BARRING THE ELECTRONIC DOOR: HOW TO SECURE MOBILE DEVICES USED IN CLINICAL TRIALS

In the foreseeable future, biopharmaceutical companies that do not allow those working on clinical trials to have mobile access to the systems and data they need, will be at a competitive disadvantage. Internal users, investigator sites, Clinical Research Organizations (CROs), central labs, and other vendors all have a growing expectation that they can access trial data and applications “where they live,” in other words, on their mobile devices. Indeed, worldwide usage trends and prospective productivity gains make a compelling case for moving in a mobile direction. However, some inherent security risks complicate the landscape significantly, and decision makers should proceed with their eyes wide open. Here, we discuss the leading security risks to consider and offer recommendations on how to mitigate or avoid them.

By Richard Wzorek

MOBILE USAGE CONTINUES TO GROW

IN THE PAST FIVE YEARS, THERE’S BEEN A SUBSTANTIAL INCREASE IN THE NUMBER OF INTERNET USERS WHO RELY EXCLUSIVELY ON MOBILE DEVICES

1 http://www.marketingcharts.com/online/in-the-us-time-spent-with-mobile-apps-now-exceeds-the-desktop-web-41153/

2 http://www.marketingcharts.com/online/us-now-sees-more-mobile-only-than-desk-top-only-adult-internet-users-54072/

3 http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-network-ing-index-vni/white_paper_c11-520862.html

4 http://www.scality.com/100-exabytes-makes-big-data-look-tiny/

5 http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-network-ing-index-vni/white_paper_c11-520862.html

6 Clinicaltrials.gov, ISR Phase II/III trial trends report

THE CASE FOR MOBILE ACCESS

Mobile devices are now ubiquitous, with their usage long since eclipsing that of desktop devices. The crossover happened in 2014, and the gap continues to widen in favour of mobile computing.1 What is more, over the past five years, there has been a substantial increase in the number of Internet users who rely exclusively on mobile devices.2

Cisco systems are forecasting that by 2019, about 24 Exabytes (a billion Gigabytes) of data will be transferred to and from mobile devices each month.3 To put this intangible number into perspective, consider that a single Exabyte could transmit 119 billion songs that would last for 906,000 years.4

Mobile usage is also spread across the globe. The regional share of the data traffic forecasted above is expected to be:

Share of data traffic:5

Between 2012 and 2015 there has been double digit growth in the in the number of clinical trials in most regions of the world. The Asia Pacific region has seen material clinical trial growth led by countries like China (71%), Japan (54%), and India (37%). This growth in clinical trial volume is from the region that is forecasted to have the most significant mobile data volume over the next five years.

Given the popularity of mobile devices, it is no wonder that those involved with clinical trials—and most especially clinical investigators—would prefer to have the information and tools that they need to do their jobs accessible on smartphones and tablets. For instance, it is much more efficient for investigators to be able to work with clinical trial tools that are imbedded in their workflow for providing the standard of care than it is for them to have to switch systems and transport data from one device to another.

39+16+14+13+10+8Asia Pacific 39.1%

North America 15.7%

Central & Eastern Europe 14.4%

Middle East & Africa 12.5%

Western Europe 9.99%

Latin America 8.4%

Global Spread of Clinical Trials:6

HEALTHCARE INSTITUTIONS HAVE CAP-TURED THE ATTENTION OF CYBER-CRIMINALS

HEALTHCARE DATABASES CONTAIN VAST AMOUNTS OF PERSONALLYIDENTIFIABLE INFORMATION THAT DOESN’T “EXPIRE”

HACKERS AND FRAUDSTERS AND THIEVES, OH MY!

Cybercrime—the use of computers and the internet to commit criminal acts—includes infecting computers with malware, identity theft, theft of information for resale, and corporate espionage. It is a very mature and sophisticated business, as EMC2 explains:

The once-popular hacker stereotype of a lone, alienated techno-nerd breaking into an organisation’s systems for fun has given way to a truly frightening reality of coordinated groups of innovative cybercriminals who collaborate, facilitate, and strike aggressively. They rely on a range of advanced cyber-attack methods and social engineering techniques to steal sensitive data and then cash out in the real world, or in the same underground market where demand is well-publicised and fraudsters are well compensated.7

While financial institutions and retailers were once the primary targets of such crime, cybercriminals have now trained their sites on the healthcare industry. Statistics compiled by Go-Gulf indicate that the medical / healthcare community is now the most common target of cybercrime, with the banking, credit card, and financial industry being the least common.

Hospitals and clinics, specifically, are highly popular targets for cyberattacks, while also generally ill prepared to fend off intrusions. According to a KPMG study, 81 percent of healthcare executives admit that their organisation has been compromised by some form of malware, and only 53 percent consider themselves prepared to defend against cyberattacks.8

Healthcare institutions have captured the attention of cybercriminals for several reasons:

• The exchange of electronic healthcare information is a relatively recent phenomenon, and many institutions are still soft targets.

• Healthcare databases contain vast amounts of Personally Identifiable Information (PII) that doesn’t “expire.”

• Credit card and bank account data present only a narrow window of opportunity—i.e., typically the theft is discovered and the breach remedied quickly. Meanwhile, medical information fraud can go undetected for quite some time.

• Many financial services institutions and retailers have developed some expertise and experience in thwarting attacks, so criminals turn their attention elsewhere.

• The value of stolen healthcare data is at a premium.

• According to the World Privacy Forum, hackers and identity thieves will pay $50 for stolen medical information versus $1 for a stolen Social Security number.10

Medicine / Healthcare 38.9%

Business 35.1 %

Education 10.7%

Government / Military 9.9%

Banking, Credit Card, Financial 5.3%

9

7“Cybercrime and the Healthcare Industry,” EMC2 white paper, 2013.

8“Health Care and Cyber Security: Increasing Threats Require Increased Capabilities,” KPMG white paper, 2015

9Go-Gulf.com Web Technologies, http://www.go-gulf.com/wp-content/uploads/2013/06/cyber-crime.jpg

10https://www.worldprivacyforum.org/2006/05/report-medical-identity-theft-the-information-crime-that-can-kill-you/

HACKERS TROLL NETWORKS

DATA RESIDING ON A DEVICE THAT IS USED IN A PUBLIC PLACE ARE AT RISK FOR BEING COMPROMISED

THE SOURCES OF RISK: BYOD AND OUTSIDE NETWORKS

Bring Your Own Device (BYOD) Solutions

At first blush, allowing those involved in clinical trials to use their own existing mobile devices (smartphones and tablets) for trial work and participation seems like a financial “no brainer.” Why provision and then have to maintain and manage proprietary devices when parties already have the hardware themselves? It is not as simple as it sounds, however. The main issue relates to the number of device platforms that would have to be supported, particularly for global trials. Not only is there the matter of Android versus Apple operating systems, but there are multiple releases of each on the market. (This is especially true in Latin America where the secondary market for used devices is very strong.) Not all will have the latest security patches.

Public Hotspots and Guest Networks

Data residing on a device that is used in a public place—whether it be as an executive checks e-mail in a café, or as a study monitor reviews files at an airport—are at risk for being compromised. Usually, however, the device itself and the information on it are not the hacker’s ultimate target. Rather, hackers troll such networks in an attempt to use the mobile device as a vector to gain access to an organisation’s internal network.

REGULATORY COMPLIANCE

Because regulations on securing Personally Identifiable Information (PII) differ by country or region, trial planners must work closely with their legal teams as they plan and execute trials. Given the difficulties of complying with a variety of regulations related to the use of mobile devices, it is not unusual for this to factor into the decisions on where trials are conducted. Some companies prefer not to limit their global footprint and instead employ different device strategies in different countries for the same trial.

The following points illustrate the variety of regulations that sponsors may need to consider when architecting a mobile device strategy:

• The Security Rule under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 “sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.”11 As this rule has been in effect since April 20, 2005, it is generally well understood, and most companies have the procedures and policies in place to ensure compliance.

• Requirements in the EU are in a state of flux at this writing because in late 2015, the European Court of Justice declared the Safe Harbor Framework that governed transatlantic data transfers between the U.S. and EU invalid. The Safe Harbor provisions were deemed inadequate, and officials are in the process of developing a more rigorous mechanism.

• Russia has implemented a Data Localisation Law effective on September 1, 2015. This law requires that personal data of citizens of the Russian Federation are stored in databases domiciled in Russian Federation territories. The first guidance released by the Russian government was made public on August 3, 2015. With only a month to read and understand the clarifications, companies had little time to adjust their strategies, let alone their operational procedures.

• China, in its current draft cybersecurity law, is taking a similar stance to Russia and is requiring data collected in country to be domiciled in country. This current draft has been reported to contain very loose and sometimes vague language, so this is certainly something to keep an eye on as it develops.12

11https://www.hhs.gov/hipaa/for-professionals/index.html

12http://fortune.com/2015/07/08/chinas-proposed-cybersecuri-ty-law-impact-tech-companies/

SECURITY RECOMMENDATIONS

In order to reduce the risk that data on mobile devices are compromised, or that mobile devices are used as gateways into private networks, sponsor companies can take the following precautions:

• Preferably, employ a mobile web strategy such that no data are stored on the mobile device. The device can bear the icon of the application, giving it the appearance of residing on the device; however, in reality, the icon is merely a link to a web-based application. The information is actually stored on servers where it is well guarded.

• Aim to reduce the attack surface by limiting data on mobile devices to only those that are absolutely necessarily. If it is difficult to explain how certain data relate to a study endpoint, perhaps the data need not be stored.

• When an application must be native to the device, isolate it in a “sandbox” via a mobile device management system such as Good for Enterprise or MobileIron. Such software adds an additional layer of encryption and permits data to be erased remotely from devices that are lost or stolen. This solution involves an extra expense in software licensing, infrastructure, and support staff.

• Think carefully about the benefit / risk ratio of each proposed mobile feature and function. Using a smartphone’s camera to scan product barcodes may be a worth the risk, cost, and challenge involved in securing the device and its communications. Using a mobile device to decline a portion of a drug shipment due to a temperature excursion is likely not due to the fine control needed in those transactions; that function can more easily be performed on a desktop.

• Guard against communication interception with up-to-date HTTPS technology (e.g., TLS 1.2) and mobile browsers. Earlier versions of HTTPS are readily exploitable, and hackers can de-encrypt communication between devices.

• Connect mobile devices to company systems via a Virtual Private Network (VPN). VPN software creates a temporary and false Internet Provider (IP) address that disappears when the connection ends. It also forms an encrypted tunnel for the data transfer. While no VPN is 100 percent secure, hackers and the automated tools they use generally turn their attention to softer targets when they discover fake IP addresses.

REDUCING RISK ON MOBILE DEVICES

AIM TO REDUCE THE ATTACK SURFACE BY LIMITING DATA ON MOBILE DEVICES TO ONLY THOSE THAT ARE ABSOLUETLY NECESSARY

PLAN EARLY AND RELY ON A CROSS-FUNCTIONAL TEAMA MOBILE DEVICE STRATEGY SHOULD BE CREATED WITH INPUT FROM THE LEGAL TEAM, IT, INFORMATION SECURITY, AND DATA MANAGEMENT

• Constantly monitor threats (new ones are to be found daily) and ensure that mobile devices have the most up-to-date security patches.

• Understand what security leaders in other industries (such as financial institutions) are doing, and learn from their experience. Adopt and adapt best practices.

• Create and then abide by a rigorous Information Security Policy. (See box: Dust Off That Information Security Policy)

IMPLICATIONS FOR PLANNING

The technical and regulatory considerations involved in developing a mobile device strategy naturally require extra time and care in the early phases of trial planning. To ensure that there are no surprises that impede study progress or that create liability issues, sponsors should:

• Plan early. The ideal time to develop the mobile device strategy is during the feasibility phase. When all issues are discussed up front, the proper requirements can be given to systems vendors and developmental resources can be used most efficiently.

• Rely on a cross-functional team. The mobile device strategy should be created with input from the legal team, IT, information security, and data management.

• When qualifying sites, gather information on the mobile devices they use to ensure that they meet the necessary standards and will be supportable.

• Accept the fact that over the course of the study, there may well be material changes to system requirements due to changing regulations.

DUST OFF THAT INFORMATION SECURITY POLICY

An information security policy is not effective, of course, unless it is 1) kept up to date and 2) enforced. Many companies start off with good intentions and turn to high-powered consultants to prepare their policy. However, too many then let the policy collect dust. Information security policies must be kept current with the changing threat environment; an industry best practice is to review the information security policy on the same two-year cycle as other corporate standard operating procedures.

A sound information security policy must then be enforced. Is someone accountable for investigating policy violations? And, is the responsible function empowered to take action when violations are found?

www.almacgroup.com

CONSULT WITH THE RIGHT EXPERTS AND THEIR SYSTEM PARTNERS TO HELP ENSURE PROPER SECURITY OF DATA AND SYSTEMS

PREPARE AND PROTECT

Demand for access to clinical trial data and applications via mobile devices is unlikely to abate. However, sponsor companies must understand the technological, logistical, and legal implications of their decisions sur-rounding mobile computing. By consulting the right experts and selecting their system partners carefully, they can help ensure that their trial tech-nologies support productivity without jeopardizing the security of their data and systems.

GET IN TOUCH

UKAlmac Group(Global Headquarters)Seagoe Industrial EstateCraigavonBT63 5UAUnited Kingdom clinicaltech@almacgroup.com+44 28 3835 2121

USAlmac Group(US Headquarters)25 Fretz RoadSouderton, PA 18964United States of America

clinicaltech@almacgroup.com+1 215 660 8500

ASIA PACIFICAlmac Pharmaceutical Services Pte. Ltd.(Asia Pacific Headquarters)9 Changi South Street 3#01-01Singapore 486361

clinicaltech@almacgroup.com+65 6309 0720

AM1750

All our clients have unique needs. That’s why we develop unique solutions. This is the

Get the discussion started today!

Click here or email us atclinicaltech@almacgroup.com