Following the recent "One-Stop Shopping for Clinical Trial Management: The Value Proposition of a dCRO Paradigm" webcast, I collaborated with Lisa Jamba (Service Line Architecture Specialist) and Mike Trudnak (Executive Director, IT) to answer attendee questions. The post below is a reflection of our efforts.
Question: Given the ability for all to access the trial data, how do you handle the security of this critical information?
There are multiple layers of security that help to protect trial data captured in TEMPO™ – physical security, software security, and IT security policies.
For physical security, both the primary and the geographically dispersed secondary Clinipace data centers have proximity access controls to ensure only authorized personnel can enter or exit the facility, and they monitor the contents inside with a variety of technologies. Proximity controls include two-factor authentication requiring both a verified hand scan and a pass code.
Round-the-clock (24/7) monitoring includes a combination of on-site security guards and sensor-driven security cameras. Within the facility, all Clinipace equipment is locked inside racks, and a second layer of locked cages is available.
Software security involves using secure coding practices during the software development lifecycle and putting mechanisms in place to prevent unauthorized access. To check for vulnerabilities, random automated security audits of TEMPO™ sites are performed so they can be certified as “Hacker Safe”, which meets the security audit requirements for web site vulnerabilities for the following:
- Children’s Online Privacy Protection Act of 1998
- Health Insurance Portability and Accountability Act of 1996
- Gramm-Leach-Bliley Act: protecting financial information
- Sarbanes–Oxley Act
- Government Information Security Reform Act: vulnerability scanning requirements
To protect the network, Clinipace uses Check Point’s FireWall-1 UTM (Unified Threat Management), which is the industry’s number one firewall solution delivering the very best first line of defense. Using INSPECT, the most adaptive and intelligent inspection technology, FireWall-1 integrates both network and application-layer protection. As the industry’s leading Internet security solution, Check Point FireWall-1 provides the highest level of security, with access control, attack protection, application security, intrusion prevention, content security, authentication, Quality of Service (QoS), and Network Address Translation (NAT). For additional protection, all computers attached to the Clinipace network must have supported anti-virus software and be checked at regular intervals.
IT security policies provide a final layer of security for clinical trial data. A comprehensive set of policies and standard operating procedures (SOPs) is needed to clearly outline who can create, modify, and delete TEMPO™ accounts, along with the training requirements of users, password management, login failures, and timeout limits. User access levels are controlled through scoping accounts to roles on a ‘need-to-know’ basis. Password management includes forcing password expiration, storing passwords in an encrypted state, masking passwords during login, providing guidelines for building strong passwords, and formalizing that password sharing is prohibited. Failure limits ensure that unusual activity is flagged and evaluated, and timeout limits help protect data by automatically logging off a user after extended inactivity. Before users are ‘let loose’ in TEMPO™ to enter and review data, they must attend training where the relevant IT policies are reviewed. It is important that every user realizes they also play a role in this complex security structure.
Question: How do you deal with confidentiality and privacy issues?
In most studies, clients do not collect data that would be classified as personally identifiable. While TEMPO™ is highly configurable to accommodate the data needs for a trial and could collect this type of information, Clinipace discourages clients from storing such data in the application. Any data that is stored is protected by the security controls discussed above.