Monday, August 4, 2014

How do you ensure clinical data safety in the cloud?

We recently had a chance to sit down with Partnerships in Medical Device Clinical Trials partner company Clinovo to discuss some of the benefits of cloud computing for clinical trials. Over the next few weeks, we'll examine our interview with Marc Desgrousilliers, the Chief Technology Officer of Clinovo.

Today, he answers the question:
How do you ensure clinical data safety in the cloud?

That’s a very good question. There is a lot of hesitation and fear due to this topic because the FDA’s 21 CFR Part 11 regulation requires clinical data to be secure and private. Sponsors must audit the cloud solution provider to make sure that it has documented operational controls around data security.

For example, sponsors need to find out how, and where, the clinical data is stored. Is it encrypted on the way to the storage system? Is it encrypted at rest while the data is stored? Can it be accessed either locally in the data center or remotely on the cloud? You also have to have service level agreements with your cloud provider around your contract, but also when your contract terminates. What happens to the clinical data? How does it get destroyed? How can you ensure that no one has access to the part of the disk where the data is stored?

Another recommendation is to audit the sponsor and evaluate if it is SSAE 16 compliant. SSAE is a new standard in terms of operational controls that is replacing SAS 70. It’s also a good idea to see if they can show you their Type I, Type II report with a test of the controls that are in place to see if they are appropriately designed and can effectively protect the data against a security breach.

You can download the audio and PDF to Marc's entire interview here.
