Unification of data from patient medical records, hospital reports and clinical trial protocols is a tempting yet extremely dangerous idea.
Data breaches endanger your clinical trial success
Medical privacy and breaches of personal health information (PHI) have been a hot topic for several years. For the clinical trial industry, the main concerns are a decline in recruitment resulting from lack of confidence in data handling, and breaches that affect data integrity and thereby adversely affect NDA and MA applications in major markets, precipitating administrative action by national regulators in response to local incidents.
European legislators rely extensively on administrative measures implemented by national competent authorities. Although specific and detailed EU-level legislation exists, specific information about data breaches, cases and incidents, volume and type of affected data, root causes and analysis of consequences is largely missing. According to Howard and Gulyas (2014), this lack of organized event records is currently an empirical obstacle but provides an opportunity to generate new knowledge about data and privacy protection that could bolster future trial recruitment.
In the U.S., summary details of breaches that involved more than 500 individuals are available at the OCR portal, called the Wall of Shame, for everyone to analyze. Disclosure obligations in HIPAA made the problem of data breaches in healthcare obvious, and protection of the privacy of patients has been an important part of physicians’ code of conduct. This offers lessons learned to mitigate systemic vulnerabilities that undermine trial participation.
New EU legislation on data privacy, including PHI, is very thorough and detailed. The regulation provides for numerous exceptions for handling PHI for a variety of legitimate purposes, including scientific research. Important objectives of public interest, including public health research, override the data subject’s rights, including the right to be forgotten. Recognized risks to data subjects include discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality and economic or social disadvantage. Appropriate measures against unauthorized disclosure, theft or loss of data shall include organizational measures, certification, secrecy clauses in contracts, codes of conduct, design of applications, and data pseudonymization and encryption. Processing of high-risk data also requires an impact assessment. Data breaches are reportable to national supervisory authorities. Only high-risk data breaches are subject to notification to the data subjects. A breach of personal data may result in high administrative fines for the controllers and/or processors as well as liability for material and non-material damage caused to data subjects. The regulation makes no mention of a pan-European registry of personal data breaches. To ensure consistency of enforcement across the 28 EU Member States, the European Data Protection Board shall maintain a registry of decisions of national supervisory authorities and court rulings in data privacy matters.
Scientific research, specifically clinical trial data, is subject to yet another set of rules. In 2014, the European Medicines Agency (EMA) developed Policy 0070 on publication of clinical trial data. The policy covers both clinical reports and individual patient data submitted under the centralized marketing authorization procedure or as part of the Article 58 procedure (Reg. 726/2004), including extension of indication and line extension. In addition, the policy covers data submitted by a third party in the context of a Market Authorization Application or post-authorization procedure, or as additional clinical data for scientific assessment. To access the database, users can choose from two options: "general information and other non-commercial purposes" and "academic and non-commercial research purposes". The user has to promise that he or she will not download, save, edit, photograph, print, distribute or transfer the clinical reports, and will not seek to re-identify the trial subjects or other individuals from the Clinical Reports in breach of applicable privacy laws.
Although it may not be self-evident from reports available in Europe, experiences from the other side of the Atlantic show that exploitation of medical data for nefarious purposes is on the increase. The value of medical records on the black market is 60 times higher than that of credit card data. Cybercriminals are increasingly using stolen medical records for healthcare fraud, identity theft or fraudulent tax returns. Medical data typically include many details such as family and employment history, next of kin, addresses and phone numbers. Medical identity theft and record tampering can be life threatening.
Two thirds of US healthcare data breaches go undiscovered for months or even years.
What makes the situation even worse is the limited ability of health data controllers and processors to detect data breaches in real time. According to a Verizon report, two thirds of healthcare data breaches go undiscovered for months or even years. The Verizon Enterprise Solutions’ inaugural Protected Health Information (PHI) Data Breach Report found more than 392 million medical records were disclosed during 1,931 data breaches over a 20-year period across many market sectors and businesses worldwide.
In 2012, a well-publicized UK breach caused concerns over insecure transfers and processing of medical records by a consulting firm using Google BigQuery. The dataset in question contained all three areas of collection (inpatient, outpatient and A&E) and the system was able to provide detailed analysis, including linking the data to Google Maps. The incident called into question the NHS care.data initiative despite reassurances that the data shared for research purposes were anonymized.
The re-use of medical records for public health research is encouraged in the new data privacy law; explicit consent of data subjects is not required. The EUROREC Institute (EuroRec), a not-for-profit organization that promotes the use of high quality Electronic Health Record systems (EHRs), published on its webpage a series of papers on the enhancements allowed by the technological platform EHR4CR. According to HRS (1999), a consent requirement to access medical records for observational studies does indeed lower participation.
In 2014, RAND Europe completed a pan-European survey of 26,000 EU citizens to explore their views on data privacy and security. The respondents were presented with choices in a real-life scenario of health data storage on a device that would provide access to specified categories of medical and fire and rescue personnel. In general, respondents preferred to store only basic health status, identification, and lifelong health conditions, but not other health conditions and medical history. The overall pattern is that respondents would restrict access to medical personnel only and would not share their data with insurers, academic research companies, and the pharmaceutical industry.
The Americans are paranoid about medical privacy.
According to the Verizon report, people are withholding information – including critical information – from their healthcare providers because they are concerned that there could be a confidentiality breach of their records.
UK attitude to health data mining is different.
The NHS European Office facilitates a joint response between NHS England, the Health and Social Care Information Centre, Public Health England and the Department of Health, to discuss how proposals to revise the EU law on data protection could have a significant impact on information governance and management processes in the NHS. In the UK, the public is increasingly aware of the risks of identity theft and the need for data security. Electronic systems make confidential data more easily and rapidly accessible to a wider circle of recipients than paper systems, with greater potential for breaches of confidentiality.
Along with health data breaches, another concern emerged. Experts have pointed out the vulnerability of medical devices such as insulin pumps, defibrillators and pacemakers to hacking, with potentially fatal consequences for the patient. In 2013, concerns over medical device security led to the disabling of wireless features of Dick Cheney’s pacemaker. In Europe, medical devices are governed by the Medical Device Directive and the medical devices guideline (MEDDEV). The MEDDEV defines the concepts of input data (“any data provided to software in order to obtain output data after computation of this data”) and output data (“any data produced by a software”) embedded in the new definition of software. In July 2016, the EC issued additional guidance on qualification and classification of standalone software used in healthcare settings (MEDDEV 2.1/6). Unpatched software in medical devices is an important vulnerability that needs to be taken into account during data collection.
Eastern Europe has its specific challenges when it comes to handling medical records. The systems are highly centralized, and clinical trial data are often merged with other medical and administrative information. A totalitarian past, a history of politically motivated murders (Bozovic/Loncar, Serbia), liberally used forced isolation of patients (tuberculosis, psychiatry) or their criminalization (STDs, substance abuse), poor organizational management practices and minimum accountability for errors, in combination with outdated equipment and a paternalistic approach to patients, make this region especially vulnerable to exploitation of medical records for illicit purposes. Most importantly, this troubled local history profoundly affects patients’ trust and willingness to participate in clinical trials.
Healthcare records are an ideal source of information about vulnerable persons for victim profiling and consequent exploitation by organized crime. The region is a source of sex workers and for-profit organ donors. In 2013, a court in Kosovo found two of the seven defendants guilty of running an organ trafficking ring. In December 2016, Kosovo’s Supreme Court ordered a retrial of doctors and officials who were previously convicted of involvement in dozens of illegal kidney transplants, to the great disappointment of the European police and justice mission in Kosovo (EULEX) that helped the Balkan country develop its justice system.
In 1993, the American Psychiatric Association stated that the actions of Bosnian Serb leader “Dr. Karadzic as a political leader constitute a profound betrayal of the deeply human values of medicine and psychiatry,” and castigated him as “accountable for the policy of ethnic cleansing, organized rape, mass murder, and the establishment of concentration camps.” Disturbing suggestions have emerged that Karadzic deliberately used his psychiatric training to create military and political policies that would create fear, terror and extensive posttraumatic stress disorder in civilian populations (Dekleva and Post, 1997).
Patients’ trust in data management systems and confidence that the data will not be shared inappropriately is essential to their willingness to participate and to meeting enrollment targets.
The newest developments suggest that the worst is yet to come: three weeks ago, ISIS-linked hackers going by the name of Tunisian Fallaga Team attacked and defaced several NHS websites. The hackers replaced legitimate web pages with graphic photos of the war in Syria. Even if no patient data is compromised, such incidents have a profound impact on public confidence when they occur.
Centralization of healthcare information systems, digitalization, merging of previously disparate and compartmented data pools, and combination of clinical trial data with inpatient, outpatient, A&E and administrative records in interconnected databases substantially increase the value of such records to any threat actors. Vulnerability assessments of information systems need to take into account all human-machine interfaces, user behavior, awareness and training, and breach detection mechanisms, as well as historical experience and its impact on patients’ trust and consequently on recruitment of subjects in clinical trials. Opportunity for exploitation increases exponentially with the number of individuals having legitimate access to any one of these interconnected compartments, as well as the number of entities involved in access control. Closed data collection systems, disconnected from all other hospital information systems, that leave minimum opportunity for improvisation, creative or unauthorized use and human error, are instrumental in maintaining data integrity and security in high-risk regions.
Veronika Valdova is managing director at a consultancy that provides solutions to complex problems in the high stakes and high consequence environment of Global Pharmaceuticals, including clinical research, healthcare informatics, and public health. We blend established, Pharma sector methodologies, innovation, and adaptations/transfers from other sectors to identify and resolve consequential practices that pose risk and often result in avoidable patient casualty.