Marcus Schembri-Wischik, head of legal – data protection & clinical operations at TauRx Pharmaceuticals, explains why safeguarding data is as important as safeguarding health. 

The one thing that’s vital to any clinical trial is the patients. No matter what disease you’re trying to fight, you need people who are brave enough to trust you with their health, their lives and, as illustrated by recent high-profile cyberattacks, their data. Without the courage and hope of our patients and their families, we would still be trying to treat Alzheimer’s disease in test tubes and lab mice.

The purpose of said clinical trials is to show that our medication is safe and effective, which means gathering a huge amount of intimate data about our patients – their health, whether they are sexually active, genetic testing, information about their race and ethnic origins, and so on. 

This is all data that none of us would want to make public if we didn’t choose to. As the person in charge of data protection at TauRx, it is my job to make sure we keep all that data safe. 


Ransomware attacks

Organisations including Marks & Spencer, the Co-op and Harrods were recently subjected to high-profile ransomware attacks, reportedly from the same hacking group. It’s a situation that M&S has said will hit profits by around £300 million – equivalent to a third of its profit.

It’s the thought of something like that happening to our data that keeps me up at night. My heart goes out to the data protection officers at organisations like Marks & Spencer, the Co-op, and West Lothian Council, whose education network was also the victim of a ransomware attack. 

So how do we safeguard our patients’ data? GDPR (General Data Protection Regulation) tells us to take technical and organisational measures. I rely on my cybersecurity colleagues for help with the technical side, but I lead the organisational response. 

We only collect data that will help us develop a potential treatment for Alzheimer’s disease. Knowing someone’s first name or home address won’t help that, but knowing their blood pressure or kidney function might. In the case of M&S, telephone numbers, home addresses and dates of birth were among the data potentially stolen in the attack, although no useable card or payment details were obtained.

We cannot leak data we don’t have, so it is only the clinicians who are overseeing the administration of our drug that know who the patient is and where they are from. That is the first step. 

In the second instance, like all good companies, we have processes and plans, risk assessments and policies. We train our staff to know what to do, but also why they do it. We train them that it’s not simply a legal obligation to follow but, ultimately, a matter of proving ourselves worthy of the trust our patients have in us.

Cyberattack simulation

It’s worth noting that staff at M&S had taken part in a cyberattack simulation last year, and according to chief executive Stuart Machin they “were able to respond quickly and take the right actions immediately”. That has undoubtedly saved them from an even worse outcome than the one experienced, one the company said will see disruption continue into July.

Lastly, we demand the companies and clinics we work with keep the same high standards we hold ourselves to. We audit, inspect, advise and encourage. Data is king. We need to keep it that way to protect ourselves and those patients brave enough to take part in our trials.

Of course, no one is perfect. A culture of blame or shame means that people don’t step up and admit that they’ve messed up. In the worst case, they try to fix things by themselves or ignore problems in the hope they’ll go away. 

In the same way that our work to treat Alzheimer’s disease is a team effort, so too is our GDPR compliance. We’re in this together, we’re doing this to keep good people safe, and we’re doing it to make the world a better place for the patients and their families who live with Alzheimer’s disease.

And that’s what gets me out of bed in the morning – regardless of how much sleep I’ve lost worrying about what could happen.