How Cybersecurity Protects Participants in Clinical Trials

Special thanks to Zack Wilkinson, Information Security Manager at Florence, for his contributions to this article. 

Cybersecurity in clinical trials matters. We’re all afraid of having our data stolen, and data breaches at companies like Facebook, Instagram, and T-Mobile have made people hyper-aware of where their personal information is going. That personal data includes Protected Health Information (PHI), which is often stored in clinical trial software. 

But cybersecurity isn’t just an issue for patients—it’s a major financial issue for sponsors. 

If sponsors lose their intellectual property or their trial data in a software breach, they could also lose the millions of dollars they’ve invested in a specific drug trial. Accenture found that healthcare providers who don’t have the necessary cybersecurity measures in place could put $305 billion of patient revenue at risk over the next five years. 

Clinical research staff can run secure clinical trials that protect their participants and their sponsors’ investments without becoming cybersecurity experts. But they’ll have to work with their software vendor to achieve this goal. Here’s how to make cybersecurity for clinical trials a reality.

The Basics of Cybersecurity for Clinical Trials

Before your site, sponsor, or CRO can craft a cybersecurity plan, you need to understand what cybersecurity means for clinical trials specifically. 

Clinical trial software is vulnerable to the same issues as any other form of software: breaches where hackers steal data, and ransomware attacks where data is held hostage for payment. However, clinical trial software carries some extra forms of risk. 

Hackers could tamper with a wearable medical device, destroying the data from a trial or, worse, putting a patient’s health at risk. Even if hackers only access medical records or trial data without changing anything, the breach calls the integrity of that data into question and can invalidate the trial’s results. 

Sites and sponsors would also have to inform regulatory agencies of the breach, which could lead to the drug or device not being approved. It’s also all too easy for a data breach to cause violations of the California Consumer Privacy Act (CCPA), the E.U. General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). Fortunately, there are cybersecurity steps you can take to protect the data at your site, CRO, or sponsor and to make breaches less likely. 

The COVID pandemic showed us that clinical trial software is a necessity, not only for making trials run faster, but for including patients who can’t travel to academic medical centers on a regular basis. 97% of sponsors now use or plan to use remote monitoring with their sites. 

Sites, sponsors and CROs need to adopt technology to remain competitive in the clinical trial space, which means they need to understand cybersecurity.

Compliance Is Not Cybersecurity 

Compliance regulations like HIPAA and FDA 21 CFR Part 11 touch on cybersecurity; however, compliance and cybersecurity are not the same thing.

Compliance regulations were created to ensure that clinical trials are ethical and that healthcare workers protect patient data. Cybersecurity also protects patient data, but it involves technologies and processes such as firewalls, authentication controls, security monitoring, and infrastructure hardening that most Clinical Research Associates, Clinical Research Coordinators, and Principal Investigators aren’t experts in. 

So how do you go about running secure clinical trials when you don’t have cybersecurity experience?

Start Your Cybersecurity Plan at the Top

A cybersecurity plan needs support from the top executives at your research organization. If the leadership team doesn’t back the plan, the security or IT team won’t get the funding they need, and staff across the organization won’t receive the security training they need. 

It’s also important to plan for what happens if a data breach occurs. It’s reassuring to think “A breach won’t happen if we have security,” but that isn’t always the case. Your organization should have a response and recovery plan and a breach recovery budget in case the worst occurs, since a data breach costs businesses an average of $3.8 million per incident.

Find the Right Cybersecurity Vendors

Once the leaders of your organization see cybersecurity as a valuable investment, you need to make sure you’re working with third-party vendors who share that commitment. It’s not enough to blindly trust that your software vendor has the appropriate security measures in place. 

When choosing a software vendor, ask them if they offer:

  • data backups
  • secure authentication
  • access controls
  • data encryption
  • regular security updates

A good vendor will want to answer your questions about security and will offer videos, guides, and/or live training to help your users learn how to use the software securely. They will also provide all of the security features listed above. Ask for evidence rather than assurances: an independent audit report such as a SOC 2 Type II report or an ISO 27001 certificate, and a written description of how quickly security patches are applied. You shouldn’t have to worry about whether your data is encrypted or your software has received security patches; that responsibility lies with your vendor. 

If you want to learn about Florence’s privacy and security features, our Compliance page is a good place to start.

Consider Special Security Needs of CROs 

Your software vendor is an important partner for all clinical trials, but trials that incorporate a Contract Research Organization (CRO) need additional cybersecurity guidelines. Even the most experienced CRO often works with multiple sponsors who have different forms of data and different data security requirements. 

Because of this, CROs need a data security plan for each trial they run. This plan should include requirements around data transfer, since emailing trial data to a sponsor or downloading it to a USB drive raises very different security risks than transferring it through a software platform. Your vendor should help you create SOPs and explain how data is stored, transferred, and protected within their platform.

Make a Plan for Medical Devices

Wearable medical devices present additional cybersecurity concerns. These devices are often connected to hospital software systems and the Internet, and because they have direct impacts on patients’ health, their security is especially important. 

Two major groups bear responsibility for the cybersecurity of wearable devices. The first is medical device manufacturers, who are responsible for complying with federal quality system regulations (QSRs) and validating all software changes. 

The second group is the sites, CROs, and sponsors who will receive data from the devices. Which brings us to the question: once you have buy-in from your external vendors, how do you make sure your own site, sponsor, or CRO is secure?

3 Critical Components of Secure Clinical Trials for Sites and Sponsors

Once you gain support from your organization and coordinate with your external vendors, you’re ready to implement your internal cybersecurity policies. Florence’s Information Security Manager, Zack Wilkinson, shared what he believes are the three essential components of cybersecurity for any clinical research organization: 

  1. Security Awareness Training
  2. Incident Response
  3. Data Protection

We’ll break down each of these so you can use technology securely during your in-person, decentralized/hybrid, or virtual clinical trials.

1. Security Awareness Training

Ultimately, every person at your research organization is responsible for protecting sensitive data. This means every person deserves security awareness training. Your IT department may already provide security awareness training, but your software vendor should provide training specialized to their product.

The Online Trust Alliance (OTA), a group of cybersecurity firms, also recommends that all users regularly update their passwords. You can ask your software vendor whether their software enforces this and remind your team to update their passwords. Note, however, that current NIST guidance (SP 800-63B) advises against forcing periodic password changes unless there is evidence of compromise, and instead favors screening new passwords against known-breached lists and requiring multi-factor authentication. Asking your vendor whether they support multi-factor authentication is at least as valuable as asking about password rotation. 

You should also work with your software vendor to create Standard Operating Procedures (SOPs) that cover how each employee should use the software and protect data.

2. Incident Response

Even if your site, sponsor or CRO takes cybersecurity seriously, a security breach is more a matter of “when” than of “if.” Your organization needs a robust Incident Response Plan to ensure that when an incident does occur, you can remediate it quickly and ensure it does as little harm as possible to your organization. 

Cyber insurance can also provide essential assistance to organizations responding to security incidents and data breaches. Peter Sullivan, an attorney who specializes in cybersecurity, recommends that all research organizations carry cyber liability insurance to help cover lost revenue and the cost of forensic and legal services. He also says it’s important to have a strong, trusting relationship with your software vendor and your local law enforcement agency. 

When a breach occurs, you should notify your Institutional Review Board, your sponsor (if you’re a site or CRO), and any other internal stakeholders as soon as possible. Depending on the nature of the breach, you may also need to notify the FDA, and where PHI or E.U. personal data is involved, affected individuals and regulators on the timelines HIPAA and GDPR set (GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach). 

Finally, you can use your cyber liability insurance to hire a cybersecurity forensics team, who can tell you how a cyberattack occurred, what vulnerabilities you have, and how you can fix those vulnerabilities.

3. Data Protection

While there are many considerations around data protection, our Information Security Manager recommends prioritizing three data protection measures that ensure only authorized individuals can see private data. Your software vendor should offer all of these features so that the burden doesn’t fall on your research staff. 

a. Secure authentication

Ask your software vendor whether each person from your organization will have a unique, individual login that requires a password (no shared accounts). Users should also be automatically logged out of the software after a set period of inactivity and locked out after a set number of failed login attempts. 

If you want to embrace software with eSignatures, you need to make sure the signatures have a separate verification process that meets FDA 21 CFR Part 11. Each user will need to re-enter their password when they sign a document and record the meaning of the signature (such as review or approval), which Part 11 requires to be part of the signed record along with the signer’s name and the date and time. Florence offers all of these features, and you should make sure any software you choose comes with them built in. 

b. Access control

Access control means that users receive access and permissions based on their particular roles and job duties. For example, the clinical research coordinator at your site and the monitor from your sponsor could need very different access and permissions. 

The Online Trust Alliance recommends following the principle of least privilege, giving each person the minimum amount of access they need to do their job. 

However, ultimately the choice of how much access to provide should lie with your site. You just need to ensure your software has the appropriate roles and permissions functionality to let you make that choice. Your vendor should also be willing to help you set up roles and permissions customized to your needs. 
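The two sections above describe controls to ask a vendor about rather than how they are built, but a short working model makes the behavior concrete. The following Python is an added illustration written for this article; it is not Florence’s code or any vendor’s implementation. It models individual password-protected accounts, lockout after repeated failed logins, automatic logout after inactivity, role-based permissions following least privilege, and an e-signature step that requires the password to be re-entered and a meaning to be recorded. The thresholds, role names, and permission sets are assumptions chosen for the example.

```python
"""Model of login, session, role and e-signature controls of the kind a
clinical trial platform should provide.  Added example; thresholds, roles
and permission names are assumptions, not any vendor's real configuration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5          # assumed lockout threshold
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed inactivity limit before auto-logout
PBKDF2_ITERATIONS = 600_000      # OWASP's current recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 hash; the random salt is stored in front of the digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing about the digest."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    username: str
    password_hash: bytes
    role: str                    # assumed roles: coordinator, investigator, monitor
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    username: str
    last_activity: float


@dataclass
class SignatureRecord:
    """What 21 CFR 11.50 requires the signed record to carry: who, when, and why."""
    username: str
    document_id: str
    meaning: str
    signed_at: float


class TrialPortal:
    # Least privilege: a sponsor's monitor reads but never uploads or signs.
    ROLE_PERMISSIONS = {
        "coordinator": {"view", "upload"},
        "investigator": {"view", "upload", "sign"},
        "monitor": {"view"},
    }

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock           # injectable so inactivity can be simulated
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}
        self.signatures: List[SignatureRecord] = []

    def add_user(self, username: str, password: str, role: str) -> None:
        self.users[username] = User(username, hash_password(password), role)

    def _record_failure(self, user: User) -> None:
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked = True       # stays locked until an administrator resets it

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token, or None on unknown user, lockout or bad password."""
        user = self.users.get(username)
        if user is None or user.locked:
            return None
        if not verify_password(password, user.password_hash):
            self._record_failure(user)
            return None
        user.failed_attempts = 0
        token = os.urandom(16).hex()
        self.sessions[token] = Session(username, self.clock())
        return token

    def _active_user(self, token: str) -> Optional[User]:
        """Resolve a token; an idle session is destroyed (automatic logout)."""
        session = self.sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        session.last_activity = now
        return self.users[session.username]

    def can(self, token: str, action: str) -> bool:
        user = self._active_user(token)
        return user is not None and action in self.ROLE_PERMISSIONS[user.role]

    def sign(self, token: str, document_id: str, password: str, meaning: str) -> bool:
        """E-signature: live session, 'sign' permission, password re-entered, meaning stated."""
        user = self._active_user(token)
        if user is None or "sign" not in self.ROLE_PERMISSIONS[user.role]:
            return False
        if not meaning.strip():
            return False
        if not verify_password(password, user.password_hash):
            self._record_failure(user)   # a wrong re-entry counts toward lockout too
            return False
        self.signatures.append(SignatureRecord(user.username, document_id, meaning, self.clock()))
        return True
```

The clock is injected so the inactivity timeout can be exercised without waiting fifteen minutes; in a real system the lockout would also be logged and the reset would go through an administrator, which the model leaves out.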

c. Encryption for data-at-rest and data-in-transit

You need encryption both for data you’re storing and for data you’re sending to your sponsor, a CRO, your IRB, or regulatory bodies like the FDA. Just the same as locking valuables in a safe or lockbox, you want to encrypt (“lock”) valuable data so it can only be accessed by authorized individuals. 

If you look at various safes and lockboxes, you’ll notice they have different types of locks on them, and some locks are more secure than others. In the same way, there are different methods of encryption, and some are more secure than others. You want to make sure your software vendor not only provides encryption with their service but that the encryption follows industry standards and best practices, for example TLS 1.2 or later for data in transit and AES-256 for data at rest. In other words, a lockbox doesn’t provide much protection if it has a cheap lock on it.  

But if all of this seems overwhelming, don’t worry. You don’t need an in-depth understanding of cybersecurity to use clinical research software. You just need to know what topics to ask your software vendor about. If they can’t answer your questions about what security measures or encryption they’ve put in place, you should look for a different vendor.

Planning Your Secure Clinical Trials

Once you understand the basics of secure clinical trials, you can look for a software vendor that offers secure authentication, access control, and data encryption. You can then work with your IT team, your software vendor, and other parties like medical device companies or CROs to create SOPs, provide user training, and develop an incident response plan. 

With all of these plans in place, your site or sponsor can embark on secure clinical trials that are more likely to produce private, reliable data. Cybersecurity will protect your intellectual property, your revenue, and, most importantly, your patients.

To learn more about data privacy at your site or sponsor, check out our Beginner’s Guides to CCPA and GDPR.

References

Brettler, D. (2021). Hidden Cyber Security Risks in Clinical Trials. Conner Strong & Buckelew. Retrieved October 18, 2021, from https://www.connerstrong.com/wp-content/uploads/2019/05/CSB_Cyber_Risk_Clinical_Trial_v1.pdf.

Longworth, C. (2021, June 16). Keeping clinical trial data safe – handling cybersecurity in a risky world. Pharma Phorum. Retrieved October 18, 2021, from https://pharmaphorum.com/views-and-analysis/keeping-clinical-trial-data-safe-handling-cybersecurity-in-a-risky-world/.

Passut, C. (2020, December 14). Clinical trials need to be on high alert for cybersecurity threats. CenterWatch RSS. Retrieved October 18, 2021, from https://www.centerwatch.com/articles/25180-clinical-trials-need-to-be-on-high-alert-for-cybersecurity-threats.