Jeff Wolniakowski, Chief Information Officer, Advanced Clinical
Many professionals in the life sciences industry are excited about the benefits decentralized clinical trials (DCTs) bring to the clinical research process and specifically to patients. The use of wearables, electronic consent forms, digital outcomes assessments, and other DCT technologies is transforming the way we gather clinical data and interact with study participants.
However, amidst all the excitement about what the technology can do, it is easy to forget about the risks it may introduce. Every time a sponsor or site adds a new technology to the DCT environment, they must be certain that the data they collect, clean, and/or analyze is protected at every step in its journey. Without this data security process, sponsors face the risk of data protection compliance penalties, lost data, and compromised study data integrity.
This is a common story that follows most digital transformations. Developers create innovative new platforms that promise to accelerate access to insights and enhance the user experience, without validating new risks. When problems occur, those developers must scramble to retroactively solve mistakes. If they have not documented the architecture or designated who is responsible for data oversight, these mistakes can be costly and time-consuming to fix. And for highly regulated industries, the losses can be devastating.
The financial industry averaged $5.97 million in losses per data breach in 2022 alone, and the days to contain those breaches reached 277 in 2022. The average health care breach, meanwhile, hit a record high of $10.10 million this year, an almost 42% increase since 2020.
The pharma industry is equally at risk, and DCTs create hundreds of new vulnerabilities that hackers can target.
Uncontrolled Data Environment
The value proposition of a DCT is that it allows for clinical study visits and activities to take place outside of traditional clinical research sites. DCT approaches allow for flexibility, but also introduce a host of potential data security issues.
Before DCTs, all data was collected at on-site visits, where staff could rely on a defense-in-depth strategy, inclusive of a firewall with designated logins to keep data safe. But in DCTs, there is no way for sites or sponsors to create that kind of protection, especially in the home of a trial participant.
There are many integration points that patient data will follow as it moves from the original source to the trial database. Patients may use unsecured Wi-Fi, share data via unprotected mobile phones and laptops, and collect data on devices, like Fitbits or Apple Watches, where the data is hosted by an external vendor. Sponsors cannot control those integration points, which means that the data could still be at risk.
This does not imply that we should revert to paper assessments and handwritten research notes. Rather, it suggests that we as an industry need to take a close look at the technology infrastructure, software, and communication protocols we rely on to properly secure the data from the point of collection through to analysis.
Today’s approaches will require a collaborative effort between regulators, industry, and academia to establish standards for data collection in a decentralized environment.
Data Standards for DCTs
Organizations like the Decentralized Trials & Research Alliance (DTRA) are accelerating this work by assembling working groups to define standards and gather industry feedback. DTRA enables collaboration of stakeholders to accelerate the adoption of patient-focused, decentralized clinical trials and research within life sciences and healthcare through education and research. In addition, the FDA has provided draft Level 1 guidance for the remote collection of data in trials, focusing primarily on end-point management and record protection and retention.
Industry leaders who expect to make DCTs part of their permanent research process will benefit from participating in these conversations, which could help to shape standards that will enable safe but accessible data collection in the future.
DCT models, which operate in a global environment, can only succeed if patients trust that their data is safe, and if regulators are confident that these technologies can comply with all data privacy rules. With 71% of countries having put data privacy legislation in place, navigating the varying regulatory controls is complex. If the industry waits for a high-profile data breach to take action, it could damage the reputation of DCTs as a reliable research model and trigger strict rules that may slow innovation.
Our industry is at the ideal point in time to proactively fine-tune the DCT data environment before these risks become a reality. This is still a novel topic, but I look forward to talking with our commercial, governmental, and academic peers about how we as an industry can fast-track development of standards to ensure DCTs continue to provide a flexible and safe data collection process that meets the goals of researchers while operating in a secure environment.