The pharma industry needs to implement stronger measures to prevent data thefts and plug loopholes in their data security systems By Sachin Jagdale
At every level of a product life cycle, from idea to product, pharmaceutical companies have to worry about protecting their sensitive data. Especially during the early stages of product development as they provide the competitive edge to the company. However, there is no dearth of avenues for data to get leaked, for instance, it is not uncommon to hear about cases of marketing plans being stolen. Patients’ information getting leaked and in-house employee passing on the confidential data to rivals etc. have also been reported globally, time and again.
Protecting pivotal data
Though every piece of data is important for the industry, loss of a certain type of information can badly affect the business of a company.
Dr Parijat Kanetkar, Consultant, Chemicalli explains, “Confidential technical data for R&D projects, government data related to the public (personal information and social security numbers), technical data related to pharma, biotech products and chemicals which are the IPR of the manufacturing companies, trading information, internal email discussions for a potential business deal (leaked to the press), confidential health related information of patients are major targets for the miscreants.”
The pharma industry perhaps ranks highest among the most data sensitive industries in the world. Though data theft is not a rare phenomenon for the industry, involvement of its own employees in the data leakage is what worries the industry the most. So much so that it is sometimes easier for pharma companies to keep check on external efforts of stealing data, identifying in-house culprit requires real luck.
As Joseph Kiran Kumar, Head – Information Technology, Eisai Pharmaceuticals India points out, “Around 70 per cent of the data leakages can be attributed to be the handiwork of existing employees. With around 80 per cent companies not having a policy that protects the data from the leaving employee makes the situation even more vulnerable.”
Pharma companies invest billions of dollars to develop one new molecule. So, data leak of any sort during the molecule development phase could even cast shadows on the future of the company.
“Data pertaining to critical business processes, personal data are usually the targets. For the research- based organisations data that has greater Intellectual Property (IP) value is the prime target. There have been many instances where such data was stolen. Costs for IP theft within the UK pharma, biotech and healthcare sectors were reported in the OCISA report to cost £1.8 billion annually, primarily due to the large volume of data generated by this industry,” adds Kiran Kumar.
Many companies now allow their staff to work from home and often provide the necessary gadgets to their employees to help them operate from anywhere they want. Many assignments also require modern-day employees to travel extensively, within the country and overseas. These circumstances have caused employees to extensively rely on online methods of communication, data storage etc. This, in turn, has also increased the chances of data being stolen. Thus, it has become imperative for pharma companies to take appropriate measures to secure their data.
Measures to secure data
Firewalls, DLP systems, UTM, Disk Encryption etc. have been in use for a long time in pharma companies to ensure data security. Aware of the fact that the data security is as important as product manufacturing, the industry is always keen to adopt the latest and the most effective solutions in data protection. Regardless of the size of the company, compromise on data security is not permitted or expected.
Kanetkar lists some of effective ways to secure data. He says, “Implementing a tiered data protection and security model including multiple perimeter rings of defence to counter applicable threats is one of the ways to protect data. Logical (authorisation, authentication, encryption and passwords) and physical (restricted access and locks on server, storage and networking cabinets) security ensures that the confidential data is guarded in the best possible manner. Besides this, data erasure is a method of software-based overwriting that completely destroys all electronic data residing on a hard drive or other digital media to ensure that no sensitive data is leaked when an asset is retired or reused.”
Rajashri Survase-Ojha, Founder and Managing Director, Raaj GPRAC, asserts that besides adopting effective technology, it is important to take some precautions at the human level as well. She explains, “One should know who has physical access to fixed and removable data-storage media and devices. Leverage access logs as well as perform background checks of contractor and third-party personnel who will be handling your data and media. Identify the weak links in your data-movement processes and correct those deficiencies. Data-discovery tools can be used to identify sensitive data that may not be adequately protected. Avoid letting data security become a bottleneck to productivity, because that is a sure way to compromise a security initiative. The more transparent the security is to those who are authorised to use the data, the less likely it is that they will try to circumvent your efforts.”
Kiran Kumar claims that his company has all the necessary technological tools as well as a security infiltration detection security operations centre (SOC) in Japan which monitors the networks with Palo Alto suite of security tools, but points out that no tool can give 100 per cent security.
Evolving role of technology
While many measures are being put into place to ensure this goal, problems persist. With the widespread adoption of technology, now the onus of preventing data thefts and plugging loopholes in the data security systems now lies with the technology/ security solution providers to a great extent.
Ojha narrates some of the technologies which have been implemented by many companies (especially MNCs) for tracking the activities of their employees. She says, “Attendance through Google sheets which is also GPS embedded to identify location from where the sheet has been signed in is one way of keeping vigil. VPN Log in/ Log out with GPS locator is another option. Use of Employee Monitoring Softwares to track activities of employees who are travelling abroad and what they do on company time is also common.”
Being an MNC, Eisai Pharmaceuticals India’s operations have spread across different countries. Their staff works from different locations/ offices with varied kinds of data. Joseph Kiran Kumar gives the details of the solutions employed by his company. He informs, “USB ports are disabled (except for the data card access). Employees are not allowed to download any software or any executable file as they are restricted only for administrator access. Though they are free to access the Internet they shall be restricted from accessing the sites that are blocked by the organisation. When a user is working from within our network through VPN additional policies would come in to secure the access. As of now, we haven’t deployed any tool to track their activities. However, an alert from our security operations centre would be sent to the administrators about access to the sites that are not deemed necessary for business. We have a strong information security policy defined as per ISO 27001 standard. A compliance undertaking is usually taken from all the users to conform to the policy. Strong policies along with the tools can help and deter insiders with malicious intent.”
Challenge to conquer
On one hand, pharma companies are getting smarter and use more advanced methods/ technologies to protect their data. On the other hand, hackers are also coming up with equally strong ways to breach data security.
Kanetkar describes various loopholes in the security system which hackers can exploit to steal the data. He says, “An unencrypted Wi-Fi/LAN system would enable any unauthorised entry to gain access to the main frame. This would also enable the hacker to override the firewalls thereby giving him all administrative controls for taking possession of the required data. Phishing attacks are also observed these days to constantly deceive the viewer/ user to reveal their confidential information. Many homes have a basic, not so strong ISP. This enables potential hackers to gain access to private information.”
With each passing day, drugs are becoming more effective and target-oriented, however the mechanism involved in their development is also becoming very complex. Data generated throughout the entire R&D process would be enormous and highly unique. The percentage of money spent by the industry in R&D activities has also increased considerably over the last few years. In this changing scenario, there is a surge in the expectations from the data security providers.
Kiran Kumar says, “In future major challenges that the data security service providers should be braced for include security of IOT devices, identity and theft management, mobile data security management, develops security and cloud security.”
He concludes, saying, “There is a common parlance in the security community which says that only two types of companies exist. The ones whose security has already been breached and the ones whose security will be breached sooner or later.”