Research sites face unprecedented challenges in data security

"When people steal your private information it looks bad — it makes people nervous."

Clinical trial sites trying to ensure data security face the rapidly changing threat of increasingly small and mobile technologies capable of breaching privacy and confidentiality, experts say.

Data security and privacy issues that were top priorities 10 years ago are eclipsed by new challenges today, says Elizabeth Buchanan, PhD, director of center for information policy research at the school of information studies, University of Wisconsin in Milwaukee, WI.

For example, social websites and the transformation of formerly private websites to public sites have created numerous data privacy issues for investigators who conduct research online, Buchanan says.

Accidental security breeches can and do happen to anyone, even those renowned for secrecy and vigilance like Apple — which learned recently that one of its i-Phone prototypes was lost in a bar and ended up sold to gizmodo.com for $5,000. Lost cell phones and laptops are very common and could easily happen to any clinical trial site, says Jeffrey A. Cooper, MD, MMM, director of Huron Consulting Group of Washington, DC.

"We tend to think we can put our cell phones somewhere safe or lock our laptop in the trunk of the car and they won't be stolen," Cooper says. "But the fact is that in this day and age and with the sensitivity of information that's on a laptop, you can't just assume that."

For example, CREDANT Technologies of Addison, TX, reports that more than 30,000 mobile phones and thousands of laptops, iPods, and memory sticks are left behind in New York taxicabs every six months to a year, Cooper says.

"You should assume that these devices will get lost or be stolen, and you should have something in place so your subjects will not suffer the consequences of that," he says.

There also have been some notorious cases in which researcher's laptops were stolen for the hardware, not for the data.

"The problem is when people steal your private information it looks bad, and it makes people nervous," Cooper says.

Cooper and Buchanan offer these ideas of high-tech security issues and how to deal with them:

Disappearing mobile devices: Clinical trial sites should assume that an investigator or coordinator or someone else involved with research will lose a mobile device with research data at some point in time.

"The general vulnerability is the same, but now it's applied to smaller things that get lost more quickly," Cooper says. "People need to no longer consider the loss of a mobile device or even the loss of a computer as being an unanticipated event."

There are a number of ways CT sites can improve mobile device security.

"The number one thing an investigator can do is encrypt his mobile devices," he adds. "That's certainly possible to do, and it's relatively inexpensive, and it provides a very large amount of protection."

Another simple action to take is to use password protection on mobile devices whenever it's possible, he says.

If research staff is using USB memory sticks or flash drives to transport CT data from one computer to another, then they should secure these with encryption software.

"I use TruCrypt, which if you type it into the Internet, you'll find a website where it can be downloaded for free," Cooper says. "It's industrial strength, and you can completely encrypt the USB drive so it will save the data securely."

The only way to read the encrypted memory stick would be to run it through TruCrypt, using the password the user created.

"When you type in the password it appears to be a non-encrypted device on your laptop, so you copy it, take it off," Cooper says. "It's not difficult to use, and it's pretty straightforward."

Handling IP addresses: Information studies, research in computer science and engineering, and epidemiology are among the areas that use transaction log analysis. Buchanan notes.

"This is where you look at IP addresses to see where people are coming from, what kinds of access points there are and so forth," she explains. "It's a means of looking at patterns in usage."

In the European Union, the governments consider IP addresses to be a form of identifiable information. The United States does not treat IP addresses this way, she adds.

"Late last year, the EU said the IP address is personally identifiable, and, as such, it should be considered open for ethics board review," Buchanan says. "As researchers now do trans-border research using the methodology of transaction logs, they might be faced with two different realities."

First, they might never have to go to their U.S.-based IRB when doing a transaction log, but if some subjects are based in the European Union or Canada, there's a very different reality, she says.

"This is something that's starting to bubble up because the Internet is global," Buchanan says. "It's great, but it's also confusing because there are different regulations and different approaches to understanding the Internet."

Backing up data: CT sites need to regularly back up data or risk data not being available when needed.

They can do this by investing in external hard drives that easily connect to laptops and desktop computers, or they can have tape back-ups, Cooper says.

"There are two issues in backing up data, and the first is considering the loss of data," Cooper explains. "The second is about business continuity."

Research site managers and investigators should consider both of those issues when determining how much they are willing to invest in data back-up.

"Usually the back-up is a cost in terms of time and money, so you have to balance that cost versus how much you're willing to live without the data for some period of time," he says. "Consider how much you're willing to lose in data."

If an investigator believes that losing a week's worth of data would be undesirable, but not a disaster, then the goal should be to back up data once a week, he suggests.

"If you want to back up data daily, then do it daily," he adds.

To some people it might be worth the additional effort to back up data each time they make a change, but for most the trade-off would be at a longer interval for backing up data.

To maintain business continuity, a site might invest in out-of-region data back up.

For instance, some CR sites in New Orleans, LA, lost their research data when Hurricane Katrina struck, followed by flooding. Sites that used data back up at off-site locations where the hurricane was not an issue, were able to retrieve most data fairly quickly.

Many hospitals use off-site data back up, and companies like SunGard in Wayne, PA, specialize in this field, Cooper notes.

"They house computers for major companies and have computer software pre-set," he adds. "So if your computer system blew up, they could flip a switch, and you're connected to back-up hardware."

This type of solution is very expensive, so research sites have to weigh the potential benefits with the cost by asking themselves these questions:

  • What are the potential disasters in our area?
  • What is the cost of mitigating them?
  • What are we willing to live with?

There are other options, as well. For instance, a clinical trial site could buy its own computer to use as a back up in a remote location.

Cooper once used this back-up method, spending money on the initial computer equipment and then paying a monthly fee to access the remote computer for backing up data. For even more money, sites could use a rent-a-server for $300 to $400 a month, he adds.

"You could do periodic tape back-ups and store them offsite," Cooper says. "Another thing you could do is store things on a cloud server that has less security to it, but you'd have to make sure the back-ups are encrypted."

Protecting passwords: Another risk to CR sites is the potential of a lost password.

"If you lose your password, you're in trouble," Cooper says.

"There are programs that will simply encrypt your hard drive, so that anything you put on there is encrypted," Cooper says. "The only thing you have to be careful of is if you have a strong password and lose it."

It's like having your valuables in Fort Knox and losing the key, he adds.

"When people die at a site, problems can happen," Cooper says. "I periodically give all my passwords to my wife to keep somewhere safe."

For research sites, the password back-up might be in a safety deposit box or safe or locked drawer.

"If there's a laptop on a desk, and a password is in a locked drawer, then I'll assume that password goes with that laptop," Cooper says. "If the password is located somewhere else in the building then it's safer."