Cloud Computing: Security in Clinical Trials

July 2, 2015
Arthur Wang

Applied Clinical Trials

There is a lot of buzz about “the cloud.” Formally known as cloud computing, the cloud relies on sharing of Information Technology (IT) resources.



There is a lot of buzz about “the cloud.” Formally known as cloud computing, the cloud relies on sharing of Information Technology (IT) resources (e.g., processors, memory, and storage) to achieve major improvements in capacity, performance, and reliability. Cloud computing focuses on maximizing the effectiveness of these shared resources as they are dynamically reallocated to where they are most needed. For clinical trial sponsors and clinical research organizations (CROs), benefits include quick access to powerful computing for processor-intensive data analytics, shorter implementation and validation to support rapid study support, and the scalable storage of voluminous study documents and trial data. The cloud has the potential to provide clinical trial sponsors and CROs an incredible opportunity to improve services to their customers and the sites, to share information more easily than ever before, and to improve operation efficiency at the same time. However, there are challenges to using the cloud, with many centered on client uncertainty of cloud information security. 

Cost and Trust. Some sponsor and CRO concerns are common to all potential private and federal cloud consumers. According to a survey by Meritalk, a public-private partnership focused on improving the outcomes of government IT, two of these common concerns account for most delays in adopting cloud strategies at federal agencies:

  • Most federal agencies are worried about cloud deployment due to security and control concerns, and

  • Majority of federal IT executives are apprehensive about the risks and costs of migrating existing application to the cloud;

Confusion of Cloud Models. The technology and terminology is also daunting, and in practice the cloud comes in several models (i.e., public, private, and hybrid) and three dominant service categories (Infrastructure as a Service, Platform as a Service, or Software as a Service [SaaS]). Sales engineers and security analysts may misrepresent or mistake one for another, even though they each bring specific security strengths and vulnerabilities.

There are three deployment models in cloud computing: public, private, and hybrid. The Wikipedia definitions of these three models are as follows:

  • A private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third-party, and hosted either internally or externally.

  • A public cloud is cloud infrastructure where the services are rendered over a network that is open for public use. Public cloud benefits include elasticity, scalability, and a per-usage pricing model.

  • A hybrid cloud is a composition of public and private clouds that remain distinct entities but are bound together, offering the benefits of multiple deployment models. A hybrid cloud can also mean the ability to connect collocational, managed and/or dedicated services with cloud resources.

A secure private cloud system is built around a high-security private database, networked to users through web-based SaaS, where each client’s data is protected in its own database schema.

Public cloud refers to storage infrastructure available to the general public where data may be stored in various database locations depending on availability. Security remains a major issue with public cloud computing, with the extent of security measures from each provider varying significantly. While a vendor may provide some base level of security, in many circumstances, it is up to the customer to select what additional security features they want for public cloud computing.  Clinical trial participants’ information should not reside in a public cloud unless there is proper security measurement.

So, which model should a CRO or clinical trial sponsor deploy? Clinical trial data have a stringent requirement for security, confidentiality, availability to authorized users, traceability of access, reversibility of data, and long-term preservation. Thus, sponsor and CRO cloud activities should take root in private or hybrid clouds, rather than public cloud infrastructure without proper security measurement.  

Privacy and Security Challenges. Data maintained in a cloud may contain personal, private, or confidential information that requires the proper safeguards to prevent disclosure, compromise, or misuse. Also, CROs and clinical trial sponsors may bring user information tailored to clinical trial needs. In order to protect this protected health information (PHI), CROs and clinical trial sponsors need to balance legitimate business interests in collecting and using PHI with reasonable privacy protection. However, cloud-based solutions pose challenges to ensure that only authorized entities can gain access to it.

When we use cloud environments, we rely on third parties to make decisions about our data and platforms in ways never seen before in computing. It is critical to have appropriate mechanisms to prevent cloud providers from using customers’ data in a way that has not been agreed upon. In order to meet the challenge, clinical trial providers and CROs must require the Cloud Service Provider (CSP) to contractually agree to sustain certain privacy and security standards. This is a nebulous area and somewhat open for interpretation, with no consensus established. It is the responsibility of the CSP to get the necessary certifications to meet the legal and business requirement. Strict guidelines must be established within the law and must be met. A covered entity needs to establish a strong Service Level Agreement (SLA) with the CSP to fully understand their liabilities and risks and to absorb those risks in the event of violation.

Malicious Use and Theft. Clinical trial sponsors and CROs continue to depend on computer systems that are extremely vulnerable to data breaches caused by technology deficiencies, theft, and insider misconduct. For example, the October 2013 security breach of the FDA’s Center for Biologics Evaluation and Research compromised 14,000 accounts. The audit conducted after the breach revealed that Web vulnerability could allow unauthorized users to view and change FDA data and cause key FDA systems to fail. For the most, technology deficiencies could be mitigated by strict policy enforcement and rapid patching of vulnerabilities. Cloud-computing systems can be designed to be safer than traditional client-server systems against the prevailing causes of healthcare data breaches.



Arthur Wang is a Network and Security Manager for Technical Resources International, Inc (


Related Content:

Online Extras