Flashcards covering clinical research fundamentals, HIPAA and 21 CFR Part 11 compliance, secure engineering, and AI-first development principles.
GCP (ICH-GCP E6)
An international ethical and scientific quality standard for designing, conducting, recording, and reporting clinical trials to protect subject rights and ensure data credibility.
Phase I
A sequential stage of clinical testing focused on safety and dosage in a small group, often healthy volunteers.
Phase II
A clinical trial stage focusing on early efficacy and side effects in patients.
Phase III
The pivotal stage of a trial before approval, intended to confirm efficacy and monitor adverse reactions in a large patient population.
Phase IV
Clinical trials conducted for long-term safety monitoring after a drug is already on the market.
CTMS
Clinical Trial Management System; the system of record for operations including site management, monitoring visits, and milestones.
EDC
Electronic Data Capture; a system used to capture and manage clinical trial data electronically through Case Report Forms (CRFs).
eSource
Original data captured electronically at the point of care, meaning there is no prior paper source.
eISF
Electronic Investigator Site File; the digital platform for storing a research site’s essential documents.
Sponsor
The entity that owns the investigational product and funds the clinical trial.
CRO
Contract Research Organization; an organization that performs trial activities outsourced to it by the sponsor.
SMO
Site Management Organization; an organization that provides management and operational support across multiple research sites.
Informed Consent
An ongoing process where a subject voluntarily agrees to participate in a study after being fully informed; it must be documented before any study-specific procedures occur.
Randomization
The process of assigning subjects to treatment arms by chance to reduce selection bias and balance confounders.
SDV
Source Data Verification; the process of comparing data in the EDC/CRF against original source documents to catch transcription errors.
IRB / IEC
Institutional Review Board / Independent Ethics Committee; a body that protects the rights, safety, and well-being of trial subjects by reviewing protocols and consent forms.
SAE
Serious Adverse Event; an event that results in death, is life-threatening, requires hospitalization, or causes significant disability or congenital anomaly.
Protocol Amendment
A change to the trial's master plan that generally requires IRB/IEC review and regulatory/sponsor approval before implementation.
PHI
Protected Health Information; health information tied to an identifiable individual, characterized as an identifier combined with health info.
Minimum Necessary
A HIPAA principle requiring that only the minimum PHI needed to do a task is used or disclosed.
BAA
Business Associate Agreement; a contract required when a vendor or subcontractor handles PHI on behalf of a covered entity.
Breach Notification Rule
A regulation requiring that breaches affecting 500+ individuals be reported to HHS within 60 days of discovery.
Safe Harbor Method
A method of de-identification that involves removing 18 specified categories of identifiers.
Audit Trail
A computer-generated, time-stamped, and tamper-evident log that records who performed what action and when in a regulated system.
CSV
Computer System Validation; documented evidence proving a system consistently performs its intended function.
ALCOA+
A data integrity acronym standing for Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available.
GxP
An umbrella term for 'Good Practice' guidelines, including GCP (Clinical), GMP (Manufacturing), and GLP (Laboratory).
SQL Injection (SQLi)
A vulnerability where untrusted input is interpreted as part of a database query and executed; the best defense is using parameterized queries or prepared statements.
IDOR / Broken Access Control
A vulnerability where users reach data or actions they should not, such as changing an ID in a URL to read another user's records.
XSS
Cross-Site Scripting; injecting scripts into pages viewed by others, mitigated by output encoding and Content Security Policy (CSP).
Encryption in Transit
The protection of data moving between client and server, requiring TLS 1.2 or higher for PHI.
Encryption at Rest
The protection of stored data, with AES-256 being the recommended standard.
AuthN vs. AuthZ
Authentication verifies identity ('who are you?'), while Authorization verifies permissions ('what are you allowed to do?').
Secure SDLC
A development lifecycle that integrates security practices like threat modeling and code review from the beginning ('shift-left').
Spec-Driven Development
An AI-first practice of leading with a clear specification (goals, constraints, criteria) before letting an agent implement code.
MCP
Model Context Protocol; a standard interface through which an agent's tools reach real systems such as repositories, databases, and APIs.