Contributing Experts at Medrio: Neil McClenney, VP of Compliance at Medrio
Clinical trial data is a sponsor’s most crucial asset. Data enables treatments to progress to the next research phase or ultimately receive regulatory approval. Without robust and reliable data, it would be impossible to make informed decisions about the safety and efficacy of new treatments.
With this in mind, Medrio CDMS/EDC upholds high standards for data security. In this article, we explore how we keep your data safe, secure, and protected by:
If you want to learn more about how Medrio protects your data, watch our 2-minute demo video. You can also download the full infographic with the same information included in the blog.
To protect your clinical trial data, it is imperative to stay compliant by abiding by regulations and best practices. While not comprehensive, the list below highlights regulations and best practices that Medrio CDMS/EDC both adheres to and recommends for robust data security.
Industry Best Practices
FDA Guidance for Industry
Electronic Source Data in Clinical Investigation: This guidance gives suggestions for capturing, reviewing, and preserving electronic source data in FDA-regulated clinical investigations. It also highlights the shift to electronic formats to improve data reliability and traceability.
Computerized Systems Used in Clinical Investigations: This document discusses managing computerized systems that handle clinical data destined for FDA submission. It highlights the importance of this data in determining safety and efficacy, ensuring data is of the highest quality and integrity.
ICH Guidance for Industry
E6 (R2) Good Clinical Practice: This document sets international standards for ethical and scientific conduct in trials involving people. It aims to create a unified framework across ICH regions to ensure regulatory authorities can accept clinical data consistently.
ISO 9001 Certified: This standard sets criteria for a quality management system. It applies to all types of organizations, with a focus on customer satisfaction and continual improvement.
Regional Regulatory Requirements
European Union and United Kingdom
Annex 11: Computerised Systems: This annex covers the validation and qualification of computerized systems used in GMP-regulated activities. It ensures that these systems do not compromise product quality, process control, or quality assurance, while minimizing process-related risks.
General Data Protection Regulation (GDPR): This regulation allows the processing of personal data for research and archiving purposes under certain conditions. These conditions include using safeguards such as technical and organizational measures, data minimization, and processes for protecting personal privacy.
United States of America
Health Insurance Portability and Accountability Act (HIPAA): HIPAA privacy and security regulations aim to safeguard the confidentiality of patient health information created or managed during healthcare services.
FDA 21 CFR Part 11 Compliance: This guidance provides criteria for acceptance by FDA of electronic records, electronic signatures, and handwritten signatures executed to electronic records.
Data and Information Security Best Practices
SOC 2 Type II Audited: A SOC 2 exam gives a detailed report on a service organization’s controls for security, availability, processing integrity, confidentiality, and privacy.
ISO/IEC 27001: A globally recognized standard for information security management systems (ISMS). It sets requirements for establishing and maintaining such systems, ensuring organizations effectively manage data security risks.
ISO/IEC 27701: A privacy extension to ISO/IEC 27001. Medrio is certified as a controller; the extension enhances the existing Information Security Management System (ISMS) with additional requirements to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).
EU-US Data Privacy Framework Certified: This certification ensures an adequate level of data protection for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework.
EU Model Clauses (available upon request): Agreements between service providers and their clients use EU Model Clauses to ensure that personal data transferred outside of the European Economic Area follows GDPR.
Maintaining an Expert-Trained Team
At Medrio, we are committed to maintaining the highest standards of data security and regulatory compliance. We do this by hiring experts, standardizing training across employees, and working regularly with external audit experts.
Our expert team, including a dedicated privacy officer, always stays updated on the latest developments in regulatory guidelines and compliance standards. They continuously monitor and improve our system security to protect data and uphold our commitment to data security and privacy.
Internal Standard Operating Procedures (SOPs)
Our internal training programs reflect our commitment to maintaining the highest levels of data security. Medrio employees receive thorough training on SOPs for data security and IT-related scenarios, including disaster recovery.
External Audit Experts
We regularly engage external auditors, who ensure we are following all necessary software and procedural controls. Experienced auditors help ensure we not only meet but consistently exceed industry standards and regulations, improving our overall data security.
Supplying World-Class Solutions
Our data security strategy is of the utmost importance as we maintain and build our suite of solutions. Here is a sneak peek of a few ways we protect your data in Medrio CDMS/EDC.
Medrio is housed within Google Cloud Platform’s (GCP) multi-tier virtualized architecture. Our shared security responsibility model ensures redundancy, reliability, scalability, and high availability.
- GCP: Responsible for the security of the underlying cloud infrastructure. For example, physical infrastructure, availability zones, and edge locations.
- Medrio: Responsible for securing platform deployment in GCP. For example, customer data, identity access management (IAM), and encryption.
Multiple facilities are maintained in the US, EU, and China so that there is redundancy within regions to protect against lost functionality. Network connectivity is provided through multiple Tier-1 internet providers to ensure optimal performance and reliability.
We perform a full backup of all electronically stored customer data every night. Incremental backups of customer data occur every 15 minutes in a secure facility separate from the production environment.
Highly Configurable Roles and Permissions
Some vendors require you to use pre-built roles or limit the number of roles you can have within the platform. Medrio allows you to customize roles and permissions to ensure you restrict data access as appropriate or necessary.
Our audit trail offers transparency by tracking data interactions with timestamps, providing regulators with complete visibility into data pathways.
Data Security, Without Compromise
Medrio supports over 9,500 trials in 100 countries and has captured data from more than 1M participants without a data security incident. Learn more about how Medrio can protect your data.