The pharmaceutical industry deals with copious amounts of personal data, which means that adequate data protection and cybersecurity are non-negotiable. Even two years after the introduction of the General Data Protection Regulation (GDPR), the Information Commissioner Office is still fining companies who fail to fully protect their data.
There are two sides to the data protection issue facing the pharma industry. One side involves companies that deal with the public – these are the companies heavily involved in medical research and clinical trials. The other side consists of companies that mostly process internal personal data, meaning data about their staff, customers and suppliers. It is imperative that both sides of the industry are compliant when processing data.
Before any data can be processed, though, a lawful basis must be established. This is fairly simple and straightforward for pharma companies whose most significant processing activities relate to their staff. For companies that process “special categories of data, through research and clinical trials etc.,” a separate lawful basis must be established. In addition to the lawful bases established by the GDPR, local legislation may also need to be considered, whether this be local data protection laws or laws and regulations specific to the pharma industry.
Data protection is especially significant for the pharma industry because of identifiable data. Anonymous data is not subject to the GDPR, but identifiable data is. Companies that process identifiable data “must consider the requirement for informed consent under the Clinical Trials Regulation (CTR) and how this interacts with consent under the GDPR.”
What Does Ensuring Compliance Mean for Pharma?
- The GDPR requires any company that processes large amounts of special categories of personal data to appoint a data protection officer, either by recruitment of a new employee or via an outsourced data protection officer.
- One impact of the GDPR is individuals gaining more awareness and exercising tighter rights to their personal data. This means pharma needs careful processes in place that deal with subject access requests – how they respond and handle these requests is important.
- A GDPR requirement is that controllers implement a written contract with their processors – pharma must ensure that contracts with service providers have adequate protections in place to protect personal data processing.
- Pharma must be able to react fast and effectively in the event of a data breach. The risk of data breaches is especially high when it comes to special categories of personal data.
- Higher safety and control around data transfers. Data protection complexity grows when pharma companies transfer personal data internationally.
The last two issues listed are perfect segues to cybersecurity in the pharma industry. According to Bio-IT World, “between 2018 and 2019, 510 healthcare data breaches of 500 or more records were reported, representing a 196% increase in such attacks.”
Furthermore, the costs of data breaches within the healthcare system are astronomical. Panda Security reports “the country with the highest [data breach] costs is the United States, where the average cost is $8.19 million, or $242 per record. The industry with the highest [data breach] costs is healthcare: $6.44 million for a breach and $429 per record.”
The COVID-19 pandemic has acted as a catalyst in pharma’s shift to digital, in an industry historically known for lagging behind other major industries when it comes to digital transformation. Managing data transfers in a highly secure fashion has never been more necessary.
3 Ways Pharma Can Guarantee Competitive Cybersecurity
Data Management Efficiency
It is well known that the healthcare sector has been late to the game where technology is concerned. Imagine if there were no longer a need to rely on the difficult-to-manage, outdated, and costly systems currently in place to manage data. Instead, communication processes and automated security policies could be streamlined into “a single, cross-network platform,” which would significantly increase threat visibility, simplify IT processes and reduce the burden placed on IT personnel.
File Transfer Integration
Once a data management system is established, “a centralized standard file archive can greatly reduce miscommunication between partners and properly scan any outside data exchange for malware or other potential cyberattacks.” If executed correctly, handling both internal and external data this way reduces risk and helps nurture a trustworthy reputation.
Automating Financial Accounting Data
Financial accounting within the health system is time consuming and very costly – the U.S. market alone represents a share of at least $446 billion. Payment fraud remains a major risk and can easily be missed by IT professionals who are heavily burdened with accounting platforms and general security concerns. An automated financial policy can eliminate the need for human intervention. Bio-IT World describes this as, “[a cohesive policy] could include a poll every 30 seconds, automatically picking up a file and transforming it from an xml to plaintext, and then returning a notification of receipt within two minutes to emulate the process within other potential company branches, retail chains, third-party vendors, or healthcare providers.”
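The two preceding sections (the scanned file archive and the 30-second poll that turns XML into plaintext and returns a receipt) describe one intake pipeline. The following is an added illustration of how such an intake loop can be written defensively; it is not code from the article or from Bio-IT World. The directory names, the `KNOWN_BAD_SHA256` denylist (a constructed stand-in for a real malware-scanning service) and the sample files built by `demo()` are all assumptions made for this example.

```python
"""Defensive file-intake loop: poll an inbox, scan, convert XML to plaintext, emit a receipt.

Added example, not the article's code. Assumed layout: inbox/, archive/ and quarantine/
directories; a real deployment would call an AV service instead of the denylist below.
"""
import hashlib
import json
import tempfile
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

POLL_INTERVAL_SECONDS = 30       # the 30-second poll the article quotes
RECEIPT_DEADLINE_SECONDS = 120   # the two-minute receipt window the article quotes

# Constructed placeholder denylist standing in for an AV / malware-scanning service.
KNOWN_BAD_SHA256 = {"deadbeef" * 8}  # placeholder hash, not a real indicator


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large transfers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: Path) -> Optional[str]:
    """Return a rejection reason, or None if the file passes intake checks."""
    if sha256_of(path) in KNOWN_BAD_SHA256:
        return "matched malware denylist"
    head = path.read_bytes()[:4096]
    # Partner data exchanges never need DTDs; rejecting them removes the XXE and
    # entity-expansion attack surface before the parser ever sees the file.
    if b"<!DOCTYPE" in head or b"<!ENTITY" in head:
        return "DOCTYPE/ENTITY declarations not accepted"
    return None


def xml_to_plaintext(xml_bytes: bytes) -> str:
    """Flatten every element that carries text into 'tag: text' lines."""
    root = ET.fromstring(xml_bytes)
    lines = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if text:
            lines.append(f"{elem.tag}: {text}")
    return "\n".join(lines)


def process_inbox(inbox: Path, archive: Path, quarantine: Path) -> list:
    """One poll cycle: scan, convert and archive each .xml file; return the receipts."""
    receipts = []
    for path in sorted(inbox.glob("*.xml")):
        received_at = datetime.now(timezone.utc).isoformat()
        reason = scan_file(path)
        if reason is None:
            try:
                text = xml_to_plaintext(path.read_bytes())
            except ET.ParseError as exc:
                reason = f"malformed XML: {exc}"
        if reason is not None:
            path.replace(quarantine / path.name)
            receipt = {"file": path.name, "status": "rejected", "reason": reason}
        else:
            (archive / (path.stem + ".txt")).write_text(text, encoding="utf-8")
            receipt = {"file": path.name, "status": "accepted",
                       "sha256": sha256_of(path), "received_at": received_at}
            path.replace(archive / path.name)
        # The receipt is what gets returned to the sending branch, vendor or provider.
        (archive / (path.stem + ".receipt.json")).write_text(json.dumps(receipt))
        receipts.append(receipt)
    return receipts


def run_forever(inbox: Path, archive: Path, quarantine: Path) -> None:
    """Long-running poller; each cycle must finish well inside RECEIPT_DEADLINE_SECONDS."""
    while True:
        started = time.monotonic()
        process_inbox(inbox, archive, quarantine)
        elapsed = time.monotonic() - started
        if elapsed > RECEIPT_DEADLINE_SECONDS:
            print(f"warning: poll cycle took {elapsed:.0f}s, receipt deadline missed")
        time.sleep(max(0.0, POLL_INTERVAL_SECONDS - elapsed))


def demo() -> list:
    """Run one cycle over constructed sample files (one clean, one with a DTD, one broken)."""
    with tempfile.TemporaryDirectory() as tmp:
        inbox, archive, quarantine = (Path(tmp) / n for n in ("inbox", "archive", "quarantine"))
        for d in (inbox, archive, quarantine):
            d.mkdir()
        (inbox / "invoice.xml").write_bytes(
            b"<invoice><id>INV-001</id><amount>125.00</amount></invoice>")
        (inbox / "hostile.xml").write_bytes(
            b'<!DOCTYPE x [<!ENTITY e "x">]><invoice>&e;</invoice>')
        (inbox / "broken.xml").write_bytes(b"<invoice><id>INV-002</invoice>")
        return process_inbox(inbox, archive, quarantine)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

`process_inbox` is deliberately a single cycle so it can be exercised by tests and scheduled by any supervisor; `run_forever` only adds the timing. The receipt JSON is written beside the archived file so that a partner's "did you get it?" query can be answered from the archive alone.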
As pharma continues to play a major role in the healthcare sector, establishing high-quality data protection and infallible cybersecurity will be a difficult-to-reach but remarkable accomplishment.