With all the data breaches and accidental employee leaks, it’s difficult to find a truly secure and HIPAA compliant place to store and share sensitive medical data, especially when it comes to clinical research and trials.
Maintaining the privacy of documents and information collected and maintained during a clinical trial is very important to the success of the trial. On the patient side, they are giving up personal information including their schedules and habits as well as complete medical histories. This is a barrage of information to entrust to those in an industry that often gets ranked one of the highest when it comes to data breaches.
According to the IBM-sponsored 2016 Cost of Data Breach Study: United States, healthcare (and financial services) have the most expensive breaches because of compliance fines and a “higher than average rate of lost business and customers.”
On the clinical side, the original data, plus all of the data collected from the trials are a very important part of the trials. This intellectual property must be kept private and secure until trials are completed.
Not only is there a risk of clinical espionage — stealing and selling of results and proprietary research, but a risk to the development of a pharmaceutical, medical device or procedure that could make vast improvements to the health of a number of people around the world.
The Trouble with Clinical Research Management Platforms
While platforms like OnCore give clinical researchers an entire platform to work with, it’s just one of many platforms that hospitals and labs use for managing clinical data. Some trials can force research specialists to use 5 or more electronic data capture (EDC) platforms to manage the substantial amount of sensitive information that comes along with the trial. Even worse, the platforms research specialists use can change every study.
The chances of a data breach are enhanced by constant platform changes, the human error involved in learning each of these systems and the different ways to manage data within them.
In fact, in 2013, the highest authority in drug evaluation and research, the FDA, had a study breached — likely due to a combination of these types of issues. The FDA’s Center for Biologics Evaluation and Research had 14,000 accounts compromised, revealing everything from critical trade secrets to sensitive personal health information (PHI) of patients.
While the FDA refused to go into details of the breach, wary of exposing further any vulnerabilities, it was suspected that they weren’t encrypting passwords. The FDA also advised 5,000 of those users to change passwords and to monitor their credit reports.
How does stuff like this happen? According the CenterWatch, it can often be the error or negligence of employees. Hackers can cast a wide net by creating phishing emails that are designed to look like internal emails. Employees not realizing the difference can click on links contained within the emails and then enter credentials when prompted. And just like that, a hospital that was simply part of the hacker’s widely cast net suddenly becomes the target.
99 Problems and Intellectual Property Theft & Data Breach are Two
On a global scale, the effects of a breach and theft of clinical trial research causes long-lasting damage. Breaches like the 2013 FDA event give an unintentional opportunity for foreign countries or companies to take advantage of pharmaceutical discoveries without ever having to put efforts or money in the R&D of it.
It’s not been released yet how the The New York State Psychiatric Institute was breached this summer. The Institute is part of the New York-Presbyterian University Hospital of Columbia and Cornell, a hospital ranked #1 in New York City and #3 nationally in adult psychiatry services.
But between the dates of April 28th and May 4th, 2016, parts of the institute’s systems were hacked, affecting over 21,880 different individuals. It was not publicly announced until June 17, 2016, allowing 50 days to elapse before these individuals could put any sort of identity protections in place.
It went beyond PHI, though, to an even worse situation. When hackers broke into these servers, they gained access to 11 different mental health studies that covered topics ranging from the experiences of children who were exposed to the events of September 11th, the mental health status of students from schools in Queens and Washington Heights and emotionally disturbed youth and their caretakers in Westchester County.
This adds a very human element to a very vulnerable population. A population that was likely to be re-traumatized by these breaches.
The hospital’s spokesperson said many of the records accessed were coded and hackers would likely have to reverse engineer the data to decode it. However, none of the data was encrypted, because it wasn’t considered “practical during active research.”
Build A Better Data Prison
In this rundown of major flaws of how the healthcare industry, including clinical researcher user error and the handling of critical PHI and trial data, two things become immediately apparent. First, these organizations, whether in healthcare, life sciences, biotech or pharmaceuticals, must find ways to decrease employee error and negligence. Second, there needs to be a stronger investment in platforms that offer encryption of data both at rest and during transfer.
To the first point, this is where businesses can take security into their hands. With a data management platform that includes file sharing and storage, IT personnel have control of granular user permissions and roles to dictate who has access to what data and when they have it. Everyone in the company should not have any more access to data than necessary. IT will also have individual control of what can happen with each document or file, whether it’s to set expiration dates, download limits or passwords on it.
Additionally, and this is very important when it comes to breaches, the IT department should have access to the movement, location, access and IP addresses of every user. They need to understand the full lifecylce of this data. This will be important in identifying where breaches come from, if they are breached at all. But it can be used for prevention. If the platform offers visual dashboards, it’s easier for IT to track typical traffic and to notice when something out of the ordinary occurs. On top of this, there needs to be security training for employees as well as specific regulations in place, as well as confidentiality agreements.
If NYSPI had better encryption, they could have avoided their breach. That would have been data the hackers could not have read, even if they had captured it. Platforms should have no less than 128-bit encryption and stored at rest using AES 256-bit encryption. At 128-bit, a supercomputer would theoretically take a billion years to decrypt that data.
Where Can You Find This Data Prison?
SmartFile delivers an on-premises file management platform, called FileHub to help organizations manage and safeguard sensitive information. It gives your team the necessary tools to manage the research, documents and files they use on a day to day basis. This includes everything from access to internal and even external secure file sharing.
FileHub also gives IT insight into the activity and behaviors of the users and their files. You can contact a sales consultant to learn how FileHub can be integrated into your network.
Concluding Thoughts
Protecting any healthcare documents, especially clinical research and trial documents, should be a top priority of the healthcare industry. While tasks like clinical trial data sharing are important, if handled poorly by the researchers or IT, the trial can be put at risk. In the future, with proper training, care and technology, these organizations can do a better job of protecting their intellectual property and their most vulnerable individuals.