Tuesday 25 October 2016

GxP Data Integrity in Pharmaceuticals: The Importance of Cyber Security



We work with many pharmaceutical companies, and one of the most frequent questions I get asked is how businesses can manage the ever-increasing risks around cyber security.

With the new MHRA GxP data integrity guidance now entering the final week of its consultation period, I thought it would be a good time to share some thoughts on cyber security in pharmaceuticals.

Cybercrime is now a widespread issue, with a study published by Osterman Research Inc in August 2016 showing that 72% of UK-based organisations had suffered a security attack in the previous 12 months.

The types of attacks experienced are diverse, ranging from “phishing” attacks where criminals attempt to obtain access to confidential information or passwords, through to “ransomware” attacks where criminals hold your data to ransom by encrypting it and demanding money for its decryption.

The motivation behind these attacks varies from quick money making scams, through to much more sophisticated corporate and state level espionage.

Pharmaceuticals and healthcare, unfortunately, are a natural target of these criminals, as they are dealing with so much confidential material, ranging from patient healthcare information, to critical competitive IP.

In addition, with healthcare devices now becoming increasingly connected to the Internet, there have already been instances of hacking into such devices, with potentially devastating consequences if the dosage or other vital data is changed.

Data integrity is important throughout the pharmaceutical life-cycle, and GxP regulatory requirements have a focus on requiring confidence in the quality and integrity of the data used for decision-making.

As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board level involvement with reviewing the risks and control measures that are in place.

Sadly, the days when a password and some antivirus software were good enough to defend your business from cyber security threats have long gone. Nowadays security policies have to involve a multifaceted approach, incorporating:

  • Documented business security policies that are regularly reviewed and updated to reflect the ever-changing security threat landscape.
  • Regular user training and procedures to ensure people at all levels in the business understand how to reduce the likelihood of attack.
  • A suite of integrated technological solutions to help guard against the wide array of threats now present.
  • Effective and tested contingency plans to fall back on should the worst happen.

It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary worker in administration who unwittingly opens a supposed "remittance advice" which turns out to be something a lot more sinister – potentially allowing cyber criminals to penetrate your network and intercept, hijack, change or delete your data.

To be successful in combating these threats, directors and owners within pharmaceutical businesses need to engage with IT specialists who can speak in their language, so that a shared understanding of the risks both from a GxP perspective and a technological perspective can be obtained, and a suite of effective control measures can be put in place.

Over coming blogs, I will be exploring in more depth some of the key issues around IT compliance in relation to both GxP and HIPAA. If, in the meantime, you need any assistance with assessing or documenting your GxP compliance around cyber security, or with implementing or updating your cyber security policies in light of new threats, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk.

Tuesday 11 October 2016

Myths around Pharma downtime: "Resilience costs a fortune"


Over recent blogs, I've talked a lot about the cost and likelihood of IT systems downtime in pharmaceuticals, so today I wanted to consider what can be done to mitigate the risks in our highly regulated industry.

Is it really a case of having to accept that, without massive investment, IT systems will periodically fail? Well no, my experience is that whilst it is nigh on impossible to guard against every potential disaster, there is much that can be done to safeguard any organisation against the majority of causes of costly downtime. A decade ago, high-resilience systems and sophisticated disaster recovery plans were the preserve of large, well-resourced enterprises, but with advancements in technology there are now many good solutions out there that are affordable for SMBs and can guarantee system uptime.

Network monitoring tools can be very useful, as when configured correctly they can highlight potential problems before they cause costly downtime. This allows for proactive maintenance to pre-empt problems such as disk space filling up, backup errors or potential security threats. Many such tools are now available as a cost-effective charge per server per month, with the provider doing the monitoring and advising on any necessary remedial work before your business is affected by downtime.
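A small illustration of the kind of proactive check the paragraph describes, added here as an example (not code from the original post or from any particular monitoring product): it alerts on disk usage both when a static threshold is crossed and when the recent growth trend forecasts the volume filling within a set number of days, and it raises an alert for any backup job whose log shows an ERROR. The usage readings, the log line format and the thresholds are all constructed for the example.

```python
"""Threshold and trend alerting over constructed disk-usage samples and backup
log lines. Added illustration; not from the original post or any product."""
import re
from datetime import datetime

# Constructed sample readings: (timestamp, used_bytes) for one 500 GiB volume.
TOTAL_BYTES = 500 * 1024**3
SAMPLES = [
    (datetime(2016, 10, 1), 300 * 1024**3),
    (datetime(2016, 10, 4), 320 * 1024**3),
    (datetime(2016, 10, 7), 340 * 1024**3),
    (datetime(2016, 10, 10), 360 * 1024**3),
]

# Constructed backup-agent log lines; the format is hypothetical.
BACKUP_LOG = """2016-10-09 01:00:12 INFO  job=nightly-full started
2016-10-09 02:14:55 WARN  job=nightly-full file skipped: path too long
2016-10-10 01:00:10 INFO  job=nightly-full started
2016-10-10 01:03:41 ERROR job=nightly-full destination unreachable
2016-10-10 01:03:42 ERROR job=nightly-full finished with errors
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\w+)\s+job=(\S+) (.*)$")


def growth_per_day(samples):
    """Average bytes/day between the first and last sample (linear trend)."""
    (t0, u0), (t1, u1) = samples[0], samples[-1]
    days = (t1 - t0).total_seconds() / 86400
    return (u1 - u0) / days if days > 0 else 0.0


def days_until_full(samples, total):
    """Forecast days until the volume is full, or None if usage is not growing."""
    rate = growth_per_day(samples)
    if rate <= 0:
        return None
    return (total - samples[-1][1]) / rate


def disk_alert(samples, total, warn_pct=80, crit_pct=90, warn_days=30):
    """Return (severity, message). A static percentage threshold alone would
    miss a fast-growing volume, so the forecast is checked as well."""
    used = samples[-1][1]
    pct = 100.0 * used / total
    eta = days_until_full(samples, total)
    if pct >= crit_pct:
        return ("CRITICAL", f"{pct:.1f}% used")
    if pct >= warn_pct:
        return ("WARNING", f"{pct:.1f}% used")
    if eta is not None and eta <= warn_days:
        return ("WARNING", f"{pct:.1f}% used, full in ~{eta:.0f} days at current growth")
    return ("OK", f"{pct:.1f}% used")


def backup_alerts(log_text):
    """One CRITICAL alert per backup job that logged an ERROR, quoting the first error."""
    first_error = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(2) != "ERROR":
            continue
        ts, _, job, msg = m.groups()
        first_error.setdefault(job, (ts, msg))
    return [("CRITICAL", f"backup {job} failed at {ts}: {msg}")
            for job, (ts, msg) in first_error.items()]


if __name__ == "__main__":
    for severity, message in [disk_alert(SAMPLES, TOTAL_BYTES)] + backup_alerts(BACKUP_LOG):
        print(f"{severity}: {message}")
```

With the constructed readings the volume sits at 72% used, below the 80% warning threshold, yet the 20 GiB-every-three-days growth means it fills in about 21 days, so the trend check raises the warning that a static threshold would not; the backup check turns the two ERROR lines for one job into a single actionable alert rather than one per line.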

The advent of virtualisation technology has also made restoration of full servers much easier, as there is no longer a dependence on having to restore onto near identical hardware. This means that with the right network design, backup technologies and procedures, the server infrastructure can be configured with some spare capacity, allowing a failed server or service to be restored onto another piece of hardware quickly and easily.

For services where the business cost or compliance implications of any downtime would be prohibitive, there are also real-time replication solutions available that allow data to be replicated "live" between primary and secondary server environments. Whilst these are still a bit more costly than some of the other options, they have still fallen in price dramatically over recent years and are within the reach of many SMEs now.

And of course cloud technology can also offer the benefit of your data being stored in multiple Data Centres, configured in a highly resilient arrangement. Although, as I have touched on in previous blogs, I would caution that no pharmaceutical company should take it for granted that any cloud solution offers this level of resilience or is fully MHRA / HIPAA compliant by default – due diligence is essential, and in many cases third-party add-on options are needed.

Resilience can also be built into Internet connectivity, with diversely routed circuits or circuits delivered via different media such as wireless and fibre, thereby protecting against the majority of Internet downtime. With falling costs of Internet connectivity, I sometimes find that it's even possible to achieve a dual Internet connectivity strategy for the same cost as the previous single line.

Many firewalls now also offer relatively low cost active/passive arrangements where one unit will take over from the other in the event of a failure, thus eliminating another single-point-of-failure from the network.

User education and awareness also form another vital part of the network resilience plan. Simple tips around password security and exercising caution when opening attachments or clicking on links can go a long way to avoiding problems such as ransomware attacks, at very little cost.

In summary, there is much that pharmaceutical and life sciences businesses can do to ensure they are compliant and that they minimise the business risk of costly downtime. Changes in technology have meant that many of the solutions available today are affordable and practical for small and medium size pharmaceutical businesses.

If you would like to find out more about improving your network resilience, or you would like a review of your disaster recovery plans, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-IT.co.uk.