Published in the September 2007 issue

Danger on the drugs network

Pharmaceutical companies operate in a broad community of partners, collaborators and competitors. Allowing other organisations into your network can be risky, but keeping them out may be a more costly mistake, finds William Knight

On 26 March 2007, the spouse of a sales person for the US pharmaceutical firm Pfizer loaded peer-to-peer file-sharing software onto a company laptop – inadvertently publishing some 2 300 ‘My Documents’ files. The accidentally-shared data included names, social security numbers, addresses and phone numbers for approximately 17 000 members of staff.

For a pharmaceutical company whose data is its livelihood, an event like this is brand-threatening but always possible, simply due to the scale of operations. UK-based pharma group GlaxoSmithKline alone boasts 15 000 employees working at discovering medicines, and spends £8m ($16m, €12m) a day on research and development.


Mollie Shields-Uehling: each new drug requires one to six million pieces of paper to be stored for years

And according to Mollie Shields-Uehling, chief executive of the US-based Safe Biopharma Association, “for each new drug application, there are between one and six million pages of paper that have to be saved by the company and stored for the life of the drug plus some significant amount of time after the drug comes off the market. All the clinical trial data, all the case report forms, everything”.

If that wasn’t mountainous enough, many pharmaceutical companies work via intense collaboration with research partners around the globe. These partners in turn collaborate with others and may work for many clients at a time. There are constant battles with competing manufacturers, regulating bodies and counterfeiters, all taking time and money to combat, and all requiring perfect evidence to prove a case against (see below).

Security is a challenging and ongoing process, says Tom Brown (not his real name), a CISSP-qualified information security professional working in the perimeter team of a major pharmaceutical company. There are “a lot of small laboratories doing business and a lot of small laboratories working together on one project. They must share data but at the same time might be working with a competitor,” he says.

Urs Wuergler, another CISSP in charge of authentication at another major pharma company, says that VPNs (virtual private networks) are a critical technology in such an environment. “Pharmaceutical companies have thousands and thousands of medical reps worldwide – many of them hardly ever work in an office. If their VPN connections do not work, they cannot access any information, because they don’t usually keep data on their local hard drive for security reasons.”

Yet the technology is not without its problems. Brown says his own VPN has growing pains and is challenging to control. “We have to set up the VPN with certain security requirements. Most of the time a smaller company will be flexible, but sometimes it’s challenging with larger companies. We are not really flexible, we have a policy, and that’s the way it is.”

Business technology friction

The bureaucracy can cause tension between business and IT, Brown adds. “Sometimes the policy is quite restrictive and it will take them a long time to become compliant. So they may say it’s proprietary data when it’s actually confidential, just because they want the link to be set up quickly.”

Compliance with policy causes more problems for Brown than the technology. He explains how some research labs have extremely sensitive equipment unable to risk running traditional security software. “They have hardware that can’t run anti-virus (AV) because they cannot afford to have any system that affects the data. And this lab has to be connected,” he explains.

“We have a segregated network, but most of the time this is where virus infections come from; they have this machine that is not running AV and they do some research on the internet. We have the policy, but if the end user doesn’t comply...” Brown says he would like more segregation on the network and is looking at Network Access Control systems, but the network’s very size and numerous international connections make changes difficult.

Phil Huggins, chief technology officer of UK-based security consultant Information Risk Management, agrees that a distinctive feature of pharmaceutical enterprises has been the importance of protecting intellectual property and the need to shield research and development networks from more closely interconnected manufacturing and production networks.

Yet, of course, the technology exists to enable the business, and Brown admits the nature of the beast means a risk-based approach has to be taken; sometimes a new partnership link is worth the risk. “Connections have to be approved by higher management, and they are looking at how much money the research is worth. They will take the risk that if something goes wrong the business will be accountable rather than the IT department,” he says.

Collaborating on collaboration

But there is no sense that the risks involved are stifling the pharmaceutical industry, or even significantly hindering it. Cost is involved, but the industry has taken the explosion in electronic communication in its stride.

Safe Biopharma is an industry collaboration created to maximise the use of electronic communication. The association is determined to increase the use of electronic communications throughout all business processes.

Shields-Uehling, its chief executive, says that four years ago the industry wanted to know what was preventing “full electronic end-to-end processes without paper back up,” and the conclusion was the lack of a standard electronic identity, fully authenticated and non-repudiable, carrying the same legal weight as a “wet signature” on a piece of paper.

Unfortunately, existing standards did not fit the pharmaceutical model, so leading players – including AstraZeneca, GlaxoSmithKline, Procter & Gamble, Johnson & Johnson and Merck – founded Safe Biopharma in 2005 to create the standard.

This is now in place and has been implemented in a large number of applications. “In order to do anything within a company it has to be regulatory compliant, and it has to meet the needs of regulatory bodies in the US, in Europe and around the world,” explains Shields-Uehling. “Any time you change a process internally it has to be clear that the new process is not going to involve more risk, that the regulatory bodies accept it, that companies know what is required for compliance and that regulators know how to audit it.”

Who you know, not what you know

Secure identity and signatures are enormously important: intellectual property arguments can turn on the exact time research is conducted and the authenticity of a signature; lawsuits may be challenged by a scientist’s log book only if there is proof of witness identity; and regulators may mine clinical trial data going back years to show a company did or did not conduct its affairs correctly, and that the researchers were suitably qualified.

Huggins says pharma companies are “very strongly driven by protecting R&D data. When they look at the client end they are protecting their brands. And in the manufacturing area they are clearly aware that a malicious attack that produces bad drugs would be disastrous for them. They are very motivated to protect; I think regulation is an issue but, unlike the retail sector where PCI DSS [payment card industry data security standard, see last month’s article] has given everyone a good sharp prod, in pharma they have been very focused around the requirement.”

But focused or not, security professionals are struggling to integrate the tools and find applications that operate seamlessly with the business processes – not least at the right price.

Wuergler explains how generic drug manufacturers do not operate at the same profit margins as well-known brands. “They tell me that the standards are very nice, but they simply cannot afford them because the margin is so low. We have to look at completely different solutions; we want to have cheaper vendors, different vendors, more vendors that are aimed at small and medium sized businesses.”

So while it is tempting to view the pharmaceutical sector as being sewn up between a handful of giants with absolute central control, the reality is more like a system of titanic planets circled by thousands of assorted moons all orbiting just out of reach.

Connecting these varied sites together leads Huggins to believe end point security is a key focus for the coming years, while Wuergler suspiciously eyes virtualisation and outsourcing as troublesome trends. As in all sectors, it pays to be vigilant and up-to-date with technology, but as Pfizer found out when its secure data was published on a peer-to-peer network, keeping the right people in and the wrong people out will continue to be vital.

PHARMA BATTLES FOR IP

Intellectual property cases are common in the pharmaceutical sector: the following were resolved in July and August this year alone. They tend to rely heavily on genuine, authenticated scientific notes and audited data trails.

* US firm Par Pharmaceutical Companies agreed to pay Ortho-McNeil, a division of US group Johnson & Johnson, royalties as part of a settlement over a patent dispute for the pain drug Ultracet
* The Spanish courts upheld US giant Pfizer’s patent covering the active ingredient in the cholesterol drug Lipitor, while finding a second patent for the drug invalid. The challenge had been made by Indian generic drug maker Ranbaxy
* Danish firm Bavarian Nordic and UK company Acambis reached an out-of-court global settlement regarding smallpox vaccines based on the Modified Vaccinia Ankara (MVA) virus
* Swiss giant Novartis had its challenge to Indian patent law dismissed by the Madras High Court, following the Indian Patent Office’s refusal of a patent for Novartis’ anti-cancer drug Glivec
