FDA Requests Comment on Landmark Draft Data Quality/Cybersecurity Guidance

Editor’s Note: The US Food and Drug Administration’s (FDA’s) revised draft guidance document, “Guidance for Industry: Electronic Source Data in Clinical Investigations,” is attached here. The agency’s Federal Register notice discussing the document and requesting comments by January 22, 2013, is attached here.

The draft guidance document is a landmark event in federal cybersecurity regulation since it recognizes the agency’s duty to ensure the cybersecurity of third-party data on which it relies.

The Data Quality Act (DQA) sets standards for the quality, utility, objectivity and integrity of data disseminated by federal agencies. The White House Office of Management and Budget (OMB) has defined “integrity” to refer to the cybersecurity of the data. Moreover, the DQA applies to data that agencies receive from third parties, such as private sector companies, and on which they rely in information disseminations.

The draft guidance document recognizes that the FDA needs to ensure the integrity/cybersecurity of data it receives from the public. For example, in discussing the use of electronic case report forms, the draft document states that:

Sponsors should include (e.g., in the data management plan) information about the intended use of computerized systems used during a clinical investigation. A description of the security measures employed to protect the data and a description of the flow of electronic data should be prepared.

The document also discusses the agency’s access control requirements for third-party systems used to generate electronic source data in clinical investigations:

When identification of data originators relies on log-on codes and passwords, controls must be employed to ensure the security and integrity of the authorized user names and passwords (21 CFR 11.300(a)). When electronic thumbprints or other biometric identifiers are used in place of an electronic log-on/password, controls should be designed to ensure that they cannot be used by anyone other than their original owner.

The FDA’s request for comment is thus both noteworthy and praiseworthy since it demonstrates: 1) the seriousness with which the agency takes its duties under the Data Quality Act to ensure the integrity/cybersecurity of data on which it relies; and 2) the agency’s commitment to full and open public participation in its regulatory policy development processes.

The public should expect that all federal agencies will establish formal or informal requirements for the cybersecurity of information submitted to the government.
