10 ways to detect people who are a threat to your clinical trial

Flaskdata.io helps Life Science CxO teams outcompete using continuous data feeds from patients, devices and investigators mixed with a slice of patient compliance automation.

One of the great things about working with Israeli medical device vendors is the level of innovation, drive and abundance of smart people.

It’s why we get up in the morning.

There are hundreds of connected medical devices and digital therapeutics (last time I checked over 300 digital therapeutics alone).

When you have an innovative device with network connectivity, the security and privacy of your patients, the availability of your product and the integrity of the data you collect have got to be a priority.

Surprisingly, we get a range of responses from people when we talk about the importance of cyber security and privacy for clinical research.

Most get it but some don’t. The people that don’t get it seem to assume that security and privacy of patient data is someone else’s problem in clinical trials.

The people who don’t work in security assume that the field is very technical, yet really – it’s all about people. Data security breaches happen because people are greedy or careless. 100% of all software vulnerabilities are bugs, and most of those are design bugs which could have been avoided or mitigated by 2 or 3 people talking about the issues during the development process.

I’ve been talking to several of my colleagues for years about writing a book on “Security anti-design patterns” – and the time has come to start. So here we go:

Security anti-design pattern #1 – The lazy employee

Lazy employees are often misdiagnosed by security and compliance consultants as being stupid.

Before you flip the bozo bit on a site coordinator as being non-technical, consider that education and technical aptitude are not reliable indicators of dangerous employees who are a threat to the clinical trial assets.

Lazy employees may be quite smart but they’d rather rely on organizational constructs instead of actually thinking and executing and occasionally getting caught making a mistake.

I realized this while engaging with a client who has a very smart VP – he’s so smart he has succeeded in maintaining a perfect record of never actually executing anything of significant worth at his company.

As a matter of fact – the issue is not smarts but believing that organizational constructs are security countermeasures in disguise.

So – how do you detect the people (even the smart ones) who are threats to PHI, intellectual property and system availability of your EDC?

1 – Their hair is better organized than their thinking

2 – They walk around the office with a coffee cup in their hand and when they don’t, their office door is closed.

3 – They never talk to peers who challenge their thinking.   Instead they send emails with a NATO distribution list to everyone on the clinical trial operations team.

4 – They are strong on turf ownership. A good sign of turf ownership issues is when subordinates in the company have gotten into the habit of not challenging the VP coffee-cup holding person’s thinking.

5 – They are big thinkers.    They use a lot of buzz words.

6 – When an engineer challenges their GCP/regulatory/procedural/organizational constructs – the automatic answer is an angry retort “That’s not your problem”.

7 – They use a lot of buzz-words like “I need a generic data structure for my device log”.

8 – When you remind them that they already have a generic data structure for their device log and they have a wealth of tools for data mining their logs – amazing free tools like Elasticsearch and R….they go back and whine a bit more about generic data structures for device logs.

9 – They seriously think that ISO 13485 is a security countermeasure.

10 – They’d rather schedule a corrective action session 3 weeks after the serious security event instead of fixing the issue the next day and documenting the root causes and changes.

If this post pisses you off (or if you like it),  contact  me –  always interested in challenging projects with challenged people who challenge my thinking.

Temperature excursions and APIs to reduce study monitor work

I did a lot of local excursions the past 3 days – Jerusalem, Tel Aviv, Herzliya and Haifa.   For some reason, the conversations with 2 prospects had to do with refrigerators.   I do not know if this is Freudian or not, considering the hot weather of July in Israel.

The conversations about refrigerators had to do with storing drugs / investigational product at the proper temperatures.

Temperature excursion is a deviation

The great thing about not coming from the clinical trials space is that you are always learning new things.

Yesterday – I learned that a temperature excursion is a deviation from given instructions. It is defined in the WHO Model Guidance as “an excursion event in which a Time Temperature Sensitive Pharmaceutical Product (TTSPP) is exposed to temperatures outside the range(s) prescribed for storage and/or transport.”

Storing drugs at the proper temperature is part of GCP. Here is an SOP for Monitoring and Recording Refrigerator & Freezer Temperatures

1 Introduction
All refrigerators and freezers used for the storage of Investigational Medicinal Products (IMPs) must be temperature controlled, and continuously monitored and maintained within the appropriate ranges as defined by the protocol. ICH GCP Principle 2.13 states “Systems with procedures that assure the quality of every aspect of the trial should be implemented.”

Moving on:

5 Procedure
- Current maximum/minimum thermometers must be monitored as a minimum at least once on a daily basis on all working days, and recorded legibly on the temperature monitoring log.
- The digital maximum/minimum thermometer –
  □ Should be read from the outside of the refrigerator without opening the door.
  □ Have an accuracy of at least +/- 1 °C.
  □ Be able to record temperatures to one decimal place.
  □ Be supplied with a calibration certificate.
  □ Have the calibration check on an annual basis.
- Temperature logs should be kept close to the refrigerator/freezer (but not inside) to which they relate for ease of reference, and should be clearly identified as relating to that appliance.
- A separate temperature record must be kept for each fridge/freezer. (The use of whiteboards as a method of logging results is not acceptable.)
- It is good practice to record the temperature at a similar time each day e.g., first thing in the morning before the refrigerator door is opened for the first time. This will allow review of trends in results recorded; help highlight any changes in temperatures recorded and deviation in refrigerator performance.

There is a lot of manual work involved looking at refrigerators

I believe a study monitor will spend 20’/day checking logs of refrigerator temperature readings. When you add in time for data entry to the site coordinators – that’s another 20’/day and then you have to multiply by the number of sites and refrigerators.   This is only the reading temperatures and capturing data to the EDC part of the job.   Then you have to deal with queries and resolving deviations.

For something so mundane (although crucial from a medical research perspective), it’s a lot of work. The big problem with using study monitors to follow temperature excursions is that the site visits are every 1-3 months. With the spiralling costs of people, the site visits are getting less frequent.

This means that it is entirely plausible that patients are treated with improperly stored drugs and the deviation is undetected for 3 months.

Whenever I see a lot of manual work and late event detection, I see an opportunity.

It seems that there are a few vendors doing remote monitoring of refrigerators.  A Polish company from Krakow, called Efento has a complete solution for remote monitoring of refrigerators storing investigational product.  It looks like this:

 


 

What is cool (to coin a pun) about Efento is that they provide a complete solution from hardware to cloud.

The only thing missing is calling a Flask API to insert data into the eCRF for the temperature excursions.

Once we’ve got that, we have saved all of the study coordinators’ and study monitors’ time.

More importantly, we’ve automated an important piece of the compliance monitoring puzzle – ensuring that temperature excursions are detected and remediated immediately, before it’s too late.
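The detection step described above, as an added example (not Flaskdata or Efento code): it groups sensor readings into excursion events, treats a silent sensor as a finding of its own, and shapes the result as deviation records. The 2–8 °C range, the 15-minute reporting interval, the record field names and the sample readings are assumptions made for the example; posting the records is left to the real eCRF API, whose endpoint and schema are not shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed values: the real storage range comes from the study protocol,
# the real reporting interval from the sensor configuration.
LOW_C, HIGH_C = 2.0, 8.0
MAX_GAP = timedelta(minutes=15)


@dataclass
class Excursion:
    kind: str                 # "high", "low" or "gap" (sensor went silent)
    start: datetime
    end: datetime
    worst_c: Optional[float]  # reading furthest outside the range; None for a gap

    @property
    def minutes(self) -> int:
        return int((self.end - self.start).total_seconds() // 60)


def find_excursions(readings, low=LOW_C, high=HIGH_C, max_gap=MAX_GAP):
    """Group time-ordered (timestamp, temp_c) readings into excursion events."""
    events, current, prev_ts = [], None, None
    for ts, temp in readings:
        if prev_ts is not None and ts - prev_ts > max_gap:
            if current:  # close the open event: the silent period is unknown
                events.append(current)
                current = None
            events.append(Excursion("gap", prev_ts, ts, None))
        kind = "high" if temp > high else "low" if temp < low else None
        if current and current.kind != kind:
            # Back in range, or swung from one side of the range to the other.
            current.end = ts
            events.append(current)
            current = None
        if kind:
            if current is None:
                current = Excursion(kind, ts, ts, temp)
            else:
                current.end = ts
                pick = max if kind == "high" else min
                current.worst_c = pick(current.worst_c, temp)
        prev_ts = ts
    if current:
        events.append(current)  # still out of range at the last reading
    return events


def to_ecrf_records(events, site_id, appliance_id):
    """Shape events as deviation records (hypothetical field names)."""
    return [{
        "site": site_id,
        "appliance": appliance_id,
        "deviation": "monitoring_gap" if e.kind == "gap" else f"temperature_{e.kind}",
        "start": e.start.isoformat(),
        "end": e.end.isoformat(),
        "duration_min": e.minutes,
        "worst_c": e.worst_c,
    } for e in events]


def sample_readings():
    """Constructed readings: minutes after 06:00 and temperature in °C."""
    t0 = datetime(2019, 7, 1, 6, 0)
    temps = [(0, 4.5), (10, 5.0), (20, 8.6), (30, 9.4), (40, 9.1),
             (50, 7.2), (60, 5.1), (110, 4.8), (120, 1.4), (130, 3.0)]
    return [(t0 + timedelta(minutes=m), c) for m, c in temps]


if __name__ == "__main__":
    for rec in to_ecrf_records(find_excursions(sample_readings()), "site-01", "fridge-A"):
        print(rec)
```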

Doctor-Patient Communication – the key to success and the struggle to succeed.

Katherine Murphy, Chief Executive of the Patients Association London once said,

“The huge rise in complaints in relation to communication and a lack of respect are of particular concern. Patients are not receiving the compassion, dignity and respect which they deserve.”

As clinical trial technology guys, you would assume that we love code more than we love the patients and site coordinators who use our software.

I took a random sample of  home pages from 3 of our competitors – and this is what I found.   We can discuss if real-time visibility to  data is going to make the clinical operations team more effective or not – but that is a story for another post.

EMPOWER YOUR CLINICAL TRIAL EDC + ePRO and a bunch of other features to make your clinical trial successful. ( viedoc )

Oracle Health Sciences InForm. Accelerate Clinical Trial Timelines While Reducing Trial Cost and Risk.

Collect and deliver higher-quality data faster through advanced data capture and query management, real-time visibility to data, standards-based, integrated workflows, and security best practices.

Faster, smarter medical research. Castor is the end-to-end data solution, enabling researchers to easily capture and integrate data from any source on one platform. Thousands of medical device, biotech, and academic researchers around the world are using Castor EDC (Electronic Data Capture), ePRO, and eTMF to accelerate their studies.

In this article we’ll discuss the doctor-patient communications gap as a generic problem. We will briefly examine the root cause of the problem and conclude by proposing a light-weight easy-to-use Web service for sharing and private messaging with patients and physicians as a way to ameliorate the problem.

Poor patient-doctor communications as a generic problem

Doctor-Patient communication is the key to the success of a treatment plan and reduction of hospital readmission. However, doctors and nurses often fail in communicating with their patients properly.

What is the nature of poor doctor-patient communications?

Some patients say that their doctors need to polish their communication skills, although they are excellent diagnosticians.

Other patients say that their doctors know how to talk, but seem to have no time to listen.

Many patients also complain that their doctors don’t explain things in terms patients can understand. Poor communications between doctors/nurses and their patients can come at a high cost, creating misunderstandings that can  lead to malpractice suits.

In a hospital setting, we often hear that patients feel that they are not getting any useful information while the medical staff feel that they have taken the time to communicate all the data that the patients and their families need in order to understand and comply with the treatment plan.

The question is why some doctors find it hard to communicate properly and share things with their patients in a desired manner while other doctors succeed in communicating the therapeutic plan to the patient in a manner that the patient understands.

Poor physician-patient communications is rooted in cognitive and cultural gaps

Patients are the experts at their personal feelings and experiences. Physicians are the experts in the medical science. Cultural and language differences and preconceived notions about the doctor’s role only contribute to the cognitive gap between emotion and science.

Besides the cultural and cognitive gaps, high patient volume and work overload is another root contributor to poor doctor-patient communications. This generally happens in poor countries. In the third world, working over capacity is one of the biggest barriers to effective communication. Hospitals, doctors and nurses are forced to admit more and more patients and are compelled to handle more than they can manage. Under such circumstances, health professionals cannot devote enough time to their patients, let alone sit down with them in a quiet corner and explain the therapeutic plan.

Sharing and private messaging with patients  and doctors helps bridge the gaps

The solutions are out there.

In this always-on age of mobile medical devices and cloud services, both healthcare professionals and the patients have immediate access to the latest solutions that can help them communicate more effectively and efficiently. There are private social networks for healthcare that have been exclusively developed for sharing and private messaging with doctors, nurses and patients, enabling doctors and patients to interact and share where and whenever they need the interaction.

Neither the patient nor the physician need to be tied down to a proprietary healthcare provider portal.

Secure Web-based sharing and private messaging services improve the ways doctors and nurses communicate with their patients. This helps them improve the quality of service and lower operational costs, and enables doctors to treat more patients in less time and with less stress.

In summary

Poor patient-doctor communications has a number of causes and it is rooted in cultural, language and cognitive differences. Using a neutral medium such as online sharing and private messaging with patients and doctors helps bridge the gaps we discussed.

We’d love to hear what you think – please comment!

Thanks!

Urban medical legends

Because I was trained as a solid-state physicist I am skeptical of many medical claims – including the efficacy of digital health apps.  Gina Kolata wrote this post last week.  I’ll let you decide for yourself.

You might assume that standard medical advice was supported by mounds of scientific research. But researchers recently discovered that nearly 400 routine practices were flatly contradicted by studies published in leading journals.

 


What takes precedence? GCP or hospital network security?


This is a piece I wrote a while back on my medical device security blog – Cybersecurity for medical devices.

One of the biggest challenges of using connected medical devices in clinical trials is near real-world usage of devices that are not commercially-ready.

We have a couple of customers that are performing clinical trials of medical devices in the ER and ICU. The tradeoffs between cybersecurity and patient safety are not insignificant.

What takes precedence? GCP or hospital network security?

Data quality, protocol compliance and patient safety are the 3 main pillars of GCP.

What is more important – patient safety or the health of the enterprise hospital Windows network?

What is more important – writing secure code or installing an anti-virus?

In order to answer these questions, we performed a threat analysis on a medical device being studied in intensive care units. The threat analysis used the PTA (Practical Threat Analysis) methodology.

Risk analysis of a medical device

Our analysis considered threats to three assets: medical device availability, the hospital enterprise network and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures was built and implemented including the issue of propagation of viruses and malware into the hospital network (See Section III below).

Installing anti-virus software on a medical device is less effective than implementing other security countermeasures that mitigate more severe threats – ePHI leakage, software defects and USB access.

A novel benefit of our approach is derived by providing the analytical results as a standard threat model database, which can be used by medical device vendors and customers to model changes in risk profile as technology and operating environment evolve. The threat modelling software can be downloaded here.


Why Microsoft is evil for medical devices

Another hot day in paradise. Sunny and 34C.

Not a disaster but still a PITA

We just spent 2 days bug-fixing and regression-testing code that was broken by Microsoft’s June security update to Windows operating systems and Explorer 11.    Most of the customers of the FlaskData EDC, ePRO, eSource and automated detection and response platform use Chrome or Firefox on their desktops.   This was no solace to site coordinators in one of the sites using Flaskdata.  They came into work on Monday and the hospital-standard Explorer 11 no longer supported our application.

Microsoft published KB4503259 as a cumulative security update but it was much more. The update included major changes to the Explorer JavaScript engine. It’s because of delightful black swans like this that running a SaaS business is not for the faint of heart.

I once wrote an essay on my cybersecurity for medical device blog called The Microsoft Monoculture as a threat to national security.

Why Microsoft is evil for medical devices

I suggested that the FDA might consider banning Windows as an operating system platform for medical devices and their accompanying information management systems.

One of my readers took umbrage at the notion of replacing one monoculture (Microsoft) with another (Linux) by legislation, and at how the Linux geeks are hooked on the CLI just like Windows users are hooked on a GUI.

The combination of large numbers of software vulnerabilities, user lock-in created by integrating applications with Windows, complexity of Microsoft products and their code, and Microsoft predatory trade practices is diametrically different from Linux and the FOSS movement.

The biggest threat to medical devices in hospitals is old Windows versions

One of the biggest threats to medical devices in hospitals is the widespread use of USB flash disk drives and Windows notebooks to update medical device software. With the infamous Windows auto-run feature for USB drives, flash memory is an easy attack vector for propagating malware via Windows-based medical devices into a hospital network. This is one (and not the only) reason why I am campaigning against use of Windows in medical devices.

This  has nothing to do with the CLI or GUI of the operating system and personal preferences for a user interface.

This has everything to do with manufacturing secure embedded medical devices that must survive in the most demanding, heterogeneous and mission-critical environment one can imagine – a modern hospital.

I never advocated mandating Linux by law for medical devices.

It might be possible to mandate a complex set of software security requirements instead of outlawing Windows in embedded medical devices as a more politically-correct but far more costly alternative for the FDA and the US taxpayer.

Regardless of the politics involved (and they are huge…) – if the FDA were to remove Windows from an approved list of embedded medical device operating systems – the costs to the FDA would decrease since the FDA would need less Windows expertise for audits and the threat surface they would have to cover for critical events would be smaller.

How to measure clinical response in medical device clinical trials


It is 19:15 and daylight savings time.   It is too hot to go out and run or bike.  Time to write.

Today we were helping a customer with hardware issues. At the end of a long day, I started thinking that even hardware issues are valuable data to the decision-making process of measuring efficacy of treatment.

We specialise in reducing time to regulatory submission in clinical trials.  Our medtech customers use the Flaskdata.io platform to collect data from patients, devices and investigators and automate and prove efficacy of their device.  As Skolnick et al note in Compliance, Compliance, Compliance – the secrets of a successful clinical trial :

Although more commonly considered to be a phase 1 phenomenon, efficacy trials also attract professional subjects, particularly when entry criteria and endpoints are “soft,” such as trials using subjective rating scales which can be “gamed.”

Not good. How do you measure a valid clinical response? The VAS scale for pain reduction can be gamed, so is a simple measure of pain reduction sufficient? My thesis advisor in solid state physics always said that he only does simple things (simple may be a mantra that many grad students hear while they are trudging on a steep uphill slope of research).

Simple is not always sufficient

When you rely on a simple mode of clinical response you get a partial picture.

The clinical response to treatment is an important indicator of the therapeutic effect of a medtech device or drug. The value and interpretation of clinical response has to be carefully considered within the intended use by the patient.

Let’s consider a simple model of clinical response that is based on cause and effect.

- You use an electroceutical device and the pain is reduced as measured by a VAS scale.

- You stimulate the vagus nerve and the patient has a bowel movement as measured by an ePRO.

Is this sufficient? Maybe, maybe not. Did the device perform as expected? Did the patient game the treatment?

A better model of assessing clinical response

Response assessment should be combined with other indicators of the patient’s condition to contribute to the decision-making process.

We can use additional connected devices in order to measure biological response and biometrics. With additional data, we can validate patient compliance and proper operation of the device.  We can also detect and respond to patients who game the treatment.

One example that comes to mind is measuring peptide levels in saliva (which requires a lab test) or skin temperature (which can be measured directly). Another example is weight differences between the medication-compliant cohort and the placebo group. Weight loss may be an indication of medication adherence in certain treatments and it is simple to measure.

For home-use devices, we can consider proper operation of the device itself. The device should provide 3 kinds of introspection.  (Introspection means that the device tells us how it’s doing and how it was used)

1. The device should record whether or not it functioned properly when used. A simple success/fail code will do.
2. The device should record proper operation; whether or not it was used properly. A simple count of number of operations will be helpful.
3. The device should record timestamps of operation to enable comparison with timestamps in the device log. The best solution is for the device to transmit log records via an API to a secure service with its internal timestamps. The timestamps will tell us if the device is using NTS properly, or if the clock is drifting. The timestamps will also help analyze multiple activations (mistakes or professional patients gaming the treatment).

More data helps us detect and respond to patient and device compliance issues

Device introspection will reveal that the patient misused the device, or the device failed. The first case is an issue of patient compliance. The second case is an issue of the device not providing the treatment as designed.
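The three kinds of introspection above, turned into checks on the receiving service, as an added example (not code from the Flaskdata platform). The record layout, the 120-second clock tolerance, the 4-hour minimum interval between treatments and the sample log lines are assumptions made for the example.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(seconds=120)   # assumed tolerance between device and server clocks
MIN_INTERVAL = timedelta(hours=4)   # assumed protocol: at most one treatment per 4 hours

# Who has to act on each finding: the patient-compliance side or the device side.
OWNER = {
    "repeat_activation": "patient compliance",
    "device_failure": "investigational product",
    "clock_drift": "investigational product",
    "missing_records": "data integrity",
}

# Constructed sample: device,operation count,device timestamp,server receipt time,status
SAMPLE_LOG = """
D-017,41,2019-07-02T08:00:05,2019-07-02T08:00:09,OK
D-017,42,2019-07-02T12:30:00,2019-07-02T12:30:04,OK
D-017,43,2019-07-02T12:41:10,2019-07-02T12:41:15,OK
D-017,44,2019-07-02T20:00:00,2019-07-02T20:00:03,FAIL
D-017,45,2019-07-02T20:02:00,2019-07-02T20:02:03,OK
D-022,7,2019-07-02T09:00:00,2019-07-02T09:14:30,OK
D-022,9,2019-07-02T15:00:00,2019-07-02T15:14:50,OK
"""


def parse(line):
    dev, seq, device_ts, server_ts, status = line.strip().split(",")
    return {
        "device": dev,
        "seq": int(seq),
        "device_ts": datetime.fromisoformat(device_ts),
        "server_ts": datetime.fromisoformat(server_ts),
        "status": status,
    }


def review(records):
    """Return (device, seq, finding) tuples for one batch of log records."""
    findings, prev_seq, last_ok = [], {}, {}
    for r in sorted(records, key=lambda r: (r["device"], r["seq"])):
        dev = r["device"]
        # 2. Operation count: a jump means records never reached the service.
        if dev in prev_seq and r["seq"] != prev_seq[dev] + 1:
            findings.append((dev, r["seq"], "missing_records"))
        prev_seq[dev] = r["seq"]
        # 1. Success/fail code.
        if r["status"] != "OK":
            findings.append((dev, r["seq"], "device_failure"))
        else:
            # 3. Multiple activations, measured from the last *successful* use,
            #    so a retry right after a device failure is not blamed on the patient.
            if dev in last_ok and r["device_ts"] - last_ok[dev] < MIN_INTERVAL:
                findings.append((dev, r["seq"], "repeat_activation"))
            last_ok[dev] = r["device_ts"]
        # 3. Device clock against the service's own receipt time.
        if abs(r["server_ts"] - r["device_ts"]) > MAX_SKEW:
            findings.append((dev, r["seq"], "clock_drift"))
    return findings


def by_owner(findings):
    grouped = {}
    for dev, seq, code in findings:
        grouped.setdefault(OWNER[code], []).append((dev, seq))
    return grouped


if __name__ == "__main__":
    records = [parse(line) for line in SAMPLE_LOG.strip().splitlines()]
    for finding in review(records):
        print(finding)
```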

Listening to the device and to the body

The model of clinical response to treatment can be enriched with additional data sources from the device itself as well as biological response and biometrics measurements.

A richer model helps us detect and respond to patient compliance deviations.   The additional data also helps us understand if the investigational product is defective.   This is an advantage that medtech has over drugs.

 

 

Bionic M2M: Are Skin-mounted M2M devices – the future of clinical trials?

There is a lot of hype about wearables.   One of the best ways to correlate patient compliance with patient biometrics is for the patient to wear the sensor on her skin.

I started thinking about skin-mounted devices again after reading the press release about the BioSerenity Series B, so I dug up an essay I wrote 7 years ago on my security blog Cybersecurity for biomed.

BioSerenity, developer of solutions dedicated to personalized patient continuous care, raised €65 million yesterday, including €50 million in Series B equity financing led by Dassault Systèmes (who acquired Medidata for $5.8BN last week). BioSerenity makes textiles equipped with sensors for ECG and EEG.

What would happen if the personal appliance was part of the person?

In the popular American TV series that aired on ABC in the 70s, Steve Austin is the “Six million Dollar Man”, a former astronaut with bionic implants. The show and its spinoff, The Bionic Woman (Lindsay Wagner playing a former tennis player who was rebuilt with bionic parts similar to Austin after a parachuting accident) were hugely successful.

Modern M2M communication has expanded beyond a one-to-one connection and changed into a system of networks that transmits data to personal appliances using wireless data networks.

M2M networks are much much more than remote meter reading.

The fastest growing M2M segment in Germany, with an average annual growth of 47 percent, will be from consumer electronics with over 5 M2M SIM-cards. The main growth driver is “tracking and tracing”. (Research by E-Plus )

The evolution of epidermal electronics as a flexible tattoo-like place-on-the-skin device

Physiological measurement and stimulation techniques that exploit interfaces to the skin have been of interest for over 80 years, beginning in 1929 with electroencephalography from the scalp.

A new class of electronics based on transparent, flexible 50 micron silicon film laminates onto the skin with conformal contact and adhesion based on van der Waals interaction. See: Epidermal Electronics John Rogers et al. Science 2011.

This new class of device is mechanically invisible to the user, is accurate compared to traditional electrodes and has RF connectivity. The thin 50 micron film serves as temporary support for manual mounting of these systems on the skin in an overall construct that is directly analogous to that of a temporary transfer tattoo, as can be seen in the above picture.

Film mounted devices can provide high-quality signals with information on all phases of the heartbeat, EMG (muscle activity) and EEG (brain activity). Using silicon RF diodes, devices can provide short-range RF transmission at 2 GHz. Note the antenna on the device.

After mounting it onto the skin, one can wash away the PVA and peel the device back with a pair of tweezers.  When completely removed, the system collapses on itself because of its extreme deformability and skin-like physical properties.

Due to their inherent transparent, unguarded, low cost and mass-deployed nature, epidermal mounted medical devices invite new threats that are not mitigated by current security and wireless technologies.

Skin-mounted devices might also become attack vectors themselves, allowing a malicious attacker to apply a device to the spine, and deliver low-power stimuli to the spinal cord.

How do we secure epidermal electronics devices on people?

Let’s start with some definitions:

- Verification asks whether the device is built/configured for its intended use (for example, measuring EMG activity and communicating the data to an NFC (near field communications) device).

- Validation means the ability to assess the security state of the device, whether or not it has been compromised.

- RIMs (Reference Integrity Measurements) enable vendors/healthcare providers to define the desired target configurations of devices, for example, whether a device is configured for RF communications.

There are 3 key threats when it comes to epidermal electronics:

1. Physical attacks: Reflashing before application to the skin in order to modify intended use.

2. Compromise of credentials: brute force attacks as well as malicious cloning of credentials.

3. Protocol attacks against the device: MITM on first network access, DoS, remote reprogramming.

What are the security countermeasures against these threats?  We can consider a traditional IT security model and a trusted computing model.

Traditional IT security model?

Very large numbers of low-cost, distributed devices render an access-control security model inappropriate. How would a firewall on an epidermal electronics device enforce intended use, and manage access-control policies? What kind of policies would you want to manage? How would you enforce installation of the internal firewall during the manufacturing process?

Trusted computing model?

A “trusted computing model”  may be considered as an alternative security countermeasure to access control and policy management.

An entity can be “trusted” if it predictably and observably behaves in the expected manner for its intended use. But what does “intended use” mean in the case of epidermal electronics that are used for EKG, EEG and EMG measurements on people?

Can the traditional, layered, trusted computing models used in the telecommunications world be used to effectively secure cheap, low-cost, epidermal electronics devices?

In an M2M trusted computing model there are 3 methods: autonomous validation, remote validation and semi-autonomous validation. We will examine each and try and determine how effective each model is as a security countermeasure for the key threats of epidermal electronics. See: “Security and Trust for M2M Communications” – Inhyok Cha, Yogendra Shah, Andreas U. Schmidt, Andreas Leicher, Mike Meyerstein

Autonomous validation

This is essentially the trust model used for smart cards, where the result of local verification is true or false.

Autonomous validation does not depend on the patient herself or the healthcare provider. Local verification is assumed to have occurred before the skin-mounted device attempts communication or performs a measurement operation.

Autonomous validation makes 3 fundamental assumptions – all 3 are wrong in the case of epidermal electronics:

1. The local verification process is assumed to be perfectly secure since the results are not shared with anyone else, neither the patient nor the healthcare provider.

2. We assume that the device itself is completely trusted in order to enforce security policies.

3. We assume that a device failing self-verification cannot deviate from its “intended use”.

Device-based security can be broken and cheap autonomous skin-mounted devices can be manipulated – probably much easier than cell-phones since for now at least, they are much simpler. Wait until 2015 when we have dual core processors on a film.

In addition, autonomous validation does not mitigate partial compromise attacks (for example – the device continues to measure EMG activity but also delivers mild shocks to the spine).

Remote validation

Remote validation has connectivity, scalability and availability issues. It is probably a very bad idea to rely on network availability in order to remotely validate a skin-mounted epidermal electronics device.

In addition to the network and server infrastructure required to support remote validation, there would also be a huge database of RIMs, to enable vendors and healthcare providers to define the target configurations of devices.

Run-time verification is meaningless if it is not directly followed by validation, which requires frequent handshaking with central service providers, which in turn increases traffic and creates additional vulnerabilities, such as side-channel attacks.

Remote validation of personally-mounted devices compromises privacy since the configuration may be virtually unique for a particular person and interception of validation messages could reveal the identity based on location even without decrypting payloads.

Discrimination by vendors also becomes possible, as manipulation and control of the RIM databases could lock out other applications/vendors.

Semi-Autonomous Validation

Semi-autonomous validation divides verification and enforcement between the device and the healthcare provider.

In semi-autonomous validation, the device verifies itself locally and then sends the results in a network message to the healthcare provider who can decide if he needs to notify the user/patient if the device has been compromised or does not match the intended use.

Such a system needs to ensure authentication, integrity, and confidentiality of messages sent from epidermal electronics devices to the healthcare provider.

RIM certificates are a key part of semi-autonomous validation and would be signed by a trusted third party/CA.

Semi-autonomous validation also allows for more granular delegation of control to the device itself or the healthcare provider – depending on the functionality.
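The semi-autonomous exchange described above, as an added example (not code from the original post or from the paper it references): the device checks each component against a RIM certificate and sends an authenticated per-component result, and the provider decides whether to notify the patient. The keys, component names and message layout are assumptions; HMAC stands in for the CA signature and for device authentication, and confidentiality is left to the transport.

```python
import hashlib, hmac, json

# Constructed keys (assumptions). HMAC stands in for the CA signature on the
# RIM certificate and for the device's message authentication.
CA_KEY = b"constructed-ca-key"
DEVICE_KEY = b"constructed-device-key"

def tag(key, payload):
    """HMAC-SHA256 over a canonical JSON encoding of payload."""
    blob = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def issue_rim_cert(components):
    """Trusted third party: bind each component name to its reference hash."""
    rims = {n: hashlib.sha256(c).hexdigest() for n, c in components.items()}
    return {"rims": rims, "sig": tag(CA_KEY, rims)}

def device_report(components, rim_cert, nonce):
    """Device: verify locally against the RIMs, report one result per component."""
    results = {n: hashlib.sha256(c).hexdigest() == rim_cert["rims"].get(n)
               for n, c in components.items()}
    body = {"nonce": nonce, "results": results, "rim_sig": rim_cert["sig"]}
    return {"body": body, "mac": tag(DEVICE_KEY, body)}

def provider_validate(report, rim_cert, expected_nonce):
    """Provider: authenticate the report first, then decide on enforcement."""
    if not hmac.compare_digest(rim_cert["sig"], tag(CA_KEY, rim_cert["rims"])):
        return "reject: RIM certificate not signed by CA"
    if not hmac.compare_digest(report["mac"], tag(DEVICE_KEY, report["body"])):
        return "reject: report failed authentication"
    body = report["body"]
    if body["nonce"] != expected_nonce or body["rim_sig"] != rim_cert["sig"]:
        return "reject: stale or mismatched report"
    if set(body["results"]) != set(rim_cert["rims"]):
        return "reject: component list mismatch"
    failed = sorted(n for n, ok in body["results"].items() if not ok)
    return "ok" if not failed else "notify patient: " + ", ".join(failed)

if __name__ == "__main__":
    # Constructed firmware images for two components of one device.
    good = {"emg_sensor": b"emg firmware v1", "radio_stack": b"radio firmware v1"}
    cert = issue_rim_cert(good)
    print(provider_validate(device_report(good, cert, "n1"), cert, "n1"))
    # Partial compromise: the sensor still matches its RIM, one component does not.
    bad = dict(good, radio_stack=b"radio firmware v1 (modified)")
    print(provider_validate(device_report(bad, cert, "n2"), cert, "n2"))
```

The per-component result is what lets the provider see a partial compromise instead of a single pass/fail bit; the report is only as trustworthy as the code on the device that produces it.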

Summary

Epidermal electronics devices are probably going to play a big part in the future of healthcare for monitoring vital signs in a simple, cheap and non-invasive way. These are medical devices mounted directly on the skin, used today primarily for measuring vital signs, and not a Windows PC or Android smartphone that can be rebooted if there is a problem.

As their computing capabilities develop, current trusted computing/security models will be inadequate for epidermal electronics devices, and attention needs to be devoted as soon as possible to building a security model (probably semi-autonomous) that will mitigate threats from malicious attackers.

References

1. Security and Trust for M2M Communications – Inhyok Cha, Yogendra Shah, Andreas U. Schmidt, Andreas Leicher, Mike Meyerstein

2. Epidermal Electronics – John Rogers et al. Science 2011.

About flaskdata.io

We specialise in shortening time to submission for connected devices.  Our secure fast signal acquisition and automated detection and response platform can save you 6-12 months in your clinical march to market.

 

100X faster to deviation detection in medical device studies.

Automated Patient compliance deviation detection and response on the flaskdata.io platform for a connected medical device clinical trial is 100X faster than manual monitoring. Automated compliance monitoring analytics and real-time alerts let you focus your site monitoring visits on work with the PI and site coordinators to take total ownership and have the right training and tools to meet their patient recruitment and patient compliance goals.

The advantage of speaking softly

Bad feelings and lack of collaboration are a net loss for the clinical team

I started thinking about the constraints on our technology for automating patient compliance detection and response in connected medical device clinical trials.

The best technology for patient compliance automation will not help you get to FDA submission faster if the clinical operations team is dysfunctional.

Our great real-time patient compliance analytics can help a CRA whip through a site audit fast.

When the other CRA on the team is busy bad-mouthing team members and doing one-up stunts, the speed does not matter even if you suck it up and move on.  The bad feelings and lack of collaboration are a net loss.

The advantage of speaking softly

As many of you may know, I am a serious amateur musician. I play saxophones, clarinet and EWI in the JP Big Band.   (The band is appearing this Friday June 21, 2019 at 13:00 at JEMS Modiin – check out the event on Facebook over here).

Experienced wind instrument musicians know that when you play pianissimo, you can play faster. When you play softly, your intonation is better.   If you play softly with good intonation, then you can hear the other musicians in the ensemble.   When you hear the other musicians in the ensemble, then you can play better as a group.   An ensemble that plays softly with good intonation sounds better.   It sounds ‘tight’.     Playing softly with good intonation together as an ensemble, enables a wider dynamic range.   Wider dynamic range means that the entire group can be really pianissimo or totally forte-fortissimo.

The downside of being loud

On the other hand, if you play loud, you do not hear the other musicians.   Playing loud creates stress on your body and brain.  The stress wears you out and causes more stress because you are never sure you will hit that note or make that phrase.   The physical and mental stress caused by playing loud influences everyone around you, not just your own mind and body.

Let’s apply the idea of playing softly to collaborating with other people.

When you speak softly, people listen better.   You can deliver your message more effectively when people listen to you without feeling threatened.    If you speak softly with clear messages, you can hear the other people in your group.     A group that speaks softly sounds better.  It sounds ‘tight’.   A group that speaks softly can achieve a wider dynamic range of response because the group is not challenged by listening issues.

A wider dynamic range enables a group to respond faster and more effectively to problems and changes, because people are not all talking at the same time in a cacophony of sound.

The downside of being loud at work

On the other hand, if you talk loud, you do not hear other people. You only hear yourself. Talking loud creates stress on your body and brain. The stress wears you out and causes more stress because you are never sure you explained yourself properly. The physical and mental stress caused by speaking loud influences everyone around you, not just your own mind and body.

Cascade effects of speaking softly at work

Speaking softly goes beyond stress reduction and improved communications.       It enables you to build a much stronger core for the entire business / operation. Speaking softly has additional benefits:

– Makes it easier to confirm facts instead of relying on authority and loudness.
– Makes it much easier to debate evidence
– When everyone speaks softly no one is an absolute authority on anything. The boss and the newest sales person on the team have equal input.
– Speaking softly enables the team to generate multiple hypotheses
– You don’t get too attached to an idea and start yelling about how good it is because it is, after all, your idea.

Living in an ideal world where the study nurse isn’t overwhelmed by IT

Tigran examines the idea of using EDC edit checks to assure patient compliance to the protocol.

How should I assure patient compliance to the protocol in a medical device trial?

I get asked sometimes whether automated patient compliance deviation detection and response  is not overkill.

After all, all EDC systems allow comparing input to preset ranges and data types (edit checks). Why not use this, already available off the shelf functionality, to catch non-compliance? As Phileas Fogg put it: “Learn to use what you have got, and you won’t need what you have not”.

Why edit checks are not enough

There are 4 issues with using EDC edit checks to enforce patient compliance:

Individual variations

The original purpose of edit checks is to catch data entry mistakes. As they are generated automatically, they need to be robust enough not to fire indiscriminately. The effect non-compliance has on clinical data can be far less clearcut. This is especially true when taking individual variation between patients into account.

Timing

Even if we were able to reliably catch non-compliance through clinical data alone, there’s the issue of timing.

Each hour of delay between non-compliance event and a prompt to return to compliance devalues the prompt. Delays could come from a) manually entering source data into EDC, b) edit check firing in batch mode rather than during data entry, c) the time needed to process the edit checks.  What’s the benefit of being told you were not compliant one week ago?

Talk of closing the stable door after the horse has bolted…

By the time the nurse contacts the patient, the damage has already been done. No reinforcement is possible, as a patient could (theoretically) be reminded about the need to be compliant with the interval of several weeks – in which case this will serve as a token reminder, nothing more.

The study nurse may not have spare time on her hands

Let’s assume we live in an ideal world, where the study nurse isn’t overwhelmed by thousands of edit checks firing for no reason, and where data flows into EDC with no delay.

Even if this is true, there’s still the small matter of actually reaching out to the patient. When compliance reaches 90% that’s considered a good result – so in the best case scenario, the nurse would need to reach out to patients in 10% of cases. Edit checks are meant to be resolved immediately. If the EDC used fires edit checks during data entry, then the data entry process will be paralyzed. If edit checks are fired in the background, then the whole data cleaning/query resolution process would stall.

Edit checks are not an operational tool

What would happen in reality, though, is that any edit checks introduced to monitor patient compliance would be overridden by site staff, together with any legitimate edit checks designed to keep errors out. The result would be the same level of compliance and a much dirtier database. And that’s the best-case scenario; otherwise no data would be entered at all.

Tigran Arzumanov is an experienced business development/sales consultant running BD as a service, a Contract Sales Organization for Healthcare IT and Clinical development.