Clinical Trials in the Cloud (Part II)

The other day I posted an overview of the new OpenClinica Optimized Hosting offering. Since then we have received requests for more detail on how we secure the data in a customer’s OpenClinica instance against unauthorized access. This is obviously a very important topic!

The particular questions were asked in the context of HIPAA–particularly the HIPAA Security Rule–and the answer below is framed in this context. But even if HIPAA is not relevant to you (because you have no PHI in your OpenClinica instance, you’re not part of a covered entity, or you’re outside the U.S.), the safeguards described below are generally applicable best practices and can be applied in the context of most security compliance/regulatory regimes.

In general the requirements of the HIPAA Security Rule can be summed up as:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI you create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure workforce compliance.

Adhering to these requirements is generally demonstrated via a risk analysis that determines reasonable and appropriate security measures for protecting ePHI, and implementing administrative and technical safeguards consistent with the risk analysis (see http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html for more info). These safeguards may include:

Administrative Safeguards

  • Implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Limit uses and disclosures of PHI to the “minimum necessary.”
  • Appropriate training, authorization, and supervision of workforce members who work with e-PHI
  • Regular review and evaluation

Technical Safeguards

  • Implement technical policies and procedures that allow only authorized persons to access electronic protected health information.
  • Ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

So how do we do this? Many of these safeguards have long been in place as part of the SOPs and other controls we have for our staff and suppliers. The OpenClinica application itself enforces controls such as password policies, audit history, role based access control, and user access log. On top of these safeguards, what’s notable with OpenClinica Optimized Hosting are the specific controls surrounding this new hybrid/cloud-based hosting environment. Below are excerpts of our new Standard Operating Procedure associated with OpenClinica Optimized Hosting. The full SOP and supporting documentation are available as part of a compliance audit.

Excerpt from SOP-SA002 – Managing Hosted OpenClinica

7.1               Security

7.1.1                       Access to any customer instance is limited, via login credentials, to authorized customer users for the web interface only. Customers have no access to the server itself [except through defined application and programmatic interfaces].

7.1.2                       All OpenClinica employees are granted access only to computer and networking areas necessary to perform their duties.

7.1.3                       Each customer’s installation is separate, and cannot be accessed from any other customer installation.

7.1.4                       Connection to a hosted instance is encrypted by means of secure socket layer.

7.1.5                       Application server and database server are secured via firewall, hardened to remove nonessential access credentials, and strong password compliance.

7.1.6                       Hosted systems are constantly monitored for latencies and intrusion.

7.2.1     Installation qualification is performed on initial setup of the OpenClinica Optimized Hosting environment image, and documented in an IQ Report. Qualification items are checked by inspection, review of vendor documentation, or direct testing as appropriate; items are specified in the Installation Qualification Protocol.

7.2.2     Installation qualification for each customer instance is performed when configuring that instance, and is documented in an IQ Report. Qualification items are checked by inspection, or direct testing as appropriate.

We conduct qualification of our own IT practices and our data center provider to assure security, reliability, availability, performance, and data protection within our hosted services. Items reviewed include:

  • Data Center physical security procedures
  • Data center HVAC, power conditioning, and fire suppression systems
  • Disaster prevention and disaster recovery processes
  • Back-up and data retention procedures
  • Network redundancy
  • Firewalls
  • SSL certificate (encryption)
  • System and network monitoring (for latencies, intrusion, and failure prediction)
  • Load balancing

Our data center has a SAS 70 Type II security certification, a well known security certification that originated from financial industry compliance requirements and aligns well with the requirements of the clinical trials industry. We regularly audit their policies and procedures in the context of our quality system, including review of the SAS 70 Type II audit report they provide. Our data center assures secure and reliable operation in part by maintaining appropriate physical resources at the  facility. Fire suppression, conditioned power, and redundant HVAC all protect computing equipment against damage from extreme conditions, while physical access security and surveillance guard against unauthorized intrusion. The full report is available for our customers to review as part of a compliance audit.

The above are some highlights of our multi-tier strategy to ensure the highest level of security of critical clinical data while maintaining accessibility and ease-of-use. Like any good security strategy, we treat it within the company as a dynamic function, subject to regular review and assessment. We recognize our strategy must always be evolving to respond to emerging threats and new requirements. At the end of the day it is the combination of process and technology controls, and subjecting these controls to continual scrutiny, that leads to strong security.

– Cal Collins

Clinical Trials in the Cloud

I got a phone call the other day from a longtime OpenClinica user about the announcement of our new OpenClinica Optimized™ Hosting. He remarked on how leading companies in the industry (including his) are making big investments in cloud computing products and services, because these technologies provide easy-to-access functionality on an infrastructure that is more redundant, scalable, and cost-effective than you could hope to build or buy on your own.

However, in the clinical research field, putting together such an offering is not for the faint of heart. Though our free OpenClinica Community Edition has been installed and run by users on cloud servers for years, our OpenClinica Enterprise Edition offering (which carries regulatory guarantees) would have to meet rigorous reliability, security, and regulatory compliance requirements. How can this be accomplished if you don’t actually know where your data physically resides at any point in time on the cloud?

Prior to the launch of Optimized Hosting, we offered each hosted customer a dedicated server or two server (application + database) setup. This provided a certain peace of mind from knowing that your clinical data lives on a dedicated piece of hardware, but for many the costs were high and suffered from the inherent limitations of being tied to a physical machine. At the end of last year our data center partner achieved SAS 70 Type II certification for their cloud services, and we decided it was time to begin diligence on a cloud-based offering for OpenClinica.

We have spent the past 9 months listening to our customers’ needs and concerns, a designing and testing a solution. The resulting OpenClinica Optimized™ Hosting is an innovative hybrid architecture that provides the best of both worlds:  the scalability, high availability, and flexibility of the cloud combined with the peace of mind that your data lives in purpose-built dedicated hardware.Clinical Research in the Cloud

In short, OpenClinica Optimized Hosting offers greater fault tolerance, with better scalability and performance, at a lower cost than alternatives. Here’s how it works:

Application

Each OpenClinica application instance is a cloud server cloned from an image that has been qualified according to our exacting installation instructions. We configure the instance according to the customer’s supplied configuration parameters and complete operational qualification (OQ). The instance is typically available and ready for production use within a day or two. Thanks to the cloud, computing resources are instantly scalable on-demand.

Database

Dedicated (non-cloud) high performance database machines are configured in a master/slave relationship to provide instant data replication and fault tolerance. By utilizing multiple slave databases located in different geographic regions, the OpenClinica Optimized Hosting database cluster is designed for zero data loss even in event of nuclear strike. The servers use the fastest hard disk technology available today (Fusion-io®), dramatically improving database performance. For example, in our testing, we commonly see data extracts run up to 10x faster than in the prior environment. Database servers are physically isolated via CISCO ASA firewall to eliminate all nonessential access credentials.

Validation and Compliance

OpenClinica Optimized Hosting provides maximum flexibility and transparency in the area of change control and compliance. It has been constructed around a carefully designed set of controls to ensure all updates are fully tested (and documented) in the environment prior to release, and that customers can have upgrades and maintenance releases applied according to their individual schedules and priorities.

One of the great advantages of OpenClinica is the choice it offers – you can use and extend the open source licensed code, you can choose between OpenClinica Community Edition and OpenClinica Enterprise, you can deploy it locally or choose the hosted option. Or, any combination of the above. The new Optimized Hosting environment enhances that choice by providing a fast, reliable, and cost-effective way to get up and running with OpenClinica.

For more on security in OpenClinica Optimized Hosting, see Clinical Trials in the Cloud – Part II.

– Cal Collins