A question of security
Agreements for externalised and collaborative research can take a variety of structures, explains Kevin Cronin, chief commercial officer at Core Informatics: ‘Contract research organisations (CROs), small biotechs, and other niche organisations often offer defined services that pharma customers do not have available in-house. These could be anything from sample analytics, to small molecule chemistry, antibody discovery, or biologics screening in the emerging biologics space.
‘Alternatively, the sponsor company may be providing funding for, or collaborating with an academic or industrial partner that has scientific expertise in a research area relevant to a particular biological pathway or drug target. Another possibility is a true collaborative research program, through which the partners are sharing or developing IP – possibly for multiple projects.’
Whatever the relationship between parties, the major concerns about collaborations are, understandably, centred on data security, and particularly tracking sensitive data, ensuring it remains secure and that its integrity isn’t compromised. ‘It’s important that only authorised people in each partner organisation can see the data,’ Cronin continues. ‘Whenever we are involved in conversations with our clients, the topic inevitably turns to secure information exchange. Scientists commonly use email for the exchange of Word, Excel, PowerPoint and PDF documents – these methods are not secure and further lead to inconsistent sharing of information. It is hard to keep track of who has sent what data, and who has received and potentially passed on that information.’
Some organisations may choose to send or receive data in a format that summarises information to ‘play it safe’ and minimise issues with insecure transfer of information. However, summarised data often cannot be used to support decision making, Cronin suggests: ‘If scientific organisations are to derive the maximum value from their collaborations or outsourced work, they need to be able to work together across systems that provide secure data exchange, and the ability to share and analyse data directly with their partners or service providers to accelerate outcomes.’
To meet the needs of both functionality and security for externalised research, software providers have turned to the cloud. ‘Cloud-based packages offer partners a way to exchange data, through a web browser, in a secure environment,’ Cronin stresses. Core Informatics offers its own Core Collaboration solution as a cloud-based environment for partners or outsourced research and scientific service providers to share data, workflows and applications. Sited on the Amazon Web Services (AWS) cloud, Core Collaboration allows users to set up and disassemble single or multitenant deployments of the software easily and swiftly, to allow partners access to defined levels of data. Cronin adds: ‘Customers can set up the security and access levels for individuals or groups, and transfer packets of data or enforce consistent workflows and data collection procedures, as appropriate.’
Because cloud solutions for collaborative research are typically provided as software as a service (SaaS), the upfront and IT investment costs are far lower than they typically might be for an on-premises platform, even an out-of-the-box solution, Cronin points out. ‘With cloud-based software the total cost of ownership is not front and centre.’
Customers can essentially configure the required security permissions and access to functionality to fit their needs, as well as the needs of the collaborators: ‘Our cloud solutions are easily configurable without the need for custom coding. This means that we can use our marketplace of applications as building blocks for common workflows, such as high-throughput screening for biologics, or next generation sequencing, which may form part of that outsourced or collaborative work.’
Another overarching problem when externalising any research or workflow is how to align your normal working processes and protocols with those of your partner or service provider, comments Paul Denny-Gouldson, vice president for strategic solutions at IDBS: ‘It doesn’t matter whether you are big pharma wanting to outsource or collaborate using your own protocols, or if you are a CRO, CMO or platform company that needs to externalise a process. One of the major questions is, “how far can I allow my working processes to be changed to facilitate that externalised work, and what constraints do I need to put in place?”’ Ideally an organisation will have a centralised team that can deal with establishing the groundwork, legal framework, business rules and informatics infrastructure for all externalised work, Denny-Gouldson states: ‘But in reality, most pharma companies haven’t yet set up a dedicated team to centrally manage all of those processes and policies.’
The situation becomes even more complicated when you are transferring physical samples or compounds as well as packets of data: ‘Once you get into the latter stages of development or into manufacturing, then the likelihood is that an organisation will have a laboratory information management system (LIMS) in place that can track and manage samples, both within the home organisation and once they are passed out to collaborators or service providers. However, at the research or early development stage there may not be an infrastructure in place for sample management.’ Another issue is how to incorporate data coming back into an organisation, into the overall scientific discovery and development workflow. ‘Data being returned will often be in a PDF, or Word document, and so someone will have to key that data back into the company’s internal systems to make it usable. This causes delays, and opens up opportunities for manual errors and data integrity issues,’ said Denny-Gouldson.
Couple these factors with the intricacies of setting up security permissions for any sort of externalised project or workflow, and it is understandable that organisations from both sides are calling for much simpler, more streamlined software that can facilitate the process. ‘Essentially, you want to be able to have your partner, collaborator or service provider online within a day, and be able to configure your collaborative working environment and processes for sending, receiving and integrating data, metadata and collaborative processes and protocols, in both directions.’
Many software providers are therefore turning to the cloud as an enabling platform, says Denny-Gouldson, concurring with Cronin’s comments. ‘We do need to understand that cloud is not the solution, rather it is a way of enabling solutions. Cloud provides the potential to open secure lines of communication between organisations, track processes, streamline data-capture and repatriate new data back into an in-house informatics infrastructure,’ Denny-Gouldson notes. Cloud is also changing the way that scientific software is administered. ‘Gone are the days when you had to have an army of IT people behind the scenes overseeing the distribution of logins and passwords, and managing other security features. With cloud we are witnessing a more simplified working environment, in which only need-to-know data is transmitted up to the cloud for sharing with your partners.’
Importantly, security measures should be in place to prevent the transfer of data by unauthorised personnel. It all boils down to three basic levels of security, Denny-Gouldson suggests. ‘Administrators can sign people on and off the system, contributors can edit and add data, and viewers can only see data that their security level permits. As long as your policies, processes and legalities have been agreed and instigated, then it could feasibly be possible to set up a cloud infrastructure for sharing data within minutes, based on this security model.’
Cloud software is also being designed to be user friendly, removing the need for time-consuming and expensive training. And as cloud software is generally offered as a SaaS, it is often more easily deployed and configured, with the maintenance and upgrades remaining the responsibility of the vendor.
Just last month IDBS launched E-WorkBook Cloud as an enterprise, cloud-based SaaS platform that Denny-Gouldson claims is ideally positioned to assist collaborative and outsourced R&D. The platform comprises several modules to facilitate data-capture and analysis, integrated work and resource planning, sample and inventory management, and to support biology R&D and chemistry workflows: ‘The E-WorkBook Cloud environment can address all the issues associated with externalised and outsourced research. Within that cloud environment we have E-WorkBook Connect, which offers the collaborative environment. E-WorkBook Inventory allows users to create and manage information around samples, while E-WorkBook Request facilitates workflow and process tracking. It’s an enterprise-centric environment that connects data from the organisation’s firewall-protected E-WorkBook platform, into the collaborative cloud environment.’
The availability of safe environments to facilitate externalisation and collaboration is one thing, but human behaviour plays a huge role in how effective or safe those environments are, particularly with respect to data security and tracking, explains Paul Bruton, senior consultant at UK-based analytics and data science consulting firm, Tessella, which is part of engineering consultancy Altran. ‘Of course there are technical considerations when managing, formatting and transferring data outside of your firewall, but it is critical that everyone involved in a collaboration or partnership must know who owns the transferred data, who is allowed to see that data, and how that data should be transferred between partners. Accidentally sending information to the wrong client, partner or collaborator could have catastrophic consequences.’
While there have historically been concerns about putting sensitive information outside of corporate firewalls into the cloud, companies are now starting to embrace cloud solutions, Bruton points out. ‘Fears about the security of cloud as a platform for managing research data and other sensitive information are not unfounded, but we need to focus more on whether people might unwittingly give security or access keys to individuals who aren’t authorised, or whether data is being sent through insecure mechanisms.’
Work in a multi-occupancy or collaborative laboratory and the security issues become even more acute, because data may be left on screen, or be accessible in notebooks, printed reports or datasheets. Analytical results are also held in instrumentation such as mass spectrometers, and will have to be cleared from the instrument’s storage, Bruton points out. ‘The first questions that need to be asked when setting up collaborative or externalised partnerships are, “who is going to be interacting with my data? Are they researchers, managers, or administrators, for example? Who will they interact with?” And then we ask: “Where are the touch points for potential security issues?”’
It can be a good idea to offer personnel some sort of training so that they are aware of potential issues, they are confident using the informatics software, and they know how to negotiate and adhere to the security measures in place, Bruton suggests. ‘It’s particularly important to understand not just who owns the data, but who can publish it, and who can use it to make decisions.’
Collaborative software that sits in the cloud offers a very secure platform for exchanging information, Bruton states. ‘Software developers should look to meet Jericho Forum guidelines that define both the areas and the principles on which to base a de-perimeterised future, and which offer a benchmark for assessing standards for software systems and solutions. Vendors are building in flexibility and ease of configurability, so that many different types of organisations can set up and provide access to specific data collections.’
Choosing the right solution, whether cloud or on-premises, will depend on the type of information that is going to be exchanged, and how many partners there will be. And, from a utilitarian perspective, you need to ensure that data can be sent in a format that doesn’t compromise its integrity, or its utility by the recipient. When thinking about the most appropriate software to facilitate the management of externalised research, it’s important to start from a position of ‘need’, Bruton stresses. Put in place a safe, secure and easily negotiated platform that will fulfil the needs of externalised work, and the risks of accidental inappropriate human behaviour are reduced: ‘But it’s important to remember that a software solution is effectively like a manual car. It’s still the people who will be changing the gears.’