Asia Regulatory Roundup: Singapore’s HSA Apologizes After Vendor Stores Data in Vulnerable Repository

Posted 19 March 2019 | By Nick Paul Taylor 

Welcome to our Asia Regulatory Roundup, our weekly overview of the top regulatory news in Asia.
 
Singapore’s HSA Apologizes After Vendor Stores Data in Vulnerable Repository
 
Singapore’s Health Sciences Authority (HSA) has apologized to blood donors after a vendor stored their information in a vulnerable database. HSA learned the database lacked adequate safeguards from a cybersecurity expert and does not think other unauthorized people accessed the information.
 
Officials at HSA gave the vendor, Secur Solutions Group, access to registration-related information on more than 800,000 blood donors late last year for use in the updating and testing of a database. HSA gave Secur the project since the vendor was already handling online systems for registering with blood banks, making appointments and carrying out other activities related to donations.
 
The information shared by HSA included details such as the donors’ names, National Registration Identity Cards and, in some cases, their blood types, heights and weights.
 
Secur put the information into “an internet-facing server” at the start of 2019. Later, a cybersecurity expert told HSA that they were able to gain access to the information via a database client. HSA said the problem stemmed from Secur’s failure “to institute adequate safeguards to prevent unauthorized access,” adding that the vendor had acted without its knowledge or approval and against the terms of its contract with the regulatory agency.
 
HSA responded by working with Secur to disable the database and report the situation to the police. Based on the database logs, HSA thinks the foreign cybersecurity expert is the only person to access the information without permission. The expert told HSA they do not plan to disclose the contents of the database and are working with the agency to delete the information.
 
The database was secured within one hour of HSA learning of the problem from the Personal Data Protection Commission, according to The Straits Times, and there is no evidence that unscrupulous actors gained access to the information.
 
HSA’s lapse is the latest in a series of cybersecurity failings at health authorities in Singapore. Over the first few months of 2019, the Ministry of Health has revealed that personal health information on 14,200 people with HIV was leaked online. A separate issue led to 7,700 people receiving the wrong healthcare subsidies. Authorities blamed the subsidy error on a vendor, too.
 
Cybersecurity lapses are potentially particularly damaging for regulators. HSA, like all drug and device regulators, handles commercially and personally sensitive data of considerable value to hackers. The blood donor lapse does not appear to have compromised such data, but is a black mark against an agency that businesses and patients trust with highly sensitive information.
 
To ensure that HSA repays that trust by protecting the information, HSA is now stepping up “checks and monitoring” of its vendors, HSA CEO Mimi Choong wrote in a letter to blood donors.
 
HSA Notice, HSA Letter, The Straits Times
 
Australia to Accept Northern Hemisphere Safety Data From Flu Vaccine Manufacturers
 
Australia’s Therapeutic Goods Administration (TGA) plans to accept influenza vaccine data generated in the northern hemisphere in requests for enhanced safety surveillance exemptions. TGA clarified its position in a note about the planned adoption of European guidance on the oversight of seasonal flu vaccines.
 
In Europe, which brought the guidance into effect in 2014, manufacturers of seasonal flu vaccines are required to conduct enhanced safety surveillance to facilitate the timely detection of reactogenicity and other unexpected adverse immune responses. TGA plans to adopt the guidance detailing the requirements for enhanced safety surveillance, but is proposing to diverge from the European model in several areas.
 
TGA will require applications to register new seasonal influenza vaccines to include risk-management plans, including plans for enhanced safety surveillance, as happens in Europe. The agency will then evaluate the need for enhanced safety surveillance options on a case-by-case basis. Vaccines included in national safety surveillance programs, such as AusVaxSafety, are unlikely to need additional sponsor surveillance.
 
Sponsors with products that are not in such programs can share data with TGA to make their case against the need for enhanced safety surveillance. TGA will accept product-specific safety data from the northern hemisphere that show the absence of safety signals in company submissions arguing against the need for additional monitoring in Australia.
 
TGA’s willingness to waive enhanced safety surveillance requirements will rest, in part, on whether the strain has changed between the northern and southern flu seasons. The agency expects vaccine manufacturers in this situation that want to proceed without extra safety precautions to take certain actions.
 
“If there has been a strain change for a vaccine that will not be included in a national safety surveillance program in Australia and the sponsor proposes not to perform enhanced safety surveillance because of the availability of relevant product-specific safety data from the Northern Hemisphere, then this strategy should be discussed with the TGA as soon as the safety data from the Northern Hemisphere are available,” TGA wrote.
 
TGA published the note as part of a consultation on its planned adoption of 12 European guidelines. The agency is accepting feedback on the proposed adoption of the guidelines until 29 April.
 
TGA Notice
 
TGA to Continue Accepting UK Batch Certification in No-Deal Brexit Scenario
 
TGA has confirmed it will maintain the supply of medicines from the United Kingdom into Australia in the event of a no-deal Brexit. The agency will accept batch certification on Medicines and Healthcare products Regulatory Agency (MHRA) certificates to prevent the erection of barriers to importation.
 
If the UK leaves the European Union without a deal, MHRA will cease to be part of the network of regulators TGA considers to have comparable standards. However, a mutual recognition agreement between the UK and Australia signed in January means companies in both countries can continue to test and certify products before shipping them overseas.
 
The confirmation of the situation comes shortly after TGA outlined the steps it will take to ensure the uninterrupted supply of medical devices. That will necessitate legislative changes, but TGA thinks the end result will be similar to that in the drug sector, with minimal effects on supply.
 
TGA Notice
 
China Seeks Feedback on NASH Clinical Development Guidelines
 
China’s Center for Drug Evaluation (CDE) has released draft guidance on the clinical development of treatments for nonalcoholic steatohepatitis (NASH). The guidance details the endpoints and clinical trial designs sponsors should use when developing treatments for the liver disease.
 
Publication of the CDE draft comes months after the United States Food and Drug Administration (FDA) set out its position on the clinical development of NASH drugs. Notably, both documents state late Phase II trials should last 12 to 18 months, a requirement that some ongoing mid-stage studies do not meet.
 
CDE is open to the use of noninvasive biomarkers, such as imaging changes, to assess efficacy in earlier, proof-of-concept clinical trials but wants sponsors to use histological endpoints from Phase 2b onward. Both positions mirror those adopted by FDA.
 
The CDE document diverges from FDA’s guidance in other areas, though. CDE highlights endocrine, metabolic and renal adverse events as specific safety concerns for sponsors to consider. Those issues are absent from the FDA guidance, although both agencies cite concerns about links between NASH and cardiovascular and hepatic adverse events in their safety sections.
 
CDE is accepting feedback on the draft until 13 June.
 
CDE Notice (Chinese)
