Clinical Trials Need to Be on High Alert for Cybersecurity Threats
Cybersecurity in the clinical research world is “a little bit special,” one expert says, because sites must deal with confidentiality, data privacy and integrity, as well as the breach notification process imposed by regulators. And never has the threat to trial data been so high.
Interpol, the Department of Homeland Security and IBM are warning about the efforts cyber criminals are putting into stealing COVID-19 vaccine and treatment data. “There is chatter out there among the bad guys, saying they were going to start getting really aggressive about going after healthcare,” says Melissa Markey, an attorney with Hall, Render, Killian, Heath & Lyman. “Believe me, that includes research, particularly around COVID-19 and especially in either treatment or vaccine development. Both of those are big targets right now.”
The Online Trust Alliance (OTA), an organization of various security firms, put together a list of core best practices that sites can use to develop a strategy for protecting trial participants’ personal information. The two most essential recommendations are to enforce effective password management policies and to follow the principle of least privilege, a concept the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency defines as providing only the minimum necessary access for the shortest duration necessary.
“As you go into the more sensitive information, you limit the access you can get in there,” Peter Sullivan, principal for the Sullivan Group, said in explaining so-called least-privileged user access. “That then limits the number of people who could get in there and open up a portal.” He said OTA also recommended that sites regularly attempt to hack into their own systems, require authentication for all incoming and outgoing email, and continuously monitor, in real time, the security of their systems and firewalls.
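One way to make "minimum necessary access for the shortest duration necessary" concrete is an access check in which a role gets only a default read ceiling and anything beyond it needs an explicit grant that expires. The following Python is an added illustration, not code from the article, OTA, CISA or the Sullivan Group; the tiers, roles, resource names and the eight-hour grant ceiling are all constructed for the example.

```python
"""Least-privilege check for trial data access with time-boxed elevation.

Added example, not from the article or any named organisation. Tiers, roles,
resources and the grant ceiling are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TIERS = {"public": 0, "coded": 1, "phi": 2}  # sensitivity, low to high
# Default read ceiling per role (constructed): a CRO monitor sees coded data only.
ROLE_CEILING = {"monitor": "coded", "coordinator": "phi", "biostat": "coded"}
RESOURCES = {  # constructed resource catalogue: resource -> tier
    "site12/enrollment-log": "coded",
    "site12/source-docs": "phi",
    "protocol/synopsis": "public",
}
MAX_GRANT = timedelta(hours=8)  # longest elevation any single grant may confer


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    action: str
    expires: datetime


def issue_grant(user, resource, action, now, duration):
    """Create a time-boxed grant; refuse anything longer than MAX_GRANT."""
    if duration <= timedelta(0) or duration > MAX_GRANT:
        raise ValueError("grant duration must be positive and at most %s" % MAX_GRANT)
    if resource not in RESOURCES:
        raise KeyError(resource)
    return Grant(user, resource, action, now + duration)


def is_allowed(user, role, resource, action, grants, now):
    """Baseline reads up to the role ceiling; everything else needs a live grant."""
    tier = RESOURCES[resource]
    if action == "read" and TIERS[tier] <= TIERS.get(ROLE_CEILING.get(role, ""), -1):
        return True
    # Beyond baseline: an explicit, unexpired grant for this exact user/resource/action.
    return any(
        g.user == user and g.resource == resource and g.action == action and now < g.expires
        for g in grants
    )


def run_scenario():
    """Walk a monitor through the checks at a fixed instant (constructed data)."""
    now = datetime(2020, 12, 7, 9, 0, tzinfo=timezone.utc)
    grant = issue_grant("mwong", "site12/source-docs", "read", now, timedelta(hours=2))
    try:
        issue_grant("mwong", "site12/source-docs", "read", now, timedelta(days=30))
        too_long_rejected = False
    except ValueError:
        too_long_rejected = True
    return {
        "monitor_reads_coded": is_allowed("mwong", "monitor", "site12/enrollment-log", "read", [], now),
        "monitor_reads_phi_by_default": is_allowed("mwong", "monitor", "site12/source-docs", "read", [], now),
        "monitor_reads_phi_with_grant": is_allowed("mwong", "monitor", "site12/source-docs", "read", [grant], now),
        "grant_after_expiry": is_allowed("mwong", "monitor", "site12/source-docs", "read", [grant], now + timedelta(hours=3)),
        "grant_does_not_cover_write": is_allowed("mwong", "monitor", "site12/source-docs", "write", [grant], now),
        "too_long_rejected": too_long_rejected,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point of the design is that elevation is scoped three ways at once: to one user, one resource and one action, and it carries its own expiry, so the number of people who can reach the PHI tier at any moment is the number of grants currently live, not the number of people who ever needed it.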
Sullivan said the complexities of trials — which include wearables, servers and medical devices — provide so-called touchpoints for hackers to seize trial participants’ private information and other trial data. But he warned that hackers won’t stop at sites.
“They could travel down the internet to the CRO, the sponsor and their systems,” Sullivan said. “They would have touchpoints where the backups are connected. And if you’re connected to the FDA or any other vendor, those could potentially be a portal for this information.”
“One of the biggest [security challenges] that we’re seeing right now is when you go into any environment and you get access to Wi-Fi,” Sullivan said. “In our office, we have two Wi-Fis — a standard Wi-Fi for our clients that come in, and a corporate Wi-Fi that is bifurcated from our main systems.” Sullivan said an expert hacker could come to his office and potentially jump from one network to the other, “but we have IT people monitoring that to try and shut that down as quickly as possible.”
OTA’s recommended best practices, in terms of infrastructure security, include implementing the Always On Secure Sockets Layer (AOSSL) protocol to help ensure data exchanged between a wireless device and a website is encrypted. The organization said using Extended Validation Certificates (EVSSL) will help distinguish between legitimate websites and those being run by hackers.
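In practice, "always on" TLS means two things a site can verify for itself: plain-HTTP requests are redirected to HTTPS on the same host, and the HTTPS response carries a Strict-Transport-Security header with a long max-age that covers subdomains. The Python below is an added example (not OTA's or the article's) that evaluates a pair of captured responses against those rules; the sample responses, the hostname and the one-year max-age threshold are constructed, and the code does no network I/O.

```python
"""Assess whether a site enforces always-on TLS from two captured responses.

Added example; the responses below are constructed, not captured from any
real site, and the one-year max-age threshold is an assumed policy value.
"""
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 31536000  # one year (assumed policy threshold)
REDIRECTS = {301, 302, 307, 308}


def get_header(response, name):
    """Case-insensitive header lookup on a {'status': int, 'headers': dict} response."""
    for key, value in response["headers"].items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, directive_value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(directive_value.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_always_on_tls(host, http_resp, https_resp):
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    status = http_resp["status"]
    if status not in REDIRECTS:
        findings.append("plain HTTP served content instead of redirecting")
    else:
        target = urlsplit(get_header(http_resp, "Location") or "")
        if target.scheme != "https" or (target.hostname or "") != host.lower():
            findings.append("redirect does not land on https for the same host")
        elif status in (302, 307):
            findings.append("redirect is temporary; use 301 or 308")
    hsts_value = get_header(https_resp, "Strict-Transport-Security")
    if hsts_value is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        hsts = parse_hsts(hsts_value)
        if hsts["max_age"] is None or hsts["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age shorter than one year")
        if not hsts["include_subdomains"]:
            findings.append("HSTS does not cover subdomains")
    return findings


# Constructed sample responses for a hypothetical participant portal.
HOST = "portal.example-trial.test"
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://portal.example-trial.test/"}}
GOOD_HTTPS = {"status": 200, "headers": {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}}
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=300"}}

if __name__ == "__main__":
    print("good:", assess_always_on_tls(HOST, GOOD_HTTP, GOOD_HTTPS))
    print("weak:", assess_always_on_tls(HOST, WEAK_HTTP, WEAK_HTTPS))
```

A site that returns content over plain HTTP, even a harmless landing page, leaves the door open for the first request from a wearable or a participant's phone to travel unencrypted; the redirect plus HSTS closes that window after the first HTTPS visit, and the preload directive closes it before.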
OTA also recommended implementing Certificate Authority Authorization (CAA) to avoid issuance of unauthorized certificates for websites, and to deploy bot detection and mitigation to help prevent brute force attacks, which experts say could damage one out of every eight encrypted files — a devastating prospect for sponsors (CenterWatch Weekly, Dec. 7, 2020).
In terms of best practices for response readiness in case of a cyberattack, OTA recommends that sites perform a complete risk assessment of their operational processes and review their data stewardship practices. It also recommends establishing, and then confirming, relationships with data protection authorities, law enforcement and incident service providers.
“We’ve handled breaches before where, because of the nature of the breach we also have data integrity issues that require regulatory responses going to study sponsors, IRBs and the FDA,” Markey said. “When you’re dealing with the response, you’re going to need assistance that understands the entire scope of the regulatory framework. You’re also going to need a forensics firm that understands some of the unique software that we use in clinical research.”
“Having a really good forensics team — one that really understands what they’re doing, knows how to do a good investigation, will find all of those little footsteps through the network and all of those little traps that the criminal bad guys left behind — is absolutely critical.”
Echoing Markey, the OTA suggested using forensics services to determine how a cyberattack occurred and if any additional vulnerabilities were present. Employees should also be trained in better password practices and in how to identify social engineering and other online scams. Markey also said sites should make sure that their systems’ and devices’ security patches are up to date.
Sullivan — who advises sites, sponsors, CROs, IRBs, clinical service companies and their affiliated vendors — said the trials industry is justified in fearing that hackers could penetrate a clinical site’s systems and steal PHI to identify trial participants, or worse. Such breaches could, by extension, be devastating to sponsors, who would not only be vulnerable to fines by regulators, but also lawsuits from investors if their drug timelines are interrupted.
All entities in the clinical trials space should consider the monitoring of their systems a 24/7/365 obligation. “Technology is moving very quickly, but we sometimes forget that we don’t have all of the correct software or controls in place because we are moving health information via wireless or the internet,” he said.
While there are no general privacy or data protection laws at the federal level in the U.S., to date, four states — California, Maine, Nevada and Vermont — have enacted their own laws to protect consumer information. Markey said clinical trial sites should “keep in mind that a lot of times these laws don’t look like, on first blush, to apply to clinical trials — but they end up applying to clinical trials because we are dealing with data in different ways now, especially since the COVID-19 pandemic hit.
“We are using electronic collection of data in different ways now, and we’re using websites. So, some of these [state] website rules now do apply in clinical trial settings, and we have a lot more enforcement agencies looking at research and trying to make sure that we’re doing the right thing for privacy and security activities in the research space,” Markey said.
EU and European Economic Area (EEA) citizens who participate in clinical trials are protected by the General Data Protection Regulation (GDPR), which took effect in 2018. The law gives trial participants control of their personal data and covers the import and export of such data outside the EU and EEA. Aurea Flores, director for research quality, regulatory and compliance with HonorHealth Research and Innovation Institute, told the conference that despite the UK’s decision to leave the EU, it still plans to comply with the GDPR.
Sullivan said he recommends that his clients carry cyber liability insurance, some of which could provide $1 million in coverage or more. Such coverage could provide funding for loss of profit, forensic and legal services. Markey concurred, adding that insurance premiums are much lower than the cost of recovering from a cyberattack. “If you get the right policy, that can actually give you a better return on investment than if you go out and grab whatever policy is out there,” she said.
“Basically, just continue to test, respond and develop a plan,” Sullivan said. “It’s not a question of if, but when, the hack occurs.”