How safe is your data?

How safe is your data?

It's the age of contract research organisations conducting clinical trials for global pharma companies. But there is always suspicion when it comes to sharing sensitive information. Arun Bhatt and Rutika Vara talk about the security concerns in CROs


Arun Bhatt
“We take data protection and privacy very seriously. The accountant in India can see the data on his screen but he can not take a download of it or print it out—our program does not allow it.” — Jaithirth Rao, MphasiS, in The World Is Flat by Thomas Friedman.

“To cope and recover from a single security breach the cost on average is $14 million per company per breach”— Ponemon Institute.

Data security is today's buzzword in the biz world. With the adoption of the BPO model and dependence on Contract Research Organisations (CRO) for clinical trial management, the pharma industry has to wake up to the data security threat. CROs, particularly, are expected to provide effective data security.

Data covers all the facets of information shared between the sponsor and the CRO during the clinical trial project. Data flows from the sponsor to the CRO starts with the request for proposal and continues throughout the duration of the clinical trial project. The data includes paper or electronic documents —protocol, case record form (CRF), investigator's brochure, regulatory dossier for IND submission, informed consent documents, completed CRFs, monitoring reports, audit and inspection reports, raw data, statistical tables, and final study report. The CRO needs to share these data with both internal stakeholders—employees, external stakeholders—investigators, EC, trial subjects, health authorities, and vendors—central lab, couriers, translators, EDC suppliers. As the CRO is central to the sponsor's relationships with these stakeholders, it has to put in place, effective security measures.

For the sponsor and the CRO, data security is driven by the business need to protect data from loss, unauthorised access, modification, destruc-tion or disclosure. In addition, regulatory guidelines ensure the authenticity and integrity of data. ICH-GCP guidelines, Indian GCP and USFDA's September 2004 guidance for Computerised Systems Used in Clinical Trials, recommend that the sponsors maintain a security system that prevents unauthorised access to the data.

The level of data security differs depending on the types of data:

Public data is available to general public, including individuals outside the CRO. Public data may be shared without limit.
Internal data is insensitive information that is used in the daily course of managing clinical trials. If internal data, for example, staff phone numbers are made public, little or no loss would be incurred.
Confidential data is sensitive data. If this data is altered inappropriately loss could occur. Examples include protocols, sponsor SOPs. Access to confidential data should be provided to limited personnel in the CRO on a need-to-know basis.
Restricted data is highly sensitive data. If such data is compromised or inappropriately modified, it will lead to significant loss, which can lead to regulatory compliance breach. Examples are the raw data after database lock, statistical tables and study report. Access to this data should be closely controlled. Technical safeguards like passwords and encryption should be used to prevent access by unauthorised personnel.
Breach of data security can occur during any data transaction, that is, during transfer of data within or among clinical study sites, from clinical trial CRO to data management CRO and from CRO to central lab. Sometimes, employees accidentally disclose information while working during travel. Employees who have remote access to company intranet might leave documents open, exposing the data to leakage or tampering. There are instances of intentional break-ins by using another person's identity, for example, badge or password. Sometimes an unhappy employee or site staff might destroy the records by inserting a virus. Besides, loss or damage to data can also occur as a result of major calamities. For instance, a lot of research data was lost during the recent Katrina hurricane. The sponsor and the CRO should have data security system policies and procedures to guard against all major security concerns.

The security policy should cover both paper and electronic data. It should include relevant physical and electronic security procedures including disaster recovery measures.

The physical procedures would consist of:

Access control—swipe cards, restricted entry to visitors and vendors, limited access to archival section, alarm system to notify in case of tampering the login username and password or the act of forceful entry to the premises.
Paper trail—archived control copies, controlled distribution of document copies, confirmation of destruction of unused copies, for example, protocol synopsis for feasibility studies, draft and final reports.
Secure storage—fire proof cabinets, locked cabinets for paper documents and CDs, fire safety, smoke and fire alarms and burglar alarms.
Security obstacles— disallowing mobile phones with camera, CDs, pen drives, record of laptop model and numbers.
The electronic proce-dures would include:

Access control— authentication to validate identity of employees, encryption, to ensure that information is not viewed or tampered with during transmission, secure passwords or biometric identification for logging in, read only access to prevent accidental data modification, automated screen savers and log-out to inhibit access to unattended displays after particular time.
Non-repudiation—to establish an indisputable time-stamped audit trail of creation, modification, maintenance and transmit using the data entry system.
Digital signing—to attach legally binding electronic signatures to documents and forms.
Technological obstacles—firewalls to isolate internal and external networks, restricting use of pen drives and CDs in computers and laptops.
Back up procedures—regular backup through CDs or tapes storage in bank lockers and another location.
Data security system should describe legal procedures, for example, confidentiality of disclosure agreements from all persons who are likely to receive data like employees, investigators and vendors. The policy should also discuss necessary actions in case of a breach of security, for example, dismissal from employment, civil liability or criminal prosecution.

In the post-IPR era, there is a tug-of-war in India between global pharma companies expecting data exclusivity and Indian pharma companies opposing this move
The system will work only if the employees are adequately informed about their responsibilities for guarding the sponsor's data and are thoroughly trained to the use of physical and electronic systems. To quote Bruce Schneier, “People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”

In the post-IPR era, there is a tug-of-war in India between global pharma companies expecting data exclusivity and Indian pharma companies opposing this move. Besides, Indian industry's capability of reverse engineering to make economic generics, has created an atmosphere of suspicion in post-IPR era. These concerns have made the global sponsors obsessive on the potential misuse of their valuable data. The sponsors expect the Indian CROs to establish a comprehensive data security system to ensure that their data is in safe hands. If Indian CROs want global business, they have to be ready to face the security challenge!

(The writers are the President and Assistant Manager of Data Management of ClinInvent Research Pvt Ltd)