Pharma’s Critical Data is Under Siege

The pharmaceutical industry does not only have to worry about bad actors targeting their data. They also must meet the requirements of numerous compliance frameworks throughout their development, testing, and production phases. Many of these frameworks focus on personal privacy, which is especially important considering the sensitive nature of the data gathered.

Some of the most common compliance frameworks that pharmaceuticals need to consider are:

HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) explicitly targets the PII of patients or study subjects. PII is very prevalent in research data and clinical trials where human subjects are involved. Protecting this data is crucial as breaches result in hefty fines like the $16 million Anthem health assessed in 2018 by the Office of Civil Rights (OCR), which oversees HIPAA enforcement. In addition, the OCR can mandate corrective action plans — assessment and implementation of prescribed controls to bring the organization up to HIPAA standards— that are costly and bound by strict timelines.

GDPR – The General Data Protection Regulation (GDPR) is a European privacy law that gives power to consumers over how their data is gathered, retained, and used. It requires that organizations explain to the consumer what information is retained or shared with third parties and offer a way to opt-out. While this regulation only applies to European citizens and residents, it is essential to determine whether researchers, trial patients, or other entities — anyone on which the company collects data — fall into this category. Failure to adhere to GDPR comes with major fines up to $24.1 Million or 4% of annual gross revenue, whichever is higher.

CCPA – The California Consumer Privacy Act (CCPA) is similar to GDPR. It allows consumers greater visibility and control into how their data is being gathered and managed, but it applies directly to citizens and residents of California. For any company researching in the US, this act is likely to apply. While its fines are less impactful than GDPR, they still impose a $2500 fine for every unintentional violation and $7500 for every intentional violation. When any breach can contain thousands or millions of records, these fines quickly scale as a violation can be assessed per record.

SOX – Congress created the Sarbanes Oxley Act (SOX) to help combat financial fraud and misrepresentation. This act applies to all publicly traded companies in the US and contains numerous business requirements such as data access, information security, data backups, and change management. Failing to protect organizational digital assets adequately can result in fines of up to $5 million and 20 years in prison for CEOs and CFOs.

CGMP – Current Good Manufacturing Practice (CGMP) is FDA guidance directed toward manufacturing in the pharma industry to ensure every batch of medicine meets quality standards and is safe and effective. This guidance outlines specific guidelines for handling and protecting data to maintain accuracy, integrity, and confidentiality. Failure to comply with these standards can lead to seizures and injunctions as well as possible criminal prosecution for those involved.

GDocP – Good Documentation Practices covers methods for recording, correcting, and managing data and documents. It is a crucial component of GMP (Good Manufacturing Practices) and is included in GxP, an umbrella of ‘Good Practices.’ These practices include Documentation (GDocP), Distribution (GDP), Clinical (GCP), and Laboratory (GLP). For Pharma and MedTech, managing data and documents is vital for the safe development of potentially lethal products. It provides traceability and accountability of goods and products to monitor and guarantee quality.

One key tenant of innovation is sharing data, especially in the healthcare and pharmaceutical industries. Even though it would help patients and drive revenue, many pharmaceutical businesses are hesitant to share data due to concerns about the risks that sharing data exposes. Sharing data can knock pharmaceutical companies out of compliance with a broad array of data privacy regulations, provide competitors with valuable insights, and increase the likelihood of data theft or loss.

As such, many businesses are overprotective of their data which slows down innovation. Efforts to protect data often include data consolidation with minimal access. While these millions of data records could greatly benefit the use of machine learning in developing new treatments, access limited by these overzealous controls inhibits visibility and contextual analysis, which impedes the machine’s ability to gain comprehensive insights. Concerns about the risk of exposure and the lack of data sharing make it easy for organizations to meet compliance regulations but hinder the development of new treatments.

Traditional encryption as a solution for maintaining privacy and limiting access to data often only contributes to the slowdown. Many existing encryption solutions aren’t scalable, are database-specific, and thus limit the ability to leverage cloud or distributed infrastructure in ways commonly used in other industries. In addition, field-level encryption —required for many compliance frameworks — makes searching data slower as many existing solutions decrypt field by field to see if it matches the search string. This creates a performance bottleneck, making most implementations of this solution impractical.

When data is the cyber criminals’ primary target and the focus of most compliance requirements, then a security program centered around that data makes sense. By applying the principle of least privilege to the data, you ensure compliance with several privacy regulations and protect the confidentiality of the individual’s information. Preventing unauthorized changes guarantees the data’s integrity which is vital for accurate treatment or research results. But confidentiality and integrity shouldn’t prevent those who need this information from accessing it reasonably. In the same respect, the availability of the data should never risk either its confidentiality or its integrity. Maintaining the confidentiality, integrity, and availability of the data is known as the CIA triad and forms the foundation of a mature information security program.

Encryption

Encryption works across the entire CIA triad to protect the confidentiality of the data and prevent it from being unintentionally altered while keeping it available for authorized users. Encryption uses complex mathematical formulas to take the data provided and turn it into an unreadable format for anyone except those who have access to a secret known as a key. Those with access to the key can decrypt it — turn it back into its original form — and access it. Protecting the key and limiting access to it is crucial for maintaining secure encryption.

Tokenization

A variation of encryption is tokenization that takes sensitive data and transforms it into non-sensitive “tokens” used in place of the original data. These tokens are the same length and format as the original data field, but are indecipherable and cannot be reversed like encryption. The organization’s internal systems store the tokens while the actual data is stored in a token vault. These tokens, if stolen, are of no use to bad actors because they are only a representation of the data and, without the token vault, are worthless.

Protect Sensitive Data from Direct Access

Both tokenization and encryption allow organizations to securely protect data from those who should not have access to it, preventing them from making changes to it. This is imperative for meeting many of the compliance mandates to which modern pharmaceutical organizations are subject. Many of the existing encryption and tokenization solutions may protect data, but they cannot fully integrate into the IT infrastructure. This makes access slower and more complicated. Modern solutions should seamlessly integrate to efficiently allow authorized access while protecting data.

Centralize Access Control Based on Identity

Role-based access control (RBAC) is an essential component of modern data security technology for protecting and assigning data access. It ties access back to enterprise-class identity and directory services tools. Instead of assigning permission on a user-by-user basis, they can be set by any combination of user, group, role, or other stored parameters. RBAC saves time in configuring and managing user access through group memberships with set access for specific data. Users can simply be added to the groups as needed.

For many organizations, this type of information resides in Microsoft® Active Directory™, which serves as the single source of truth for information about users, roles, and groups. As users are added or removed centrally from this information store, their access and permissions adjust simultaneously. This reduces tedious permission changes to individual applications every time a user changes roles or leaves the organization.

Access Only What Is Needed to Do The Job

As a best practice and a requirement for several compliance mandates such as HIPAA and SOX, the principle of least privilege needs to be enacted and enforced. This principle dictates that individuals only have access to the minimum amount of data and resources required to perform their job duties. Many organizations suffer from excessive permissions — access assigned to a user in bulk or access that persists the user has switched roles. Excess permission increases risk in many ways, from external threat actors stealing credentials to well-meaning employees accessing data outside the scope of their duties.

Limiting the access an individual has narrows the scope of damage and reduces the overall impact of a successful attack. If credentials are stolen when least privilege is in place, cybercriminals will only have access to limited resources based on the role of the stolen account. Reducing the amount of data available goes a long way toward lowering potential remediation costs and fines associated with a breach.

Current trends in cloud computing and remote workforces necessitate data sharing for collaboration and cooperation. With today’s global and remote workforce, collaborating no matter where the individual is located is crucial for getting the job done. Along with this, Cloud computing brings scalability and a flexible pay-as-you-go price that allows pharma companies to efficiently run studies and conduct research without having to invest in permanent infrastructure.

Leveraging these advantages requires baking security into the solution. Having controls such as encryption and RBAC are only half the battle; knowing what is happening to your data is equally crucial. Extensive monitoring leveraging artificial intelligence (AI) and machine learning (ML) assess behavior patterns for data access that help profile bad actors early in attacks.

Watch What Is Happening To Your Data

In a pharmaceutical environment, the risk of credential theft is high. Tracking the usage patterns of users and roles in accessing sensitive data helps to identify threats or compromises. Traditional encryption tools do not have this capability. Even Security Information and Event Management (SIEM) systems do not have the breadth of visibility as they work off user access logs.

Advanced monitoring solutions that tie directly to the data sources process the access granted and its utilization across users and roles. It identifies anomalous behaviors such as access at an odd time, excessive data querying, data accessed outside of normal usage patterns, or “known threat” signatures of attack tools. Assessing this information manually requires a significant staffing investment. ML tools have evolved to rapidly process large volumes of data and draw actionable insights that can lead to alerts that security teams can review.

Embrace The Cloud For Scalability

Cloud technologies allow pharma companies to rapidly scale computing power as needed without investing in persistent hardware. It allows for the creation of mobile tools for recruitment, enrollment, and compliant data collection from participants, allowing extensive studies to be conducted efficiently.

Managing cloud infrastructure requires tools that can directly interact with multiple cloud providers to allow organizations to lift and shift their programs across providers as needed. Being able to tie in RBAC and encryption directly to multiple sources provides the necessary access control for data and the privacy mandated to maintain compliance.

Sotero has experience in helping pharmaceutical companies succeed. One of the world’s premier biopharmaceutical companies faced the challenge of securely delivering clinical trial information to downstream systems to analyze the effectiveness of a new drug. It was crucial to quickly get the data into their systems because the drug’s effectiveness decreases with time. Securely doing this delayed the data availability by an entire month because their existing process forced a manual transfer of the data. This caused the drug development cycle to be extended.

The organization turned to Sotero for a solution. Our platform enabled them to directly connect to the production clinical trial platform and encrypt sensitive elements in the system. It kept the data encrypted in transit to each downstream system, ensuring confidentiality throughout the process. Rolebased access controls allow the company to control the specific data available to each user and specify in a granular manner what fields were available. This allowed them to provide users access to the data set without risk of exposing sensitive patient-level information.

By working directly with the IT and data teams, Sotero helped the organization deploy, test, and validate the Sotero Protect solution in just a matter of weeks. The results of this deployment were immediate. The organization was able to meet security and privacy requirements related to the storage and use of sensitive data in both production and downstream systems. The improvements in the process of data handling enabled Sotero to achieve GxP certification, which is applicable across all pharmaceutical and healthcare organizations. From this, the customer was able to realize faster drug development and shortening the data’s time-to-value from a month to hours.