Organizations that have limited resources need to conduct clinical studies in a cost-effective but secure way. Clinical data residing in various individual databases need to be easily accessed and secured. Although widely available, digital certification, encryption, and secure web servers have not been implemented as widely, partly because of a lack of understanding of needs and concerns over issues such as cost and difficulty of implementation.
The objective of this study was to test the possibility of centralizing various databases and to demonstrate ways of offering an alternative to a large-scale comprehensive and costly commercial product, especially for simple phase I and II trials, with reasonable convenience and security.
We report a working procedure to transform and develop a standalone Access™ database into a secure Web-based information system.
For data collection and reporting purposes, we centralized several individual databases, and developed and tested a web-based secure server using self-issued digital certificates.
The system lacks audit trails. The cost of development and maintenance may hinder its wide application.
The clinical trial databases scattered in various departments of an institution could be centralized into a web-enabled secure information system. The limitations such as the lack of a calendar and audit trail can be partially addressed with additional programming. The centralized Web system may provide an alternative to a comprehensive clinical trial management system.
Fully functional databases can be expensive to either purchase or develop, which makes their use difficult or impossible for some small studies. Our group tested open-source systems such as OpenClinica (openclinica.org/), TrialDB (ycmi.med.yale.edu/trialdb), and more recently, Cancer Central Clinical Participant Registry (C3PR, //cabig.nci.nih.gov/tools/c3pr) of the Cancer Biomedical Informatics Grid™ (CaBIG) program of the National Cancer Institute (NCI). These open-source systems are less expensive than commercial systems, but a lack of customer support is a major drawback. Commercial systems such as Oracle Clinical SiteMinder™, TrialMinder™, and Velos (www.velos.com) cost more and need special programming. Implementation of these systems is time consuming and costly. They may not be suitable for small organizations with limited resources and/or with a limited number of trials, especially phase I, II, and multicenter trials.
This creates a dilemma for investigators who lack the necessary resources or who cannot justify the expense associated with the use of such databases. Under these circumstances, a common approach is to develop a series of databases, often fragmented, to accommodate the assortment of data needed for the study. Consequences may include inadequate security and difficulty in data access and data sharing across databases. Other issues derived from these databases include a lack of standard terminology and difficulties in querying, reporting, and database management.
This indicates, therefore, a need for a simple, secure, cost-effective, and easy-to-set-up system. We tested this possibility by enabling Web accessibility to a Microsoft Access™ database and applying additional security measures such as digital certifications [2–4]. The web-based trial system is important especially for multi-center trials since it allows data collection from various departments or institutions over the web. We report here a procedure to transform a standalone database into a web-enabled system with reasonable functionality, including enhanced security through digital certification, a way to authenticate both users and machines.
We installed a standalone authentication system using Microsoft Certificate Authority (CA), which is part of Windows™ 2003 server, for user identification; an Active Directory (AD) for user account management; and a Web server using Microsoft Internet Information Server (IIS) for the Web interface. The system architecture is shown in Figure 1. The certificate authority issues digital certificates to client computers, server computers, and the CA itself. An additional Remote Access Server (RAS) is implemented to allow remote access. The connection between clients and the database was created through Open Database Connectivity (ODBC). The secured connection was created by enabling Secure Socket Layer (SSL) over Hypertext Transfer Protocol (https). The detailed installation procedure is in the Appendix.
The databases are located on two Intranet servers and accessible by various departments and programs. We centralized databases by consolidating data from four individual Access™ databases on campus. As shown in Figure 1, we developed the integrated system for data collection, user authentication, server authentication, and secure network communication. To access the database, a client must have a digital identification (certificate 3), a user account, and a secure connection. The authentication server is trusted among clients and servers.
We designed the data entry gateways for various entities within the University (Figure 2), for protocol-related information (Figure 3), and for commonly used reports (Figure 4). We tried to minimize the changes needed for the interfaces within the forms. Database query and reporting over the web follow the same scheme as using the standalone Access™ database. The sample code for the programming is in the Appendix.
To set up and maintain the system, one person with a background in Computer Sciences is required on a part-time basis. The system can be an alternative for organizations that cannot afford costly commercial products such as Oracle Clinical SiteMinder™, TrialMinder™ (oracle.com), and Velos™ (velos.com) systems. The direct cost for hardware, software, and personnel is around US $56,000 based on 2008 prices, as shown in Table 1.
There is a need for a simple and easy-to-set-up system for data entry, queries, and reporting. Our data is collected from various departments or programs on the campus. Centralization of these databases offers not only Web-based data collection but also Web-based data entry, query, and reporting.
Secure connections and secure servers are widely used for sensitive network transactions. The secure connection is achieved through encryption and SSL technology. The authentication of both server and clients is achieved by applying digital certificates. The advancement of encryption and web-based technologies makes it possible to enter, retrieve, and transmit data over the Internet with reasonable security, for example in a multi-center clinical trial. The scripting language may enable these functions to collect trial data and provide a sophisticated user interface [9,10]. In our study, we have successfully applied the technology for the same purpose.
The system we developed may not need regular programming for maintenance although the constant change of data elements requires changes in data entry forms and in report designs – especially for multicenter clinical trials [11–14]. Other organizational issues such as ownership of both data and the centralized system need to be addressed during implementation.
The lack of functions such as a calendar and audit trails is the major disadvantage of using an Access™ database for clinical trials. Although not the focus of the study, these issues need to be addressed by additional software add-ins, modules, or programming. The creation of a temporary table, for example, for all changes after initial data entry, may be a partial solution to the lack of an audit trail.
The clinical trial databases scattered in various departments of an institution could be centralized into a web-enabled information system. We report an easy-to-follow procedure to transform a standalone database such as an Access™ database into a secure web-based information system. Although it has certain limitations such as the lack of a calendar and audit trail, it could function, with additional programming, as an alternative to a comprehensive clinical trial management system.
The authors would like to thank colleagues in the Biostatistics and Bioinformatics Unit for helpful discussions, Mrs Laura Gallitz for proofreading, and Drs O. Dale Williams and Alan Cantor for helpful discussions. This project has been funded in part with US federal funds from the National Cancer Institute, NIH under CA-13 148 and from the NCRR, NIH under 1UL1RR025777.
This is a technical manual for installing the AD, IIS, CA, SQL server and typical coding for ASP.
Setup procedure and settings:
We used ASP to access the data source and manually coded a password. The Web-based applets run within the HTML Web browser to connect to the database for data entry and query purposes, and the connection details are not visible to clients.
Example code within the ASP for data entry:
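|Dim Connec|
|' Open the ODBC data source with the account coded in the page|
|Set Connec = Server.CreateObject("ADODB.Connection")|
|Connec.Open "DSN=xxx;uid=yyy;password=zzz;"|
|Set rsInsertInfor = Server.CreateObject("ADODB.Recordset")|
|' Build the INSERT statement; trial_data is placed directly into the SQL text|
|sqlQuery = "INSERT INTO infor_patient (trial_infor) VALUES ('" + trial_data + "')"|
|' Run the statement on the open connection|
|rsInsertInfor.Open sqlQuery, Connec|
|' Close the connection and release the objects|
|Connec.Close|
|Set rsInsertInfor = Nothing|
|Set Connec = Nothing|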
where Dim Connec defines a variable called Connec, which holds a connection object created on the server. The data source name (DSN) is xxx, the user ID (uid) is yyy, and the user password is zzz. ‘rsInsertInfor’ is a record set that inserts data by running the query held in ‘sqlQuery’. The result is to insert into a table named ‘infor_patient’ one piece of information (trial_infor) with value = trial_data. The query statement can be extended to insert as many pieces of information, with corresponding values, into different columns of the same record (a row in a table).
For data retrieval purposes, the procedure is the same except for the SQL statement, where ‘SELECT trial_data FROM infor_patient WHERE…’ is used instead of the INSERT statement. To filter the data, a condition can be set after ‘WHERE’. The retrieved data can be presented in whatever form end users require.
A user account such as sa for administrators, or any other account, can be used to open the connection. The user account name and password plus a digital certificate must be supplied in order to connect to the database through the IIS.
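The data-entry sample above joins trial_data into the SQL string, and the Discussion notes the missing audit trail. The following added example (not the paper's code) binds the value as an ADO parameter and writes an audit row in the same transaction; the table audit_infor_patient, its columns, and the form field name are hypothetical, and the same pattern applies to later updates.

```vbscript
<%
' Added example, not the paper's code. Hypothetical names: the table
' audit_infor_patient and its columns, and the form field "trial_data".
Const adVarWChar = 202, adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128
Dim Connec, trial_data, who, certSubject

' IIS exposes the client certificate it accepted; stop if there is none.
certSubject = Left(Request.ClientCertificate("Subject"), 255)
who = Left(Request.ServerVariables("AUTH_USER"), 255)
trial_data = Trim(Request.Form("trial_data"))
If Len(certSubject) = 0 Or Len(who) = 0 Then
    Response.Status = "403 Forbidden"
    Response.End
ElseIf Len(trial_data) = 0 Or Len(trial_data) > 255 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Run one statement with every value bound as a parameter, never as SQL text.
Sub ExecParams(cn, sql, values)
    Dim cmd, i
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    For i = 0 To UBound(values)
        cmd.Parameters.Append cmd.CreateParameter("p" & i, adVarWChar, adParamInput, 255, values(i))
    Next
    cmd.Execute , , adExecuteNoRecords
End Sub

Set Connec = Server.CreateObject("ADODB.Connection")
Connec.Open "DSN=xxx;uid=yyy;password=zzz;"   ' placeholders as in the paper
Connec.BeginTrans
On Error Resume Next
ExecParams Connec, "INSERT INTO infor_patient (trial_infor) VALUES (?)", Array(trial_data)
' changed_at is assumed to default to the current time in the audit table.
If Err.Number = 0 Then ExecParams Connec, _
    "INSERT INTO audit_infor_patient (changed_by, cert_subject, new_value) VALUES (?, ?, ?)", _
    Array(who, certSubject, trial_data)
If Err.Number = 0 Then Connec.CommitTrans Else Connec.RollbackTrans
If Err.Number <> 0 Then Response.Status = "500 Internal Server Error"
On Error GoTo 0
Connec.Close
Set Connec = Nothing
%>
```

Because the data row and the audit row commit together, a record cannot be stored without a trace of who entered it and under which certificate.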
Query-based reporting can be achieved through the following code, which passes the values collected through the web interface to the variables within Access queries.
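|Option Compare Database|
|Dim macroName As String|
|Dim P1 As String|
|Dim P2 As String|
|Public Sub WebAccessHandler(macroName, P1, P2)|
|    Dim query_Num As Integer|
|    Dim query_Name As String|
|    Dim QD As QueryDef|
|    Dim old_Query As String|
|    Dim new_Query As String|
|    Dim target_1 As String|
|    Dim target_2 As String|
|    ' No date range passed from the web: run the macro as stored|
|    If IsNull(P1) Or IsNull(P2) Or P1 = "" Or P2 = "" Then|
|        DoCmd.RunMacro macroName|
|    Else|
|        ' Pick the saved query behind the requested macro.|
|        ' The Case labels are missing from the page; "<macro n>" are placeholders.|
|        Select Case macroName|
|            Case "<macro 1>": query_Name = "DQ_invesitgatorInitiated"|
|            Case "<macro 2>": query_Name = "DQ_noOFprotBYnatprotTimeWindo"|
|            Case "<macro 3>": query_Name = "DQ_noOFprotBYphaseTimeWindo"|
|            Case "<macro 4>": query_Name = "DQ_noOFprotBYprogramTimeWindo"|
|            Case "<macro 5>": query_Name = "DQ_noOFprotBYtypeTimeWindo"|
|        End Select|
|        ' Wrap the dates in Access date delimiters|
|        P1 = "#" + P1 + "#"|
|        P2 = "#" + P2 + "#"|
|        ' Parameter prompts in the saved query that the dates replace|
|        target_1 = "[start date (mm/dd/yy):]"|
|        target_2 = "[end date (mm/dd/yy):]"|
|        For Each QD In Application.DBEngine(0).Databases(0).QueryDefs|
|            If query_Name = QD.Name Then|
|                old_Query = QD.SQL|
|                new_Query = QD.SQL|
|                new_Query = Replace(new_Query, target_1, P1)|
|                new_Query = Replace(new_Query, target_2, P2)|
|                QD.SQL = new_Query      ' substitute the values from the web|
|                DoCmd.RunMacro macroName|
|                QD.SQL = old_Query      ' restore the saved query|
|            End If|
|        Next QD|
|    End If|
|End Sub|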
The arguments of the subroutine map to all variables from the web. The subroutine retrieves the macroName from the first argument and determines whether any parameter other than macroName was passed from the web. If no other variables are passed, the subroutine runs the macro named by the macroName variable; if other variables are received, the subroutine modifies the query by saving the original query and replacing the target variables with the values from the user, runs the specified macro, and restores the original query after the macro has executed.
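The handler above writes the web-supplied values into the saved query's SQL text and temporarily changes a query that every user shares. The following added example (not the paper's code) leaves the saved query untouched and passes validated dates as ADO parameters from the ASP page; the report keys and form field names are hypothetical, and it assumes the ADO provider exposes saved Access queries as procedures and that each query takes the start date before the end date.

```vbscript
<%
' Added example, not the paper's code. Hypothetical names: the report keys and
' the form fields "report", "start", "end". Query names are those on the page.
Const adDate = 7, adParamInput = 1, adCmdStoredProc = 4

' Allowlist: only these saved date-range queries can be requested from the web.
Function SavedQueryFor(reportKey)
    Select Case reportKey
        Case "nature"  : SavedQueryFor = "DQ_noOFprotBYnatprotTimeWindo"
        Case "phase"   : SavedQueryFor = "DQ_noOFprotBYphaseTimeWindo"
        Case "program" : SavedQueryFor = "DQ_noOFprotBYprogramTimeWindo"
        Case "type"    : SavedQueryFor = "DQ_noOFprotBYtypeTimeWindo"
        Case Else      : SavedQueryFor = ""
    End Select
End Function

' Returns a Recordset, or Nothing when the request is rejected.
Function RunDateRangeReport(cn, reportKey, startText, endText)
    Dim qName, cmd
    Set RunDateRangeReport = Nothing
    qName = SavedQueryFor(reportKey)
    If qName = "" Then Exit Function
    ' IsDate follows the server locale; anything that is not a date stops here.
    If Not (IsDate(startText) And IsDate(endText)) Then Exit Function
    If CDate(startText) > CDate(endText) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = qName
    ' Assumption: parameters bind by position, start date first.
    cmd.Parameters.Append cmd.CreateParameter("startDate", adDate, adParamInput, , CDate(startText))
    cmd.Parameters.Append cmd.CreateParameter("endDate", adDate, adParamInput, , CDate(endText))
    Set RunDateRangeReport = cmd.Execute
End Function

Dim cn, rs
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "DSN=xxx;uid=yyy;password=zzz;"   ' placeholders as in the paper
Set rs = RunDateRangeReport(cn, Trim(Request.Form("report")), _
    Trim(Request.Form("start")), Trim(Request.Form("end")))
If rs Is Nothing Then Response.Status = "400 Bad Request"
%>
```

Two users requesting reports at the same time no longer overwrite each other's query text, and a failed run cannot leave the saved query modified.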
Reprints and permissions: http://www.sagepub.co.uk/journalsPermissions.nav
Access™ and Windows™ are trademarks of Microsoft.