Feature|Articles|September 24, 2025

Cybersecurity in Service Provider Selection and Qualification: A Critical Aspect of Modern Clinical Research

As clinical research becomes increasingly digital, integrating rigorous cybersecurity assessments into CRO selection and qualification is essential to safeguard sensitive data and ensure trial integrity.

Key takeaways for clinops professionals

  • Cybersecurity must be a core element of CRO qualification, with formal assessments and certifications required to protect sensitive trial data.
  • Vendor risk management should prioritize critical business functions, type of data handled, and system access when evaluating CRO partners.
  • Continuous collaboration with CROs on improvement plans and audits ensures resilience against evolving cyber threats and safeguards trial integrity.

In today's rapidly digitalizing world, the importance of cybersecurity in clinical research cannot be overstated. As we increasingly rely on digital tools and third-party service providers for critical processes, the risks associated with cybercrime have grown accordingly. At the same time, recent artificial intelligence (AI) solutions deliver real-time data and insights through a modern, integrated experience, enabling drug development companies to make decisions faster, reduce study timelines, and bring therapies to market sooner.

Digitalization is a reality that we have to cope with. This article explores the current landscape of cybersecurity in the context of service provider selection and qualification, with a particular focus on the pharmaceutical industry and clinical research organizations (CROs).

Introduction

The digitalization of clinical activities, including electronic case report forms (eCRFs), electronic clinical outcome assessments (eCOAs), cloud-based databases and, more recently, AI-based applications, has revolutionized the way we conduct clinical research. However, this digital transformation has also opened new avenues for cybercriminals to exploit, with critical impact for the companies affected. The challenge is how to benefit from the digital world while minimizing and mitigating the risks it generates. The objective of cybersecurity is to reduce the risks weighing on the information system, in order to limit their impact on the operations and business activities of organizations.

The current situation

The pharmaceutical industry is not immune to the reality of continuous cyberattacks. Consider these statistics as examples:

  1. 98% of organizations have at least one third-party vendor that has experienced a data breach.
  2. 73% of organizations have faced at least one significant disruption caused by a third party in the past three years.
  3. Data breaches cost organizations an average of $4.88 million, a figure that increases every year.
  4. Network or data breaches are the most common type of security breach, affecting 51.5% of companies.

These figures underscore a critical reality: cybersecurity is the business of every company, sponsors and service providers alike, because an organization's security is only as strong as that of its weakest vendor. Data is the core asset nowadays.

In the clinical research environment, the dependence on third-party service providers is particularly high. From interactive voice response system (IVRS) providers to eCOA platforms and data management teams, and from functional outsourcing to full-service outsourcing, the exchange of sensitive data is constant, volumes are considerable, and the criticality of the data is high, since what is transferred is sensitive personal data. This high level of interdependence makes the industry particularly vulnerable to cyber threats at every level of the system.

Regulatory landscape

Recognizing the critical nature of health data, regulators have stepped in to ensure its protection. The regulations are not standardized and differ considerably from one country to another, which makes the situation more complex. Europe, for example, has one of the most regulated environments regarding data security and privacy. In France, for instance, the Hébergeurs de Données de Santé (HDS) certification is required for entities that host personal health data. This certification, governed by Decree No. 2018-137 of 26 February 2018, covers six hosting activities:

  1. Provision and maintenance of physical sites
  2. Provision and maintenance of the hardware infrastructure
  3. Provision and maintenance of the application hosting platform
  4. Provision and maintenance of the virtual infrastructure
  5. Administration and operation of the information system containing health data
  6. Backup of health data

Beyond such national schemes, companies and service providers need to continuously obtain and maintain international certifications such as ISO 27001, which provides a framework for information security management systems. These regulations and standards form the backbone of cybersecurity efforts in the industry, and we cannot work with companies that are unable to ensure the security of the data they collect or manage on behalf of others.

Vendor information risk process

To address the cybersecurity risks associated with third-party vendors, many companies have implemented vendor information risk processes. Such a process evaluates vendors against three key criteria:

  1. Relation to critical business functions (e.g., research and development)
  2. Type of data stored or managed (e.g., confidential product information or personal data)
  3. Criticality of the service to the company and level of access to internal systems

CROs, given their critical role and access to sensitive data, typically meet all these criteria and are thus subject to rigorous cybersecurity assessments.

Cybersecurity assessment in CRO qualification

The cybersecurity assessment has become an integral part of the CRO qualification process for clinical studies. The assessment typically involves the following steps:

  1. Verification of valid and recognized cybersecurity certifications
  2. If certifications are lacking or invalid, a detailed assessment via a specialized platform
  3. Evaluation of the assessment results (accepted/accepted with corrective actions/rejected)

The assessment covers various areas, including data privacy, data protection, third-party management, and business continuity. It also evaluates the CRO's capacity to identify, protect against, detect, and respond to cyberattacks.

Risk management

The cybersecurity of service providers is a question of risk management, and it should be adapted to the needs of the sponsor. In cases where a CRO's cybersecurity assessment is insufficient, the business needs to evaluate the risks it would be exposed to if it selected the vendor anyway. Any such exception should be documented as a formal risk acceptance, with compensating controls and a deadline for the corrective actions. While this approach should be used sparingly, it provides a mechanism for balancing business needs with cybersecurity requirements.

CRO selection and qualification process

The CRO selection and qualification process is a multi-step journey that integrates cybersecurity considerations:

  1. CRO identification
  2. Service qualification (including data privacy)
  3. Cybersecurity assessment
  4. Evaluation of qualification and cybersecurity results
  5. Contract signature
  6. Start of services

This process ensures that cybersecurity is considered from the outset and remains a key factor throughout the engagement with the CRO.

Conclusion

As the digital landscape of clinical research continues to evolve, so too must our approach to cybersecurity. Integrating cybersecurity assessments into the CRO selection and qualification process is a critical step in protecting sensitive data and maintaining the integrity of clinical trials, and it should be part of the standard qualification process.

To conclude, the key takeaways I would like to offer are:

  1. Collaboration between digital and business teams is essential to ensure comprehensive cybersecurity.
  2. Cybersecurity assessments should be a standard part of CRO selection, qualification, and ongoing audits.
  3. The criticality of data managed in clinical studies necessitates robust cybersecurity measures.
  4. Continuous work with service providers to develop improvement plans and mitigate risks is crucial.

Our responsibility is to ensure data protection of consumers and patients. In an era where cyber threats are increasingly sophisticated and frequent, this responsibility has never been more important.

The pharmaceutical industry, with its wealth of sensitive data and critical research, must remain at the forefront of cybersecurity efforts. By integrating cybersecurity considerations into every aspect of vendor selection and management, companies can better protect themselves, their research, and most importantly, the patients they serve.

Martin Rodriguez, Medical Strategy & Operational Effectiveness Head, Opella
