In Information Security, Data Privacy, And Quality We Trust

Watch our webinar Unified Platform Defined available on-demand to learn the five pillars of a unified platform and how it solves clinical research challenges today and positions your business for the future state of trials.

This is our five-part blog series on the most important characteristics of a unified technology platform. Read about the other four characteristics in this blog series: interoperability, collaboration, single-source of truth, and scalability.

Data is one of the top assets for any company. A 2018 study conducted by the Ponemon Institute reported that the global average cost of a data breach is $3.86 million, up 6.4 percent from the year before. The report also found that the average cost of each lost or stolen record containing sensitive and confidential information rose 4.8 percent to $148.^[1]

Cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which is comprised of many companies that still rely on aging computer systems that do not use the latest security features.^[2]

We take information security, data privacy, and quality management very seriously at Medidata. Our customers trust us to protect the data that they have placed in our care and this is a key driver to ensuring world-class data protection and information security practices. With data security and privacy being critical to the success of clinical trials, we build it into every step of the Medidata Rave Clinical Cloud^TM platform - from design to APIs.

A unified clinical platform should be based on a unified data protection strategy which includes information security, data privacy, and quality functions. Together, these form the foundation of a secure, stable, and scalable cloud platform with robust data governance and an inspection-ready quality management system. At Medidata’s recently held NEXT London conference, our Global Compliance and Strategy team discussed how the integration between our Information Security, Data Privacy and Quality Management functions delivers such a unified data protection strategy for the entire Medidata platform. Watch their discussion.

Unified Information Security Protection

Medidata takes a security-by-design approach, building in controls at the design phase. We use the most advanced technologies and techniques to protect data against the newest cyber threats. Encryption, malware protection, and data loss prevention are provided at the perimeter and platform levels. Multi-factor hardened systems, along with proprietary techniques, are continually tested and validated by independent parties.

Network security is a round-the-clock priority for us. Medidata starts with border protection that includes routers and load balancers that provide high availability even during a distributed denial-of-service (DDoS) attack. Border protection is bolstered by firewalls that deny all inbound and outbound ports with no identified business purpose. Authorized data that passes through the firewall is subjected to a series of malware scanners and an intrusion detection/ prevention system. Networks are scanned frequently and undergo annual third-party assessments to identify and correct any new Internet vulnerabilities.

Application security. During application development, Medidata performs numerous internal tests. Products in development undergo rigorous security testing, including an internal hacking phase where we attempt to uncover and patch subtle issues that are detectable only through an intimate knowledge of our source code. Then we evaluate the interoperability of our products to improve their resilience.

We also submit Medidata software to third-party assessors who identify and patch any vulnerabilities that may have made it through our initial testing. We analyze vulnerabilities discovered during internal or external testing and remediate them. Our team has 90 days to resolve issues before they are elevated to the Chief Information Security Office (CISO) for review. Resolution extensions may be granted for situations when a patch isn’t available from a software manufacturer or when a repair requires extensive development and testing before the product is deployed.

Physical security. Medidata has extensive experience in designing, constructing, and operating data centers. Our physical security is military-grade, consisting of building guards, use of smart-ID badges for electronic access, video surveillance, and biometric scanners. Our data center buildings are non-descript and their locations are only disclosed on a need-to-know basis.

Unified Data Privacy Protection

As with security, we adopt a privacy-by-design philosophy. Privacy protection is built into the entire service lifecycle. From our GDPR-ready data processing exhibit to our integrated data governance program, Medidata is committed to positive accountability and oversight for stewardship of sensitive clinical trial data across our entire platform.

Medidata protects data from workstation to destination using Transport Layer Security (TLS1.2) encryption. Encryption at rest is in place across the entire environment, using Advanced Encryption Algorithm (256 bit).

Global privacy regulations vary considerably. We review the privacy policies of countries around the world and make sure our controls comply with the most restrictive standards for data transferred and stored in the U.S. We have been self-certified in the EU-US Safe Harbor program since 2011, and in 2016 we joined the replacement for Safe Harbor–Privacy Shield.

Medidata was one of the first life science companies to achieve ISO 27018 certification for protecting personally identifiable information (PII) in the cloud.

Quality Management

The third and final component of Medidata’s unified protection strategy is our inspection-ready Quality Management System. This is inclusive of policies and procedures to ensure that our software products and services are developed, implemented, and maintained in a manner that meets the needs and expectations of our clients and ensures compliance with applicable regulatory requirements. Medidata publishes a SOC2+ report that provides an independent opinion on the design and operating effectiveness of the controls that govern the Medidata Rave Clinical Cloud including, but is not limited to but is not limited) to the Quality Management System, security, IT hosting operations, software development life cycle, and data integrity (e.g. Electronic Record/Electronic Signatures..)

Click here to learn more about Medidata’s leading commitment to providing trust and transparency over data protection, security, privacy, and quality functions.

^[1]https://www.ibm.com/security/data-breach

^[2] https://www.reuters.com/article/us-cybersecurity-hospitals/your-medical-record-is-worth-more-to-hackers-than-your-credit-card-idUSKCN0HJ21I20140924