Keeping clinical trial data safe – handling cybersecurity in a risky world

The development of vaccines for COVID-19 has been a masterclass in effective collaboration and applied digitisation in healthcare. However the increased complexity and involvement of different parties, exposes drug development to heightened threat levels. Abel Archundia discusses how COVID-19 has highlighted the importance of securing clinical trials against cyber threats.

A process that historically would have taken at least eight years took around ten months to complete, thanks to close cooperation and effective data exchanges between researchers, business partners, governments and international institutions. By mid-May 2021, seven different COVID vaccines were in use in at least one country, and close to 1.5 billion doses were administered to people worldwide.

Both the breakneck speed and scale of this vaccine generation and distribution were remarkable and encouraging for the future development of treatments for various conditions. They highlight the importance of mastering two positive and related trends in healthcare right now: close collaboration across increasingly complex supply chains and sophisticated use of data.

These trends combine to increase the pace of innovation and the precision of therapies. Leading academic research institutions and pharma/biopharma players exploring therapeutic areas such as immuno-oncology or cell and gene therapy no longer start ‘analogue only’ projects because of time and productivity shortcomings. Instead, principal investigators start with protocols designed with digital techniques in mind.

However, data-intensive, decentralised clinical trials also present a major risk to healthcare participants through cybercrime and data privacy vulnerability. As healthcare organisations scale up digital transformation initiatives, novel problems arise: how to share data without exposing intellectual property or patient data to bad actors?

And how is accountability for a safe and reliable collaboration changing? Evidence demonstrates there is a cost to be paid when these questions go unanswered, given the impunity with which attackers operate.

Many still think of the traditional, vertically integrated ‘Big Pharma’ corporation developing therapies and manufacturing drugs in-house. In today’s landscape, though, the average number of supply chain participants in healthcare for both R&D and Manufacturing is proliferating, often as a result of specialisation and concentration on core competencies.

This demands that organisations collaborate with others in their ecosystem to fill in the gaps. Consider how manufacturing capacity constraints required dynamic contracting to keep pace with demand in the early months of the coronavirus pandemic, including active collaboration among traditional rivals. New technologies and improved data flows among areas – for example, for production planning – are seen as essential to increased agility and will consequently become more widely used.

Clinical trial records often include very detailed information about individuals: habits and genetic information about a patient or their immune system. Criminals target healthcare organisations to gain access to these sensitive individual records – Protected Health Information (PHI), Personally Identifiable Information (PII) or Personal Credit Information (PCI) – but also for their intellectual property or trade secrets.

All are highly attractive because they are readily marketable. Studies reveal that 90% of cyber-attacks on healthcare organisations were financially motivated (Verizon, CrowdStrike). ISTARI research and DarkOwl reports show that transactions involving a health record priced them 7x higher than an equivalent financial record due to health records’ granularity and specificity.

As a result, cyber attacks within the healthcare and pharmaceutical industries have become more frequent and damaging. A recent study by BlueVoyant revealed that 16 out of 20 companies in the sector had mid- to high exposure to basic and advanced threats. If even a major health tech company such as IQVIA, which participated in AstraZeneca’s COVID vaccine trials, can be targeted, forcing researchers to track their patients using pen and paper, what of smaller companies down the chain?

Governments and regulatory bodies endeavour to improve cybersecurity by establishing stringent compliance requirements. However, it is vital to understand that compliance is not security. HIPAA in the United States, a regulatory reference, was designed to protect patient privacy but not necessarily data security. For example, it does not check password re-use or the usage of data-loss prevention tools. Regulation lags well behind risk in the dynamic bad-actor landscape and is not designed to provide guidance on enabling technical safeguards. Additionally, compliance is expensive to maintain, and information (including that of threats) remains siloed.

Therefore, it is up to individual organisations to foster a culture of resilience and vigilance, especially in those areas that work with sensitive patient and trial information, going well beyond compliance to consider what assets are most valuable for trade in the dark web. As a Global Pharma CIO, I have learned the hard way that preparation is the best defence.

  • Executive leadership and collaboration. There is a misconception that cyber resilience is driven solely by technology. In practice, the first step is to recognise it as a business imperative to be led from the top. Which are the crown jewels most worth defending? In addition, advancing the training, habits and alertness of teams adds a strong layer of defence towards improving the specificity and speed of response. The ISTARI CORE-S framework provides actionable guidelines to help executives lead with personal conviction towards better business outcomes.
  • Breach response. Executives should assume a breach is a matter of when, not if. Preparing for an incident includes checking your incident response capability and testing the chain of command. How confident are you in your data backups? Are you otherwise prepared to pay a ransom?
  • Supply chain and vendors. Urgently expand your understanding of third-party risk to consider second-and third-tier suppliers. Hold these global organisations accountable to improvement and highlight coaching and supplier-development opportunities. How is the Value at Risk distributed across your extended ecosystem?

Determined senior leadership combined with today’s cyber technology solutions and a programmatic approach across the supply chain can protect the reputation of clinical trials, the principal investigators, the company and, most importantly, the data of the participating clinicians and patients. These are the crown jewels of any R&D organisation. Treat them as such. Successful leaders recognise the competitive advantage of building cyber resilient organisations and how they enable highly performant business strategy.

About the author

Abel Archundia is the managing director of Global Life Sciences & Industrials at ISTARI, a cyber risk management company focused on building cyber resilience for businesses.