Data security compliance a top-of-mind concern for pharmaceutical firm

Date: Jan 02, 2013

Given their unique access to confidential patient data, pharmaceutical companies must take extra precautions not only in protecting information but also in crafting data security compliance practices that adhere to state and federal drug regulations. Site editor Wendy Schuchart sat down with Nathan McBride, vice president of IT at AMAG Pharmaceuticals Inc., at the Gartner Symposium/ITxpo 2012 in Orlando, Fla., to ask about his data security compliance strategy, including whether bring your own device (BYOD) complicates the company's need for limited access to data.

Read the transcript from McBride's interview below, and watch the video to hear valuable data security compliance advice that speaks to the challenges experienced in a range of industries.

From a pharmaceuticals perspective, you must have specific security needs that maybe other verticals wouldn't have. Could you speak to that a little bit more?

Nathan McBride: Sure. Essentially, we have a lot more compliance rules around what we do with our data. Specifically, we have to deal with two main sets of compliance: One is the FDA's 21 CFR 11. That's to deal with the fact we need to be able to prove, without any doubt, that when a piece of data is generated and ultimately submitted to the FDA, that through its lifecycle it was never modified, altered, changed, improperly used or anything. To think about that in terms of scope, you have a document that may be created, ultimately submitted on paper or electronically. Wherever it may travel, we need to prove that it was there and not changed. So that's one.

The other is we have the Mass 201 compliance regulations, and this affects all companies in Massachusetts but biotech as well. This primarily has to do with employee data, protecting employee data. Now, the reason it impacts us is because we have patient data. Now this falls in between HIPAA and Mass 201. Essentially, Mass 201 dictates that if we have any employee data anywhere, whether locally hosted onsite or in the cloud, there can be no association between the employee's name and that particularly sensitive data, a social security number, for instance, home address. These things need to be disassociated. That presents a series of challenges with regards to protecting those potential systems, such as HRAS [human resource assignment system] … or patient data, which essentially means that data needs to be masked and extremely limited for access.

Does that complicate perhaps having BYOD initiatives in your company? Or prevent it?

McBride: In fact, no. It does not complicate it. We are very big on BYOD. We have been for some time. One of the points of us moving to cloud was this flexibility and mobility aspect. We wanted to empower the employee to be able to go anywhere at any time with any device and be able to access all of their data securely.

We removed the security around the corporate perimeter, and we erected perimeters around every employee. And more importantly, we erected perimeters around the data itself. So we're more ... we're not so concerned about what the employee may do on their machine. We're more concerned about where that data has originated, what they do with it once they have it. Its lifecycle ... all the way until the time it's been archived. We don't want the wrong data to get pushed out of an email, get put on a USB stick or somehow end up locally on a computer that's then lost or stolen.

For us, we have put everything, essentially, behind the browser. So regardless of what you use -- whether it's the PC we give you as an employee, the Mac that you bring in, the iPad, the name-it device, the thing at home, your Xbox, whatever it is, whatever that has a browser -- you access your data securely because every session starts from the beginning. All the way through the end are encrypted sessions in the browser.
