Cybersecurity issues are not new to the clinical research community. What is new is how quickly, frequently and effectively new threats are developing, making it even more important for clinical trials to be vigilant in protecting the accuracy and privacy of their subjects’ data.
In April, for example, security researchers at Ben Gurion University in Israel announced they had developed malware that can add tumors to CT and MRI scans or hide real cancerous nodules. The researchers were able to access and manipulate several images.
“This isn’t Photoshop,” said Katherine Mahoney, associate director of transparency at Vertex Pharmaceuticals. She told MAGI east conference attendees last week that researchers altered the images’ coding effectively enough that they managed to fool radiologists 90 percent of the time, even when the radiologists were aware of the malware experiment.
Researchers should consider whether a heart rate monitor on a FitBit records an actual heart rate or just an estimate, for example. They also need to check that the subject is really wearing the monitor and not giving it to someone else to wear or putting it on their pet, she added.
“Yes, we have had situations where we’ve said ‘yeah, that’s not a human doing all that walking,’” she told the audience.
Charles River Labs also recently suffered a data security breach when parts of its information systems were accessed by an unauthorized intruder. Upon noticing “unusual activity” in mid-March, Charles River launched an investigation with the help of federal law enforcement and cybersecurity experts that is still ongoing (CenterWatch Weekly, May 6, 2019).
Data privacy and cybersecurity currently are “hot buttons” for the FDA and other authorities as well. “Regulators are starting to get tired of ... significant data breaches” and they’re levying significant fines in response, Mahoney warned.
The FDA addressed the issue in a draft guidance it released in April 2018. Multiple Function Device Products: Policy and Considerations includes several fictional examples of devices that could be prone to data breach problems. The first example, a Transcutaneous Electrical Nerve Stimulation (TENS) device controlled by an app on a wearable device, would need appropriate cybersecurity controls to ensure the reliability and security of the connection, the guidance says.
A second example features a monitor that measures and displays physiological parameters, transmitting them to a hospital’s electronic health records (EHR) system using a built-in Wi-Fi card. The Wi-Fi and network connections both could introduce a cybersecurity risk, the guidance says, and the interface software could be open to data corruption in the transfer from the monitor to the EHR system.
These examples illustrate some of the most pressing data security concerns, which can be broken into four categories, according to Mahoney. First, the confidentiality of subjects’ data must be secured using encryption and other methods. Second, data integrity must be ensured, as the Israeli experiment illustrated.
Third, even the cleanest and most reliable data is useless if you can’t get to it, so access and availability protections must be in place to prevent “hijacking” and “ransoming” of data.
Mahoney recalled the 2017 attack of the WannaCry ransomware that targeted computers running outdated versions of the Microsoft Windows operating system, encrypted their data and demanded ransom payments in Bitcoin.
Healthcare organizations, including academic medical centers, are especially vulnerable to such attack in part because large machines, such as MRIs, often run on old operating systems that no longer receive updates and patches. To protect against such threats, organizations must ensure that older machines are isolated from any networks or other connections so they don’t infect other machines if they are breached.
The fourth category of data issues, authenticity, can be a particular problem in trials that use consumer-grade mobile and wearable devices to gather data, Mahoney said.
Wearables and other connected devices are vulnerable to data loss if the raw data isn’t encrypted when it’s transmitted. “You have to think about what kind of data we have and what’s ... most import to protect” and treat that data like the crown jewels, Mahoney said.
The bottom line: “You have to be on high alert,” she cautioned. In fact, organizations need to understand that it’s a matter of when, not if. A security breach is inevitable, she said.