Data Security in Pharmaceuticals: Compliance is Key — But not Enough


It seems like we learn about a new data breach almost every day. And unfortunately for the pharmaceutical industry, it is an attractive target for fraudulent behavior.

As a professional in the pharmaceutical industry, you likely know that the typical drug costs more than $2.5 billion to develop and takes 10-15 years to bring to market. There is a particular need for pharmaceutical companies to protect drug recipes and research given the richness of their intellectual property (IP). As these organizations rely more and more on technology to conduct business, the industry has become particularly vulnerable to cybercrime.

Adding to that, there are key challenges in the pharmaceutical industry. IP and regulated data come in specialized forms. Mobile and portable devices increase the risk of casual data loss. The process of taking therapies and medicines from research through regulatory approval requires years of sharing sensitive data with physicians, clinics, regulators and partners. Drug trials gather large amounts of patient data that must be treated with great care to comply with HIPAA and other privacy regulations. Given all of these factors, data security is of the upmost importance.

From insider negligence (the leading cause of data breaches), to the absence of BYOD policies or BYOD policy implementation, to unencrypted medical devices, to inadequate security defenses, the risks are high, and the implications of cybercrime within the pharmaceutical industry go well beyond the obvious financial damage. It can also impact consumer trust in the business and the company’s reputation and overall stability.

As a pharmaceutical executive, what can you do to mitigate these risks, comply with security-related regulations and safeguard your organization’s sensitive data? Following are three best practices to consider:

1. People – Verify, verify, verify. In a pharmaceutical company, there are many people involved in the development and launch of a drug. From the employees working on each phase to the patients participating in drug trials, the amount of confidential information is massive. Adding to that complexity, employees likely use a myriad of endpoint devices in their work, including desktops, laptops, tablets and removable media. Given all of this, the need for setting who has access to what kinds of information and being able to track how and where that information is being used and shared is critical. Implementing authentication – across users, devices and the network – can help support this and bolster efforts to ensure that sensitive information does not end up in the wrong hands.

In addition, with regards to people, it’s essential that any security measures introduced take into consideration a “frictionless” user experience. If something is too hard to follow, appears cumbersome or disrupts a user’s typical workflow, it is less likely to be adopted.

2. Policy – It’s Not Set and Forget. Having the proper security policy in place with clearly outlined processes – and ensuring the policy and processes are followed – is paramount. It should take into account best practices on adoption capabilities (easy to interpret, implement and adhere to), employee education and training procedures (not just during new employee orientation but on a regular basis), and accountability measures. A good rule of thumb is to update and continually reinforce the employee code of conduct.

3. Protection – Encryption is the Foundation. There are many different ways of protecting sensitive data, but the basis of any security and data leakage protection initiative should be encryption. Pharmaceutical organizations should encrypt everything sensitive and confidential, including IP regarding what’s in a drug, drug trial information, patient details, etc.

HIPAA requires that covered entities determine if encryption is a “reasonable and appropriate” security measure to implement in their environment. If the Office for Civil Rights has a different interpretation of “reasonable and appropriate” however, serious fines could follow. Best practice is to implement encryption to significantly reduce the risk of non-compliance. Although the Security Rule provides flexibility with implementing technical safeguards, there is no flexibility when it comes to the Breach Notification Rule. If lost or stolen data is not encrypted, covered entities must notify the Department of Health and Human Services, all affected individuals and even the state and local media in some cases. However, if lost or stolen data is encrypted and the covered entity has proof (audit logs) breach notification is not necessary.

The risk of liability from a data breach is enormous, and the associated fines are becoming more and more painful. Being compliant, while clearly important, is unfortunately not enough to ensure your data is safeguarded. It takes establishing, implementing and following the right processes around people, policy AND protection to support an effective security strategy. Hackers are getting smarter every day, and the most hacked organizations are in healthcare. Don’t let your company be one of the statistics.