Navigating data protection and cybersecurity in clinical trials

Guide for biotech and medtech companies

As biotech and medtech companies conduct clinical trials, safeguarding data privacy and cybersecurity become increasingly crucial. Failing to protect confidential and sensitive information can damage stakeholder trust, compromise the results of the study, and risk the safety and wellbeing of participants.

Helen Poliviou is the founder and managing director at PureCDM, a leading provider of high-quality clinical data services. Helen is answering your questions on data protection and cyber security in clinical trials.

Helen Poliviou

Helen Poliviou has worked in the life sciences sector for over 25 years and has dedicated the last 13 years to supporting biotech and medtech innovation, leveraging technologies and data-driven strategies to optimize clinical trial operations.

Helen is a strong advocate of maintaining scientific rigor and integrity when conducting clinical trials and believes that organizations of all sizes and budgets should have access to high quality data services.

Under her leadership, PureCDM has been empowering start-up companies to navigate the complexities of clinical research, ultimately advancing the development of life-changing therapies and technologies for the benefit of patients worldwide.




1. What is data protection and why is it important in clinical trials?

Data protection is the process of safeguarding sensitive and confidential information from:

  • unauthorized access
  • unauthorized use
  • unauthorized disclosure
  • destruction


2. What laws and regulations govern data protection in clinical trials?

The regulations and guidelines that govern data protection in clinical trials include:

  • ICH GCP, the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) Guideline for Good Clinical Practice (GCP), the internationally agreed standard for ensuring ethical and scientific quality in designing, recording, and reporting trials that involve human subjects.
  • GDPR, the General Data Protection Regulation, in the European Union.
  • HIPAA, the Health Insurance Portability and Accountability Act, in the United States.
  • PIPEDA, the Personal Information Protection and Electronic Documents Act, in Canada.
  • The Australian Privacy Act in Australia.



3. What is cybersecurity and why is it important in clinical trials?

Cybersecurity is the practice of protecting digital systems, networks, and sensitive data from cyber threats such as unauthorized access, hacking, and data breaches. In clinical trials, cybersecurity is crucial to protect high-value data assets and the confidentiality and integrity of clinical trial data, which can contain sensitive personal and medical information. Failure to protect clinical trial data can compromise the validity of the safety and efficacy results, put patient safety at risk, and damage the reputation of the sponsor.


4. Who is responsible for data protection in clinical trials?

Sponsors are responsible for ensuring data protection in clinical trials, even if they outsource certain activities to a CRO or other vendors. The ICH GCP guideline states that sponsors must ensure that vendors and other parties involved in the study adhere to applicable regulations and guidelines related to data protection and cybersecurity. This includes providing oversight of vendor activities and ensuring that vendor contracts include provisions for data protection and cybersecurity.


5. What is the role of the EDC vendor in cybersecurity?

Electronic data capture (EDC) vendors play an essential role in clinical trials and in ensuring data protection and cybersecurity. They develop the technology and software necessary for electronic data capture, management, and reporting of clinical trial data.

EDC vendors are responsible for ensuring that the software they develop and the data hosting facilities they operate meet regulatory requirements and industry best practices for data protection and cybersecurity. This includes design features that incorporate access controls, change control, electronic signatures, data backup and recovery, and monitoring tools to detect and prevent data breaches and other security incidents.



6. What is the role of clinical data management (CDM) in ensuring data protection in clinical trials?

CDM plays a crucial role in ensuring data protection and cybersecurity in clinical trials by:

  • Evaluating EDC vendor compliance.
  • Ensuring that clinical databases are designed and implemented in a way that meets regulatory requirements and industry best practices.
  • Managing access to the database, ensuring that only authorized and trained personnel have access to clinical trial data.
  • Ensuring clinical trial data is protected during transmission and storage.
  • Conducting regular data audits to confirm that clinical trial data is managed appropriately and that there have been no unauthorized changes or access.


7. What measures can biotech and medtech companies take to protect their clinical trial data?

  • Working with reputable data vendors and EDC systems that have appropriate security measures in place and who comply with relevant regulations.
  • Implementing internal secure data transfer protocols to protect data during transfer from external sources to the sponsor.
  • Using company owned secure data storage solutions that are fit for life sciences data, such as compliant cloud storage services with multi-factor authentication and access control features.
  • Conducting regular security risk assessments and vulnerability testing to identify and address potential security threats.
  • Providing employee training on data protection and cybersecurity best practices, such as safe data handling procedures and password management.
  • Implementing policies and procedures that outline the sponsor's approach to data protection and cybersecurity in accordance with relevant regulations, such as the Australian Privacy Act, HIPAA and GDPR. These policies and procedures should cover areas such as data access controls, data transmission encryption, data storage security, and risk management, which are most relevant when receiving data during study conduct or at the end of the clinical trial.

In addition, sponsors should work closely with their CROs to ensure that cybersecurity measures are in place throughout the clinical trial process.

By taking a proactive approach to data protection and cybersecurity, sponsors can ensure that they are meeting their legal and ethical obligations to protect the privacy and confidentiality of clinical trial data, while also minimizing the risk of data breaches and cyber attacks.


8. Where is my clinical trial data stored?

Clinical trial data is stored securely in cloud-based or central data facilities managed by EDC vendors or third-party providers. Encryption is used to protect against unauthorized access or tampering during transit and storage. After study completion, the clinical database is archived, and data is returned to sponsors for secure storage. Sponsors may choose to store the data securely or have the EDC vendor store it for a fee.

For Australian companies, there are certain considerations to keep in mind when selecting a data storage facility. Ensure that offshore data centres comply with applicable data privacy laws and regulations. For example, if you have sites or partners in the EU, GDPR will apply and may require obtaining explicit consent from study participants for the transfer of their data to an offshore location. Ensure appropriate measures are in place to securely encrypt the data during transfer and storage, and that contractual arrangements clearly state data ownership and control.


Disclaimer: The information provided is for educational and informational purposes only and should not be construed as legal or professional advice. The laws and regulations surrounding data protection and cybersecurity in clinical trials vary by country and jurisdiction, and it is the responsibility of each company to ensure compliance with applicable laws and guidelines. This information should not be used as a substitute for consultation with qualified legal or professional advisors with expertise in data protection and cybersecurity.