‘Mask Up’ to Threats: Clinical Experimental Data
August 13, 2021
By Daniel Yan and Joseph Amato
Over the past year-and-a-half, the well-publicized rush to produce medicines in response to COVID-19 shifted the focus of targeted attacks by cybercriminals to enterprises in the life sciences sector and renewed the spotlight around clinical experimental data security.
Without the proliferation of experimental data and a worldwide effort, the recent widespread adoption of lifesaving medicines like vaccines, antivirals, and monoclonal antibodies would not have been possible. This criticality and scale, while stunning, have also brought to light the multiple threats that unauthorized access to experimental data poses to an enterprise undergoing trials to support the adoption of the product by regulators and medical professionals, as well as the general public. Deep threats resurfacing during the pandemic response and traditionally associated with experimental data chiefly include:
- Ability to manipulate experimental data;
- Ability to view an individual’s personally identifiable information (PII) and health history; and
- Increased cybersecurity and intrusion detection concerns.
When it comes to the important mission of safeguarding experimental data against threats, there are principally two distinctive ‘broad strokes’ that life science enterprises can consider implementing: one, strengthening data handling, and two, optimizing data administration.
‘Mask Up’ to Threats: Strengthening Data Handling
Key efforts here are controls and governance. Nothing is more essential than the fundamental methods and protocols that drive and guide how data within an enterprise should be classified, handled, and retained. There’s simply tremendous inherent operational risk if an enterprise isn’t properly enabled in this regard.
With the exposure of personal data generally pertinent to clinical trial data, the growth of data privacy legislation was inevitable. Companies and government agencies handling PII in the U.S. must comply with Health Insurance Portability and Accountability Act (HIPAA) requirements, and the vast majority must also comply with the European Union’s General Data Protection Regulation (E.U. GDPR), and many international and local follow-on laws. Hence, an organization is likely exposed to regulatory risk as well when it comes to clinical trial data.
When instituting controls and governance for the operations around handling clinical data, it’s important to first understand the degree of sensitivity of the data set, as it may lead to varying requirements. There are generally two drivers of best practice requirements: regulatory compliance and operational excellence.
From a regulatory compliance standpoint, it is important to first completely and accurately identify what data elements exist amongst the enterprise’s operational processes. General advice is to consult with data-related subject-matter experts to perform a full-scale discovery and risk assessment to identify:
- What data elements are present in-house and, in a broader sense, pertinent to the operations of the enterprise?
- What legal/regulatory risks are present based upon the aforementioned geographic implications?
This should help to ultimately determine what essential requirements there are and subsequently what specific process controls and governance routines are necessary.
From an operational excellence standpoint, well-functioning data governance and process controls also help deliver significant competitive advantages as they facilitate processes and procedures in data handling, which effectively leads to reliability, traceability, and authenticity. When constructing the governance and controls framework with operational excellence as an objective, it is generally critical for an organization to identify opportunities to adopt a methodical approach to decision-making using data where feasible.
‘Mask Up’ to Threats: Optimizing Data Administration
Once essential controls and governance are established, a great option for optimizing the efficiency of governing the workflows and lifecycles around clinical trial data is to implement a clinical trial management system (CTMS). CTMSs manage the operations, processes, and data involved in clinical studies and trials. An effectively implemented CTMS centralizes all trial and study data; standardizes and streamlines workflows; and tracks and optimizes site, participant, investigator, and trial processes.
Pharmaceutical companies, medical research institutes, and research centers managed by hospitals are all common users of CTMSs. An effective CTMS assists these enterprises in planning, managing, and monitoring the entire lifecycle of clinical trials. Leading CTMS solutions are designed to adhere to industry regulation so that trials can maintain compliance according to both institution and industry.
Implementing a Clinical Trial Management System
Implementing a CTMS is no small feat for an enterprise of any size. Depending on size and the availability of critical resources, budget and timeline constraints are primary determining factors in the accessibility of such an implementation project. Once buy-in from internal and external stakeholders is achieved, multiple best practices can be adopted to facilitate project success for information security:
- Align CTMS implementation with clinical trial kick-off;
- Construct and act upon key systems development lifecycle (SDLC) considerations; and
- Adequately restrict internal CTMS access.
Overall, a more complete and sound controls and governance framework will aid an enterprise in building upon and maintaining the robustness of a firm’s security posture surrounding critical clinical experimental data, and an optimally implemented and operationalized CTMS will help streamline the efficiency of relevant data security administration. While the challenges can vary among enterprises, adoption of these best practices should be kept top of mind while preparing for any clinical trial activity.