Cybersecurity in Global Trials
Massive data breaches have dominated global headlines in recent months, and security experts predict this trend will continue.
According to Experian’s 2014 Data Breach Industry Forecast, the healthcare industry will be among the most susceptible industries to publicly disclosed and widely scrutinized data breaches.
With more data moving to the cloud and seamlessly across borders, the risk of complex international breaches increases. The question is not whether investigative sites will suffer a data breach, but when, and how serious the consequences will be for the clinical trials industry.
The high volume of digital health data creates a particularly attractive target for cyber thieves. In addition to the usual forms of financial, medical and insurance fraud connected to individual sets of data, a breach of clinical trial data also can expose sponsor organizations to competitive threats and legal risk.
The October 2013 security breach of the FDA’s Center for Biologics Evaluation and Research compromised 14,000 accounts and demonstrated that competitive pharmaceutical trade secrets, which the federal government stores, represent an opportunity for foreign interests to benefit from new drug discoveries without investing a cent.
Many data breaches begin not with a hacker, but with a lost laptop, failure to shred paper records, the thoughtless transfer of sensitive information to personal devices, the use of non-secure data files or systems, or sloppy password practices. Kaiser Permanente suffered two breaches of patient data last fall. In the first incident, 670 patients learned a document with their information was sent to a recipient outside the Kaiser network. The second breach involved 49,000 patients at Anaheim Medical Center whose information was on an unencrypted USB flash drive that went missing.
Cybersecurity is not just a U.S. concern. In the U.K., health record security breaches by the National Health Service were up 20% last year, according to an investigation by Pulse magazine. Data from 55 hospitals indicated breaches included records dumped in public places, records given to the wrong patient and patient data given to relatives without permission.
In Korea’s worst data breach, citizens recently learned sensitive financial information for more than 20 million people was leaked by their credit card companies. The breach, which affected virtually all of Korea’s economically active citizens, was blamed on lax data security by the credit card firms.
Privacy and disclosure laws vary around the world, but nearly everywhere the stakes for such data breaches are higher than ever.
Global drug development companies have particularly high demands in the arena of data protection, as they must understand and comply with regulations in each country where they do business. In the European Union, for example, regulations are being enforced based on where the customer lives, not where the data resides.
In Japan, the fine for not disclosing a breach has been increased from 500 yen to 10,000 yen per record breached. This translates into a potential fine of about $7.5 billion for a breach of 100 million records.
In the U.S., HIPAA enforcement has improved since it was moved from Medicare Operations to the Office of Civil Rights under the HHS. HIPAA-covered entities and individuals who fail to protect patient information could face up to $1.5 million in annual fines.
Every organization, regardless of location, needs a comprehensive strategy for protecting private data and responding to attacks. But a recent survey by Rand Secure Data discovered 44% of companies that responded have no formal data governance policy, and 22% have no plans to implement one.
There is no foolproof way to physically protect digital records that are frequently accessed, altered and shared, sometimes internationally. But you can up the ante for hackers and malware by focusing on how you handle this data in the first place.
Your organization’s management team still may be more inclined to allocate budget to conventional but unnecessary expenditures than to data security. For those conducting trials in low-income or resource-constrained countries, reduce expenditures in these areas:
- Monitoring: Look for alternatives to standard monitoring requirements, such as training a local resource or arranging reciprocal monitoring between sites.
- Data Safety Boards: Limit DSMBs when trials are short or have low risk.
- Accreditation: Reevaluate the need for labs and trainers where Good Clinical Trial Laboratory practices are already in place.
With the proliferation of data threats, and the growth in clinical trials around the world, it’s time to educate management on the increased threats around data security, so that spending priorities start to recognize patient care also means protecting patient privacy and sensitive health data.
Matthew Howes is head of strategic services at inVentiv Digital + Innovation, the digital center of excellence for inVentiv Health. A leader in digital strategy, Matthew has provided the fuel for digital businesses that are visited by over 100 million people every month and generate billions of dollars in revenue every year.
This article was reprinted from CWWeekly, a leading clinical research industry newsletter providing expanded analysis on breaking news, study leads, trial results and more.