IRB takes data storage to the cloud

Accessibility advantages to using cloud storage

IRBs run on data and paper — and lots of it. Some organizations may find themselves running out of space to store the reams of paper that are needed to catalog the scores of research and submission data. This has led some IRBs to look for alternative methods of data storage. But an IRB can’t live without paper — or can it?

To solve this problem, some IRBs have turned to electronic systems and cloud storage. “The cloud” refers to an off-site place, usually the Web, where data is stored. There are no in-house servers or computer systems used for the storage. Examples of cloud storage include Web-based email programs, online document sharing programs, or sites from where users can stream videos. Basically, “it’s just a big spot to store stuff,” says Walden Leverich, CEO of Tech Software in Melville, NY. The non-cloud alternative, he says, is in-house installed servers and desktop systems.

With cloud storage, researchers can easily move files between people. Everyone involved with the IRB or a particular study can access the data remotely without having to worry about being blocked by the institutional firewall. And, as Leverich points out, getting IRB and research data access for anyone outside of the institution can practically take an act of Congress to get approved.

“There are a lot of things they don’t want outside people to get at,” he says. The issue, though, is that IRB members and researchers may do a lot of after-hours work from home and may have difficulty getting behind the firewall. “Hosting a cloud-based solution, they can get into it with their password,” he says.

“The beauty of having the databases is we can access them from anywhere,” says Kimberly Irvine, CIP, CIM, executive vice president and chief operating officer of Biomedical Research Association of New York (BRANY). “It makes it a lot easier to make information available to a wide variety of people and makes the information available at a variety of locations.”

BRANY has been using cloud databases since 2000. Instead of uploading everything to the database all at once, the IRB slowly phased it in until all the documents were electronic. IRB members received one-on-one training and webinars to learn the system. Once everyone got used to it, the IRB expanded to using electronic submission forms for researchers.

“IRB members are able to access information from anywhere with the right permissions,” Irvine says. “There’s so much more flexibility in the process — people don’t have to sit in a room and fumble through the paper. When we first started expanding to electronic databases, we had the naysayers who said they still needed their binders and paper and were skeptical, but now they are amazed of all they can do with the workflow available. That’s been kind of interesting to witness.”

There is also an infrastructure advantage: All that’s needed to access the cloud is an Internet connection and a browser. “There’s no software, no need to wonder whether it’s set up on certain machines,” Leverich says. “The IRB doesn’t have to worry about data backups being done, or about maintaining servers involved — that’s all on the cloud provider.”

Keeping everything secure

Certainly one of the biggest questions when considering a cloud system is security. Will sensitive research participant data be kept safe? Keeping the data secure is not just up to the cloud provider — IRB members must also do their part to keep information safe.

“Our job is to make sure things stay secure and compliant, though it stays compliant to the degree we can keep it compliant,” Leverich says. “The in-house user community is still using the system. If the in-house staff doesn’t do their job in security, we can’t do ours.”

For example, “If you’re a user and you log into that system at Starbucks and you walk away and leave the screen up, that’s a big security risk,” he says.

Part of keeping data secure in the cloud system is to educate IRB members on their roll in the process. “You have to educate the users to know that they’re not supposed to share passwords and access with others,” says Raffaela Hart, BS, CIP, CIM,vice president of IRB and IBC Services at BRANY. “They have to help maintain security. Sometimes submissions have information related to the research visits, and that could contain info that may be identifiable. We have to worry about that, too.”

“It brings a new set of concerns because third-party providers are now sort of mediating the relationship between researcher and subject,” says Michael Zimmer, PhD, assistant professor and director of the Center for Information Policy Research at University of Wisconsin-Milwaukee. For example, if a researcher is using Facebook sidebar ads to recruit subject for a study on drug use, Facebook would know if a person clicked on that particular ad. The concern that arises is whether Facebook would then collect and use that data for other purposes, such as marketing. “That takes extra work to be concerned about what Facebook knows about the research subject — do we need to be worried about Facebook collecting data? The challenges with cloud services is that it presents all these issues IRBs may not have thought about before,” Zimmer says.

“A lot of times the concerns make sense — the level runs the gamut from ‘I’m not worried about it’ to ‘It’s a big, important thing for the contract.’ Different IRBs have different needs — it’s the nature of local context like everything else,” Leverich says. “Community needs and risks are different. All IRBs have different acceptable risks for the cloud component.”

Making the switch?

Here are a few points for IRBs to consider when thinking of switching to a cloud-based system:

  • Before you do anything, vet potential cloud vendors. Be sure to perform due diligence into a company’s practices, security, and facilities before deciding to make the switch. “Find out where the vendor secures their data, what server facility they’re using, if they have the right security and backup procedures in place — those were things we took into consideration when vetting the vendor,” Irvine says “We looked at where they were housed and where they would be in proximity to us.”
  • Have a plan in place when switching from a paper-based system to an electronic interface. “It’s going to be a transition for researchers and reviewers who are used to a paper system,” Leverich says. “You’re going to have to have a process in place for dealing with that transition.” And when moving to electronic processes, some IRBs take the opportunity to reconfigure work flow and submission forms. “Make sure you have a plan in place before choosing a new solution, or work with your solution provider to develop one early on,” he says.
  • Consider whether you want a fully paperless system, or want the system to mirror the paperwork. “It all really relates to your IRB process. If you meet in a room all the time, maybe it’s worthwhile to have paper or have documents in front of you,” Hart says.
  • Think about how the IRB’s standard operating procedures (SOPs) could be affected. For example, going paperless may mean documents will no longer require a hand signature, though signature requirements may be listed in the SOP. “What do you do if you don’t have a signed document?” Irvine says. “If you’re moving to something paperless, then all your SOPs need to be changed to not require signatures anymore. Think of all the things that lead up to having documents signed and what you have to modify. We were recently working through that and didn’t realize how many times we talked in the SOPs about signing documents.”
  • Who will own the data? If the cloud system is managed by a third party, there may be some concern from IRB members and researchers about whether the management company will own the data — or, worse yet, share or sell the data to other companies. “You want to make sure when you’re choosing cloud services that it’s clear you’re not giving the service your data,” Zimmer says. “You’ll want to know if there’s anything in the contract about whether to share the data with anyone. I would suspect they would all say they don’t, but you want to validate.”

Some things to clarify with cloud management services, Leverich says, include: How will you get your data out if you decide to switch providers? Are you the only person using that data, or can the cloud provider aggregate that data and do things with it? What’s the stewardship of that data, and what are the restrictions? What are the tracking and auditing capabilities in the system for changing data?

The risks of data sharing, Zimmer says, are almost non-existent. “Most of the contracts protect against these things, and most companies would go out of business if they were selling the data,” he says.

Zimmer also suggests considering what kind of encryption a cloud system has, and whether a clinical trial participant’s IP address can be logged in a way to allow re-identification.