The pharmaceutical industry is particularly vulnerable to information theft or leakage.
By Elaine S. Price, Co-founder, President and CEO of CYA Technologies
One of the most important business and technological challenges that pharmaceutical companies face today is keeping the massive amount of content related to research, development, clinical trials and manufacturing of new products secure when it is shared among internal and external parties. The repercussions of information theft, loss, leakage, or misuse are enormous, as sensitive information could be intentionally or accidentally provided to a competitor that can ruin an opportunity by developing a similar product based on your research. Millions or billions of dollars in patentable research could be lost or stolen.

The pharmaceutical industry, so dependent on intellectual property and partnerships, and faced with long product lead times from discovery to general availability, is particularly exposed to the risks of information theft or leakage. Companies must be careful about sharing information with partners, research institutions, CROs, legal counsel, and the government throughout the life cycle of a drug, especially while performing due diligence to determine which organization will be chosen as a co-developer, researcher, test or manufacturing subcontractor, or a distributor. Concern about protecting information is not limited to external audiences. Employees have access to information and intellectual property needed to do their jobs, but they are also normally able to copy, print, save to disk and forward this information via e-mail.
Privacy regulations such as HIPAA also come into play, especially during clinical trials, which involve sensitive health information of trial participants that must be handled as mandated by HIPAA.

To combat the various means of information leakage or theft, and to help ensure compliance with privacy and other regulations, organizations should consider implementing the following security measures to protect their sensitive information:

1. Access control: Only making information accessible via an authentication method such as user name and password
2. Encrypted storage: Preventing internal or external thieves from viewing information they obtained without authorization
3. Post-access control: Controlling the actions end users can perform with information they are authorized to view
4. Role-based administration: Uniformly assigning permissions to groups of users based on their role in an organization
5. Auditing: Knowing who accessed the content, what actions were performed, and when
6. Immediate access revocation: Immediately denying access to information when it is no longer needed

The challenge that organizations face today is to enable these security measures while maintaining the ability to collaborate internally and externally on sensitive information. While increased security is a requirement, it should not undermine collaboration, one of the essential elements for achieving business objectives.

Until now, there was a gap between the need for collaboration and the need to protect and manage sensitive information. That gap has been filled with the introduction of a new category of enterprise software: secure collaboration. Secure collaboration technology enables organizations to collaborate internally and externally, while controlling the flow and use of sensitive information, and providing a clear audit trail indicating how, when, and where information is shared.
Secure collaboration applies to any scenario that requires reviewing or collaborating on sensitive information, such as patent applications, new drug discoveries, outsourcing, and mergers and acquisitions.

Solutions Prior to Secure Collaboration

Before the introduction of secure collaboration, the security and collaboration landscape was a patchwork of partial solutions that could not be combined to secure content while enabling collaboration. Access controls, firewalls, virtual private networks (VPNs), public-key infrastructure (PKI) and Secure Sockets Layer (SSL) provide authentication and secure transmission, but they do not control information use. Digital rights management (DRM) solutions control the use of information, but do not enable collaboration. Collaboration software and Web-based collaboration environments enable collaboration, but do not control information use.

Secure Collaboration Allows Businesses to Share and Control Information

Secure collaboration provides the right mix of capabilities to enable organizations to share sensitive and valuable information with confidence. It combines authentication, access control, information-use control and the ability to collaborate while auditing all end-user activities. It allows an enterprise to access, secure, and collaborate on sensitive and valuable information.

Secure collaboration does not require an organization to re-define its business processes and workflows. Content will still be shared with the same parties who normally need to view it, such as CROs, outside counsel, and the target or acquiring company in the case of an acquisition.
The difference is that the content is accessed, shared, and used with control.

The following paragraphs provide an overview of the features that an advanced secure-collaboration system should include today.

Framework

To ensure that no one has the rights to audit and administer the entire system and access all of its secure content (administrators with such rights are also a security threat), a secure-collaboration system should include a framework that distributes administration among several roles, such as: security officer, administrator and auditor. This framework enables a secure-collaboration policy that includes checks and balances while allowing you to address the needs of your organization.

Security

Security is the foundation of secure collaboration, and the main reason organizations consider its implementation. There are four main topics that pertain to security within secure collaboration:

1. Authentication. In order to ease implementation, a secure-collaboration system should use an authentication system already in place at your organization, such as LDAP or Active Directory.

2. Information access. There are currently two approaches: Some vendors deliver encrypted files directly to end-user desktops; others keep the encrypted content on a secure server inside the firewall, while still making it available via the Web.

For maximum security, content should remain stored and encrypted on a secure server and should not be delivered to users’ desktops, where it could be more easily decrypted and where it remains indefinitely. However, delivering encrypted files allows users who have laptops to work offline. In the future, vendors may support both options for flexibility, while educating customers about the advantages and disadvantages of each approach.

3. Administration. Secure collaboration should accommodate various types of end users, who should be organized into groups so that the end users have the same content-use permissions applied to their group. For example, members of a CRO may only be authorized to view information, while researchers involved in new drug discovery may be authorized to annotate content that you provide for review.

4. Post-access control. A secure-collaboration system should provide granular control of all end-user interaction with content. Actions such as viewing content, copying to clipboard, saving to disk, printing, print screen, number of access sessions and access dates should all be controlled.

Collaboration

Without collaboration, business cannot exist. Another key feature of secure collaboration is the end user’s ability to collaborate on content and share ideas. End users should be able to annotate content, and it should also be possible to make their annotations public, so that others can view them, or private.

Control

In order for an organization to rest assured and be able to prove to auditors and regulators that its secure-collaboration policy is working, a secure-collaboration system should:

1. Actively and frequently enforce end-user permissions by checking on their status at intervals less than one minute, enabling administrators to quickly modify or revoke end-user access rights.
2. Maintain a complete history of the activities performed by each end user and administrator in the system.

Conclusion

Our increasing ability to share information is offset by the staggering increase in information theft and its accompanying legal, financial, competitive, and public-relations exposure. Until now, there was no comprehensive means to secure sensitive information while maintaining the ability to collaborate.
Secure collaboration is an emerging technology that helps protect information against theft, leakage, and misuse, while enabling compliance with internal and external mandates for information storage, access and security.

About the author: Elaine S. Price is co-founder, president and CEO of CYA Technologies, a leading provider of business-continuity and secure-collaboration solutions. She has been an entrepreneur throughout her 20-year career in enterprise computing, by serving as CEO of three successful companies. Elaine’s career in the enterprise computing industry includes roles in programming, sales, and management. She is a frequent speaker at industry trade shows and is regularly quoted in articles on business continuity, secure collaboration and success in business.
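
The group-based post-access control (Security, item 4) and the frequent permission re-check with an activity history (Control) can be sketched as follows. This is an added Python example, not code from the article or from any vendor's product; the class names, the 30-second interval, the users, the groups and the clock values are assumptions made for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field

RECHECK_SECONDS = 30  # assumed; the article only asks for "less than one minute"
# actions: operations the group may perform; not_after: last permitted access time
GroupPolicy = namedtuple("GroupPolicy", "actions not_after")

@dataclass
class PolicyServer:
    groups: dict                                 # group name -> GroupPolicy
    members: dict                                # end user -> group name
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)    # (time, actor, event, detail)

    def revoke(self, admin, user, now):
        self.revoked.add(user)
        self.audit.append((now, admin, "revoke", user))

    def check(self, user, action, now):
        pol = self.groups.get(self.members.get(user))
        ok = (pol is not None and user not in self.revoked
              and action in pol.actions and now <= pol.not_after)
        self.audit.append((now, user, "allow" if ok else "deny", action))
        return ok

class Viewer:
    """Client side: reuses a decision until it is RECHECK_SECONDS old."""
    def __init__(self, server, user):
        self.server, self.user, self.cache = server, user, {}

    def perform(self, action, now):
        ok, checked_at = self.cache.get(action, (False, None))
        if checked_at is None or now - checked_at >= RECHECK_SECONDS:
            ok = self.server.check(self.user, action, now)
            self.cache[action] = (ok, now)
        return ok

def demo():  # constructed users, groups and clock values (seconds)
    srv = PolicyServer(
        groups={"cro": GroupPolicy({"view"}, 1000),
                "research": GroupPolicy({"view", "annotate"}, 1000)},
        members={"cro_user": "cro", "researcher": "research"})
    cro, res = Viewer(srv, "cro_user"), Viewer(srv, "researcher")
    seen = [cro.perform("annotate", 0),    # CRO group is view-only: denied
            res.perform("annotate", 0)]    # researcher: allowed, decision cached
    srv.revoke("admin1", "researcher", 10)
    seen += [res.perform("annotate", 20),  # cache is 20 s old: still allowed
             res.perform("annotate", 31)]  # re-check sees the revocation: denied
    return seen, srv.audit
```

The call at 20 seconds shows why the interval matters: a revocation only takes effect at the next re-check, so the interval is the upper bound on how long a revoked user keeps working with the content.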