Data Security is Top of Mind for Many Organizations. Ours Too.

Data Security is Top of Mind for Many Organizations. Ours Too.

The shift to electronic medical records (EMRs) through health care has opened up possibilities for mining those data for many purposes, including clinical trial recruitment and feasibility assessments. However, as more systems access this sensitive electronic protected health information (ePHI), data security is often top of mind. 

The Deep 6 AI approach to data security

At Deep 6 AI, we take data security seriously and develop close working relationships with the security, compliance, and IT team(s) at each hospital/health care organization (HCO) that wants to deploy our technology. Before we begin implementation, we conduct extensive security reviews with the HCO’s team, which may include security assessments and questionnaires. Ultimately, we collaborate to ensure that our systems are in compliance with the HCO’s existing protocols and security measures. 

Deep 6 AI conforms to the highest standards in healthcare security. Our cloud security framework is built on standards issued by National Institutes of Standards and Technology (NIST) and International Organization for Standardization (ISO). Additionally, our systems are fully HIPAA-compliant, and we are in the process of obtaining a SOC2 Type 2 certification, which is expected to be complete in Q4 2021.

To enable our software to easily access and query EMR data in real time, we work with the hospital systems to extract the data for upload via industry-standard secure file transfer protocol (SFTP) to a Deep 6-managed Amazon Web Services (AWS) Virtual Private Cloud (VPC). AWS utilizes the most rigorous security and privacy features in the industry and supports more security standards and certifications than any other provider. VPC provides us the advanced technology, features, and multiple layers of security that AWS is known for, in an isolated network controlled by us. With AWS VPC, each organization has its own secure cloud, data do not leave that cloud server once transferred there, and data from different hospital systems do not intermingle. Our team has a recommended cloud setup that can be modified to suit each HCO’s requirements, or we can model the setup on previous HCO implementations for extracting PHI from its networks.

Following implementation, we use rigorous permissions and a built-in audit trail that captures who has accessed the data, who has changed queries, and how those queries were changed. Access to the system is managed via the HCO’s single sign-on (SSO) protocol and follows the HCO’s existing user management rules. Ultimately, the HCO controls what users are able to do within the system.

Who “owns” the ePHI? Who can access it?

Many recruitment solutions try to capitalize on and extract their own value from the patient data they mine from EMRs. Deep 6 AI’s philosophy, however, is that clinical trial sites and HCOs own their data and act as their own data brokers. Data are never moved from the AWS cloud, scraped, or resold, and no one at any other location can see the data unless the site approves.

Our software accesses the ePHI to respond to queries by sponsors, CROs, and physicians within that protected AWS environment, sharing only site-level information. For example, when a sponsor or CRO conducting a feasibility assessment queries the system to see how many patients are potentially available for their trial, the system only shows the number of patients meeting the criteria at that site. But, sponsors and CROs are not able to access the specific ePHI.

Similarly, physicians and researchers at an HCO can query the data to assess feasibility of conducting a trial at their institution or the feasibility of their own protocols, but the specific ePHI is not shared with them until a registered institutional review board (IRB) protocol number is entered in the system and validated against the database. If that physician/researcher is approved to view ePHI for that study, they’ll then be able to access it.

If a study is terminated, the IRB protocol number is no longer valid. Since a valid IRB protocol number is required to access patient data from a query, without it, ePHI is no longer accessible, although the feasibility counts can still be viewed.

“Is it secure?” is often one of the first questions we get asked. The answer, in short, is “Yes.” By working closely with the HCO’s security, compliance, and IT teams, we ensure that we integrate all of that organization’s existing security measures — and then some. Our goal is to create an implementation plan that allows organizations to feel confident, safe, and in control. 

Have questions around your specific use case?  Our team is always happy to talk through how a Deep 6 implementation could be conducted at your organization. 

To see for yourself how Deep 6 AI’s patient recruitment software can match patients to clinical trials in minutes, not months, schedule a demo today.

About The Author

Nour Malki