The Clinical Trial Sponsor's Roadmap To Avoid EMA (Cyber) Perdition

For years now, clinical research and clinical trials have been relying on technology and specialized vendors to design, launch, gather and analyze data, and gain commercialization approvals for medical products being studied. There has been a continued emphasis on technological solutions to streamline the conduct of clinical trials and using novel solutions to bring about efficiency and bring down the cost of conducting clinical research.¹ Clinical trials and, by extension the healthcare sector, are one of the sectors most vulnerable to cyberattacks.² The FDA has fully embraced the resultant data to guide regulatory decision-making and has been increasingly focused on data integrity and medical device cybersecurity, but has not addressed or established cybersecurity expectations for the conduct of clinical trials. The European Medicines Agency (EMA), however, has.³

In its latest guideline by the Good Clinical Practice Inspectors Working Group (GCP IWG), set to come into effect in 2022, EMA’s Guideline on computerized systems and electronic data in clinical trials goes beyond the traditional software validation and data integrity expectations. It actually sets requirements and expectations pertaining to user management and ongoing security measures, including:

• Patching management
• Physical security
• Firewalls
• Vulnerability management
• Platform management
• Use of bi-directional devices
• Antivirus software
• Penetration testing
• Intrusion detection system
• Internal activity monitoring
• Security incident management
• Authentication method
• Remote authentication and password managers
• Remote authentication
• Password policies
• Password confidentiality
• Inactivity logout
• Date and time
• Remote connection.

Beyond the security expectations, EMA is placing emphasis on the sponsor and/or the investigator to ensure that vendors supplying cloud solutions are qualified to meet the requirements of Annex 4. So, if you are planning or have started a clinical trial under EMA jurisdiction, do you know if your vendors are following these guidelines? EMA has adopted an evaluation of the threat sources when analyzing the clinical trial risks.  A threat source is characterized as:

1. the intent and method targeted at the exploitation of a vulnerability; or
2. a situation and method that may accidentally exploit a vulnerability.

The list of threat sources is quite large; NIST Special Publication 800-30 Guide for Conducting Risk Assessments,⁴ appendix D, has table D-2 with a useful taxonomy of threat sources.

So, what should be the plan for a sponsor and/or CRO of a clinical trial that is subject to EMA guidelines? How would a sponsor go about assessing and, more importantly, proving that the vendors meet the requirements defined in the EMA guidelines?

It is important to understand that different methods may be used for the assessment of cloud security. When assessing the protection of some types of information, it may be adequate to rely on the cloud service provider’s self-assessment, possible other certifications, and contractual commitments. When assessing the protection of other types of information, it is advisable to additionally require verification by an independent external party. The reliability of the verification results greatly depends on the reliability of the methods used. For instance, the degree of reliability achieved by studying documentation is not similar to also using technical testing for the verification of cloud service protection.

The most crucial step would be to evaluate and memorialize what risk is posed by a particular vendor.  The Cybersecurity and Infrastructure Security Agency (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force⁵ has produced a free standardized template of questions as a means of communicating ICT supply chain risk posture in a consistent way among public and private organizations of all sizes. The purpose of this assessment is to normalize a set of questions regarding an ICT supplier/provider implementation and application of industry standards and best practices. These questions provide enhanced visibility and transparency into entity trust and assurance practices and aid in informed decision-making about acceptable risk exposure. The assessment can be used to illuminate potential gaps in risk management practices and provides a flexible template that can help guide supply chain risk planning in a standard way. There are other tools available to collect information to help determine how security risks are managed across different risk domains, like the Cloud Security Alliance CSA STAR Assessment,⁶ where participating organizations submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document practices, and the Standardized Information Gathering (SIG) Core Questionnaire⁷ used by organizations to perform an initial assessment of third-party vendors.

Based on the information provided by the vendor, the sponsor or CRO should concentrate on the risks identified or on verifying that indeed the objective evidence is available. Special emphasis must be on the following 10 areas:

1. System Description

The cloud service provider’s description must include:

1. The service and deployment models and related service level agreements (SLAs).
2. The principles, procedures, and security measures, including control measures, of the cloud computing service life cycle (development, use, disposal).
3. Description of the infrastructure, network, and system components used for the development, maintenance/management, and use of the cloud computing service.
4. Change management policies and practices, particularly the processes of changes affecting security.
5. Processes for significant abnormal events, such as procedures in major system failures.
6. The roles and division of responsibilities between the sponsor and cloud service provider relating to the provision and use of the cloud computing service. The description must clearly indicate the measures for which the sponsor is responsible in ensuring the security of the cloud computing service. The cloud service provider’s responsibilities must include an obligation to cooperate in the resolution of incidents.
7. Operations transferred or outsourced to subcontractors.

2. Security Responsibility

It is essential to specify the security responsibilities to enable the persons in charge to perform the security duties they are responsible for. If not otherwise described, all security responsibilities lie with the management of the organization. The purpose of specifying a cloud computing policy is to make clear which security duties are the responsibility of the customer and which are the responsibility of the service provider. It is suggested that sponsors verify that:

1. Instructions and training are provided for the personnel on appropriate handling of information to be kept secret.
2. Training on the handling of information to be kept secret is provided on a regular basis and the persons participating in the training are documented.
3. Compliance with the security instructions is monitored and the need to amend the instructions is regularly assessed.
4. Information security-related security trainings and security awareness development programs tailored for the target groups are available and mandatory for all internal and external employees of the cloud service provider.

3. Evidence of Security Management

It is important that the objective evidence provided demonstrate that security incident management is:

1. planned,
2. instructed and trained,
3. documented at an adequate level for the environment, and
4. practiced.

4. Business Continuity

The plans concerning business continuity and preparedness are verified, updated, and tested at regular intervals (at least once a year) or always after substantial changes concerning the organization or environment. The testing also concerns sponsor’s, other customers, and major third parties that are affected by these matters. The tests are documented, and the results are considered in future security measures concerning the continuity of business.

​​5. Clearance

The backgrounds of internal and external employees with access to sponsor’s information or shared IT infrastructure must be checked before the beginning of employment, using procedures enabled by local law.  The trustworthiness of individuals associated with the handling of classified information must be checked and monitored by clearance procedures of a relevant level. Within the limits allowed by law, the background check must include at least the following:

1. Authentication of identity.
2. Verification of job history.
3. Verification of educational background.

6. Basic Protection Planning

The cloud service provider is to maintain a risk assessment procedure that takes into account protection against common network attacks and the protection measures are scaled so that common network attacks do not compromise the confidentiality, integrity, or availability of the service or the information processed through the service. All connected IT systems are to be treated as unreliable and be prepared for common network attacks. Preparing for common network attacks also includes measures such as keeping only the necessary functionalities running. A functionality should be limited to the narrowest subset that fulfils the operational requirements (e.g., limitation of the visibility of functionalities). In addition, measures such as prevention of spoofing and limitation of the visibility of networks should be considered. Particularly at internet interfaces, protection against (distributed) denial-of-service attacks must also be ensured.

​​7. Access Rights Management

The cloud service provider’s access rights management has to ensure that only authorized users have access to the data processing environment and the protected information it contains. A sponsor can utilize the following requirements to verify and document the existence of a properly functioning access rights management program, which will be important for Annex 3 of the EMA guidance:

1. There is an agreement or other documented verifiable grounds underlying the access rights (e.g., employment relationship, agreement on work to be performed in the environment).
2. The life cycle of credentials must be managed for all user credentials so that only necessary credentials are valid and active, and unnecessary user credentials are immediately deleted.
3. Access rights must be limited to the subdivision required by a functional need. Unnecessarily extensive rights allow the user or process in question or an attacker that gains possession of the credentials unnecessarily extensive room for action. Limiting access rights to the minimum can reduce risks from intentional and accidental actions as well as malware.
4. Administration rights are only used for administration measures. A user account with administrator privileges should not be used for web browsing or e-mail.
5. Ensuring the access rights are up to date requires that the access rights of all employees, suppliers, and external users are reviewed at regular intervals, such as every three months.
6. There is a clear procedure for modifying and deleting rights in case of changes in job description and particularly upon termination of employment. The division of responsibilities between the cloud service provider and the sponsor must be considered because the cloud service provider is responsible for the access rights management of the system configuration related to the provision of the cloud computing service, while the sponsor is responsible for the access rights management of the part that is built on the service provider’s service configuration. In assessing the part for which the sponsor is responsible, it is recommended to take specifically into account that corresponding requirements also apply to the sponsor and any service providers associated with the customer’s part.
7. Access rights management is based on the least privilege principle:
   1. A predefined process exists for the creation, approval, and maintenance of user accounts.
   2. Users of the information processing environment are only provided with the information, rights, or authorizations that are necessary for them to perform their duties.
   3. A list of the system users is maintained. A record is kept of each granted access right.
   4. When granting access rights, it is checked that the person receiving the rights is an employee or otherwise entitled.
   5. There are guidelines on the processing and granting of access rights.
   6. Access rights are kept up to date. When user accounts and rights are no longer needed (e.g., a user leaves the organization or a user account has not been accessed for a specified period), they are deleted.
   7. A clear and efficient procedure is in place for the immediate reporting of any changes in personnel to the relevant parties as well as an efficient procedure for making the required changes.
   8. Access rights are regularly audited, at least every three months.

8. Identification/Authentication

It is important that the authentication method(s) is protected against man-in-the-middle attacks, and no additional information is disclosed in the login phase, before the actual authentication of the user. The authentication credentials must always be in an encrypted format if they are sent across the network, the authentication method must be protected against replay attacks, and the authentication method must be protected against brute force attacks.

9. Vulnerability Management

It is expected that a cloud service provider’s vulnerability management involves continuous monitoring and development of the system environment, so that software suppliers’ vulnerability patches can be installed as quickly as possible. In addition, the sponsor shall verify that:

1. Software is kept up to date with the supplier’s version support. No active updates are to be published for outdated software versions, which means that it may be impossible to repair security vulnerabilities.
2. The effects of vulnerability patching measures on the service are considered. If performing patching causes an interruption to the sponsor’s service, the patching should be scheduled in a way that minimizes inconvenience to the customer or during a previously agreed upon service break. It may be advisable to test the patches first in a test environment to ensure that the patches do not cause unexpected changes in the service.
3. Active vulnerability management can be carried out by:
   1. Clearly establishing responsibilities and division of duties for vulnerability patching,
   2. monitoring system development and the security status of any software used for the provision of service, and
   3. agreeing on continuous monitoring procedures, e.g., by scanning one’s own environment to detect known vulnerabilities.

10. Physical Security

If deemed necessary, based on service and/or location of what is being provided, physical security measures should be evaluated. Physical security measures are to deny surreptitious or forced entry by intruders; to deter, impede, and detect unauthorized actions; and allow for segregation of personnel in terms of access to information on the need-to-know basis. Such physical security measures shall be determined on the basis of the cloud provider’s risk management process.

Summary

Computerized systems are being increasingly used in clinical research. The complexity of such systems has evolved rapidly during the last years from eCRF and ePROs to various wearable devices used to continuously monitor trial participants for clinically relevant parameters and, ultimately, to the use of AI. EMA is declaring that to maintain data integrity and privacy protection of trial participants, computerized systems used in clinical trials must have security processes and features to prevent unauthorized access and accidental or deliberate data modification. Threats and attacks on systems containing clinical trial data, and corresponding measures to ensure security of such systems, are constantly evolving. These attacks have taken place,⁸ will continue to take place, and, as such, EMA is mandating that sponsors and CROs address security and data protection concerns.

About The Author:

John Giantsidis is the president of CyberActa, Inc, a boutique consultancy empowering medical device, digital health, and pharmaceutical companies in their cybersecurity, privacy, data integrity, risk, SaMD regulatory compliance, and commercialization endeavors. He is also a member of the Florida Bar’s Committee on Technology and a Cyber Aux with the U.S. Marine Corps. He holds a Bachelor of Science degree from Clark University, a Juris Doctor from the University of New Hampshire, and a Master of Engineering in Cybersecurity Policy and Compliance from The George Washington University. He can be reached at john.giantsidis@cyberacta.com.