Tuesday 25 October 2016

GxP Data Integrity in Pharmaceuticals: The Importance of Cyber Security



We work with many pharmaceutical companies, and one of the most frequent questions I get asked is how businesses can manage the ever-increasing risks around cyber security.

With the new MHRA GxP data integrity guidance now entering the final week of its consultation period, I thought it would be a good time to share some thoughts on cyber security in pharmaceuticals.

Cybercrime is now a widespread issue, with a study published by Osterman Research Inc in August 2016 showing that 72% of UK-based organisations had suffered a security attack in the previous 12 months.

The types of attacks experienced are diverse, ranging from “phishing” attacks where criminals attempt to obtain access to confidential information or passwords, through to “ransomware” attacks where criminals hold your data to ransom by encrypting it and demanding money for its decryption.

The motivation behind these attacks varies from quick money-making scams, through to much more sophisticated corporate and state level espionage.

Pharmaceuticals and healthcare, unfortunately, are a natural target of these criminals, as they are dealing with so much confidential material, ranging from patient healthcare information, to critical competitive IP.

In addition, with healthcare devices now becoming increasingly connected to the Internet, there have already been instances of hacking into such devices, with potentially devastating consequences if the dosage or other vital data is changed.

Data integrity is important throughout the pharmaceutical life-cycle, and GxP regulatory requirements have a focus on requiring confidence in the quality and integrity of the data used for decision-making.

As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board level involvement with reviewing the risks and control measures that are in place.

Sadly, the days when a password and some antivirus software were good enough to defend your business from cyber security threats have long gone. Nowadays security policies have to involve a multifaceted approach, incorporating:

  • Documented business security policies that are regularly reviewed and updated to reflect the ever-changing security threat landscape. 
  • Regular user training and procedures to ensure people at all levels in the business understand how to reduce the likelihood of attack.
  • A suite of integrated technological solutions to help guard against the wide array of threats now present.
  • Effective and tested contingency plans to fall back on should the worst happen.

It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary worker in administration who unwittingly opens a supposed "remittance advice" which turns out to be something a lot more sinister – potentially allowing cyber criminals to penetrate your network and intercept, hijack, change or delete your data.

To be successful in combating these threats, directors and owners within pharmaceutical businesses need to engage with IT specialists who can speak in their language, so that a shared understanding of the risks both from a GxP perspective and a technological perspective can be obtained, and a suite of effective control measures can be put in place.

Over the coming blog posts, I will be exploring in more depth some of the key issues around IT compliance in relation to both GxP and HIPAA. If, in the meantime, you need any assistance with assessing or documenting your GxP compliance around cyber security, or with implementing or updating your cyber security policies in light of new threats, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk
