Chain-of-Custody Maps a Valuable Visual Aid for Illustrating Data Flow and Integrity to Regulators
A chain-of-custody data map should be a central part of every clinical trial site.
The map draws a picture that shows the central data storage location, with links to the data sources on one side and backup storage options on the other. For example, the center of the map could be the site’s electronic case report form (eCRF) system, with arrows to the left pointing to nightly transmittal systems, direct entry, manual transcription and randomization coding, and arrows to the right pointing to backup systems hosted at the CRO or sponsor, remote reviews by IRBs, an electronic trial master file (eTMF) system hosted by the sponsor and other archives.
“I tell my clients it’s really in their best interest to create this type of chain-of-custody map for your data in a clinical trial because that gives you control over what’s available,” says John Avellanet, founder of Cerulean Associates. “I strongly suggest you be able to create this before you make any submission, and ideally before even a trial gets started. You should create this as part of your trial planning to show the data is under control,” Avellanet told attendees at a WCG CenterWatch workshop last week.
Clinical trial investigators can take the map and make their own notes on it, Avellanet said. This is vastly better than them going off and creating their own maps. “At that point, you have no insight into what’s going into the map and the flow.”
The map focuses attention on the data flow within a trial and keeps data-handling consistent, he said, which is key to maintaining data integrity, “because if you don’t know this information, you can’t be in control of this information by default.”
There have been too many data integrity breaches in recent years, says Steve Niedelman, lead quality systems and compliance consultant at King & Spalding. The FDA has taken numerous enforcement actions based on data integrity issues, Niedelman told CenterWatch Weekly. “Having this chain of custody provides greater assurance” to a regulator.
Avellanet said FDA inspectors — called “investigators” by the agency — are trained to look for certain red flags within the data chain of custody. Chief among these is any contract a site has with a vendor that doesn’t address data integrity. Agency investigators also will spot sites that assume their vendors’ subcontractors have the same procedures and protocols for compliance with the FDA’s electronic systems regulations in 21 CFR Part 11.
The FDA also will not accept a site’s claim that it cannot validate a computerized data system because the system is cloud-based or provided by a vendor. The FDA also expects sites to have a cross-functional vendor selection and evaluation process and to consistently audit or otherwise monitor their suppliers.
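The map described above, together with the inspection red flags just listed, can be written down as a small checklist model. The following is an added example, not code from the article or from Cerulean Associates; the system and vendor names are constructed, and the attributes (contract coverage, subcontractor verification, validation on file) are assumptions chosen to mirror the red flags in the text.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class System:
    name: str
    role: str                          # "source", "central" or "backup"
    vendor: Optional[str] = None       # None means the site operates it itself
    contract_covers_integrity: bool = True   # assumed attribute: contract addresses data integrity
    subcontractors_verified: bool = True     # assumed attribute: vendor's subcontractors checked for Part 11
    validated: bool = True                   # assumed attribute: computerized system validation on file

@dataclass
class CustodyMap:
    central: System                    # e.g. the site's eCRF system
    sources: list = field(default_factory=list)   # left-hand arrows: where data comes from
    backups: list = field(default_factory=list)   # right-hand arrows: where copies and archives live

    def all_systems(self):
        return [self.central, *self.sources, *self.backups]

    def findings(self):
        """Return one line per red flag an inspector would look for on this map."""
        flags = []
        if not self.backups:
            flags.append(f"{self.central.name}: no backup or archive location on the map")
        for s in self.all_systems():
            if s.vendor and not s.contract_covers_integrity:
                flags.append(f"{s.name}: contract with {s.vendor} does not address data integrity")
            if s.vendor and not s.subcontractors_verified:
                flags.append(f"{s.name}: {s.vendor} subcontractors assumed equivalent, not verified")
            if not s.validated:
                # being cloud-hosted or vendor-provided is not accepted as a reason to skip validation
                flags.append(f"{s.name}: no computerized system validation on file")
        return flags

def example_map():
    """Constructed map for a single site: one eCRF hub, four sources, two backups."""
    ecrf = System("eCRF", "central", vendor="EDC vendor (constructed)")
    sources = [
        System("nightly lab transmittal", "source", vendor="central lab (constructed)",
               contract_covers_integrity=False),
        System("direct entry", "source"),
        System("manual transcription", "source"),
        System("randomization coding", "source", vendor="IxRS vendor (constructed)",
               subcontractors_verified=False),
    ]
    backups = [
        System("CRO backup", "backup", vendor="CRO (constructed)", validated=False),
        System("sponsor eTMF", "backup", vendor="sponsor (constructed)"),
    ]
    return CustodyMap(ecrf, sources, backups)
```

Running `example_map().findings()` yields three findings, one for each red flag deliberately planted in the constructed map; a map with no backups adds a fourth kind.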
Sites should challenge their data management vendors’ control by “jumping into the system at different points to assure that the data is being maintained and is accurate,” Niedelman says. “They need to be able to demonstrate that at some point they challenged the system to ensure that.”
On the vendor side, IT hosting and software vendors are also subject to being flagged if they don’t currently have any customers regulated by the FDA or other regulatory agencies, or if their security does not meet minimum requirements, such as ISO 27001, an international standard for information security management. Vendors whose periodic backup or network failures go unnoticed are also subject to being flagged by the FDA, as are vendors that don’t have any long-term data corruption avoidance plans, don’t test the security of their systems or have inexperienced technicians.
The FDA, according to Avellanet, “is very well aware” that cloud computing carries more risks, and that the agency’s investigators also know sponsors “do not understand this concept of risk-based data integrity controls.” He called the situation “deeply troubling.”
“It is imperative for you to understand that it isn’t wrong moving your data to cloud providers. All it does is engender greater risk. You will be the one that suffers, not Amazon.”
Avellanet added that ransomware attacks are a growing issue in the clinical trials space because the return on investment is huge. But even if the ransom is paid and criminals produce a decryption key, “there’s permanent damage to one out of every eight files that it encrypts, because they are using brute force encryption. So there’s always going to be data loss.”
“This is why one of the things FDA is starting to do is to ask about your ransomware protections. Because they’re under the understanding at this point that if you used a clinical site that got swept up in a ransomware attack, they’re just going to exclude the data. This is why it is imperative to get ahead of this.”
Susan Schniepp, distinguished fellow at Regulatory Compliance Associates, said sites and vendors alike need to pay close attention to cybersecurity, especially if they work in the cloud. “You can’t just assume that if it’s in the cloud, it’s safe and secure,” Schniepp told CenterWatch Weekly. “You have to take measures to prevent against infiltration or somebody hacking into your system to get the data.”
Schniepp says some clinical trial sites are “probably not in tune with the cybersecurity as much as they should be. Some of them are little clinics, little sites, they’re not the Mayo Clinic or Mount Sinai. I think there’s a niche segment of the industry where cybersecurity would be a concern and could potentially be easier to hack.” Schniepp says she doubts small sites are actually able to afford putting a ton of money into cybersecurity. “They’re probably just taking the basic steps.”
According to Avellanet, sites should initially request several records from their regulated suppliers, chief among them: a data integrity compliance plan that shows progress to date. Such plans are required if the supplier is a contract lab or a contract manufacturer, he said. “Nobody does this in 30 days. Most firms take three years to put this all into place. If they don’t have a plan, you’ve got a problem.” He also said suppliers should provide a list of computerized data system validations performed since their last audit, as well as a list of data integrity SOPs and policies they employ. Those could include good documentation practices; computerized system validations; change control and management; records retention and archiving; computerized system security; and backups and disaster recovery.
“These are things that you want to ask, because these are things that the FDA and other regulatory agencies look at during the PAI [pre-approval inspection] program.”
Avellanet said that before the pandemic, sites would typically “throw everybody in a room who might have insight into anything along this path, not just the clinical trial managers,” and spend a day mapping the entire process out on a whiteboard. “It’s basically recreating a huge part of the PAI from a system standpoint. If the investigators cannot put together some semblance of this on their own, then it really begs the question of whether or not your trial is being conducted under a state of control. That all leans more toward data rejection, and we all know the path that goes down.”