Manage Learn to apply best practices and optimize your operations.

Information security and compliance in the life sciences, revisited

Information security and compliance have special meaning for the life sciences, given the potential for reputation harm and privacy breaches.

A while ago, I wrote a tip focusing on information security and compliance in the life sciences industry. My central point was that there are unique conditions in the life sciences industry that lead to information security practices above and beyond those expected in other fields. Those special circumstances include:

  • The nature and duration of the product development lifecycle.
  • Regulatory-mandated systems validation.
  • The privacy and continuity risks involved in dealing with human test subjects.

More on information security and compliance
Life sciences have special information security and compliance needs

Biometric security data adds layer of privacy compliance risk
I also showed the application of lessons learned in life sciences to other industries. I received some commentary on that tip from people in the life sciences industry that are insightful and worthy of further discussion; I would like to share them here.

[Note: All correspondents have requested anonymity for their companies and themselves. I know them personally, so they were able to contact me. I would welcome comment from other readers at]

Good Automated Manufacturing Practices

"You focus on 21 CFR Part 11, which is only part of the wide array of regulations and standards which apply. 21CFR11 only covers electronic records and signatures, whereas many of the challenges we face stem from computer system validation requirements that are covered in a wide array of other regulations and standards. In general, the use of Good Automated Manufacturing procedures, v5, provides the most widely used baseline of controls for this area."

This is a sage observation, and I am rightly chided on this point. Good Automated Manufacturing Practices (or GAMP) are procedures developed by the International Society for Pharmaceutical Engineering that recognize the unique aspects of manufacturing ethical pharmaceuticals. Specifically, GAMP calls for quality. Security is a part of quality, not only in finished products but also in every phase of the manufacturing process, including design, implementation, testing, etc. While GAMP is only applicable to pharmaceuticals, this is a valuable concept applicable to all industries.

Information security and compliance on medical devices

"The paper focuses on pharmaceuticals rather than medical devices, which are a much different breed of beast than pharmaceuticals."

It's true enough that not all of what I wrote applies to medical device companies, but there is a central point that I would like to stress again: When a company is dealing in the health and safety of human beings, it faces challenges that are different from those in which information security and compliance failures might be harmlessly addressed after the fact. The reputational effects of information security mishaps are significantly greater in life sciences than those that deal in numbers, services or sales.

Privacy in clinical trials

"I think you overplay the privacy issue a little bit. In general, pharmaceutical, life sciences and medical device companies do not have access to the personally identifiable information [PII] of people involved in clinical trials. By design, we try to remove all personal data in order to not compromise the experiment (e.g., blinded trials), irrespective of the privacy issues. However, one avenue that is starting to become an issue … is the ability to remove PII from material that is not structured data. For example, if you start collecting and analyzing images, blood or genetic material as part of a clinical trial, the ability to anonymize such content is difficult, if not impossible. So how do you protect such samples and the data that is generated from them?"

With respect to this correspondent's first point, I do not completely share his confidence about the unavailability of personally identifiable information in the research and testing processes. As with so much in 21st century society, much of clinical testing has been outsourced to clinical research organizations, independent laboratories and academic researchers. Moreover, many of these outsourced operations are based in countries where, to be charitable, privacy, information security and compliance practices for the life sciences are not as highly evolved as in the West. Considering the recent announcement of cyberattacks on Google and further reports of such events by at least 33 other companies, I am not sanguine about the privacy of extremely sensitive data involved in clinical trials.

As to the second point, the ability to discern PII in seemingly irrelevant information, I believe that this is a problem that will grow in a wide variety of industries and even more so across industries. I see the possibility of a lot of trouble ahead, when the vast repositories of information maintained today are combined with the Internet and the aforementioned cyberattacks. If, for example, an attacker could learn that someone bought a piano, took $10,000 from the bank and enrolled in a music school, he could zero in on an individual, his address, lifestyle or where and when he come and goes. If that person were a government official or an executive, he might be very vulnerable, indeed.

Health-related services and personal privacy

"Another privacy issue opens up as we start looking to add information services to our products. There is a lot of hype in the industry about the development of software-based coaches to assist in disease management. Two of the biggest disease management challenges are to get people to modify behavior and to stay on the drug regimen that will help their disease.

The reputational effects of information security mishaps are significantly greater in life sciences than those that deal in numbers, services or sales.
As you might imagine, having software on a mobile phone or via a cloud-based service that helps coach you on appropriate behavior and when to take your medicine opens a huge issue from a privacy perspective. The same holds true for using social networking sites to get communities of interest to develop around a disease area. How do you protect people's privacy if they engage in conversation on a site dedicated to the management of an ailment? Does participating in such a forum constitute medical PII, since there is a high likelihood that each participant has the malady being discussed? What happens from a regulatory perspective if someone makes a negative comment about a medicine in such a forum; does that trigger an adverse event reporting event? If the answer to any of these questions is yes, how do you connect with the author if you have provided anonymous access to guarantee his or her privacy? What happens if Jean Smith wants to participate in an online forum about diabetes, registers as John Doe, and then makes comments about how her/his medication is causing him/her extreme headaches, nausea and other adverse events? How would the company respond? Could someone use that to taint the reputation of a company?"

As we say in Brooklyn, "Whoo boy!" Every technological advance brings both potential and actual problems. Yes, the protection of privacy is a definite counterpoint to the protection of those who might benefit from personal disclosure. For example, stopping the spread of a disease might imperil the privacy of someone already afflicted with it. Should disclosure be the exception or the rule? I have no clear answer. I will be looking into this matter and awaiting further developments.

The original tip seemed so simple: The life sciences pose unique issues for information security, compliance and privacy. The lessons from them have wider applicability. What I have learned from the correspondence on the subject is that innovations in information technology create larger issues, which in turn manifest differently in all industries.

Steven Ros,s CISSP, CISA, MBCP, is founder and principal of Risk Masters Inc. Let us know what you think about the story; email Follow @ITCompliance for compliance news throughout the week.

Dig Deeper on Industry-specific requirements for compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.