Is our data safe in the cloud? Part 2 of key questions to ask an eClinical SaaS Vendor.

In this second part of the series on “Key Questions to Ask an eClinical SaaS Vendor” we will tackle data security. 

When providing sensitive data to applications that live “in the cloud”, as most Software-as-a-Service (SaaS) products do, security is often a top concern.  While the topic of data security can be vast and complicated, we will break it down to a few key elements for you to consider when choosing a CTMS from an eClinical SasS vendor.

Let’s review a typical scenario:

  • You and your team, the end users, access the SaaS-based application via your web browser and Internet connection.
  • You must have a valid account and valid login credentials, and your account has certain privileges within the application.
  • The SaaS application is software that is running on one or more remote servers that are connected to the public Internet, that is, “the cloud”.   Therefore, the data you provide to the application is also living on one or more remote servers in “the cloud”.
  • The remote servers reside in one or more highly secure data centers, which are specialized facilities with environmental controls, limited physical access and solid Internet connectivity. 
  • The servers and data center may or may not be owned by the SaaS application vendor.  It is common for vendors to rent dedicated server resources and data/or data center space from service providers who specialize in data security.  SaaS applications and data can be securely and effectively managed without ever touching the physical servers.  There are pros and cons to both owning and renting the data center and servers.

How important is data security?  Clearly, security is very important for eClinical applications that contain sensitive data.  But let’s play devil’s advocate for a moment.  Have you ever sent sensitive information or a confidential file attachment over email, particularly to someone outside your organization?  Most of us have.  Email is a very convenient form of communication and file transfer, but is not secure.  Once that email gets out of you secure internal network, there are many ways in which your content or attachments can fall into the wrong hands.  So just keep in mind that when questioning your SaaS vendor about security, that the day-to-day actions of your team also play a vital role in data security.

There are five key areas to consider, and we will touch on five key questions in each area.

Physical Security

Consider who can enter the data center and touch the servers that contain your data, as well as the precautions to keep the servers running in case of power outage or natural disaster. Questions to ask:

  1. Where is the data center located, and who manages it?
  2. How is physical access to the data center controlled, monitored, logged and audited?
  3. Is there redundancy (i.e. backup) in the critical systems, such as power and networking?
  4. What environmental safeguards and disaster prevention measures are in place?  Typical measures include climate and temperature controls, fire detection and suppression, etc.
  5. Is media (e.g. hard drives, tape backups) sanitized prior to being reused, so any sensitive data remaining on that media is obliterated?

Server security

Consider who has the “system administrator” rights to access the server operating system and files, and what precautions are in place to keep hackers out.  This is different from Physical Security, because you do not need physical access to a server in order to access or download files or data stored on the server.  Questions to ask:

  1. Is the server dedicated to my organization (“single-tenancy”), or are multiple customers co-mingled on the same servers and database (“multi-tenancy”)?  Multi-tenancy models are typically more cost effective, but extra measures should be taken to ensure that one client does not gain access to another client's sensitive data (either unintentionally, or maliciously).
  2. Who has access to the application and database servers, and what authentication methods are used (passwords, digital keys, etc.)?
  3. What policies are in place for hiring, training and termination of personnel who have access to sensitive client data?
  4. How are the servers locked-down (“hardened”) to avoid unauthorized access, and how do you keep security patches and updates current?  A “hardened” server is securely configured by removing un-needed files and disabling services that are not being used.
  5. Is customer data ever stored in a non-secured location, or transferred over an un-secured connection?

Application Security

Consider who can access the application, how are they authenticated and what measures are in place to keep unauthorized users out of the system.  Here we will assume the application is a “closed system” such that user accounts are controlled and login credentials are required to access the application.  Questions to ask:

  1. Does the application meet web standards, that is, does it run on all common browsers and platforms (PC and Mac) with no additional downloads or plug-ins needed?  Standard web solutions are most likely to leverage the standard browser security features, which is a good thing. Plug-ins or required downloads should be more heavily scrutinized, as they may have broader security repercussions.  
  2. Are “strong password” practices enforced, such as password length, composition and expiration rules? Be sure that user passwords are not sent via email or logged.
  3. Is the application built on an industry-standard platform that continues to evolve to meet and overcome potential security threats?
  4. Are secure connections from your browser to the server enforced (such as “https” which typically displays a padlock icon on your browser)?  If not, you are at particular risk when using public wi-fi, where passwords and data may be visible to malicious users on that network.
  5. Is there a controlled process for opening, maintaining, auditing and closing user accounts?  You should ensure there is a clear process for revoking access to a user that quits or is terminated.

Application Roles and Privileges

Consider, for those who have access to the application, how the application restricts access to various data sets or modules, including restriction on what data is viewable and/or editable.  Questions to ask:

  1. Is role-based access supported, and do the user groups make sense to your organization?
  2. Do the user groups support appropriate access for both internal and external (e.g. vendor team or service provider) users?
  3. If your application is geographically-based, can the application restrict user access to specific countries, regions or sites?  Perhaps you have a vendor covering a specific country or region, and you want access for that vendor to be restricted to those countries.
  4. If your application includes blinded or masked data, do the user groups allow both blinded and unblinded access within the same system while keeping unblinded data hidden from blinded users?
  5. Can the roles be customized to fit your team, organization and/or clinical studies?

General Security Practices

Consider some general security practices which span the areas covered above.  Questions to ask:

  1. How are security incidents detected, handled and reported (e.g. unauthorized access to sensitive data)?  Can you expect to receive a call from your vendor if a security incident occurs?
  2. Does the vendor audit their security features and policies on a regular basis?  This may include review, re-assessment, updates and enforcement checks on all SOPs and/or security policy.
  3. Does the application support any regulatory standards, such as 21 CFR Part 11?
  4. Does the vendor have a designated security lead (responsible for defining, documenting and enforcing policy), and if so, can you contact that person with questions or concerns?
  5. What is the frequency of application releases, updates and patches?  If you want a SaaS application that continues to innovate and evolve, as well as a vendor who can respond quickly to application issues (security-related or otherwise), then look for a frequent release schedule (e.g. monthly).

Since each organization has different requirements and priorities, there is no set of “right” answers to these questions.  Asking these questions will help you assess a general “security profile” for a vendor, and allow you to weigh that against your other considerations, such as convenience and cost.

In the next post of this series, on data backup and recovery, we will touch on additional aspects of data security, like securing archived data on laptops and removable media.  

At Trial By Fire Solutions, we pride ourselves on offering a secure, affordable, SaaS-based Clinical Trial Management System (CTMS).  For a product demo, or to find out more, please contact us.  As always, we welcome your feedback.