Earlier this year, a substantial cyber attack impacted the pharmaceutical giant Merck, and it’s recently been revealed that the attack cost it $135 million in revenue. It’s clear to see, therefore, that there’s a huge potential for damage to businesses who don’t have the security measures in place to prevent hacks.
So, in the wake of Merck’s third quarter report, it’s a good time to assess whether or not your business’s security measures are as robust as they should be.
Recognise the challenges
There are a number of specific challenges posed to the pharmaceutical industry regarding data security. For example, the process of developing medicines and services through regulatory approval requires extensive periods of sharing sensitive data with medical professionals, regulators, developers and partners. There are also a number of mobile and portable devices in use, particularly in gathering data via sources such as personal medical devices and wearable devices, heightening the likelihood of casual data loss.
The pharmaceutical industry is especially vulnerable to hacks, given that the stakes are so high: it costs upwards of $2.6 billion to research and develop a successful drug and can take as long as ten years to do so, making it an industry that’s likely to be targeted by cybercriminals. It’s important to recognise these unique challenges right from the beginning so that you can implement a security policy that takes all of these matters into account.
Start with encryption
Take a look at the types of information you’re currently protecting behind encryption, as well as the sophistication and effectiveness of the encryption itself. Encryption is the basis for any security policy in the pharma world, so encrypt everything that counts as ‘sensitive information’, including (but not limited to) patient details, drug trial information and IP about the drugs you’re developing.
Roll out world-class training
Another crucial step to take is to provide high-quality training to ensure everyone within your organisation understands the importance of data security, as well as the best practices they need to follow to ensure data stays secure. Often this is best delivered in a combination of face to face training sessions with targeted e-Learning sessions specifically developed for those with higher levels of access. But, don’t just roll out the training once and consider it a finished job. Instead, regularly update and refresh the training (an inevitably given how quickly technology advances), and incentivise uptake for the training as well as rewarding the highest scorers.
Define BYOD policies
As well as rolling out the best training possible, take the opportunity to review your ‘bring your own device’ policy. This is particularly relevant if your employees are working outside of your office area, using their own equipment for work (including their mobiles phones or laptops), or removing devices from the office or lab.
Review access permissions
Now’s a good time to review the level of access granted to individuals across your company, and externally too. Your organisation may operate most efficiently when all internal staff have unrestricted access to shared folders, but to maintain higher levels of security, you may wish to grant access on a case by case basis.
Think about the access enjoyed by third parties outside of your business too, including regulators, developers and consultants for example. Experienced consultants such as those at Alacrita, for example, will be well-versed with the importance of data security, and as a result will take all the necessary steps to ensure high security, requesting permission to access certain information without expecting to have access to everything. But, don’t be afraid to push back or set restrictions – it’s better to grant access ‘piecemeal’ after taking protective measures against the risks of sharing information.
Finally, accept that there may be things you simply don’t know about, especially as technology continues to develop. For example, if you start collecting data from wearable tech or via an app you’ve sold as a service, you may need expert assistance to ensure the data is secure across all stages of its journey. It also needs to remain secure while you’re using the data, and you may need to contract a third party to help you put the correct measures in place to guarantee robust security.
Take steps to bolster your security measures – not only will doing so guard against substantial financial losses, but it will also protect against reputational damage, customer and stakeholder trust, and the possibility of fines – all of which are arguably just as devastating.