Clinical trial data and security: Risks and

Author: Shane Schick

Clinical trial data can hold the key to improving healthcare, including the development of life-saving medicines and treatments. In addition to yielding critical research insights, clinical trials also produce some of the most sensitive and personal patient health data. That makes it essential for security professionals to keep this data safe from the prying eyes of malicious actors.

The nature of the information captured during clinical trials varies, but it can include everything from demographic data (such as age, gender and ethnicity) to details about a participant's previous health history and even readings from medical devices. In other words, trials capture reams of personally identifiable information (PII).

Trial administrators have always needed to ensure that data was protected based on existing best practices. Strong intrusion detection and event monitoring tools should be deployed, and IT must ensure software vulnerabilities are patched promptly.

As clinical trial data management becomes more decentralized, however, the security risks—including cyber espionage—are growing.

How clinical trial data management is evolving

Today's clinical trials are no longer confined to a single lab or research institution. As a research paper published in the journal npj Digital Medicine explained, digital technologies are opening up new possibilities to gather data from a much wider range of inputs.

Depending on the clinical trial in question, data might be collected from smartphone apps, for instance, as a study from The Journal of Medical Internet Research showed. Other information could come from wearable medical devices. Kits have been developed that allow blood testing to be done remotely, as reported in The Scientist.

This only adds to the list of touchpoints trial administrators need to protect, such as their facilities, personnel and data that might be transmitted to and from electronic health records.

Most industries focus solely on defending against data theft or attempts to shut down their network. However, Verizon's Cyber-Espionage Report points out that attempts to gain illicit access to information, like clinical trial data, can be even more challenging to combat.

Those behind cyber espionage attacks work by stealth, either obtaining data and escaping without detection or gaining and maintaining covert persistence on the network.

In the professional scientific and technical services sector, for instance, the Verizon report showed 80% of compromised data in cyber espionage attacks were classified as "secrets." This could include clinical trial data.

Where mobile solutions could fill clinical trial data security gaps

CenterWatch, a publication serving the clinical trials sector, has warned that having data from clinical trials fall into the wrong hands could jeopardize the outcome of vital medical research. Understanding where information could be compromised or exposed is the first step to preventing cyber espionage in this area from happening.

Two of the key stages in any clinical trial, for instance, are recruiting participants and then retaining them for the duration of the program.

The latter stage is particularly important, given that participants need to report back on results of a new drug or treatment—side effects, periodic assessments, etc. If research teams don't remain compliant in terms of reporting data over time, it could jeopardize the entire trial and result in termination. Trial administrators then have to start recruiting to begin all over again.

Managed services can help here by providing tools to secure devices that become part of the flow of clinical trial data management. The right partners can also assist in securing the way participants collaborate with trial administrators through channels such as video.

Trial administrators should also be aware of the ways cyber espionage attacks work and assess the data loss prevention solutions and practices they have in place.

According to the Verizon report, the most common approach besides hacking systems via backdoors and deploying malware is social engineering. In other words, attackers might use phishing campaigns to dupe clinical trial participants or personnel into clicking on malicious links or handing over credentials.

This means everyone involved in clinical trials should get the appropriate level of security awareness training. Administrators should also think about compiling an inventory of critical data and fending off cyber espionage attacks through access controls and network segmentation.

It can be difficult for organizations to ensure compliance with all the necessary clinical trial data security areas on their own. A managed services provider can help organizations to respond to risks like cyber espionage and scale as needs change.

Discover how Verizon's managed security services can help you protect your assets and maintain the integrity of your data and applications.