FRAMINGHAM (09/24/2003) - On May 4, 2003, a record number of digital attacks took place over the Internet. According to Mi2g Ltd., a digital risk management company, a total of 2,576 verified and successful digital attacks were waged on private, corporate, and government computers. The nature of the attacks ranged from Web site vandalism and digital broadcast interference to denial-of-service incidents. Motivated by surveillance, financial fraud, and identity theft, most such attacks focus on specific areas -- the operating system, network, database, Web server, or application.
The Internet is an increasingly hostile environment, as recent victims of Web site defacement attacks, such as The New York Times, CNN, the White House, Baltimore/Washington International Airport, and Wyeth Pharmaceuticals, will attest. These incidents didn't cause financial or personal damage; however, serious damage could have resulted if stock quotes or flight information had been changed. Last May, even the Internet Security Systems Web site was defaced. It seems as if no one is safe!
Given the frequency of Web site attacks, can data be safely stored on a server connected to the Internet? Yes, provided that the application is properly designed and the network and server properly secured. Supporting evidence comes from the OpenHack Challenge, a yearly event sponsored by eWeek, which invites hackers to break into a Microsoft or Oracle Internet-based Web application.
The most recent OpenHack contest took place in October 2002. The Microsoft application took 355,000 hits, Oracle 311,000. Both applications held up well, with no evidence of source code infringement, Web page defacement, or theft of data.
Nevertheless, pharmaceutical companies and research organizations that store clinical data in a Web-based electronic data capture (EDC) environment are concerned about data security -- as they should be. Microsoft and Oracle succeeded in protecting data because the applications, servers, and networks were properly secured. More than half of all Internet attacks succeed because of unpatched servers and server configuration errors.
Regular surveillance of the network and servers and expedited deployment of patches from software providers usually eliminate potential security problems. Microsoft's vulnerabilities can be identified using its free security baseline analyzer tool.
Internet vulnerability is also partly due to a lack of policies and standard operating procedures (SOPs) needed to protect data. According to Ernst & Young's 2002 Digital Security Overview, which surveyed 91 Fortune 500 companies, only 21 percent have formal digital security policies, while only 18 percent have "successful and complete" deployment, monitoring, and administration of those policies. And although 62 percent have secure e-mail deployed, only 24 percent are planning to do so.
Clinical data security in a Web-based EDC environment faces the additional burden of regulatory compliance (21 CFR Part 11, GCP, and HIPAA). It is essential to have security policies and SOPs that address the security of the application, network, system software, and databases. Written procedures (e.g., SOPs) must address the issue of patching servers. When a software vendor finds security vulnerability, it releases a "hot fix" to eliminate it. These hot fixes should be tested before being applied to the production server. Leaving servers unpatched increases the vulnerability of clinical data.
The Worm that Slammed the World
Shortly after the 2002 OpenHack Challenge, "SQL Slammer," a computer worm, grounded flights and prevented thousands of ATMs from working. It was one of the most damaging attacks on the Internet in recent years as networks across Asia, Europe, and America were effectively shut down. Curiously, security experts insisted that no "serious" damage was done, although the grounding of flights is hardly a trivial matter. The fact that many corporate businesses became inaccessible should be a wake-up call to everyone.
The SQL Slammer worm denies service to end-users by actively and aggressively scanning for other vulnerable Microsoft SQL servers, overloading many networks and eventually slowing down Internet traffic. Ironically, Microsoft issued a patch last summer that removed this specific weakness in SQL 2000 servers. However, due to the large number of unpatched systems, the worm spread rapidly across the Internet. The lessons that should be learned from the Slammer, and the recent Blaster, worm incidents are obvious: Be ready to take action according to SOPs, and apply a security patch to your server.
In an EDC system, the actions that authorized users can perform should be limited. Well-designed clinical trial EDC systems should have a role-based (principal investigator, clinical research associate, etc.) design with associated permissions, such as signing and printing, for each role.
To ensure privacy and additional message integrity, the EDC system should always use Secure Sockets Layer (SSL) technology to transmit data over the Internet. Use transaction management when electronic case report forms (eCRFs) are committed to the database to ensure information integrity for the database. There must be strong controls to prevent the database administrator (DBA) from altering records. Keep a permanent log of all changes to the database that the DBA cannot access. Periodically move the logs offsite. Finally, ensure that the logs cannot be accessed without the cooperation of two or more people.
Clinical data can be safely stored in a Web-based EDC system, as long as the application is properly designed, SOPs are followed, and the network and servers are configured securely.