Australia’s medical research community is in limbo after a cyberattack took down the ANZ Clinical Trials Registry (ANZCTR), a central research registry whose absence has left researchers unable to complete the registration process mandatory for new trials to begin.
All users of the ANZCTR portal and its companion Australian Cancer Trials website – both run by the University of Sydney and hosted by the NHMRC Clinical Trials Centre – were affected, the university said, with contact details and passwords among the data compromised.
Clinical trials – which are required to, for example, prove the efficacy of new medications for Therapeutic Goods Administration (TGA) approval – must be registered through ANZCTR before researchers enrol their first patient, often when they apply for formal ethics approval.
Affected users were emailed regarding the 24 February breach, with the ANZCTR – which manages details of at least 26,466 clinical trials in pharmaceuticals, surgical procedures, healthcare devices, and other fields – “temporarily deactivated” on 28 February.
Although Sydney University has spun up a read-only version of ANZCTR to allow searching existing data, researchers can’t register, update or change trial details, leaving them unable to recruit participants for new trials.
“At this stage of the investigation, there is no indication that any personal health data, whether identifiable or deidentified, has been compromised,” a Sydney University spokesperson told Information Age.
“We’ve apologised to those experiencing a delay in registering or updating clinical trial information, [and] work is underway to restore both sites as quickly as possible.”
With ANZCTR now paused for over a fortnight, the organisation is redirecting “concerned” researchers to other registries in the World Health Organization (WHO) Registry Network and its International Clinical Trials Registry Platform (WHO ICTRP).
Cybercriminals hitting healthcare from all sides
The breach is a blow for the ANZCTR, which in 2007 was among the first three trial registries worldwide to be recognised by the WHO for its data content, quality, validity, accessibility, unique identification, technical capacity, and administration.
It extends a streak of attacks on Australian healthcare organisations that have compromised, among others, hospitals, private insurer Medibank, Westmead Cancer Centre, e-prescriptions provider Medisecure, pathology firm MedLab, and IVF provider Genea.
In January, the government committed $6.4 million for a healthcare cyber threat information sharing network designed as a ‘cyber neighbourhood watch’ that, it hopes, will improve collaboration across a sector heavily reliant on often-vulnerable third-party providers.
That investment won’t help ANZCTR, which has reported only that “limited personal information” of trial administrators and contacts “was compromised”, and that it advised affected parties to reset their passwords and follow a range of cyber safety precautions.
The list of recommended precautions does not mention two-factor authentication (2FA), an access control that stops a stolen password from being reused on its own – and its absence suggests that, like many healthcare firms, ANZCTR was still not using this “absolute bare minimum” security.
Although Sydney University did not elaborate on the vulnerability that allowed the site to be compromised, it “is enhancing the cyber security measures on the affected system,” the operators said, “to provide greater protection against similar incidents in the future.”
The university claims that it takes “a rigorous, standards-based approach to managing cyber security risks” but has so far made no representations about the integrity of ANZCTR’s data – a major risk for scientific research that relies on the absolute infallibility of clinical data.
Healthcare organisations still struggling with data security
Protecting sensitive data has proven challenging for healthcare organisations that often struggle to stay ahead of security threats: one audit of ten Irish clinical trial bodies, for example, found that just two had developed a preparedness plan for cyberattacks.
“Data is not the new oil, it’s the new uranium,” Christopher Neal, global chief information security officer with multinational Ramsay Health Care, told Gartner’s recent Security and Risk Management Summit: “It’s really useful [but] you don’t want to leave it laying around.”
Since an audit revealed security issues, Ramsay has spent several years strengthening data protections, including finalising a policy for retaining and deleting data once it is no longer legally required to be kept.
“We instinctively knew we had a problem with unstructured data, and knew people had spreadsheets full of patient data all over the place,” Neal said, adding that data security is now “a standing agenda [item] on every full board meeting.”
Executives, he said, are watching “how we are improving the maturity of data governance, how we are assuring ourselves, and how we give training to data stewards and data owners on what they need to be doing… [to prevent] things from going to the wrong place.”