Electronic CRF Security Requirements

Requerimientos de seguridad de un CRD electrónico

If you need an electronic CRF software, you can contact us at info@klindat.com

Information systems security has gained enormous prominence in recent years.

The growing importance of data protection has placed cybersecurity at center stage in all industries globally.

Undoubtedly, information security also plays a central role in the field of clinical research considering that critical data such as patients’ health and genetic information are handled in this industry.

Faced with the increased risks related to cyberattacks and the severity of information losses, clinical research software vendors must ensure truly robust security measures.

More specifically, this is the case for electronic case report forms (eCRFs), which are web-based software applications used to collect, clean, and transfer data in clinical trials.

What security measures should electronic CRFs have?

In this article we will explain the essential security requirements that every eCRF must have.

Personal, unique, and non-transferable username and password

First of all, an essential security requirement in the use of electronic CRFs is that each person using the system must have a personal, unique, and non-transferable username and password.

The eCRF system must provide the personnel who have been authorized to use the platform with their personal credentials in a secure manner.

In turn, users should not share their usernames and passwords with anyone else, as these credentials are personal and non-transferable.

It is also important to note that general or impersonal usernames should not be used —for example, the name of a department or institution— as each user should correspond to a real person with their real name, surname, and e-mail address.

Access to authorized users only

Users and passwords created in an electronic CRF should be assigned only to duly authorized personnel.

A user request form signed by a person responsible for the clinical study, such as the principal investigator of the hospital, can be used to ensure that the people receiving credentials are authorized users.

Typically, each clinical site participating in a study will have two or three authorized users —e.g., investigator, study coordinator, and data manager— since in the absence of one of them, there is always someone who can be responsible for entering the data into the eCRF.

It is also important that authorized users have restricted access only to the eCRF sections or forms that are applicable to them (e.g., they will have read-only access to certain data). This is to prevent a user from being able to modify information in which they have a particular interest.

Periodic password changes

Another important security measure when using an electronic CRF is the periodic renewal of the password.

It is not advisable for a user to keep the same password for an extended period of time, as this increases the chances of the password being discovered and used by unauthorized people.

For this reason, the eCRF system itself should demand —automatically— every so often that the user changes their password, in order to minimize the risks of theft and misuse of credentials.

Password encryption

An additional element of security in an electronic CRF application is password encryption.

Encrypting user passwords means that when a password is generated, no one else —not even eCRF administrators— can see it.

This complete encryption of passwords guarantees absolute confidentiality of personal credentials and eliminates the risk of illicit disclosure of these passwords.

User lockout after failed login attempts

Like other software tools, eCRF systems must have a mechanism for blocking users when someone unsuccessfully attempts to access the platform on repeated occasions.

Repeated unsuccessful login attempts —by using incorrect usernames or passwords— may be due to an unauthorized intruder login attempt.

Typically, an electronic CRF should allow a maximum of three or four failed access attempts, and, after that, it should lock the username used, which can only be unlocked by a system administrator.

Access control system

A good eCRF must have a robust access control system.

This system consists of a module that registers all accesses and disconnections from the platform.

The access control module should record at least the user’s identification, the date and time of connection and disconnection, and the IP address from which they have accessed.

This information allows system administrators to monitor logins and logouts from the platform in order to detect any suspicious activity.

Audit trail module

The audit trail module is another fundamental element related to the security of an eCRF software.

Basically, an audit trail module is a record of each of the actions or activities performed on the various forms and fields of an electronic CRF.

A good audit trail system must be able to record who has accessed a specific form, and when, including the values entered in each field (and any subsequent modifications).

In other words, the audit trail module ensures traceability, allowing the complete reconstruction of each of the actions performed on the forms and fields of the eCRF, and generating a history of activity that can be audited.

Automatic disconnection after a period of inactivity

A real risk that arises in the use of a software application is its misuse when the user leaves the screen while it remains active and accessible.

It is not uncommon —in a hospital environment— for people using computers to have to perform several tasks at the same time —in different rooms or departments— which means that at certain times they may physically leave their computers (with the possible risk of inadvertently leaving them accessible to others).

Given this risk of access by unauthorized persons, electronic CRFs must have an automatic logout mechanism after a certain period of inactivity.

Encrypted communication between client and server

Web-based electronic CRFs use Internet communications between clients and servers.

On the one hand, the “client” refers to the user who uses a computer to access the eCRF system and enter data via a web browser.

On the other hand, the “server” refers to the eCRF system itself which is hosted on a web server.

Therefore, whenever you use the electronic CRF, a communication between client and server takes place, which must be protected against possible interceptions.

Web-based electronic CRFs use the Secure Sockets Layer (SSL) encryption protocol to preserve the security of client-server communications.

Anonymization of information in the database

Another relevant security element related to the use of electronic CRFs is the anonymization of the information in the database.

This measure prevents a piece of data from being linked to the identity of a specific patient.

The data anonymization plays an important role when exporting the information, performing statistical analyses, and drawing conclusions from the study.

Backup copies

Finally, an eCRF must have a robust backup system to ensure data recovery in the event of an unexpected major incident.

There are many threats on the Internet, and on the least expected day an attack or a loss of connectivity can occur, which can seriously threaten the eCRF’s continuity of service.

Therefore, it is vital that an eCRF has a documented and tested procedure for daily backups, including the ability to quickly restore the system in the event of a prolonged outage.

Conclusion

Information security has never been more important than it is today.

Conducting clinical trials requires the use of highly secure electronic CRFs that integrate the protective measures described in this article.

Before selecting an eCRF system, clinical trial sponsors should ensure that the chosen software includes security mechanisms that guarantee data integrity, and rapid recovery in the event of serious incidents.

Share This Post

More To Explore