VA seeks to make clinical trial data more secure
In an attempt to make its information even more secure, the Department of Veterans Affairs (VA) is changing its approach to the use of Electronic Data Capture (EDC) systems and applications by its centers that offer clinical trials and other services.
EDC systems that did not meet Federal Information Processing Standard (FIPS) 140-2 encryption standards from the National Institute of Standards and Technology (NIST) but followed other encryption “compensating controls” were previously allowed by special waiver from the VA’s chief information officer. Allowance of the waiver, which allows the VA centers to use various EDC solutions, is now being discouraged by new CIO LaVerne Council. The impact on clinical research involving veterans, however, should be minimal at best.
The VA is responsible for the security of veterans’ personal/health information until it reaches a sponsor. VA Handbook 6500 requires the tool to encrypt data “at rest” and “in flight,” meaning that the database and the means of transmitting the data via the Web must comply with the Federal Information Security Modernization Act (FISMA) of 2014—the federal information security standard. “In flight” refers to the transmission of the data over the Internet and must have an FIPS 140-2 certified encryption standard. FIPS Publication 140-2 is published by NIST and is the government computer security standard used to accredit cryptographic modules. The NIST tests and maintains lists of approved cryptographic modules.
James Breeling, M.D., director of bioinformatics at the VA’s Office of Research & Development, said FISMA mandates that every federal department, including the VA, must place certain security standards on all of its technology and test those controls using a third-party authority. The waiver, he noted, allows the VA to have alternate security that are slightly below the FISMA standards, although he emphasized that the agency’s technology security already has become significantly stronger over the past decade.
Timothy O’Leary, M.D., the VA’s chief research officer, voiced similar sentiments.
“The VA has taken steps over the last 10 years to become much more secure,” said O’Leary. “I would trust VA research data as much or more than that at a university or hospital. Indeed, as a research subject at VA, I have entrusted my own personal health data to VA, and have no doubt that VA will keep it safe and secure.”
Nevertheless, Council, who joined the VA after being confirmed by the Senate earlier this year, is clamping down on the use of the waiver. Breeling said doing so may help EDC vendors to maintain FISMA compliance by making it clear the VA may not accept lesser levels of compliance in the future.
“What’s newsworthy here is that there’s an attempt to change the traditional culture at the VA,” he said. “I take it very seriously.”
Use of the waiver has been common, he noted, since the advent of Web-based clinical trials management software tools over the past 10 years.
Breeling added that although some clinical research “theoretically” could be halted by the stricter waiver policy, the chances of that happening are small.
“So far, no research has been stopped,” he said. “My goal is that no research will ever be stopped.”
The Office of Research & Development has been improving the lives of veterans through healthcare discovery and innovation for more than 90 years. Its research is different from other clinical efforts because it focuses on health issues that affect veterans. It is part of an integrated healthcare system with a state-of-the-art electronic health record, and according to the department’s website, it “has come to be viewed as a model for superior bench-to-bedside research.”
The VA’s research process begins with a focus on the veterans’ everyday health needs, as well as consultation with regional and national VA clinical leaders. Solutions are then identified and developed through research in laboratories and clinics, and occasionally in the community. The solutions subsequently are applied to patient care, or translated into new or improved programs, as quickly as possible.
The various achievements by VA investigators, more than 60% of whom also provide direct patient care, have won three Nobel Prizes, seven Lasker Awards, and many other national and international honors.
The VA’s research encourages collaborations with university partners, other federal agencies, nonprofit groups, and private industry—efforts that further the program’s impact on the health of veterans and other Americans.
The Office of Research & Development consists of four separate research services that form a cohesive whole exploring all phases of veterans’ healthcare needs. The four services are: a Biomedical Laboratory Research & Development Service; Clinical Science Research & Development Service (which includes a Cooperative Studies Program); Health Services Research & Development Service; and Rehabilitation Research & Development Service. Each service oversees a number of research centers.
This article was reprinted from Volume 19, Issue 44, of CWWeekly, a leading clinical research industry newsletter providing expanded analysis on breaking news, study leads, trial results and more. Subscribe »