Tuesday 22 November 2016

GDPR – What’s it all about and how does it affect me?


One of the hot topics I get asked about at almost every customer meeting these days is GDPR.

With the secretary of state, Karen Bradley MP, having confirmed in the last few weeks that the UK will be implementing the EU General Data Protection Regulation (GDPR), I thought now would be a good time to share some information on this highly complex piece of legislation, which is causing sleepless nights for so many business owners and directors.

By way of background, GDPR has been developed to reflect the changing use of data in the digital world in which we now live. With the digital economy being primarily built upon the collection and exchange of data, including large amounts of personal data, which is often sensitive, there is a need to protect citizens’ privacy rights. GDPR is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Whilst these aspirations are to be lauded, there is much concern amongst the business community as to the reality of understanding and implementing the legislation within their business. Whilst the implementation date of 25th May 2018 may still seem a long way off, the reality of the situation is that the changes this legislation requires many businesses to make are so far reaching that 18 months will be barely enough time.

The GDPR represents the most fundamental change in data protection legislation in the past 20 years, and is the first attempt to create meaningful and enforceable data protection laws for Europe’s 500,000,000+ citizens. The implications are far reaching and are set to majorly impact businesses of all sizes. The impact is business-wide, affecting not just IT, but every part of the business from sales and marketing to HR.

The new legislation also gives the regulator real "teeth" in terms of enforcement. For example, if you do not comply with some of the fundamental provisions in the legislation, such as obtaining necessary consent, you can be fined up to 4% of your total worldwide annual turnover or €20 million, whichever is greater. Penalties of up to €10 million or 2% of your total worldwide annual turnover apply for not putting in place adequate security or for not reporting breaches when they occur.

To put this in context, the PCI Security Standards Council warned that had GDPR been in place last year, fines as high as £122 billion could have been levied against UK organisations based on the number of cyber security incidents in 2015. Meanwhile, this month’s high-profile data breach at Tesco Bank could alone have racked up fines of almost £2 billion had it happened under GDPR.

And it is by no means just big businesses that are affected. In fact, of the £122 billion of theoretical fines, £52 billion would have related to SMEs.

The new legislation also requires that businesses must notify most data breaches to the Data Protection Authority without undue delay and, where feasible, within 72 hours. A reasoned justification must be provided if this timeframe is not met.

Consumers affected by a breach will also need to be notified without undue delay in some cases, since this could leave them with an increased exposure to identity theft, financial fraud etc. This in turn leaves companies highly exposed to brand damage and potential customer payouts.

The level of fines and the potential reputational damage of forced disclosure has made the EU GDPR a board level issue rather than an IT issue.

It is a highly complex area, where the legislation is deliberately non-prescriptive (i.e. not prescribing a specific technology or security protocol) as the law makers have realised that to achieve its end goal the legislation needs to be broad brush enough to cover the multitude of ways that different businesses use data and the constantly evolving risks to data, such as cyber crime.

Whilst this makes the legislation more powerful, it also makes the implementation more complex, especially for small and medium sized businesses who do not necessarily have the in-house expertise to be able to unravel the legislation and apply it in the context of their own data and IT systems.

In fact, many of the small and medium sized businesses we are working with are just starting out on the journey to firstly identify what personal data they hold (which can be as simple as an individual's name or email address), and where this data is held.

From there, we are working with them to start putting in place the processes, procedures and technology needed to be GDPR compliant. Whilst it is not a short or particularly easy process, such safeguards are certainly a business necessity to survive and thrive in the digital era, and indeed a necessity for any business owner in the face of the potentially crippling fines and reputational damage that a data breach will cause under GDPR.

If you need any advice with assessing your readiness for GDPR, or with implementing or updating your policies, plans and technologies to be fully data protection compliant, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk

Tuesday 8 November 2016

HIPAA Compliance - What your Pharmaceutical Business needs to know about Ransomware.


In my last blog, I discussed cyber security, in relation to GxP. This week I wanted to focus on one particular security threat that is very prevalent at the moment, and is growing at an alarming rate: namely "ransomware".

This particular type of cyber crime impacts heavily on both GxP and HIPAA compliance and as such it is vital that the Board of pharmaceuticals companies understand what the threat is, how at risk they are, how to mitigate the risk of being attacked, and what their plan would be to handle the situation were they to be the unfortunate victim of such an attack.

Ransomware is a form of malicious software (malware), which effectively hijacks your data by encrypting it and demanding payment of a ransom in return for the security key needed to decrypt it.

Email attachments and links in emails are the most common ways for ransomware to enter an organisation, but it can also enter via business applications, websites, USB sticks or social media.

According to research by Osterman Research Inc carried out in June 2016, 54% of organisations in the United Kingdom had experienced ransomware attacks during the previous 12 months.

The sector most attacked was healthcare, which comes as no surprise: healthcare organisations are so dependent on access to their critical information that they are prime targets for ransomware-producing cyber criminals, particularly in settings like hospitals, where potential loss of life will justify the payment of a high ransom.

The same research shows that many ransomware infections are widespread. Only a tiny proportion of UK based organisations reported that ransomware infections spread to fewer than 1% of endpoints, but about one half reported more widespread infections. More seriously, one in 10 UK based organisations reported that their most serious ransomware infection had reached every endpoint on their network.

The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It also requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach of the HIPAA Privacy Rule has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorised individuals have taken possession or control of the information), and that is a disclosure not permitted under the HIPAA Privacy Rule.

Recent guidance from the HHS Office for Civil Rights has made it clear that a ransomware attack usually results in a breach of healthcare information under the HIPAA Breach Notification Rule. Unless the covered entity or business associate can demonstrate that there is a "… low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, the entity must then comply with the applicable Breach Notification provisions, including notification to affected individuals without unreasonable delay, to HHS, and, in certain cases, to the media.

Naturally, this is a highly undesirable position for any pharmaceuticals company to find itself in, so what should the Board be doing in relation to the threats that ransomware presents to their HIPAA (and indeed GxP) compliance?

Well, at the moment my company and I are engaged with our pharmaceutical clients to carry out the following types of work:-

• Reviewing pharmaceutical companies' current systems to identify risks and vulnerabilities to their electronic protected health information (ePHI).

• Working closely with the Board to come up with a risk mitigation plan to address any vulnerabilities identified, and then implementing the plan.

• Implementing a suite of technical measures, involving hardware, software, cloud technologies and security policies, to protect ePHI from cyber threats including ransomware.

• Training and educating users (bearing in mind new threats are emerging daily and security vendors are constantly playing catch up, the staff will actually be the last line of defence against an attack and need to be educated accordingly).

• Devising, implementing and testing contingency plans including disaster recovery plans, frequent data backups, security incident responses and emergency operating procedures.

Over coming blogs, I will be exploring in more depth some of the key issues around IT compliance in relation to both HIPAA and GxP. If in the meantime you need any assistance with assessing your risks around ransomware in relation to HIPAA or GxP, or with implementing or updating your policies, plans and technologies in light of new cyber security threats, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk.

Tuesday 25 October 2016

GxP Data Integrity in Pharmaceuticals: The Importance of Cyber Security



We work with many pharmaceuticals companies and one of the most frequent questions I get asked is how businesses can manage the ever increasing risks around cyber security.

With the new MHRA GxP data integrity guidance now entering the final week of its consultation period, I thought it would be a good time to share some thoughts on cyber security in pharmaceuticals.

Cybercrime is now a widespread issue, with a study published by Osterman Research Inc in August 2016 showing that 72% of UK based organisations had suffered a security attack in the previous 12 months.

The types of attacks experienced are diverse, ranging from “phishing” attacks where criminals attempt to obtain access to confidential information or passwords, through to “ransomware” attacks where criminals hold your data to ransom by encrypting it and demanding money for its decryption.

The motivation behind these attacks varies from quick money making scams, through to much more sophisticated corporate and state level espionage.

Pharmaceuticals and healthcare, unfortunately, are a natural target of these criminals, as they are dealing with so much confidential material, ranging from patient healthcare information, to critical competitive IP.

In addition, with healthcare devices now becoming increasingly connected to the Internet, there have already been instances of hacking into such devices, with potentially devastating consequences if the dosage or other vital data is changed.

Data integrity is important throughout the pharmaceutical life-cycle, and GxP regulatory requirements have a focus on requiring confidence in the quality and integrity of the data used for decision-making.

As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board level involvement with reviewing the risks and control measures that are in place.

Sadly, the days when a password and some antivirus software were good enough to defend your business from cyber security threats have long gone. Nowadays security policies have to involve a multifaceted approach, incorporating:

  • Documented business security policies that are regularly reviewed and updated to reflect the ever-changing security threat landscape. 
  • Regular user training and procedures to ensure people at all levels in the business understand how to reduce the likelihood of attack.
  • A suite of integrated technological solutions to help guard against the wide array of threats now present.
  • Effective and tested contingency plans to fall back on should the worst happen.

It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary worker in administration who unwittingly opens a supposed "remittance advice" which turns out to be something a lot more sinister – potentially allowing cyber criminals to penetrate your network and intercept, hijack, change or delete your data.

To be successful in combating these threats, directors and owners within pharmaceutical businesses need to engage with IT specialists who can speak in their language, so that a shared understanding of the risks both from a GxP perspective and a technological perspective can be obtained, and a suite of effective control measures can be put in place.

Over coming blogs, I will be exploring in more depth some of the key issues around IT compliance in relation to both GxP and HIPAA. If in the meantime, you need any assistance with assessing or documenting your GxP compliance around cyber security, or with implementing or updating your cyber security policies in light of new threats, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk

Tuesday 11 October 2016

Myths around Pharma downtime: "Resilience costs a fortune"


Over recent blogs, I've talked a lot about the cost and likelihood of IT systems downtime in pharmaceuticals, so today I wanted to consider what can be done to mitigate the risks in our highly regulated industry.

Is it really a case of having to accept that without massive investment IT systems will periodically fail? Well no, my experience is that whilst it is nigh on impossible to guard against every potential disaster, there is much that can be done to safeguard any organisation against the majority of causes of costly downtime. A decade ago high resilience systems and sophisticated disaster recovery plans were the preserve of rich large enterprises, but with advancements in technology there are now many good solutions out there that are affordable for SMBs, and can guarantee system up-time.

Network monitoring tools can be very useful, as when configured correctly they can highlight potential problems before they cause costly downtime. This allows for proactive maintenance to pre-empt problems such as disk space filling up, backup errors or potential security threats. Many such tools are now available as a cost-effective charge per server per month, with the provider doing the monitoring and advising on any necessary remedial work before your business is affected by downtime.

The advent of virtualisation technology has also made restoration of full servers much easier, as there is no longer a dependence on having to restore onto near identical hardware. This means that with the right network design, backup technologies and procedures, the server infrastructure can be configured with some spare capacity, allowing a failed server or service to be restored onto another piece of hardware quickly and easily.

For services where the business cost or compliance implications of any downtime would be prohibitive, there are also real-time replication solutions available that allow data to be replicated "live" between primary and secondary server environments. Whilst these are still a bit more costly than some of the other options, they have still fallen in price dramatically over recent years and are within the reach of many SMEs now.

And of course cloud technology can also offer the benefit of your data being stored in multiple Data Centres, configured in a highly resilient arrangement. Although, as I have touched on in previous blogs, I would caution that no pharmaceutical company should take it for granted that any cloud solution offers this level of resilience or is fully MHRA / HIPAA compliant by default – due diligence is essential, and in many cases third-party add-on options are needed.

Resilience can also be built into Internet connectivity, with diversely routed circuits or circuits delivered via different media such as wireless and fibre, thereby protecting against the majority of Internet downtime. With falling costs of Internet connectivity, I sometimes find that it's even possible to achieve a dual Internet connectivity strategy for the same cost as the previous single line.

Many firewalls now also offer relatively low cost active/passive arrangements where one unit will take over from the other in the event of a failure, thus eliminating another single-point-of-failure from the network.

User education and awareness also form another vital part of the network resilience plan. Simple tips around password security and exercising caution with opening attachments or clicking on links can go a long way to avoiding problems such as ransomware attacks, at very little cost.

In summary, there is much that pharmaceutical and life sciences businesses can do to ensure they are compliant and that they minimise the business risk of costly downtime. Changes in technology have meant that many of the solutions available today are affordable and practical for small and medium size pharmaceutical businesses.

If you would like to find out more about improving your network resilience, or you would like a review of your disaster recovery plans, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-IT.co.uk.

Tuesday 27 September 2016

Myths Around Pharma Downtime: "We Have A Disaster Recovery Plan So We're Fine"


As I discussed in my previous blog, the majority of businesses have been affected by IT downtime in the last year, and in the highly regulated pharmaceutical and life sciences industry, it is critical that the Board have a thorough business understanding of their plans for coping with such an eventuality.

Aside from the lost productivity, lost revenue and potential reputational damage an outage can cause, having a disaster recovery plan is vital to meet pharmaceuticals GxP / HIPAA compliance obligations, in order to confirm that suitable technical policies are in place to ensure that sensitive data is not altered or destroyed.

Many of the pharmaceuticals and life sciences businesses that I work with have no in-house CIO, and as such sometimes I find that the Board are incorrectly reassured by the presence of an IT disaster recovery plan that was perhaps put together some years ago and has sat in the fireproof safe ever since.

This is a myth that I wanted to dispel, as unfortunately, my experience is that this document needs to be constantly evolving, as our use of technology in the industry has moved on apace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend that the Boards of the pharmaceuticals businesses we work with continually re-assess and test their plans around resilience, backup and disaster recovery, against their operational business needs and regulatory compliance requirements. Some points to consider would include:-

• How long could you afford for each of your various IT systems to be down?

• How much data, if any, could you afford to lose?

• When did you last try a test restore of your data or email? Did it work?

• Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results show that recovery times and data loss met your business and compliance requirements above?

• Where are your backups held, and could you access them in the event of a disaster that, say, incapacitated your premises (or in a situation where the emergency services would not allow you access to your site)?

• In the event of a major disaster, what hardware would you restore your backups on to?

• If your offices were incapacitated where would you work from and how would you connect to your recovered system?

With ever increasing regulatory and market-driven pressures, the increase of globalisation, the advancement of technology and the changing expectations of stakeholders, my experience is that the disaster recovery plan needs to be a living, breathing document that is constantly reviewed and re-assessed to reflect the changing demands on the business.

If you would like help with reviewing or testing your disaster recovery plans to make sure that they meet your current regulatory and business requirements, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk

Tuesday 13 September 2016

IT Downtime - Can Pharmaceuticals Afford To Bury Their Head in the Sand?


In my last blog I touched on the cost of IT downtime to pharmaceuticals and life sciences businesses. This week I wanted to dispel one of the many myths around IT downtime that I often hear, which is "it will never happen to us!"

The inconvenient truth is that no pharmaceutical business can afford to bury their head in the sand when it comes to IT downtime. The EMC Global Data Protection Index 2016 study showed that 57% of UK businesses surveyed had suffered unplanned downtime in the prior 12 months. Across all organisations surveyed, the average length of unplanned downtime was 22 hours, whilst the average cost was a whopping $555,000.

The impact of IT downtime is dramatic, with a previous more in-depth study by the same organisation showing that of those businesses who experienced downtime:-

• 52% experienced a loss of employee productivity
• 34% lost revenue as a direct result of the outage
• 23% experienced a loss of customer confidence or loyalty
• 10% lost a new business opportunity

All sorts of things can cause a system failure, and although when I talk to clients in pharmaceuticals and life sciences most people's first thought is normally of fires, floods or terrorist attacks, my experience is that in reality a lot of downtime is caused by much more mundane things.

For example, the great British weather has much to answer for when it comes to IT downtime… How often has an outage been caused because the server room got too hot, or high winds blew down overhead cables, or rain flooded the basement or the local BT exchange? Then there was the site I went to recently where one part of the building had been disconnected from the rest of the network thanks to a local rodent chewing through an outdoor fibre optic cable!

Power issues and UPS problems are also a common source of downtime in my experience, as are software updates that are not carefully managed. And of course human error can play a part too.

In recent times we have all become hugely dependent on the Internet for much of our business operations, and this brings with it another potential source of costly downtime, with a recent survey by Beaming showing that:-

• 81% of businesses rely on email to function
• 51% use their Internet connectivity to also carry their voice calls
• 36% of businesses now rely on Internet connectivity to access mission critical cloud applications
• 34% use online sales tools
• 33% use the Internet to communicate with their mobile workforce

The same study shows that two thirds of UK businesses experienced Internet connection failures in the last year that prevented them from trading or accessing these vital online services. Of these:

• 13% started losing money immediately
• 28% suffered a financial impact after an hour of downtime
• 46% were losing money after four hours

Hopefully this goes some way to illustrate that these types of downtime issues can and do occur regularly, and as such no Pharmaceuticals Board can afford to bury their head in the sand. But the good news is that there is much that can be done to mitigate the risks and avoid the vast majority of costly downtime with a little judicious planning and investment.

In my experience, the combination of implementing the right technologies, policies, plans and user awareness/education is the key to building a resilient and reliable IT infrastructure which suffers minimal downtime.

If you have any questions or need some assistance with making your IT systems resilient, implementing systems monitoring or reviewing your disaster recovery arrangements, then please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk

Thursday 1 September 2016

How much would one hour of IT downtime cost your pharmaceuticals business?


That's one of the questions I find myself frequently discussing with the pharmaceutical businesses that I work with.

With technology now embedded intrinsically in almost every element of a pharmaceuticals business's operations, network resilience, backups and disaster recovery plans have never been more important. And as anyone who has experienced network downtime will know, it is amazing how crippling an IT system failure is to the business.

From lost revenue, to lost employee productivity, the costs rapidly mount up while your system is down, your employees are idle and your customers potentially cannot contact you. It’s therefore worth spending a little time considering what would happen if your system does go down:-

• How much money will you lose?

• What’s the reputational damage?

• What are the Compliance implications?

• How long will it take to get your system up and running again?

• How much data or email will be lost?

• How will you operate your business in the meantime?

If you are unclear about the answers to any of these questions, then I would strongly advise that you take stock of your processes and procedures around network resilience, systems monitoring and disaster recovery, as my experience is that a little time and wise investment spent before something goes wrong can save your company a fortune – in fact it can sometimes just save your company!

Not only does IT system downtime lead to lost productivity and lost revenue, but the reputational damage it can cause can be immeasurable. And in the heavily regulated pharmaceuticals industry, the compliance implications can be catastrophic.

Over coming blogs, and because I wanted to dispel some myths around system availability, I will be exploring some issues around downtime in pharmaceuticals. In these future blogs I will explore, discuss and advise on many of these myths, the likes of which include:-

1. “Well, that won't happen to us!”

2. “We have a disaster recovery plan so we're fine!”

3. “Our systems are in the cloud so we don't need to worry about resilience or disaster recovery”

4. “Sophisticated network resilience and disaster recovery solutions cost a fortune”

However if in the meantime you have any questions or need some assistance with making your IT systems resilient, implementing systems monitoring or reviewing your disaster recovery arrangements, then please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk

Tuesday 16 August 2016

Knowledge is Power for Pharma Bosses!


Many of the small and medium size pharmaceutical and life sciences companies I work with have no in-house CIO, and as such don't always have a full understanding of what IT systems they've got or what value, or indeed risk, those IT systems deliver to the business.

This lack of information can leave the Board in a precarious position, as they don't have the knowledge needed to make an informed business decision over the strategic use and direction of technology within their organisation. Whether you love or loathe technology, the reality is that IT is now a vital and integral part of every business challenge, and making empowered decisions about your strategic use of technology is critical to the ongoing success of your business.

With technology ever-changing, this is an area where no pharmaceutical or life sciences business can afford to stand still, without the risk of losing out to their competitors.

So I thought it would be useful to jot down a few pointers to make sure you have the information you need to make empowered decisions over the strategic use of technology in your organisation:-

* Do you know what technology you have got and what value it adds to your business?

* Do you know which technologies your competitors have deployed or are considering implementing and how that will impact on your competitiveness in the marketplace?

* Do your IT systems maximise salesforce productivity? Are you making effective use of e-detailing and CRM solutions? How do your IT systems compare with the systems your competitors use? Does your salesforce hide behind IT problems as an excuse for not meeting target?

* In our highly regulated industry, are you confident that your IT system is fully compliant with HIPAA / MHRA / GxP standards?

* Are your current or future IT systems geared towards improving productivity and 100% overhead absorption?

* If you are involved in M&A activity, have you considered how easy/difficult, costly/cheap it will be to integrate the IT systems of the business you are acquiring with your own business? How will this impact on timescales and payback period on your investment?

* Do you know what new technologies are available in the pharmaceuticals and life sciences industry and which ones could add value to your business?

* Do you have a clear understanding of how future proof your IT systems are? If they have a limited lifespan (and let's face it, most things in IT do!), have you considered when you will replace them, and with what?

* Are your systems geared up to maximising business value when you come to execute your exit plan? (For more on this topic please see my Pharma Business Exit Planning blog)

Hopefully this goes some way to illustrate that whether your business goals are around expanding, gaining advantage over competitors, improving salesforce productivity, making an acquisition or exit planning, making the right IT choices is integral to success.

And that all starts with having the right information.

If you would like to find out more about effective, strategic use of IT in Pharma, or you need information about your current IT system, then please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk.

Wednesday 3 August 2016

Pharmaceutical Business Exit Planning – 6 Key IT Considerations to Maximise Value


I thought I would put pen to paper on this subject as I’ve recently been working with several pharmaceuticals clients who are now in the process of planning their exit strategy from the business and needed input to understand how their investment in IT would impact the value, and saleability, of their business.

Whilst looking forward to reaping the rewards of many years' hard work, one factor that is often given little thought is that of IT systems. Of course we all take our IT for granted... it just works (or at least hopefully it does… if not, then please ask me about our IT Support services for pharmaceuticals!). But of course with hundreds of different options for hardware, software, applications and cloud services, the reality is that every network is unique.

This isn’t an issue when running our own business, but when it comes to the potential sale of the business, then it’s something any potential acquirer is going to want to know about in detail as part of their due diligence. Integrating the IT systems of seller and acquirer is often no mean feat and may impact significantly on both the cost of the acquisition and the operational logistics and timescales of the merger.

Naturally we all want to maximise the value that we get when we realise our capital, and IT forms an important consideration when you are going to be “dressing the business for sale”.

So here are some key considerations to think about when you start planning your exit strategy:

• Do you understand what systems you’ve got and how they work to support, or indeed lead, the business?

• Do you have IT systems documentation to give a potential buyer that would enable them to assess the costs and complexity of integrating your IT systems with theirs?

• Do you have a clear understanding of how your IT services are maintained and supported, who the various third parties are that are involved, what contracts and notice periods are in place and the associated costs?

• Will your procedures and documentation around critical compliance issues such as cyber security and disaster recovery policies give your buyer the confidence and reassurance they need?

• Will the IT systems, processes or contracts that you have in place today negatively impact the value or saleability of your company?

• If so, what changes need to be implemented in preparation for exit?

My own experience is that these activities are best started early, as they can take significant time and effort to understand and implement, but are well worth the investment since they are a key part of forming the exit strategy and maximising the business value.

If you would like to explore pharmaceuticals exit planning further, or you need your current IT systems to be unravelled, documented or improved as part of your exit planning, then please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk.

Wednesday 20 July 2016

The Cloud in Pharma – Is it appropriate in the highly regulated Pharmaceutical industry?


Unless you've been holed up in a bunker for the last few years, you can't have failed to have heard all the talk about cloud computing and IT cloud solutions.

But when I am meeting with pharmaceuticals companies, I often get asked the question "Are cloud solutions appropriate for us, in our highly regulated industry?"

Well that's a big question, and not one that has an immediate yes or no answer. Like many things in IT, it depends. There is no doubt that some cloud solutions offer great business benefits to pharmaceuticals. For example they facilitate remote working, enable digital collaboration and can improve salesforce productivity using cloud-based tools like e-detailing solutions.

On the technical side, the cloud provides bucket loads of storage for all the data we need to keep for compliance reasons, without the headache of in-house servers that need to be managed and endlessly upgraded. From a budgetary point of view too, cloud solutions provide the potential to do away with some or all of the in-house IT equipment, avoiding large capital costs on hardware and moving to an environment where the network infrastructure is a flexible, pay-as-you-go service which you can draw on as you need it.

So with all these benefits, surely the cloud is a no-brainer? Well in my mind there is no doubt that this is the way the IT industry is moving, and in years to come I don't think we'll be talking about cloud-based versus local network applications, because I suspect everything will be cloud-based by default. But as always in IT there is an evolution process, and at the moment some things work better in the cloud than others. In our highly regulated industry there are a lot of considerations around things like security, data protection, availability and compliance. And this is where careful due diligence is needed when selecting a vendor or cloud provider.

It's not always as obvious as you'd think either. Let's take Microsoft as an example. Office 365 is the latest incarnation of Microsoft's Office suite of software, and this time rather than the data being held on a local network, it's cloud-based. Now you might assume that a vendor like Microsoft would be a safe and fully compliant home for your data. But interestingly Office 365 'out of the box' isn't compliant by default; it needs certain plans and certain settings to be configured to make it so.

And like any IT project, the key to success is in the planning.

There's no doubt cloud-based solutions offer a lot of business benefits to pharmaceuticals. The key to successfully delivering those benefits, whilst mitigating the risks, is to engage with a partner who is knowledgeable about the specific compliance issues in our industry, and of course (like any IT project) to plan, plan, plan!

If you would like to explore the benefits of cloud solutions further, or you need advice on making your cloud-based systems compliant, then please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk.