
- Infrastructure that is secure by design
No data should either enter or leave the server unless it’s encrypted in transit using strong Secure Sockets Layer (SSL, now superseded by TLS) connections with RSA public keys. The servers themselves should be subject to fully redundant monitoring by security guards, video, and controlled access. Ideally, there will also be a backup server at a separate location to protect against disaster. A multi-layered EDC security approach is necessary to protect your digital and physical assets. At Medrio, we strengthen our approach by hosting all of our infrastructure on a leading global cloud provider that encrypts at the infrastructure level, and by using Transparent Data Encryption (TDE) to encrypt customer data at rest at the database file level.
- No such thing as too much vigilance
To maintain data integrity, any change to any data endpoint should be subject to electronic audit trails that record who changed what, when, and why. Your EDC should perform automatic backups of customer data and maintenance of servers on a frequent basis. The firewalls and antivirus software that protect those servers should be continuously updated, even on an hourly basis, or more frequently if needed.
- Secure data transfers
To further reinforce data integrity, make sure your EDC has access management capabilities in place. User-restricted access is necessary to ensure that employees are only given access to the processes and information necessary for their job function. It also ensures safer transfers of data between sites, facilities, and sponsors when authentication workflows are built into your EDC software. Medrio goes a step further by maintaining encryption during the transfer of data between teams and facilities. We also apply network segregation to isolate the systems housing sensitive customer data, so that reaching them requires multiple levels of authentication.
- A complete regulatory checklist
A wide array of regulations govern the clinical research industry, including 21 CFR Part 11, Annex 11, Privacy Shield, Good Clinical Practice, and HIPAA. To meet the demands of today’s complex regulatory environment, your EDC software should be compliant with as many of these as possible—and employ a well-rounded set of Standard Operating Procedures to maintain that compliance. Medrio has made it a top priority to meet these compliance standards and support new guidance as it is rolled out through regulatory bodies. We do this by continually performing in-depth analyses of regulations globally and regionally where our clients operate. This includes all compliance standards listed above, as well as GDPR, CDASH, CDISC, ISO 9001, HITECH, and many others.
- Setting you up for success
Your EDC provider should have disaster recovery and data loss prevention workflows in place to ensure you are secure in any situation. This includes recurring disaster recovery checks and maintenance of failover sites. It also encompasses defined recovery point objectives (RPOs) for situations in which data may be lost. But most importantly, your EDC provider should have data security built into its onboarding so that employees are trained before being granted access to a system containing sensitive patient data. Company-wide training reinforces your EDC provider’s commitment to data protection while reducing insider risk and increasing data literacy.
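As an added illustration of the audit-trail principle above (example code written for this page, not Medrio's product code), the following records each edit to an eCRF field with user, timestamp, old and new value, and a mandatory reason for change, and chains every entry to the hash of the previous one so that a silently altered or deleted history entry fails verification. The field names, user IDs, and subject IDs are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class AuditEntry:
    """One change to one eCRF field: who, what, when, old/new value, and why."""
    seq: int
    timestamp: str
    user: str
    subject_id: str
    field_name: str
    old_value: Optional[str]
    new_value: Optional[str]
    reason: str
    prev_hash: str          # hash of the preceding entry (chain link)
    entry_hash: str = ""    # hash over every field above, filled in on record()

    def compute_hash(self) -> str:
        payload = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, user, subject_id, field_name, old_value, new_value,
               reason, when: Optional[datetime] = None) -> AuditEntry:
        if not reason:
            raise ValueError("a reason for change is required for every edit")
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = AuditEntry(len(self.entries), ts, user, subject_id, field_name,
                           old_value, new_value, reason, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is unmodified and the chain is unbroken."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True
```

Store the trail append-only and under a separate write path from the eCRF data itself; the hash chain detects tampering but does not prevent it.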
Security Standards for a Digital World
Incorporating data privacy and protection into your clinical workflows can be challenging. The data security landscape is always evolving, so it is imperative that your EDC provider be a partner in maintaining data integrity and privacy throughout the course of your trial.
At Medrio, we pride ourselves on being an extension of your data security team. The framework for our comprehensive security program was built from ISO 27001 standards, as well as guidance from industry leaders such as OWASP and NIST. We do this to deliver the highest standards of confidentiality, integrity, and data availability on the market.
You may not always be able to predict or prevent risks to your data. But with the right EDC, you can make sure you have the best possible protection and preventative measures in place. And when that time comes, Medrio will be ready.