With banking, stock trading, and now health records becoming electronic, what’s stopping someone from obtaining every detail about our lives? In clinical research, keeping Protected Health Information (PHI) – patients’ personal and identifiable information — secure is the key concern. Losing this means potentially harming the patient, running afoul of laws like HIPAA, and eroding the integrity of your research, as well as your ability to conduct future meaningful research. Let’s look at how this plays out in the real world.
Take Lynn, lead coordinator conducting a diabetes clinical trial at a community hospital, who happens to also be my mom. To save herself and her team unnecessary headache from disorganized regulatory and source management, she decided to make the move from paper records to electronic with a new online system. She didn’t know very much about the details of how the software worked, but it made very bold claims for quality features and an impenetrable security system.
The team switched to digital, and for a few months everything was finally going smoothly – quick document upload, clean organization, and easy communication between coordinators. Then on a Monday morning, Lynn came into work, went into the system to check on some documents awaiting PI signatures, and everything was wrong. Patients records had been tampered with, moved around, and even deleted, and the software tools no longer worked – they had been hacked.
Learn more about how to make the transition to digital securely.
How could this have been avoided? What questions should Lynn have asked before considering this new tool? Knowing the basics can go a long way in protecting your information, and we’ve done our research to help find these answers.
Possible questions to ask:
- Is this HIPAA compliant?
The very first question, before going any further, should be about HIPAA. If you are not 100% certain that a software is completely in line with HIPAA regulations, it’s not worth your time. At Florence, we make sure that every hosting environment we work within has proof of HIPAA compliance to keep all our partners safe.
- Is my research protected at in transit and at rest all times?
This might seem like a feature that should happen automatically, but not necessarily. Data should be protected as it is sent back and forth from your browser to our server, and also while it sits in our database in storage. Different approaches to encryption make this possible but they might not always be there. Be sure your vendor uses SSL in transit and uses strong encryption mechanisms at rest.
- How is my data being protected?
Ask about encryption, or converting information into unreadable code that cannot be deciphered by unauthorized users. There are 2 types:
– Goal: Significantly lowers the probability of a hacker accessing data if the PHI database is somehow compromised
– How?: All PHI data is encrypted before storing in the database,and is decrypted only after retrieving from the database using security keys retrieved from a secure location, not the actual program code.
– Goal: Provides an even higher level of security by encrypting all data at the hardware level
– How? Per guidance from NIST Special Publication 800-111, a hosting provider can encrypt all PHI data from any server by using a master key. For example, Florence uses Amazon Web Services as a hosting provider.
- Does the vendor have digital Standard Operating Procedures (SOPs) in place?
SOPs not only ensure that your vendor is delivering reliable applications through planned processes, but they also ensure vendor employees will treat your application and data responsibly. Don’t be afraid to get into a vendor’s knitting to ensure your data is safe.
Before using a software for storage and management of protected information, these questions need to be asked. If the answers cannot be provided, you should move on quickly.
It’s also worth noting who already uses that program. Is it completely brand new with no users or has someone validated it? In this case, it’s comforting to hear that others have taken the initial risk for you. For example, in the last month Florence passed security at the largest research institution on the west coast of the US (send us an email for details).
How might have Lynn’s story ended differently? If her team had followed a security checklist during vendor evaluation, she would have been in a different place. In review, here’s a five-item checklist of what to ask about the next time you talk data security with a research vendor:
- Is this HIPAA compliant?
- How do we onboard it at our site to maintain HIPAA compliance?
- Is this 21 CFR Part 11 compliant?
- How is data encrypted; what standards do you use?
- How is your application secured?
- Are SOPs in place at your organization? Are there special SOPs we should follow while using your application?
At Florence we have a both a Chief Security Officer and a GCP team with FDA audit experience. They can help you make the digital transition—whether you’re using our digital system or our competitors. Send us an email at firstname.lastname@example.org or request more information about keeping your data and documents safe and secure.