Given their unique access to confidential patient data, pharmaceutical companies must take extra precautions not only in protecting information but also in crafting data security compliance practices that adhere to state and federal drug regulations.
SearchCIO-Midmarket.com site editor Wendy Schuchart sat down with Nathan McBride, vice president of IT at AMAG Pharmaceuticals Inc., at the Gartner Symposium/ITxpo 2012 in Orlando, Fla., to ask about his data security compliance strategy, including whether bring your own device (BYOD) complicates the company's need for limited access to data.
Read the transcript from McBride's interview below, and watch the video to hear valuable data security compliance advice that speaks to the challenges experienced in a range of industries.
From a pharmaceuticals perspective, you must have specific security needs that maybe other verticals wouldn't have. Could you speak to that a little bit more?
Nathan McBride: Sure. Essentially, we have a lot more compliance rules around what we do with our data. Specifically, we have to deal with two main sets of compliance: One is the FDA's 21 CFR 11. That's to deal with the fact we need to be able to prove, without any doubt, that when a piece of data is generated and ultimately submitted to the FDA, that through its lifecycle it was never modified, altered, changed, improperly used or anything. To think about that in terms of scope, you have a document that may be created, ultimately submitted on paper or electronically. Wherever it may travel, we need to prove that it was there and not changed. So that's one.
The other is we have the Mass 201 compliance regulations, and this affects all companies in Massachusetts but biotech as well. This primarily has to do with employee data, protecting employee data. Now, the reason it impacts us is because we have patient data. Now this falls in between HIPAA and Mass 201. Essentially, Mass 201 dictates that if we have any employee data anywhere, whether locally hosted onsite or in the cloud, there can be no association between the employee's name and that particularly sensitive data, a social security number, for instance, home address. These things need to be disassociated. That presents a series of challenges with regards to protecting those potential systems, such as HRAS [human resource assignment system] … or patient data, which essentially means that data needs to be masked and extremely limited for access.
Does that complicate perhaps having BYOD initiatives in your company? Or prevent it?
McBride: In fact, no. It does not complicate it. We are very big on BYOD. We have been for some time. One of the points of us moving to cloud was this flexibility and mobility aspect. We wanted to empower the employee to be able to go anywhere at any time with any device and be able to access all of their data securely.
We removed the security around the corporate perimeter, and we erected perimeters around every employee. And more importantly, we erected perimeters around the data itself. So we're more ... we're not so concerned about what the employee may do on their machine. We're more concerned about where that data has originated, what they do with it once they have it. Its lifecycle ... all the way until the time it's been archived. We don't want the wrong data to get pushed out of an email, get put on a USB stick or somehow end up locally on a computer that's then lost or stolen.
For us, we have put everything, essentially, behind the browser. So regardless of what you use -- whether it's the PC we give you as an employee, the Mac that you bring in, the iPad, the name-it device, the thing at home, your Xbox, whatever it is, whatever that has a browser -- you access your data securely because every session starts from the beginning. All the way through the end are encrypted sessions in the browser.