With the proliferation of software solutions containing sensitive data, many individuals, technologists, and corporations are rightfully concerned about the pervasive threat of large-scale penetration of private and public clouds. The hacking of big-box retailer Target in early December 2013 is a prime example of how malicious hackers can penetrate a network and abscond with private data. What ensued in the wake of the data heist was a flurry of credit card cancellations, bank account holds, lowered credit limits, and otherwise bad tidings—just at the outset of the holiday season. Bah, humbug!
The key takeaway from this incident is that any company that maintains your private information must take added precautions to secure your data. Target, while an innocent victim of hacking, on the surface appears to have lacked appropriate measures to systematically monitor suspicious behavior or detect network intrusion. Regrettably, the hackers went unnoticed for more than two weeks. Over the next several months, we’ll learn if Target was negligent in its security vigilance.
There are many parallels between the hacking of Target’s systems and the risks faced by cloud software providers. After all, when you swipe a credit card at a merchandiser and your data is stored, you’re in effect using a public cloud. Your information is housed with other customer data in a remote location (i.e., not your home) and is accessible to third parties. It isn’t much different from providing sensitive data to a Software as a Service (SaaS) provider through a web browser. The underlying mechanisms are the same. Ultimately, data at rest is vulnerable. When you use a SaaS provider, you need to be confident that your provider is employing the most rigorous security precautions, following strict governance protocols, and actively monitoring threats.
At SureClinical, we serve the BioPharma market. Data privacy concerns are amplified given the Protected Health Information (PHI) data that is stored in our cloud. Moreover, we are required by the FDA, EMA, and other governing bodies to enforce security protocols that are widely considered more stringent than those imposed on commercial entities. We further view security governance as our ethical responsibility to our life sciences customers. To that end, we launched our Certified Cloud™, which includes the following key components designed to enforce both physical and programmatic data security:
- Data center compliance: Our data center and corresponding personnel policies are independently audited to ensure compliance with HIPAA, European Safe Harbor, PCI DSS Level 1, SAS 70 Type II, and SSAE-16 requirements.
- Data center security: Our hosting facilities are in nondescript, secured locations that are permanently manned by on-site guards and covered by CCTV cameras. Multifactor biometric authentication is required for access, and all equipment is further segmented within locked cages monitored by CCTV cameras.
- Power and environment: The data center utilizes an N+1 architecture with redundant UPS systems, backup power generation, and resilient cooling systems. Data centers are located above sea level, utilize dry-pipe, water-based fire suppression systems, incorporate moisture monitoring and dedicated pump rooms for water ingress, and meet or exceed local seismic ordinances.
- Physical segregation of customer data: SureClinical has optimized its fast virtualized server environment to ensure rapid deployment while meeting the most stringent requirements of FDA 21 CFR Part 11 for protection of clinical trial data. SureClinical’s approach of physically segregating customer data maximizes the efficiency of cloud infrastructure while delivering the highest levels of cloud data privacy and security.
- Two-factor authentication: SureClinical’s Certified Cloud provides integrated two-factor authentication for electronic signing (patent pending) as well as strong authentication techniques to verify user identity and limit system access per FDA and EU regulations.
- FIPS 140-2 Level 3 compliance: SureClinical’s Certified Cloud is the first cloud solution for health sciences to offer a secure cloud-based digital signing service that enables investigators to electronically sign documents outside the firewall, making the 100% paperless eTMF a physical reality. Our patent-pending signing services support digital certificate signing (PKI X.509). All PKI signing transactions utilize NIST-tested and -approved FIPS 140-2 Level 3 technologies.
- Software security: SureTrial utilizes role-based security permissions for varying levels of system access, with view-only, read/write, edit, and restricted settings. All passwords are 128-bit SSL encrypted.
- Audit trail: All cloud instances include an exportable, read-only, time-stamped audit trail that adheres to FDA requirements for user activity and electronic signing events. Audit trails are permanent and cannot be overwritten.
- Continuous infrastructure monitoring: We use proactive infrastructure monitoring 24×7 throughout our global Certified Cloud platform to ensure uninterrupted service.
- Security audits: Quarterly PCI compliance testing, intrusion detection scans, and security audits are conducted by independent testing agencies to ensure ongoing security compliance.
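To make the software-security and audit-trail items above concrete, here is an added illustration (it is not SureClinical's or SureTrial's code) of what a defender expects from those two controls: role-based permission checks in front of every document access, and an append-only, time-stamped audit trail that records allowed and denied attempts alike and cannot be edited in place without detection. The role names and the actions assigned to them, the SHA-256 hash chain, and the document store itself are assumptions made for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role model mirroring the page's "view-only, read/write, edit,
# restricted" settings; the actions each role may perform are assumptions
# for this example, not SureTrial's actual configuration.
ROLE_PERMISSIONS = {
    "view_only":  {"read"},
    "read_write": {"read", "write"},
    "edit":       {"read", "write", "sign"},
    "restricted": set(),
}

GENESIS = "0" * 64  # previous-hash value committed to by the first entry


class PermissionDenied(Exception):
    """Raised when a role does not include the requested action."""


class AuditTrail:
    """Append-only, time-stamped audit trail with a SHA-256 hash chain.

    Entries can be appended and exported but never edited or overwritten;
    each entry commits to the hash of the one before it, so an in-place
    change breaks verify(). Assumption: the chain head is also kept
    off-system (e.g. with the exported JSON), otherwise silently dropping
    the newest entries would not be noticed by verify() alone.
    """

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the hash is reproducible.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, role, action, document, outcome, when=None):
        """Append one event; returns the entry's hash (the new chain head)."""
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        body = {
            "seq": len(self._entries),
            "ts": stamp,
            "user": user,
            "role": role,
            "action": action,
            "document": document,
            "outcome": outcome,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        body["hash"] = self._digest(body)
        self._entries.append(body)
        return body["hash"]

    def export(self):
        """Read-only export as JSON: callers receive a copy, never the live list."""
        return json.dumps(self._entries, indent=2, sort_keys=True)

    def snapshot(self):
        """The exported trail parsed back into plain dicts (a detached copy)."""
        return json.loads(self.export())

    def verify(self):
        """True if every entry is in sequence and the hash chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def __len__(self):
        return len(self._entries)


class DocumentStore:
    """Toy document repository: every access is authorized by role and audited."""

    def __init__(self, trail):
        self._docs = {}
        self._trail = trail

    def _authorize(self, user, role, action, document):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        # Denied attempts are recorded too; they are the signal a reviewer wants.
        self._trail.record(user, role, action, document, "allowed" if allowed else "denied")
        if not allowed:
            raise PermissionDenied(f"{user} ({role}) may not {action} {document}")

    def read(self, user, role, document):
        self._authorize(user, role, "read", document)
        return self._docs.get(document)

    def write(self, user, role, document, content):
        self._authorize(user, role, "write", document)
        self._docs[document] = content


def demo():
    """Constructed sample activity; returns facts the caller can check."""
    trail = AuditTrail()
    store = DocumentStore(trail)
    store.write("alice", "read_write", "protocol-v1", "draft 1")  # allowed
    viewer_sees = store.read("bob", "view_only", "protocol-v1")    # allowed
    denied = 0
    for user, role in (("bob", "view_only"), ("carol", "restricted")):
        try:
            store.write(user, role, "protocol-v1", "tampered")
        except PermissionDenied:
            denied += 1
    intact_before = trail.verify()
    # Simulate someone editing the stored log in place: the chain stops verifying.
    trail._entries[2]["outcome"] = "allowed"
    return {"viewer_sees": viewer_sees, "denied": denied, "events": len(trail),
            "intact_before": intact_before, "intact_after": trail.verify()}
```

Running `demo()` yields four audited events (two allowed, two denied), the viewer still sees the unmodified "draft 1", and the trail verifies until the constructed in-place edit of entry 2, after which `verify()` returns `False`. The point of recording denied attempts alongside allowed ones is that repeated denials are exactly the kind of suspicious behaviour the article faults Target for not noticing.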
While no security system is fail-safe, we at SureClinical are committed to exceeding industry security best practices and compliance regulations to safeguard our clinical trial data. The recent hacking of Target shines a spotlight on the importance of data security in an increasingly distributed landscape of data and IT resources. As a health sciences practitioner, you should feel comfortable questioning your policies and procedures around data security: Do your current SaaS provider or internal IT resources meet tough data governance and security regulations? If not, it may be time to rethink your selected vendor or IT approach. After all, Target, a $73 billion company, had its security compromised for more than ten days.