
According to the study Securing Healthcare IT Systems: Addressing Cybersecurity Threats in a Critical Industry, the pharmaceutical industry's "dependence on the technology aspects has also resulted in increased vulnerability from attacks by hackers and other unauthorized persons on the internet."
More specifically, the study mentions how clinical trial management systems (CTMS) have become integral in pharmaceutical operations. These systems handle the complex trial logistics, patient recruitment, data collection, and regulatory compliance.
As the study notes, "[CTMS] are involved in the entire testing and development phase of drugs...handling huge amounts of data which ensure that the systems run efficiently and securely." These systems also manage data integrity and security throughout clinical trials, making them a major target for cyberattacks.
Threats in clinical trials
Pharmaceutical companies often rely on technological advancements to store and analyze patients' protected health information (PHI) throughout clinical trials, research and development, manufacturing, and distribution.
The study notes that threats like "malware, ransomware, phishing, social engineering, insider threats, advanced persistent threats (APTs), and data breaches, have continuously caused loss of personal data as well as financial loss for companies."
A significant threat is ransomware, where cybercriminals use malicious software to encrypt a victim's data and demand a ransom to restore data access. The study explains, "Ransomware software is used to encrypt the data in a victim's computer, rendering it inaccessible until a ransom is paid."
A Microsoft Threat Intelligence analysis of 13 hospital systems found that "93% of the malicious cyber activity observed was related to phishing campaigns and ransomware, with most activity represented by email-based threats."
Jack Mott, enterprise email threat intelligence and detection engineer at Microsoft, explains, "Email remains one of the largest vectors for delivering malware and phishing attacks for ransomware attacks."
For example, in 2017, the WannaCry ransomware attack crippled the UK's National Health Service (NHS), leading to canceled appointments and disrupted services, and eventually impacting global healthcare systems.
Phishing attacks use seemingly legitimate emails to deceive individuals into revealing PHI. "Phishing is a common method where attackers send emails that deceive the receivers with the hope that they will reveal their passwords through clicking of links," Securing Healthcare IT Systems states.
Insider threats, whether intentional or unintentional, are also a major risk to clinical trial data. The study points out that "almost 70% of all the cybersecurity threats are attributed to insider threats," with most threats resulting from human error. For example, an employee might inadvertently send PHI to the wrong client or leave a computer unattended, allowing unauthorized access to sensitive trial data.
Advanced persistent threats (APTs) infiltrate systems over time, silently collecting sensitive information. In clinical laboratories, these attacks can go undetected for months, siphoning research data and potentially compromising years of work.
Data breaches can also occur when hackers exploit vulnerabilities in lab systems to steal personally identifiable information (PII), medical histories, or proprietary research data. Recently, a DM Clinical Research database of over 1.6 million clinical trial records was exposed online without password protection, potentially compromising sensitive patient information.
How HIPAA protects patients' PHI
HIPAA mandates that covered entities, including clinical trial researchers, safeguard patients' PHI.
As the study explains, "HIPAA requires that organizations must encrypt patient data in storage or transmission at all times." So, even if data is intercepted during a clinical trial, it cannot be accessed without the appropriate decryption key, mitigating the risk of unauthorized access.
Another HIPAA requirement is conducting regular risk analyses to identify and address potential threats before they are exploited. "Risk analysis should be conducted on a regular basis to identify any potential threats on time," the study advises.
HIPAA also mandates strict access controls to prevent unauthorized access to patient PHI. Organizations must "enforce access controls in electronic systems to prevent any unauthorized entries," so only authorized staff can access clinical trial data. For example, lab technicians might only need access to test results, while pathologists may need access to the full patient history.
FDA guidelines on clinical trials
In addition to HIPAA, pharmaceutical companies involved in clinical trials must comply with the Food and Drug Administration (FDA) guidelines. The FDA's regulation "21CFR Part 11 governs the use of electronic records and electronic signatures in place of traditional paper records and handwritten signatures in FDA-regulated activities."
For example, suppose a pharmaceutical company conducts a trial for a new diabetes medication and uses an electronic data capture (EDC) system to record patient information, adverse events, and drug efficacy results. 21 CFR Part 11 mandates that the company implement:
- Audit trails: Every modification to patient data, like a dosage adjustment or an updated adverse event report, is automatically logged with a timestamp, the username, and the reason for the change.
- Access controls: Only authorized clinical researchers, site investigators, and FDA auditors can access specific trial data.
- Validation processes: The EDC system must be validated to confirm that it accurately captures, stores, and retrieves data.
Ultimately, pharmaceutical companies must comply with these requirements to maintain clinical data integrity and avoid potential violations.
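As an added illustration (not code from the article or the study it cites) of the access controls and audit trail described above and in the HIPAA section: a minimal Python model of an EDC record in which the role names and field permissions are assumed, every change must carry a reason, and the trail is hash-chained so that an altered or deleted entry is detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role-to-field permissions, modelled on the article's example:
# technicians see test results, pathologists the full patient history.
ROLE_FIELDS = {
    "lab_technician": {"test_results"},
    "pathologist": {"test_results", "medical_history", "dosage_mg"},
    "site_investigator": {"test_results", "medical_history", "dosage_mg", "adverse_events"},
}

def _digest(entry):
    # Hash every field of an audit entry except its own "hash" slot.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EdcRecord:
    def __init__(self, patient_id, **fields):
        self.patient_id = patient_id
        self.fields = dict(fields)
        self.audit_trail = []  # append-only; each entry links to the previous hash
    def read(self, role, field):
        if field not in ROLE_FIELDS.get(role, set()):
            raise PermissionError(f"{role} may not read {field}")
        return self.fields[field]
    def update(self, user, role, field, new_value, reason):
        # Access control: the role must be allowed to touch this field.
        if field not in ROLE_FIELDS.get(role, set()):
            raise PermissionError(f"{role} may not modify {field}")
        # Part 11 audit trail: refuse any change without a documented reason.
        if not reason or not reason.strip():
            raise ValueError("a reason for the change is required")
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "field": field,
            "old": self.fields.get(field), "new": new_value, "reason": reason,
            "prev_hash": self.audit_trail[-1]["hash"] if self.audit_trail else "0" * 64,
        }
        entry["hash"] = _digest(entry)
        self.audit_trail.append(entry)
        self.fields[field] = new_value
    def verify_trail(self):
        # True only if no entry has been altered, reordered or removed.
        prev = "0" * 64
        for e in self.audit_trail:
            if e["prev_hash"] != prev or e["hash"] != _digest(e):
                return False
            prev = e["hash"]
        return True
```

In a real EDC system the trail would live in write-once storage outside the application's own database account, so that a compromised application cannot rewrite its own history.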
Cybersecurity best practices for clinical trials
Implement a comprehensive cybersecurity strategy
The study suggests, "A comprehensive cybersecurity strategy...should be determined keeping in mind the company goals and objectives as well as the mission statement." These should include cybersecurity measures that safeguard clinical trial data, patient information, and intellectual property.
Have a Chief Information Security Officer (CISO)
A CISO can help organizations conduct regular risk assessments, develop cybersecurity policies, and train employees on cybersecurity threats and best practices. "CISOs must prioritize training and awareness programs to educate employees, vendors, and partners about the importance of cybersecurity," the study adds.
Invest in cybersecurity technology
The study also recommends that organizations invest in cybersecurity technology like encryption software, intrusion detection systems, and multi-factor authentication to protect sensitive data.
Preparing clinical laboratories for cyberattacks
According to a review on cybersecurity and information assurance for the clinical laboratory, clinical laboratories must now operate under the assumption that a cyberattack is a matter of "WHEN, not if."
Moreover, when a cyberattack occurs on an interconnected healthcare information system, it is likely to impact laboratory operations, often in a "significant to catastrophic way."
Historically, such large-scale shutdowns were considered unlikely and "difficult to comprehend/prepare for," but the past five years have proven otherwise, as evidenced by the review.
More specifically, laboratories should have "active cybersecurity education and training for laboratory staff." Institutions must also establish comprehensive response plans, including "robust incident response, information system contingency, continuity of operations, and disaster recovery plans for each laboratory/section."
For hospital-affiliated laboratories, these plans must align with "institutional cybersecurity incident response plans," as IT recovery efforts will largely be managed by central hospital IT teams. Laboratories must also recognize that critical patient care processes will take precedence when IT teams prioritize system restorations.
These response plans should include "communication and managing expectations for staff and clinical partners." For example, coordination with hospital departments, administration, IT teams, vendors, and outreach/reference lab clients can help set expectations about "what will be possible vs impossible during extended downtimes." Additionally, less-critical operations should be "triaged accordingly and granted longer allowances for recovery time."
Testing and training should be done regularly to measure the effectiveness of response plans and familiarize staff with cybersecurity procedures. Organizations should also keep backup systems and offline processes for laboratory operation in case of digital system compromise.
Multi-factor authentication and access control should be implemented to prevent unauthorized use of laboratory information systems, while data encryption and secure storage can assist in protecting against exposure of sensitive patient and research data as a result of cyber incidents.
Communication security is another major component of laboratory cybersecurity. Staff must use HIPAA compliant email and text messaging solutions, like Paubox, when sending confidential patient or lab information to safeguard patient PHI and prevent potential data breaches.
Laboratories should also consult cybersecurity experts to keep up with the latest threats and countermeasures.
Lastly, organizations must conduct a post-attack analysis to identify vulnerabilities, improve protocols, and prevent future breaches.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What is ransomware?
Ransomware is malicious software that encrypts a victim's data, with attackers demanding payment to restore access or prevent data leaks.