The media are filled with stories of popular anger towards certain industries, financial services and the life sciences industry chief among them. It seems that the national tenor as reflected in Congress is that we have given too much money to the first, and the second is charging us too much.
Security in the product lifecycle
On one level, the information security and compliance issues at life sciences companies are no different than those for other manufacturers. Products must be developed, warehoused, delivered, sold and accounted for; at any point in this chain of processes, a breach of security will have financial and operational repercussions. Whether the products in question are widgets or medicines, it would seem, the type (if not the scale) of impact will be the same, company to company.
This view, however, overlooks the unique dimensions of the life sciences industry. The companies are more than manufacturers. The big pharmaceutical companies are research and development organizations with unique ethical and regulatory requirements. They make life-saving or -enhancing goods that must be completely secure throughout their lifecycle, or human beings may suffer terrible consequences.
The reputational impact of errors is probably more extreme in pharmaceuticals than in any other industry. All industries are information-driven (or bound) today, pharmaceutical companies no less so. But the underlying meaning of much of the information -- human health -- is the spur to regulatory requirements that underlie extraordinary information security programs in this industry in particular.
Foremost is the differentiation between the systems that manage the commercial side of the business from those that drive the research and manufacturing aspects of pharmaceuticals. The latter are referred to as validated systems. In the United States, the Food and Drug Administration (FDA) has set certain rules for information security and control of systems designated as validated in regulation 21 CFR Part 11. In summary, it calls for "Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify or delete electronic records."
In both theory and practice, this requires mechanisms to control who can and cannot see certain records, electronic notification, date and time stamp of applied signatures, and an established audit trail for these highly sensitive systems. The effect is to raise compliance with information security requirements to the level of strategic necessity for the ongoing activities of the drug companies.
On top of the regulations of the FDA, these companies face compliance with the dictates and guidelines of the U.S. Department of Health and Human Services, Office of Inspector General, the Securities and Exchange Commission, the Department of Justice, the European Medicines Agency, the Japanese Ministry of Health and numerous other regulatory agencies. Moreover, the accelerating global regulatory activity regarding consumer privacy and the inappropriate exposure of consumer information necessarily draws attention to pharmaceutical manufacturers (especially the so-called Big Pharma) more than others.
Product development information risks
It is important to understand the extraordinarily long and costly product development cycle for ethical drugs that adds extra risk for these companies. The process begins with basic biochemical research to identify compounds that might be useful for solving a health challenge, safely and effectively. At this point, the information is both sensitive, in the sense that it has health implications, and secret because of the enormous commercial possibilities for an as-yet-unpatented formula. The challenge of protecting this information is exacerbated by turnover within the industry. Biochemists and pharmacists move from company to company, taking their knowledge with them, sometimes in their heads but sometimes on flash drives and CDs. The economic impact of data leakage is particularly strong at this point.
Here, the pharmaceutical manufacturers face a new set of regulatory requirements in the form of the Health Insurance Portability and Accountability Act in the United States, the European Union Privacy Directive and associated laws. Keeping in mind that all the information passes through not only the company but also numerous contract research organizations, academics and statisticians, the possibility of a privacy breach is a widespread risk, especially as the test results are transmitted globally.
For regulatory approval, the manufacturers must show a complete chain of research results over time. If there were to be data loss, no matter the cause, the results could be disastrous for the company. Once a product has been submitted for patent, it has only a limited time in which to market it on an exclusive basis before patent rights expire. The first part of that period is consumed by clinical trials that may last for years, even a decade, before the drug can be brought to market. Should the data be noncontinuous, the trial may have to be repeated at the cost of lost time -- and money.
Lessons applicable to other industries
Pharmaceutical companies are not the only ones worried about data leakage prevention, privacy, business continuity and regulatory compliance. But the scale of their information security needs and the very visible results of failures put these companies on a higher plane, in which security is a strategic imperative for the success of the company. Those in other industries might benefit from their experience:
- Intellectual property has to be protected over a very long period, in the face of numerous inadvertent errors and malicious attacks.
- Security processes must be developed not only for the company's employees but also with a wide range of third parties -- researchers, distributors, test subjects -- in mind.
- Control rationalization satisfies many compliance needs with a single set of controls -- but it's a difficult feat, with many overlapping and occasionally contradictory regulatory requirements.
- The security needs of different aspects of a business, from research through manufacturing, sales and accounting are different but must be implemented in a complementary fashion.
- Someone in senior management, generically referred to as a chief risk officer, must be in a position to make tough decisions as to what are acceptable risks and how much must be invested to mitigate the unacceptable ones.
Steven J. Ross, CISSP, CISA, MBCP, is founder and principal of Risk Masters Inc. Let us know what you think about the story: email firstname.lastname@example.org.