Navigating data protection and cybersecurity in clinical trials

Guide for biotech and medtech companies


As biotech and medtech companies conduct clinical trials, safeguarding data privacy and cybersecurity becomes increasingly crucial. Failing to protect confidential and sensitive information can damage stakeholder trust, compromise the results of the study, and risk the safety and wellbeing of participants.

Helen Poliviou, Managing Director at PureCDM, answers your questions on data protection and cybersecurity in clinical trials.

Helen Poliviou, Managing Director, PureCDM
Helen holds a Bachelor's degree with Honours in Molecular Genetics and Protein Biochemistry from the University of Melbourne. She has more than 25 years of clinical data management experience working with all stakeholders in health and life sciences research at a global level. Helen's expertise and industry acumen led her to found PureCDM, a provider of high-quality data solutions that are tailored for each client. Her strong and strategic industry partnerships ensure exceptional service across the board, delivering successful programs. She is highly respected and a trusted name in the industry.

Q&A with Helen at PureCDM

1. What is data protection and why is it important in clinical trials?

Data protection is the process of safeguarding sensitive and confidential information from:

  • unauthorized access
  • use
  • disclosure
  • or destruction.

2. What laws and regulations govern data protection in clinical trials?

Several regulations govern data protection in clinical trials, including the:

  • ICH GCP guideline: the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) Guideline for Good Clinical Practice (GCP), the internationally agreed standard to ensure ethical and scientific quality in designing, recording and reporting trials that involve human subjects.
  • GDPR, the General Data Protection Regulation in the European Union.
  • HIPAA, the Health Insurance Portability and Accountability Act in the United States.
  • PIPEDA, the Personal Information Protection and Electronic Documents Act in Canada.
  • The Australian Privacy Act in Australia.

3. What is cybersecurity and why is it important in clinical trials?

Cybersecurity is the practice of protecting digital systems, networks, and sensitive data from cyber threats such as unauthorized access, hacking, and data breaches. In clinical trials, cybersecurity is crucial to protect high value data assets and the confidentiality and integrity of clinical trial data, which can contain sensitive personal and medical information. Failure to protect clinical trial data can compromise the safety and efficacy of the results, risk patient safety, and damage the reputation of the sponsor.

4. Who is responsible for data protection in clinical trials?

Sponsors are responsible for ensuring data protection in clinical trials, even if they outsource certain activities to a CRO or other vendors. The ICH GCP guideline states that sponsors must ensure that vendors and other parties involved in the study adhere to applicable regulations and guidelines related to data protection and cybersecurity. This includes providing oversight of vendor activities and ensuring that vendor contracts include provisions for data protection and cybersecurity.

5. What is the role of the EDC vendor in cybersecurity?

Electronic data capture (EDC) vendors play an essential role in clinical trials and in ensuring data protection and cybersecurity. They develop the technology and software necessary for electronic data capture, management, and reporting of clinical trial data.

EDC vendors are responsible for ensuring that the software they develop and data hosting facilities meet regulatory requirements and industry best practices for data protection and cybersecurity. This includes design features that incorporate access controls, change control, electronic signature, data back-up and recovery, CFR21 Part 11 (this is validation and monitoring tools to detect and prevent data breaches and other security incidents.

6. What is the role of clinical data management in ensuring data protection in clinical trials?

CDM plays a crucial role in ensuring data protection and cybersecurity in clinical trials by:

  • Evaluating EDC vendor compliance.
  • Ensuring that clinical databases are designed and implemented in a way that meets regulatory requirements and industry best practices.
  • Managing access to the database to ensure that only authorized and trained personnel have access to clinical trial data.
  • Ensuring clinical trial data protection during transmission and storage.
  • Conducting regular data audits to ensure that clinical trial data is being handled appropriately and that there are no unauthorized changes or access.

7. What measures can biotech and medtech companies take to protect their clinical trial data and ensure data?

  • Working with reputable CRO data vendors and EDC systems that have appropriate security measures in place and who comply with relevant regulations.
  • Implementing internal secure data transfer protocols to protect data during transfer from external sources to the sponsor.
  • Using company owned secure data storage solutions that are fit for life sciences data such as compliant cloud storage services with multi-factor authentication and access control features.
  • Conducting regular security risk assessments and vulnerability testing to identify and address potential security threats.
  • Providing employee training on data protection and cybersecurity best practices, such as safe data handling procedures and password management.
  • Implementing policies and procedures that outline the sponsor's approach to data protection and cybersecurity in accordance with relevant regulations, such as the Australian Privacy Act, HIPAA and GDPR. These policies and procedures should cover areas such as data access controls, data transmission encryption, data storage security, and risk management, and are most relevant when receiving data during study conduct or at the end of the clinical trial.

In addition, sponsors should work closely with their CROs to ensure that cybersecurity measures are in place throughout the clinical trial process.

By taking a proactive approach to data protection and cybersecurity, sponsors can ensure that they are meeting their legal and ethical obligations to protect the privacy and confidentiality of clinical trial data, while also minimizing the risk of data breaches and cyber attacks.

8. Where is my clinical trial data stored?

Clinical trial data is stored securely in cloud-based or central data facilities managed by EDC vendors or third-party providers. Encryption is used to protect against unauthorized access or tampering during transit and storage. After study completion, the clinical database is archived and data is returned to sponsors for secure storage. Sponsors may choose to store the data securely or have the EDC vendor store it for a fee.

For Australian companies, there are certain considerations to keep in mind when selecting a data storage facility. Ensure that offshore data centres comply with applicable data privacy laws and regulations. For example, if you have sites or partners in the EU, GDPR will apply and may include obtaining explicit consent from study participants for the transfer of their data to an offshore location. Ensure appropriate measures are in place to securely encrypt the data during transfer and storage and that contractual arrangements clearly state data ownership and control.

Disclaimer: The information provided is for educational and informational purposes only and should not be construed as legal or professional advice. The laws and regulations surrounding data protection and cybersecurity in clinical trials vary by country and jurisdiction, and it is the responsibility of each company to ensure compliance with applicable laws and guidelines. This information should not be used as a substitute for consultation with qualified legal or professional advisors with expertise in data protection and cybersecurity.
