Securing the drugs industry

Pharmaceutical companies operate in a broad community of partners, collaborators and competitors. Allowing other organisations into your network can be risky, but keeping them out may be a more costly mistake.


On 26 March 2007, the spouse of a salesperson for the US pharmaceutical firm Pfizer loaded peer-to-peer file-sharing software on a company laptop, inadvertently publishing some 2,300 files from the laptop's My Documents folder. The accidentally shared data included names, social security numbers, addresses and phone numbers for about 17,000 members of staff.

For a pharmaceutical company whose data is its livelihood, an event of this type is brand-threatening, yet always a possibility, simply because of the scale of its operations. UK-based pharmaceutical group GlaxoSmithKline, for example, has 15,000 employees who work on discovering new medicines, and it spends £8m a day on research and development.

Mollie Shields-Uehling, chief executive of the US-based Safe Biopharma Association, says, "For each new drug application, there are between one million and six million pages of paper that have to be saved by the company and stored for the life of the drug, plus some significant amount of time after the drug comes off the market. All the clinical trial data, all the case-report forms, everything."

If that were not a big enough data-storage requirement, many pharmaceutical companies work through collaboration with global partners. These partners in turn collaborate with others, and may work for many clients at a time. There are constant battles with competing manufacturers, regulating bodies and counterfeiters, all taking time and money to combat, and all requiring a perfect evidence trail to prove a case against them.

Security is a challenging and ongoing process, says James, a CISSP-qualified IT security professional working in the perimeter team of a major pharmaceutical company. "There are a lot of small laboratories doing business and a lot of small laboratories working together on one project. They must share data, but, at the same time, they might be working with a competitor," he says.

Urs Wuergler, an IT security professional in charge of authentication at another major pharmaceutical company, says that virtual private networks (VPNs) are a critical technology in such an environment. "Pharmaceutical companies have thousands and thousands of medical representatives worldwide - many of them hardly ever work in an office. If their VPN connections do not work, they cannot access any information, because they do not usually keep data on their local hard drive for security reasons."

Yet the technology is not without its problems. James says his own VPN has growing pains and is difficult to control. "We have to set up the VPN with certain security requirements. Most of the time, a smaller company will be flexible, but sometimes it is challenging with larger companies. We are not really flexible, we have a policy, and that is the way it is."

Bureaucracy can cause tension between business and IT, James says. "Sometimes the policy is quite restrictive, and it will take them a long time to become compliant. So they may say it is proprietary data when it is actually confidential, just because they want the link to be set up quickly."

Complying with policy causes more problems for James than technology does. He says some research labs have extremely sensitive equipment that cannot risk running conventional security software. "They have hardware that cannot run anti-virus software because they cannot afford to have any system that affects the data. And this lab has to be connected.

"We have a segregated network, but most of the time this is where virus infections come from: they have this machine that is not running anti-virus software and they do some research on the internet. We have the policy, but if the end-user does not comply..."

James says he would like more segregation on the network, and is looking at network access control systems, but the network's size and numerous international connections make changes difficult.

Phil Huggins, chief technology officer at security consultancy Information Risk Management, agrees that a distinctive feature of pharmaceutical enterprises has been the importance of protecting intellectual property. He says the need to shield research and development networks from interconnected manufacturing and production networks is another feature of the industry.

James says the nature of the industry means that a risk-based approach has to be taken. Sometimes a new partnership link is worth the risk. "Connections have to be approved by higher management, and they are looking at how much money the research is worth. They will take the risk that if something goes wrong the business will be accountable rather than the IT department," he says.

Rising to the challenge

But there is no sense that the risks involved are stifling the pharmaceutical industry, or even significantly hindering it. Cost is involved, but the industry has taken the explosion of electronic communication in its stride.

Safe Biopharma is an industry collaboration created to maximise the use of electronic communication. The association is determined to increase the use of electronic communications throughout all business processes.

Shields-Uehling, its chief executive, says that four years ago the industry wanted to know what was preventing "full electronic end-to-end processes without paper back-up". The conclusion it drew was that the lack of a standard electronic identity carrying the same legal weight as a "wet signature" on a piece of paper was standing in the way of progress on this front.

Unfortunately, existing standards did not fit the pharmaceutical model, so leading players - including AstraZeneca, GlaxoSmithKline, Procter & Gamble, Johnson & Johnson and Merck - founded Safe Biopharma in 2005 to create the new standard.

This is now in place and has been implemented in many applications. "To do anything within a company, it has to be regulatory compliant, and it has to meet the needs of regulatory bodies in the US, in Europe and around the world," Shields-Uehling says.

"Any time you change a process internally it has to be clear that the new process is not going to involve more risk, that the regulatory bodies accept it, that companies know what is required for compliance, and that regulators know how to audit it."

Secure identity and signatures are enormously important: intellectual property arguments can hinge on the exact time research was conducted and the authenticity of a signature. Regulators may mine clinical trial data going back years to show a company did or did not conduct its affairs correctly, and that the researchers were suitably qualified.
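The point about signatures and timing above is that a record is only as good as what the signature actually covers. The following is an added example, not code from the article or from Safe Biopharma: it binds a document hash, the signer's identity and the signing time into one signed structure with Ed25519, so that backdating the record, editing the document or reassigning it to another researcher each breaks verification. The `ResearchRecord` layout, the researcher name and the sample document are constructed for illustration, not an industry schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// ResearchRecord is a constructed example of a lab record: who attested to
// what, and when. Field names and layout are assumptions for this example.
type ResearchRecord struct {
	Researcher  string `json:"researcher"`
	ContentHash string `json:"content_hash"` // SHA-256 of the attested document
	SignedAt    string `json:"signed_at"`    // RFC 3339 UTC timestamp
}

// canonical returns the exact bytes that are signed. A fixed, deterministic
// encoding matters: the signature must cover the timestamp and the signer
// identity as well as the content hash, so none can be changed afterwards.
func canonical(r ResearchRecord) ([]byte, error) {
	return json.Marshal(r) // struct field order is fixed, so output is stable
}

// SignRecord hashes the document, binds it to the researcher and the time,
// and signs the whole record with an Ed25519 private key.
func SignRecord(priv ed25519.PrivateKey, researcher string, document []byte, at time.Time) (ResearchRecord, []byte, error) {
	sum := sha256.Sum256(document)
	rec := ResearchRecord{
		Researcher:  researcher,
		ContentHash: hex.EncodeToString(sum[:]),
		SignedAt:    at.UTC().Format(time.RFC3339),
	}
	msg, err := canonical(rec)
	if err != nil {
		return ResearchRecord{}, nil, err
	}
	return rec, ed25519.Sign(priv, msg), nil
}

// VerifyRecord checks that the document still matches the hash the researcher
// attested to, and that the signature is valid over the record as presented.
func VerifyRecord(pub ed25519.PublicKey, rec ResearchRecord, sig []byte, document []byte) bool {
	sum := sha256.Sum256(document)
	if hex.EncodeToString(sum[:]) != rec.ContentHash {
		return false // document altered after signing
	}
	msg, err := canonical(rec)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample document and signing time.
	doc := []byte("Assay 42: compound X inhibits target Y at 10 nM (constructed sample)")
	when := time.Date(2008, 5, 14, 9, 30, 0, 0, time.UTC)

	rec, sig, _ := SignRecord(priv, "dr.example", doc, when)
	fmt.Println("genuine record verifies:", VerifyRecord(pub, rec, sig, doc))

	// Backdating fails because SignedAt is part of the signed bytes.
	backdated := rec
	backdated.SignedAt = "2006-01-01T00:00:00Z"
	fmt.Println("backdated record verifies:", VerifyRecord(pub, backdated, sig, doc))

	// Editing the document fails because the hash no longer matches.
	fmt.Println("edited document verifies:", VerifyRecord(pub, rec, sig, []byte("Assay 42: no effect")))
}
```

In practice the signing time would come from a trusted timestamping service rather than the signer's own clock, and the public key would be tied to the researcher through the kind of standard identity the association describes; this example only shows why the time and identity have to be inside the signed data rather than stored beside it.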

Huggins says, "Pharmaceutical companies are very strongly driven by protecting research and development data. When they look at the client end, they are protecting their brands. And in the manufacturing area they are clearly aware that a malicious attack that produces bad drugs would be disastrous for them. They are very motivated to protect.

"I think regulation is an issue, but, unlike the retail sector, where the Payment Card Industry Data Security Standard has given everyone a good sharp prod, in pharmaceuticals they have been very focused around the requirement."

But focused or not, IT professionals are struggling to integrate the tools and find applications that operate seamlessly with the business processes - at least at the right price.

Wuergler says generic drug manufacturers do not operate at the same profit margins as well-known brands. "They tell me that the standards are very nice, but they simply cannot afford them because the margin is so low. We have to look at completely different solutions. We want to have cheaper suppliers, different suppliers, more suppliers that are aimed at small- and medium-sized businesses."

Although it is tempting to view the pharmaceutical sector as being sewn up by a handful of giants with absolute central control, the reality is more like a system of titanic planets circled by thousands of assorted moons all orbiting just out of reach.

Connecting these varied sites leads Huggins to believe that end-point security is a key focus for the coming years, while Wuergler suspiciously eyes virtualisation and outsourcing as troublesome trends. As in all sectors, it pays to be vigilant and up to date with technology, but as Pfizer found out when its secure data was published on a peer-to-peer network, keeping the right people in and the wrong people out will continue to be vital.

● This article was originally published in Infosecurity Magazine
