Data security for Pharma

The Chief Information Security Officer perspective

Gary Secrest spent a career at the National Security Agency helping develop Public Key Infrastructure (PKI) concepts, one of the technologies that are part of the SAFE-BioPharma standard. Upon retirement, he joined Johnson & Johnson and was tasked with organizing its global IT security. In that role, Secrest considered how best to educate his fellow executives about managing the risks of global Internet communications. While at J&J, he joined with other Big Pharma IT experts to develop the SAFE-BioPharma standard. Retired from J&J, he now serves as volunteer vice-chairman of the SAFE-BioPharma Board of Directors.

Asked for his views about what a decision maker should ask of his IT security people, he offered the following:

1. How can we be sure that the person accessing our information is who he says he is?

The enterprise needs to control access to proprietary and other sensitive information. That, in part, requires a level of trust that the identity being presented belongs to the correct person. If not, any amateur hacker will be able to access company systems to fraudulently obtain information. SAFE-BioPharma identity credentials require use of standardized identity proofing events to ensure that the individual is uniquely linked to the identity credential and the credential is uniquely linked to the digital signature.

2. How strong are the mechanisms we use to make someone prove who he is before we allow access? How do we trust the authentication of the identity he presents?

Strength of authentication is an important concept. Strong authentication makes it more difficult for a hacker to impersonate an authorized user. The most common form of authenticating identity—ID and password—is surprisingly weak. Two factor authentication, for example, ID and password and Onetime Password (OTP), is strong.

3. Do we have strong access control processes and procedures in place to assure that only authorized individuals are being granted access to our information?

In addition to authenticating identity, organizations must decide which information the authenticated party is authorized to access.

4. Is our information protected as it moves from our system to the cloud and back?

The only way to ensure information is protected while in transit over the Internet is to encrypt the transmission link with strong cryptographic techniques that are able to meet today’s standards. Many tools are available which make encryption implementation relatively straightforward.

5. Is our information protected while stored in the cloud?

The best way to protect sensitive information while stored in the cloud is through encryption. This encryption is distinct from encryption of information in transit and requires different tools. Control of the cryptographic keys used to accomplish the encryption of information in storage is critical to this protection.

6. Do we know the value to the company of all information sent to the cloud?

Information classification (i.e. determining the value of information to the company) is a necessary component of information security. Obviously we want to assure robust protection for the most sensitive information. We might employ security techniques such as encryption, restrict the list of people authorized to have access, and require strong authentication for those individuals in order for them to gain access. For less sensitive information, we might not use encryption and require less stringent authentication. You cannot make these important risk decisions if you do not know the value of (or properly classify) your information.

Cloud computing is rapidly transforming IT systems throughout the pharma industry globally. Early efforts centered on data exchange among clinical researchers in industry, academia and government research institutions; now it is impacting sales and marketing activities, human resource management, enterprise-level document sharing and even corporate financial reporting.

The impetus for this transformation is the lower hardware cost and reduced maintenance burden for keeping busy executives connected and communicating throughout the enterprise. However, as headlines routinely appearing about security breaches attest, there is risk as well: ensuring that data integrity is kept whole, and protecting data from unauthorized access. To address that risk, companies need to evolve a battery of security and identity-protection protocols. One of these, tailored to the needs of the life sciences industry specifically, is the standards established and managed by the SAFE-BioPharma Assn.*

By now, most are familiar with some aspect of “the cloud:” computing using extensive networks of servers that permit centralized data storage and access to a host of services and resources. Generally, the benefits of cloud computing are explained in terms of using an Internet-based infrastructure to share services and only pay for the computing capabilities as needed. This promises clients comparable privacy, security and control at somewhat lower operating costs. It all makes so much sense, and 50% annual growth rates of cloud computing companies are demonstrating it. Talk about silver linings!

Increasingly, the pharmaceutical industry is becoming cloud-reliant. Over the past few decades, pharma has morphed from the vertically integrated to being decentralized and more collaborative. The collaborations are creative and diverse: a promising compound owned by one entity in need of development by another; involvement by an entity in going from small batch production to supplies for clinical trials; engagement of sites in places that were once out of consideration; collection and analysis of data; and regulatory submissions. On and on through the process until, hopefully, the medicine leaves pipeline for market.

That’s one iteration of many.

Perhaps industry’s most promising ascent to the cloud is part of TransCelerate BioPharma’s cross-industry initiative focused on advancing innovation in research and development. Among its eleven initiatives that are aimed at increasing quality, patent safety, and accelerating development timelines, the Shared Investigator Platform is the one that will rely most on cloud computing. An industry first, it is projected to be in the form of a subscription-based investigator platform that is expected to transform the way clinical sites collaborate with pharmaceutical companies on clinical trials.

Importantly, TransCelerate identifies one of the key benefits as substantially reducing costs to member companies by eliminating their need to run their own portals and by reducing the “build effort” for companies without online portals. The platform will allow investigators, using single sign-on, to interact with multiple sponsors. Sponsors will use the shared infrastructure for investigator training, site feasibility surveys, document exchange, and management of facility and investigator information. With experience and time, the TransCelerate cloud is expected to be used for even more purposes.

Construction of TransCelerate’s Shared Investigator Platform has been outsourced to the IT services organization, Cognizant (Teaneck, NJ).

For all the silver linings, clouds also have dark sides. One of the most problematic: How does the cloud know that the person requesting services is who she says she is? It’s an important question about identity and the many factors linked to identity in the digital environment.

Aware of the identity management issue, Cognizant decided to adopt the global SAFE-BioPharma standard for digital trust. The standard comprises a set of rules defining how an online identity should be structured and how digital signatures on electronic documents should be formed.

The need for the SAFE-BioPharma standard was anticipated by a group of pharmaceutical IT visionaries in 2002. Then, like now, many in the industry understood that electrons would take the place of paper, but they didn’t understand how to make that transition in a way that would work. The visionaries, with input from FDA and EMA, placed the issues on the table: privacy, security, regulatory compliance (and did so before the final Title 21 CFR Part 11 rule, FDA’s criteria for “...electronic records, electronic signatures, and handwritten signatures executed on electronic records as equivalent to paper records and handwritten signatures executed on paper.”)

The industry-developed SAFE-BioPharma standard is a way for companies to address the issues and to meet requirements of other US and global technology standards without requiring each to invent its own siloed solution. The standard became operational a few years later under the eponymous SAFE-BioPharma Assn.

Those confounded by the confusion of acronyms and initialisms related to security and identity can take comfort knowing that the SAFE-BioPharma standard is the only standard created by and for the pharmaceutical industry to manage cyber identities worldwide.

Like an international driver’s license, digital identity credentials compliant with the SAFE-BioPharma standard are universal. Issued one time, each credential takes the place of the many online identities currently plaguing and confusing site personnel.

“Any SAFE-BioPharma-compliant credential is essentially a passport to the Internet,” explains Mollie Shields-Uehling. “It’s issued one time and among other things can be used to access portals for multiple trials within multiple companies. Its use will eliminate a lot of aggravating and costly redundancy, one of TransCelerate’s key goals.” As president and CEO of SAFE-BioPharma from its outset, Shields-Uehling is a major educator/advocate on standardized digital identities and their use in applying digital signatures.

As she explains, it’s not simply about issuing credentials. It’s also about managing them. By following the standard, companies are able to manage who has access to which sites, and with that they can safely control access to valuable and confidential trial-related information assets.

It’s worth noting in our fast-developing cloud sphere that many of the identity credentials compliant with the SAFE-BioPharma standard can be used to apply legally binding and regulatory compliant digital signatures to electronic documents. This permits faster review, exchange and signing of cloud located documents, which in turn, shortens all types of processes—clinical trials included.

These are no ordinary electronic signatures. They are closely associated with the identity of the person applying the signature, and each signed document is protected with its digital signatures for life. If a signed electronic laboratory notebook or any other important document is ever altered, the signature indicates that it is no longer valid. The importance of this secure form of signing is reflected in the regulatory bodies now requiring it. These include the US Drug Enforcement Agency for its ePrescription of Controlled Substances regulation and the European Medicines Agency, which requires digital signatures on its own outgoing correspondence requiring legal signature, and starting later this year, on all electronic submissions.

Notably, last year, Adobe added SAFE-BioPharma to its Adobe Approved Trust List (AATL). As a result, any person with a SAFE-BioPharma identity credential can sign a PDF document in Adobe Acrobat or Reader, and the signature will be trusted automatically by any other user of Adobe Acrobat or Adobe Reader anywhere in the world.

Consider the efficiencies that come with sharing documents parked in the cloud. Researcher 1 at Company A is working on a trial with Researcher 2 at Company B and with Researcher 3 at the National Cancer Institute. Both company researchers are credentialed under the SAFE-BioPharma standard. The NCI researcher’s credential is under the US Government’s system. Nonetheless, all three are “interoperable.” They’re able to work together, and sign and exchange documents in a fully electronic environment just as though they’re all working in the same organization. This interoperability is possible because the SAFE-BioPharma standard was designed (with FDA and other government input) to be cross-certified with the US Government’s proprietary online identity and credential management system for issuing and managing electronic identity credentials. That interoperability means that any industry identity credential compliant with the SAFE-BioPharma standard will be trusted by any US Federal agency.

This is a real situation involving NCI, AstraZeneca and Bristol-Myers Squibb. The US Government promoted it as a best-case example when announcing its campaign to promote the use of “trusted identities in cyberspace.”

Standardized trust is one of the factors contributing to the gathering of bright clouds across the life science horizon.

Take for example, Exostar’s Life Sciences Identity Hub. Identity hubs provide an efficient way to manage identities across disparate computer systems, and as every executive knows, they are plenty. A classic example of “build it and they will come,” more than 500 organizations currently participate in Exostar’s Life Sciences Identity Hub.

Why? Daniel Pfeifle, Exostar’s VP, sales and marketing, explains that an important challenge facing life science and healthcare companies is being able to securely enable business processes in the cloud while ensuring regulatory compliance and better alignment with evolving governmental online processes. The Exostar hub uses credentials compliant with the SAFE-BioPharma standard. “We find that globally-accepted identity credentials issued under the SAFE-BioPharma Trust Framework provide secure and trusted access to proprietary toolsets, analytics, and other internal/external applications in the cloud,” Pfeifle says.

Among the benefits of this approach are faster development of solutions, the single “Internet passport” instead of multiple identities, less cost, elimination of paper audits, faster on-boarding of entire systems, more flexibility, etc.

Being the wunderkind of industry, clouds are raining down on every aspect of the business, including logically, facilitating networks among medical personnel. Cegedim, a leader in life science customer relationship-management solutions, is offering its Docnet portal, a cloud-based professional social network, allowing medical personnel to consult on the latest medical, clinical and drug information; to network and participate in discussions with their colleagues; to serve their patients; and to consume value-added information and services sponsored by life sciences manufacturers. Participant identities are authenticated to the portal following the SAFE-BioPharma standard.

As with other industries, clouds are fast becoming central to pharmaceutical operations. The forecast? Few functions in our growing culture of collaboration will not be impacted. The concerns? We need to comply with standardized approaches to identity trust when using cloud technology. The smart money? We can place that on the executives asking the right questions of their Chief Information Security Officers.

*SAFE-BioPharma® is a trademark of SAFE-BioPharma Association. Any use of this trademark requires approval from SAFE-BioPharma Association.

ABOUT THE AUTHOR

Jon Weisberg is director, communications and public relations for the SAFE-BioPharma Association. Weisberg was a senior public relations executive with Bristol-Myers Squibb Company. He is President of Weisberg Communications Company, a public relations and communications consulting firm. He has supported SAFE-BioPharma since 2005, writes for several pharmaceutical trade publications in the US and Europe, and blogs on non-pharmaceutical topics for the Huffington Post.