Viedoc Security – Technical and Organizational Measures
Introduction to Viedoc
Viedoc™ is a web-based software application that allows clinical trial sponsors and investigative sites to easily and securely collect, validate, transmit, and analyze clinical study data. It is intuitive, user-friendly, powerful, and compliant with regulatory requirements.
Viedoc offers a fast and efficient way to handle the data processing needed for clinical trials. The only requirement is a web browser with an internet connection. Ease of use and next to no need for end-user training are key.
Application security measures
Access
Viedoc is accessed using a standard web browser. The browser must have JavaScript enabled and must allow session cookies and access to local web storage. Viedoc does not require any data to be stored on the client between sessions but, if this is allowed, makes use of a few persistent cookies to enhance the user experience. These cookies contain no personally identifiable information.
Authentication
Primary authentication is performed by a combination of user ID and password. The user chooses both components without interaction from any other party. The user ID must be unique, and the password must conform to a complexity policy. Passwords cannot be reused for a configurable number of generations (default 10) and are valid for a configurable number of days (default 90). All passwords are stored only in one-way form (salted strong hash) and are only communicated from the client to the server (thus never back to the client). All login attempts are logged, and suspicious activity generates alerts monitored by the Viedoc operations team.
In addition to this, two-factor authentication (2FA/MFA) can be enabled, in which case a one-time password is sent to the user by SMS after primary authentication. This can be enforced:
- Viedoc, version 3: (by administrator) for individual users, for all users in a study having a specific rights group, or for all users on a specific study site.
- Viedoc, version 4: (by study manager) for all users in a study; it can also be enabled by the users themselves.
The user account is locked from further login attempts:
- Viedoc, version 3: After five failed login attempts. After this, the account cannot be used until unlocked by an administrator. On accounts that are not locked, there is a feature that enables users to reset their own password using a challenge-response procedure involving email.
- Viedoc, version 4: After three failed attempts to enter a correct password. After this, the account cannot be used until unlocked by either an administrator or the user by using the self-service to reset their own password using a challenge-response procedure involving email.
- ViedocMe, version 3: The number of failed login attempts before lock is a study setting. After this, the account cannot be used until unlocked by site personnel.
- ViedocMe, version 4: After three failed login attempts. After this, the account cannot be used until unlocked by site personnel.
An authenticated session expires when the user logs out or when a timespan of user inactivity has passed, whichever occurs first. The timespan of inactivity is:
- Viedoc, version 3: 30 minutes of no user requests to the server. This includes when the browser was closed without first logging out.
- Viedoc, version 4: 20 minutes where no user activity could be detected (mouse movements/clicks, keyboard input) or if no heartbeats have been detected from the browser during the last five minutes (indicating that the browser was closed without first logging out, or that internet connectivity was lost).
Password complexity policy:
- Viedoc, version 3: Eight characters of which at least one alphabetical and one numerical.
- Viedoc, version 4: Eight characters of which at least one uppercase alphabetical, one lowercase alphabetical, one numeric, and one special character (!, @, #, $, %, ^, &, _, +, and so on).
Viedoc version 4 also supports the option of authenticating all users belonging to an email domain with Single sign-on (SSO) using SAML 2.0, which enables organizations to impose their own security standards on the platform.
Privileges
Privileges inside Viedoc are controlled using a configurable role-based permission system that supports the principle of least privilege. Users are only granted privileges to perform the actions defined for their user role in the given study.
Data isolation
Isolation of data within organizations, studies, and study sites is managed by application design. Control mechanisms to prevent data leakage also prevent Viedoc support personnel from accessing data unless explicitly invited, by a study administrator, with a role that can access data.
Data privacy
Viedoc complies with the GDPR, HIPAA, APPI, and GB/T 35273-2020 legislation. User provisioning in Viedoc 4 is opt-in at all levels, and a self-service user account decommissioning feature is available.
Data retention
Study data retention period is controlled by the customer. Until a study is disposed of, no data can be deleted but only marked as obsolete to ensure compliance with the regulatory requirements concerning traceability and audit trails.
The study disposal procedure for:
- Viedoc, version 3: Is managed by the Viedoc operations team on customer request
- Viedoc, version 4: Through a customer self-service feature that involves both the Organization manager role and the Study manager role and that includes a quarantine period before permanent removal during which the Organization manager role can revert the action.
Data correction
All data collected in the system, except for some usage data (detailed in the privacy policy) collected by automated means, can be corrected by the users through application features. The history of corrected data can be found in audit trails. If personal identifiers are entered unintentionally or in error, a selective masking filter can be applied on top of the audit trail (for roles other than regulatory inspectors) until the study is disposed of. This manages the conflict that arises in such situations between the regulatory requirement for an unalterable audit trail and privacy legislation.
Data controls
Binary uploads inside the system, where allowed through features, are scanned for malicious code inside a sandbox to prevent accidental distribution of malware through Viedoc.
Secure development
Viedoc is designed and developed in-house using a methodology derived from the risk-based approaches and documentation requirements defined by GAMP5. A secure development policy ensures that personnel are trained in secure systems development and that security controls are an integral part of the operational capabilities of Viedoc.
Third-party security review
A white-box third-party security review of the codebase and technology stack is performed on a regular basis.
Other technical and organizational measures
Management System
An integrated management system for quality and information security is implemented and includes all activities, departments, and infrastructure. The information security aspects are certified according to ISO/IEC 27001:2022.
Data transmission
To ensure authenticity, integrity, and confidentiality, all data transported over the internet is encrypted using Transport Layer Security (TLS); that is, all communication between the end user and Viedoc is encrypted in transit.
Data storage, backup, and recovery
All data is encrypted at rest and replicated to redundant storage in separate data centers at separate geographic locations. In addition, backups are made, encrypted, and transferred to a third location with cold storage. The disaster recovery point objective (RPO) is 2 hours and the disaster recovery time objective (RTO) is 24 hours. Restoration tests of cold-storage backups are automated and performed on a daily basis.
Antivirus and anti-malware
All Viedoc servers have antivirus/anti-malware protection that is monitored by the Viedoc operations team. Virus/malware signature databases are continuously kept up to date.
Network segmentation, firewalls, and anti-DDoS
All Viedoc servers are protected by network segmentation and firewalls. The endpoints are DDoS-resilient and protected by web application firewalls using stateful inspection. All traffic is logged and monitored.
SPF records are configured, DMARC reports are monitored, and all email is encrypted in transit using STARTTLS when this is supported by the remote party.
Data centers
Viedoc infrastructure is hosted in data centers with state-of-the-art surveillance and access control, redundant internet and power feeds, and protection against theft, fire, and natural disasters.
Alerts, status, and incident management
Health checks with automated operational qualification are performed every five minutes. The Viedoc operations team monitor and respond to a number of triggers to identify penetration attempts and other suspicious activity. A public status portal is available and continuously updated with the latest operational status of the systems. Incident response procedures are in place.
Vulnerability testing and penetration testing
Vulnerability scans and encryption tests are performed on a monthly basis to uncover any exposure to new threats. Extensive third-party penetration tests are performed on a recurring basis.
Disaster recovery testing
Disaster recovery testing is performed regularly to ensure that any unplanned outages will be properly handled if they should arise.