Tuesday, 19 December 2017

Preparing your Pharma company for GDPR – Disaster Recovery Considerations



In my last blog, I talked about the importance of data backup in your preparations for GDPR. Since then a number of you have been in touch with questions, many of which revolved around the wider topic of disaster recovery, so today I thought it would be worth expanding a little on disaster recovery provision, an important topic in relation to both GDPR and MHRA compliance.

GDPR places an obligation on your firm to safeguard the personal data which it holds, and my previous articles in this series have talked about ways to protect your data day-in day-out through effective risk management in relation to cyber security, access control and data backup.

However, with the best planning in the world, sometimes the unexpected does happen. We only have to look at the Wannacry ransomware attack that so devastated parts of the NHS to see the reputational damage and compliance breaches that can be caused by such an eventuality. It is therefore important from both a GDPR and MHRA regulatory perspective to have the appropriate incident response and recovery plans in place to handle such a situation.

The key issues to consider here are:


How Long Would it Take to Recover your Data from your Backup? (the Recovery Time Objective, or RTO)

and

How Much Data Loss, if any, Could Your Business Tolerate? (the Recovery Point Objective, or RPO)


The answers to these two questions will be fundamental in determining both your backup strategy and your disaster recovery plan.

If you have a recovery time objective of minutes or hours (rather than days) on your critical systems, then you will certainly not have time to source alternative hardware and rebuild servers with operating systems and applications and restore data. In this instance you will need to have the ability to spin up replacement servers on pre-existing hardware, so thought needs to be given as to what and where that hardware is, and whether your backup strategy provides for a complete server backup that can be recovered in this way.

Additionally, if the disaster is such that your offices are incapacitated, or perhaps the emergency services will not allow you access to your premises, then the plan needs to consider where your staff would work from and how they would connect to the recovered IT system.

The Recovery Point Objective is all about data loss, and is therefore an important aspect to consider under the GDPR, which obliges you to safeguard the data that you hold. If, for example, you only back up your system once a day, typically overnight, then you could lose up to a day’s work and data in a disaster situation. So you need to consider how you would recreate that day’s data and, if your email server is affected by the disaster, how you would cope with potentially having lost a day’s worth of email correspondence.

There is a huge amount to consider in your disaster recovery planning, and in reality the only way that you will know with relative certainty that your disaster recovery plan would work when you need to use it for real is by testing it regularly. I can’t stress enough how vital testing is to success, as in my experience it almost always reveals deficiencies in the plan, whether these be technical issues, operational issues, or the discovery that the required RTO or RPO could not be met.

Over the years, I have seen disaster recovery tests reveal that backups have not been running successfully, or that they have been running but are not actually restorable, along with backups where certain parts of the system or data have been omitted, and backups that take far longer to restore than expected. Then there are the operational oversights: perhaps the DR plan is stored on the network and hence inaccessible in a disaster, or the contact details for key personnel, customers or suppliers are unavailable because of the disaster itself, which stops the disaster communications plan being executed as envisaged.

There is plenty of scope for problems, and so testing is vital as it allows such deficiencies to be highlighted before the plan is needed in a live invocation, and the necessary remedial actions to be taken, so that when the plan is used “in anger” there is a much better chance of a smooth, swift recovery taking place.

Many smaller pharma companies that we work with just don’t have the time or technical resources to constantly keep on top of disaster recovery planning and testing, which is what led us to launch our MyRecovery service in 2017. This provides a fully managed backup and disaster recovery service tailored to your business’s needs, encompassing the technologies, testing and operational procedures needed to protect your business and your data. Based on a monthly subscription fee, the service is proving popular with small and medium sized pharma companies as it avoids large upfront capital costs and gives pharma companies the peace of mind that they have a current, working disaster recovery solution in place with guaranteed recovery times.

I hope that this article has given you some useful insight into the key considerations around disaster recovery planning. If you are concerned that your current disaster recovery plan may not be effective and you would like to arrange for us to carry out an independent review or test of it, or you would like more information about our MyRecovery service, please do not hesitate to contact me on 01494 444065 or email gswanwick@epoq-it.co.uk.

_________________________________________________________________________________

Epoq IT work with small and medium size pharmaceuticals businesses, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information on our services please visit our website http://epoq-it.co.uk/pharmaceuticals

Tuesday, 21 November 2017

Preparing your Pharma company for GDPR – Data Backup


In my recent blogs on the subject of preparing your pharmaceutical business for GDPR, I have talked about the importance of understanding your data, protecting your data from insider threats, and cyber security considerations.

In today's article I wanted to talk about the importance of data backup in your preparations for GDPR. Since GDPR places accountability on businesses to have in place policies, procedures and documentation that demonstrates the personal data they hold is stored securely, data backup forms an important component in demonstrating that your organisation is taking due care of the personal data which is entrusted to it.

Aside from GDPR, backups are a key component in the day-to-day running of any IT system, and as such also form an important part of MHRA compliance and HIPAA compliance, as well as coming under scrutiny in audits which many of the large pharma companies are now undertaking on their supply chain.

There are a variety of technologies available including backups to the cloud, backups to removable media and real-time replication to other servers. It is important to realise that different types of backups are useful in different scenarios, and so more than one type may need to be employed to give you full resilience. For example, cloud backups are a useful way of keeping a copy of your data offsite, which provides for extra protection in the event of a disaster on your premises, which might wipe out locally held backups as well as the live servers. On the other hand, removable media provides a very useful form of backup as it is held off-line and therefore can't be attacked by cyber security threats such as ransomware. Offline backups can also be useful to facilitate fast restoration, since you do not need to pull the data back over the Internet.

Real-time replication to another server works well when no downtime can be tolerated, but bear in mind that if a file is corrupted or accidentally deleted, that change is replicated in real time to the backup server too.

So there are a number of considerations to any company’s backup strategy and it may well be appropriate to employ different solutions for different applications or servers.

Full disaster recovery is also an important consideration under GDPR, since if your business is unlucky enough to suffer a full system failure, be that through a cyber attack like the recent WannaCry ransomware attack, or due to more mundane reasons such as a hardware failure, fire or flood, you need to be able to demonstrate that you have suitably protected the personal data that you store and can recover it successfully.

The first consideration here is how long your company could manage without each of its various IT systems and data repositories. This is likely to vary from system to system: for example, you may be able to tolerate no downtime on your email server, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your plan needs to consider each system and data repository you use and assess how long you could manage without it.

The second consideration is around data loss. Again for each system and data repository you need to be clear how much data loss, if any, would be acceptable and tailor your disaster recovery systems accordingly. If no data loss is acceptable, then a real-time replication solution should be considered. If some data loss is acceptable in a disaster scenario, then backups that run daily or hourly may be acceptable.

Finally, never underestimate the importance of having an up-to-date, written disaster recovery plan and having tested it on a regular basis, which is something I discussed in more detail in this blog.

Should this article have raised questions or concerns around your business’s current backup and disaster recovery arrangements, please do not hesitate to contact me on (01494) 444065 or email gswanwick@epoq-it.co.uk for a no-obligation discussion around ways Epoq IT can help, which include a full range of backup and disaster recovery solutions, tailored around your company’s specific needs in regard to recovery times and data loss, and based on an affordable monthly subscription.

More information about our company and our range of products and services is also available at our website:

IT Support for Pharmaceuticals

MySecurity - expert security management of all your systems for an affordable monthly fee

MyRecovery – fully managed backup and disaster recovery tailored to your firm’s needs

MyCIO - consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security.

Tuesday, 17 October 2017

Preparing your Pharmaceuticals business for GDPR: Cyber Security Considerations



In my last blog, Preparing your Pharmaceuticals business for GDPR: Protecting your Data from Insider Threats, I talked about ways to mitigate the risks to your data which may arise from accidental or deliberate threats from staff or third parties who have legitimate access to your data.

In today’s blog, I wanted to talk about the additional precautions that you need to be taking in readiness for GDPR in order to protect your data from external security threats, such as hackers.

In days gone by, a firewall and some anti-virus software were largely good enough to protect your organisation from such threats, but in today’s ever evolving, increasingly complex threat landscape, a far more sophisticated suite of technologies, business processes, policies and staff training measures is needed to mitigate the risk from cyber threats.

If we just consider how working practices have changed in recent years, it becomes apparent why a simple anti-virus plus firewall strategy is flawed. For example, do you allow staff to synchronise their emails (which often contain confidential data) to their personal smartphones or home computers? If so, bear in mind that those devices are often outside the control of your network firewall and anti-virus policies. So what happens if those mobile devices get infected, lost or stolen? Or if data is inadvertently made web facing through the use of cloud-based storage or backup programs on home PCs?

Remote working and cloud based services are just two risk areas that traditional IT security measures do not fully mitigate. There’s also the constant stream of malware and phishing emails that your company receives. It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary administrative worker who unwittingly opens a supposed "invoice" which turns out to be something much more sinister.

Cyber criminals are also constantly busy looking for security loopholes in operating systems and software applications that they can exploit, with the result that software vendors like Microsoft are constantly bringing out a stream of security fixes that need applying to every device on your network. Again, it only takes one laptop or computer to not be updated, for whatever reason, to leave the firm highly exposed to threats like the recent Wannacry ransomware attack that so crippled the NHS.

Indeed patch management has become an even more important part of cyber security management in recent times, as we now have the situation where some cyber criminals are reverse engineering the patches that vendors like Microsoft publish, to work out what underlying vulnerabilities they fix, and then targeting those vulnerabilities in organisations who have not applied the patches promptly.

The reality is that nowadays, the only way to effectively secure your data against cyber security threats is by implementing a wide range of technologies, business processes and controls incorporating things like anti-virus, malware protection, patch management, email filtering, firewall management, encryption, user education, secure wiping of old equipment, remote access policies, website content filtering, mobile security, penetration testing and much more.

I hope this has given you a useful insight into some of the key areas to consider around cyber security when preparing your pharma business for GDPR. Should you need help on assessing your readiness for GDPR or advice on technology solutions that will assist with GDPR compliance, such as Epoq IT’s MySecurity service, which provides expert security management of all your systems for an affordable monthly fee, please do not hesitate to contact me on (01494) 444065 or email gswanwick@epoq-it.co.uk.


Tuesday, 19 September 2017

Preparing your Pharmaceuticals business for GDPR: Protecting your Data from Insider Threats



In my last blog I talked about the importance of understanding what data you hold and where it is stored, so that you can ensure that you are protecting it suitably in readiness for GDPR.

Today I wanted to elaborate on considerations around protecting your data. In preparing your pharma business for GDPR it is important to realise that as well as securing your personal data from external cyber threats, you also need to be securing it from insider threats.

So what do I mean by insider security threats?

Well, this can be something like a rogue employee or a disgruntled ex-member of staff, but more likely it will be a genuine member of staff who accidentally causes a security breach or data loss.

Human error, or our natural tendency as human beings to take the easy option, is actually one of the commonest causes of such an incident, so it is good practice to put in place policies and controls that will minimise the risks of such an occurrence.

Password policies would be one such control. I'm sure that, for ease of memorability, we would all naturally tend towards an obvious password, but these are very easily guessable and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as overly complex password policies, which demand long and complex passwords that change frequently, can result in staff feeling the need to write their passwords down, and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to only give staff the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate.

Staff education is also vital in ensuring that your systems are not compromised by security threats like malware or ransomware, which are often transmitted via rogue emails.

Mobile working has also opened up a plethora of new challenges, and preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and data often being held on laptops to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid or stolen.

Equally, staff can sometimes be unaware of the implications of having certain pieces of software on their laptop, home PC, tablet or smartphone, and may be unwittingly backing up or synchronising confidential and/or personal company data to an unsuitable or insecure location somewhere in the cloud. With many public cloud services hosted worldwide, it is important to realise that such practices can easily and inadvertently create a breach of the GDPR, which imposes restrictions on the transfer of personal data outside the European Union to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your IT systems or data. In this case this needs to be secured in just the same way as it is for your own staff, so you are clear who has access to what data, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Should you need help on assessing your readiness for GDPR or advice on technology solutions that will provide GDPR compliance, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk.


Tuesday, 15 August 2017

Preparing your Pharmaceuticals business for GDPR: How well do you understand your data?



With Digital Minister, Matt Hancock, having now formally announced the government’s intent to overhaul its data protection laws, in the form of a new Data Protection Bill, which will enshrine the EU’s forthcoming GDPR into UK law, as well as helping to prepare the UK for the future after Brexit, I thought today it would be useful to expand on some of the actions that pharmaceuticals businesses need to be taking in order to ensure they are compliant with the new legislation.

Those of you who read my recent blog, GDPR in Pharmaceuticals – 6 top tips for compliance, will have seen that I talked about the need to identify what personal data you hold, and this is something I wanted to elaborate on today, particularly in relation to knowing where that confidential data is stored.

This may sound like an odd topic, as I'm sure many of you are thinking you know exactly where all your company’s confidential data is held. But do you really?

A pharmaceutical company’s data is precious, and much of that data is personal, including names and contact details for your clients, prospective clients and your staff, medically confidential details of personal patient health information and clinical trial data, not to mention a wealth of commercially confidential details of contracts, agreements, research, IP and email correspondence. Let’s bear in mind that the scope of what constitutes personal data under GDPR will also be expanded to include all kinds of personal identifiers, not just names, so things like IP addresses, DNA and reference numbers will also be counted as personal data. As such, it becomes clear that the vast majority of a pharmaceutical company’s data is likely to fall under the scope of the new legislation.

And the scary reality nowadays is that your business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data or emails? Or data that has been copied to removable media such as USB sticks? Or data that has been shared with business partners and other third-party organisations? Or copies of data taken for backup purposes?

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs.

So do you really know where all your data is held? And does it matter?

Well the more widespread and less controlled your data is, the more vulnerable you leave your business to a breach of data security. And under the new data protection bill, any such breach leaves businesses open to potentially crippling fines of up to £17 million and immeasurable reputational damage. In addition, the legislation grants EU citizens the “right to be forgotten”, allowing them to request that companies delete their personal data from any records; therefore being able to identify what data is held and where it is, is vital for compliance.

If your data is very disparate, you may wish to bring it together in one secure, central repository in order to make it easier to control and manage. Luckily nowadays there are technologies that facilitate this; for example we have built several of our clients their own private cloud solution where all their data is brought together in one secure, central, UK-based repository, where they and their authorised business partners can access it securely wherever they are, without the source data ever leaving the security of the UK-based data centre.

For other clients, where data is generally central, but perhaps also resides on some mobile devices too, we work to implement business processes and technologies to prevent data leakage and manage mobile devices.

Either way, it is paramount to put your business back in control of its data, knowing both where it is and who has access to it. This in turn needs to be documented, both so that the Board have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts businesses back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Should you need help on assessing your readiness for GDPR or advice on technology solutions that will provide GDPR compliance, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk.


Tuesday, 18 July 2017

HIPAA, HITECH and Cyber Security


It can’t have escaped anyone’s attention that the world is being besieged by a wave of cyber attacks; in particular, the recent Wannacry and Petya ransomware attacks have hit the headlines by causing major disruption in healthcare and pharmaceuticals, with organisations such as the UK NHS, Merck and Reckitt Benckiser being affected.

Cyber security is an ever evolving, increasingly complex subject, and as such is one I frequently get asked about by pharmaceutical companies. As a supplier of managed security services for small and medium sized pharmaceuticals companies, I know only too well that, even for an IT professional, it takes relentless attention to detail, constantly updated technical skills, ongoing research and stringent procedural controls to keep up with, and mitigate, such threats these days.

So what do those pharmaceuticals companies who are dealing in the USA need to be aware of to ensure that they are continually securing their ePHI in a way that is HIPAA compliant?

Well, HIPAA and the HITECH Act focus on three key criteria for dealing with Protected Health Information (PHI): the availability of the protected data, the confidentiality of PHI, and the integrity of the data. The ever evolving challenges in managing cyber security issues impact directly on all three of these criteria, since a cyber security breach can leave PHI unavailable (for example when it is encrypted by a ransomware attack), made public or sold (as in many recent high profile data breaches), or altered, where cyber criminals who have gained unauthorised access to your systems, data or medical devices change critical ePHI such as medication or dosages.

In order to meet these criteria, I cannot stress enough how critical it is that cyber security is not just treated as an IT issue, but rather that there is ongoing Director/Owner level involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the organisation’s risk appetite. Such policies will involve a multifaceted approach. Yes, naturally a raft of technologies come into play (and with modern day threats this has to be much more than some anti-virus software), but there is a much wider business approach needed if an organisation is to successfully mitigate these threats. This is likely to incorporate user training to help people at all levels in the organisation know how to reduce the likelihood of attack, a suite of technological solutions to help guard against both insider and external security threats, systems to ensure that vendor security updates are applied promptly, as well as contingency and incident response plans to fall back on should the worst happen.

Sadly, this is also not a one-off task, as with the constantly changing security threat landscape, it is critical that all risk management activities around cyber security are reviewed and updated on a continual basis. It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary administrative worker who unwittingly opens a supposed "remittance advice" which turns out to be something much more sinister, or the employee who inadvertently uses their laptop on an insecure Wi-Fi connection.

To be successful, the Board need to engage with IT specialists who can speak their language, so that a shared understanding of the risks, from both a regulatory and a technological perspective, can be reached. This will allow the development, and ongoing implementation, of policies, technologies and user education which ensure that your organisation meets its HIPAA/HITECH/GxP/GDPR compliance obligations, protects its ePHI and confidential IP, and yet also allows the organisation to leverage technology to transform the business, facilitating growth and innovation and improving productivity.

With over a decade of experience in the pharmaceuticals industry, Epoq IT provide small and medium sized pharmaceutical companies with outsourced IT services, encompassing the consultancy, policies, processes, training and technologies that are needed to survive and thrive in today’s digital economy, maximising the commercial advantages technology can bring, whilst minimising the risks of a data breach and the associated compliance implications. For more information please download our MySecurity data sheet.

Tuesday, 20 June 2017

Preparing for an MHRA Inspection Part 6: Business Continuity Planning


Those of you following my blog will have seen the previous articles I have penned around preparing for an MHRA inspection, including Understanding your data, System backups, Information access control, and Cyber security considerations.

All of these are key considerations which are designed to ensure your IT systems run effectively day in, day out, and form some of the ways to help minimise the risk of any "computerised systems" deficiencies being cited in your MHRA inspection.

However, with the best planning in the world, sometimes the unexpected does happen. We only have to look at the recent BA IT outage to see the financial and reputational damage that can be caused by such an eventuality. It is therefore important from both the regulatory and commercial perspective to have the appropriate incident response and recovery plans in place to handle such a situation.

Whilst having a technical disaster recovery plan is vital to recovering systems, it is equally important for the business continuity plan to cover how you would communicate details of an IT failure or data breach to customers, staff, suppliers, the relevant regulator(s) and the public at large to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications such as emails or contact databases may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.

And to bring the subject of disaster recovery planning into perspective: whilst many pharmaceutical companies I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, which include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable, with the EMC Global Data Protection Index 2016 study showing that the average length of unplanned downtime was 22 hours. Indeed the situation seems to be worsening this year, with IT downtime caused by ransomware attacks in particular often running into a week or more.

It is also critical in this situation that the disaster recovery plan is going to work effectively and in a timely manner. Many businesses I work with put together a disaster recovery plan some years ago and have left it in the fireproof safe ever since, without testing or updating it. My experience is that this document needs to be constantly evolving, as our use of technology in pharmaceuticals has moved on at pace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can affect the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend that the board of pharma companies we work with continually reassess and test their plans around resilience, backup and disaster recovery, against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:

• How long could you afford for each of your IT systems to be down?

• How much data, if any, could you afford to lose?

• Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your current business requirements and compliance obligations?

• Where are your backups held? Would an incident like a fire or a ransomware attack wipe out your backups as well as your live systems?

• In the event of a major disaster what hardware would you restore your backups onto?

• If your offices were incapacitated (or the emergency services wouldn’t allow you access to your premises) where would you work from and how would you connect to your recovered systems?

Tests of disaster recovery plans also need to be documented, so there is clear evidence that testing has been conducted, the plan has been reviewed and any necessary remedial actions highlighted by the test have been actioned.

I hope this has given you a useful insight into some of the key areas to consider around business continuity planning when preparing for an MHRA inspection. If you need help preparing for an MHRA inspection, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk, when I will be pleased to help.

Epoq IT work with small and medium size pharmaceuticals businesses, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information on our services please visit our website http://epoq-it.co.uk/pharmaceuticals.

Wednesday, 17 May 2017

Preparing for an MHRA inspection – Part 5: Cyber Security Considerations


In my last blog I talked about the importance of securing your information systems from internal threats with appropriate access control measures.

In today's article I wanted to talk about the other side of the coin: securing your information systems from external security threats.

We only have to open a newspaper or turn on the news these days to hear about some new cyber security threat or data breach that has occurred. Protecting against such breaches forms an important part of compliance, and as such needs to be factored into your processes and procedures when preparing for an MHRA inspection.

There are a wide range of factors to consider here, which will include:

1. How is your network secured from threats like malware, ransomware and hackers?
In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case and a much more sophisticated suite of business procedures, processes and technologies is needed to provide full protection.

2. What are your procedures for applying security updates to your systems?
New security threats are emerging daily and software vendors are releasing a constant stream of fixes and patches to try and mitigate the risks from these threats. Therefore it is critical that you apply these security fixes to both your servers and your PCs and laptops in a timely fashion. Indeed, the timeliness of updates has now become even more critical since some cyber criminals are now reverse engineering the fixes from vendors such as Microsoft, in order that they can see what vulnerabilities have been fixed, and using that information to directly target those vulnerabilities in customers who have not applied the appropriate update to their systems.

3. What are your procedures around physical security of your servers and IT equipment?
Having good cyber security in place is critical, but if someone can walk into your building and pick up a laptop or access your server room then the very best cyber security systems can be rendered useless.

4. How do you manage secure disposal of old PC and server equipment?
Equipment that is end-of-life and being replaced will often contain confidential business data or emails, and therefore it is important that it is properly wiped, and certified accordingly, to guarantee that data cannot be restored.

5. How are your staff educated to ensure they are aware of the latest cyber security threats?
It is all too easy to click on seemingly legitimate attachments or web links which may actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in being able to spot such scams will form part of your defence strategy.

6. How and when are your procedures around cyber security reviewed and updated?
Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated.

I hope this has given you a useful insight into some of the key areas to consider around cyber security when preparing for an MHRA inspection. If you need help preparing for an MHRA inspection, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk, when I will be pleased to help.


Wednesday, 19 April 2017

Preparing for an MHRA Inspection – Part 4: Information Access Control


Preparing your Pharmaceuticals business for an MHRA inspection is always a worrying time, and as many of the small and medium sized pharmaceuticals businesses we work with have no in-house CIO, I often get asked to examine their processes, procedures and technology around IT security and access control in order to help them prepare for an MHRA inspection.

In my previous blog, I talked about the need to understand where your data is. Once you have this understanding, the next step is to understand how you secure it.

Having good access control systems lies at the heart of successfully protecting your data, and forms an important part of preparing your information systems for an MHRA inspection.

For each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system to do their job. Allowing staff wider access to systems puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats. As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Nowadays, it is also likely that external organisations and third parties will have access to some of your IT systems or data. In this case this needs to be secured in just the same way, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.
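One way to turn the points above (documented access per system, least privilege, the leaver SOP, and periodic review of third-party access) into a repeatable check. This is an added example, not Epoq IT's own tooling; the role model, account register, system names and review dates are constructed sample data.

```python
"""Access review helper for the starter/leaver and third-party checks above.

Added example, not Epoq IT's own tooling. The role model, accounts and
review dates are constructed sample data; system and role names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Hypothetical least-privilege role model: the only permissions a holder of
# each (system, role) pair should have.
ROLE_PERMISSIONS = {
    ("lims", "analyst"): {"read", "write"},
    ("lims", "qa_reviewer"): {"read", "approve"},
    ("finance", "accounts"): {"read", "write"},
    ("finance", "director"): {"read", "write", "export"},
}

@dataclass
class Account:
    user: str
    system: str
    role: str
    permissions: Set[str]               # what the account can actually do today
    status: str                         # "active" or "left"
    third_party: bool = False
    last_review: Optional[date] = None  # when third-party access was last confirmed as needed

Finding = Tuple[str, str, str]  # (user, system, description)

def review_accounts(accounts: List[Account], today: date,
                    max_review_age_days: int = 90) -> List[Finding]:
    """Flag leavers with live accounts, permissions beyond the role, and stale third-party access."""
    findings: List[Finding] = []
    for a in accounts:
        # Leaver SOP: anyone who has left should have no enabled account at all.
        if a.status == "left":
            findings.append((a.user, a.system, "leaver still has an enabled account"))
            continue
        allowed = ROLE_PERMISSIONS.get((a.system, a.role))
        if allowed is None:
            findings.append((a.user, a.system, f"role '{a.role}' is not defined for this system"))
        else:
            extra = a.permissions - allowed
            if extra:
                findings.append((a.user, a.system, f"permissions beyond role: {sorted(extra)}"))
        # Third-party access has to be re-justified periodically as relationships change.
        if a.third_party:
            if a.last_review is None:
                findings.append((a.user, a.system, "third-party access never reviewed"))
            elif (today - a.last_review).days > max_review_age_days:
                findings.append((a.user, a.system, "third-party access review overdue"))
    return findings

# Constructed sample register of who has what on which system.
SAMPLE_ACCOUNTS = [
    Account("alice", "lims", "analyst", {"read", "write"}, "active"),
    Account("bob", "lims", "analyst", {"read", "write", "approve"}, "active"),
    Account("carol", "finance", "accounts", {"read", "write"}, "left"),
    Account("dave", "lims", "qa_reviewer", {"read", "approve"}, "active",
            third_party=True, last_review=date(2017, 1, 10)),
    Account("erin", "finance", "director", {"read", "write", "export"}, "active",
            third_party=True),
]
REVIEW_DATE = date(2017, 4, 19)

def run_sample() -> List[Finding]:
    """Run the review over the constructed register as of REVIEW_DATE."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)

if __name__ == "__main__":
    for user, system, what in run_sample():
        print(f"{user:6} {system:8} {what}")
```

The output of the review is itself the documentation an inspector will ask for, so keep each run's findings and the remedial actions taken.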

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to company security standards. Developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just the security of your main company-wide IT systems that will come under scrutiny at an MHRA inspection. In fact one of the common findings from previous inspections has been that locally developed systems are not sufficiently secure. So do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which now form an important part of your business processes.

I hope this has given you a useful insight into some of the key areas to consider around access control when preparing for an MHRA inspection. If you need help preparing for an MHRA inspection, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk, when I will be pleased to help.


Tuesday, 21 March 2017

Preparing for an MHRA Inspection Part 3: Understanding your Data


In my previous blogs I talked about some of the ways to ensure that your computer systems are prepared for an MHRA inspection.

Following on from that, in today's blog I wanted to further explore the importance of understanding what data you hold and where that confidential data is stored.

This may sound like an odd topic, as I'm sure many of you are thinking you know exactly where all your business's data is held. But do you really?

A pharmaceutical business's data is precious. Not only does it contain personal data like names and contact details of clients and employees, which are governed by the Data Protection Act and the forthcoming GDPR legislation, it also likely contains medically confidential details of patient health information. Then there may be clinical trial data, not to mention a wealth of commercially confidential details of contracts, agreements, research, IP and email correspondence.

And the scary reality nowadays is that your business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data or emails? Or data that has been copied to removable media such as USB sticks? Or data that has been shared with business partners and other third-party organisations? Or copies of data taken for backup purposes?

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs.

So do you really know where all your data is held? And does it matter?

Well, the more widespread and less controlled your data is, the more vulnerable you leave your business to a breach of data security or data integrity. This is a problem both from an MHRA inspection standpoint and also, with GDPR on the way, because of the potential for crippling fines of up to €20 million and immeasurable reputational damage.

So understanding what data you hold, where it is stored and who has access to it forms one of the first key steps to compliance.

If your data is very disparate, you may wish to bring it together in one secure, central repository in order to make it easier to control and manage. Luckily nowadays there are technologies that facilitate this; for example we have built several of our clients their own private cloud solution where all their data is brought together in one secure, central, UK-based repository, where they and their authorised business partners can access it securely wherever they are, without the source data ever leaving the security of the UK-based data centre.

For other clients, where data is generally central, but perhaps also resides on some mobile devices too, we work to implement business processes and technologies to prevent data leakage and manage mobile devices.

Either way, it is paramount to put the business back in control of its data, knowing both where it is and who has access to it. This in turn needs to be documented, both so that the management team have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts businesses back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Epoq IT work with small and medium size pharmaceuticals businesses, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk

Tuesday, 21 February 2017

Preparing for an MHRA Inspection Part 2: Computer Systems Backup and Disaster Recovery



Preparing your Pharmaceuticals business for an MHRA inspection is always a stressful time, and many business owners we work with in pharmaceuticals and life sciences often ask for my advice in relation to computer systems issues that may come under the microscope during an inspection.

One of the common themes that is examined is around backup and disaster recovery of computer systems, so today I thought it would be useful to share a few key points about this important topic for MHRA compliance.

Backups form a key component in the day-to-day running of any IT system. There are a variety of different types of backup, such as backups to the cloud, backups to removable media and real-time replication to other servers.

It is important to realise that different types of backups are useful in different scenarios, and so more than one type may need to be employed to give you full resilience. For example, cloud backups are a useful way of keeping a copy of your data offsite, which provides for extra protection in the event of a disaster on your premises, which might wipe out locally held backups as well as the live servers.

On the other hand, removable media provides a very useful form of backup as it is held off-line and therefore can't be attacked by cyber security threats such as ransomware. Offline backups can also be useful to facilitate fast restoration, since you do not need to pull the data back over the Internet.

Real-time replication to another server works well when no downtime can be tolerated, but bear in mind if a corruption or accidental deletion of a file occurs, that this will be replicated in real-time to the backup server too.

So there are a number of considerations to any company's backup strategy and it may well be appropriate to employ different solutions for different applications or servers.

Full disaster recovery is something else that may come under the spotlight in an MHRA inspection, so it is well worth being prepared for questions. The first key consideration here is how long you could live without each of your IT systems and data. This is likely to vary from system to system: for example, you may be able to tolerate no downtime on your email server, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your plan needs to go through each system you use, considering how long you could live without it. The second key consideration is around data loss. Again, for each system you need to be clear how much data loss, if any, would be acceptable and tailor your disaster recovery systems accordingly. If no data loss is acceptable, then a real-time replication solution should be considered, whilst if some data loss is acceptable in a disaster scenario, then you may be able to live with backups that run daily or hourly.
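The per-system RTO and RPO questions above, together with the offsite, offline and replication trade-offs from the earlier paragraphs (and the board checklist in the December post), can be written down as a check that is re-run whenever a system or backup job changes. This is an added example, not Epoq IT's own tooling; the systems, backup jobs and timings are constructed sample data.

```python
"""Backup strategy check against per-system RTO and RPO.

Added example (not Epoq IT's own tooling). System requirements, backup jobs
and timings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class System:
    name: str
    rto_hours: float   # how long the business could live without the system
    rpo_hours: float   # how much data (in hours of work) it could afford to lose

@dataclass
class BackupJob:
    system: str
    kind: str              # "cloud", "removable" or "replication"
    interval_hours: float  # worst-case data-loss window; 0 for real-time replication
    restore_hours: float   # estimated time to get the system back from this copy
    offsite: bool          # survives a fire or flood on the premises
    offline: bool          # disconnected, so ransomware on the network cannot reach it
    point_in_time: bool    # keeps earlier versions, so corruption or deletion can be undone

def assess(system: System, jobs: List[BackupJob]) -> List[str]:
    """Return the gaps between this system's requirements and its backup jobs."""
    if not jobs:
        return [f"{system.name}: no backup at all"]
    findings = []
    # One copy has to satisfy both objectives: the copy you can restore fastest
    # is not necessarily the one with the smallest data-loss window.
    if not any(j.interval_hours <= system.rpo_hours and j.restore_hours <= system.rto_hours
               for j in jobs):
        best_loss = min(j.interval_hours for j in jobs)
        best_restore = min(j.restore_hours for j in jobs)
        findings.append(f"no copy meets RTO {system.rto_hours}h and RPO {system.rpo_hours}h "
                        f"together (best loss window {best_loss}h, best restore {best_restore}h)")
    if not any(j.offsite for j in jobs):
        findings.append("no offsite copy: a fire or flood could destroy live data and backups together")
    if not any(j.offline for j in jobs):
        findings.append("no offline copy: ransomware on the network could encrypt the backups too")
    if not any(j.point_in_time for j in jobs):
        findings.append("only real-time replication: corruption or deletion is replicated "
                        "immediately and no earlier version can be restored")
    return findings

# Constructed sample: the email server tolerates no data loss, the archive
# can wait 72 hours, the lab system sits in between.
SYSTEMS = [
    System("email", rto_hours=1, rpo_hours=0),
    System("archived_projects", rto_hours=72, rpo_hours=24),
    System("lims", rto_hours=8, rpo_hours=1),
]
JOBS = [
    BackupJob("email", "replication", 0, 0.5, offsite=True, offline=False, point_in_time=False),
    BackupJob("email", "cloud", 24, 12, offsite=True, offline=False, point_in_time=True),
    BackupJob("archived_projects", "removable", 168, 8, offsite=False, offline=True, point_in_time=True),
    BackupJob("lims", "cloud", 1, 6, offsite=True, offline=False, point_in_time=True),
    BackupJob("lims", "removable", 24, 4, offsite=True, offline=True, point_in_time=True),
]

def assess_all() -> Dict[str, List[str]]:
    """Map each sample system to the gaps found in its backup provision."""
    return {s.name: assess(s, [j for j in JOBS if j.system == s.name]) for s in SYSTEMS}

if __name__ == "__main__":
    for name, gaps in assess_all().items():
        print(name, "OK" if not gaps else "")
        for g in gaps:
            print("  -", g)
```

The restore_hours figures should come from a real timed test of the plan, not an estimate, otherwise the RTO check proves nothing.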

Finally, never underestimate the importance of having a written disaster recovery plan and having tested it on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. So regular testing is paramount, bearing in mind that your IT systems are constantly evolving and being updated.

I hope this gives you some key pointers for preparing your IT systems for an MHRA inspection, from a backup and disaster recovery perspective. If you need help preparing for an MHRA inspection, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email Gary.Swanwick@epoq-it.co.uk, when I will be pleased to help.

Tuesday, 24 January 2017

Preparing for an MHRA Inspection



Many of the small and medium size pharmaceutical companies I work with have no in-house CIO, and as such don't always have a full understanding of what IT systems they've got or how to ensure their computer systems are fully prepared for an MHRA inspection.

 So today I thought it would be useful to highlight some of the key areas to think about when you are preparing your information systems for an MHRA inspection.

Understanding your data

What data do you hold? Where is it stored? Who has access to it? Does it go outside your organisation and if so how is this controlled and secured? How is this data validated? How is all of this documented?

Backup

How is your data backed up? Where are the backups held? How often are they taken? Who is responsible? How much data would you lose if you had to recover your backups? How long would it take to restore your backups? Are you able to restore back to a specific point-in-time? How are your backup procedures documented?

Disaster Recovery

Who is responsible? Do you have a written disaster recovery plan? Where is it stored? How often is it reviewed? When was it last tested? What was the outcome? How long would a total disaster recovery of your systems take? Would it be successful? How would you operate in the interim? How much data would be lost? How would it be communicated? How is all of this documented?

IT Security

Who has access to your systems, both within and outside the company? What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers? How is your network secured from threats like malware, ransomware and hackers? What are your procedures for applying security updates to your systems? What safeguards and procedures do you have in place around mobile working? What are your procedures around physical security of your servers and IT equipment? How do you manage secure disposal of old PC and server equipment? How is all of this documented? How are your procedures updated in the light of a constantly changing cyber security landscape?

Fit for Purpose

Are your IT systems fit for purpose? What level of resilience do you have built in? How much downtime do you have? Do they run at a sensible speed? How do you operate if a piece of equipment or software application fails? How is all of this documented?

If you are unclear about the answers to any of these questions, or you need help putting together suitable documentation, then please feel free to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk for more information on ways Epoq IT can help you prepare your IT systems for an MHRA inspection.

Wednesday, 4 January 2017

GDPR - 6 Top Tips for Compliance



Following on from my last blog, outlining the background to and impact of GDPR on businesses, I've had lots of calls and emails requesting more information, so I thought it would be useful to share some information on the key actions that businesses need to be taking to ensure compliance.

To recap, the new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. Failure to comply will have potentially catastrophic implications for companies, with the ICO able to levy fines for as much as 4% of annual turnover or €20 million, whichever is greater.  In addition, the legislation requires disclosure of any breach, leaving companies highly exposed to reputational damage and potential customer pay outs.

So what do businesses need to be doing NOW to mitigate the risks of GDPR?

Well, at the moment my company and I are engaged with our clients to carry out the following types of work:-

1. Identifying what personal data is held (which can be as simple as an individual's name or email address), who has access to it and where it is stored. This could include in-house servers, cloud services, portable devices such as laptops, tablets and smartphones or removable media such as USB sticks.

2. Identifying threats to this data, which could include things like cyber crime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. Whilst most businesses have some policies and technologies in place to protect them against these sorts of threats, we often find that these were implemented several years ago, and with the fast moving nature of security threats, they are no longer fully effective. In addition many companies have a piecemeal approach of different technology solutions each designed to cover a specific security threat, but no "joined up" solution to make sure nothing falls between the cracks.

3. Investing in and implementing the right technology to deal with insider and external threats to data. These days such a solution needs to include:-

• Virus protection

• Malware protection

• Ransomware protection

• A system for applying operating system and application security updates to servers, PCs and laptops promptly

• Email filtering

• Constantly updated firewall protection

• Encryption of data in transit

• Data loss/leakage prevention technology

• The ability to remotely wipe data from any user device that is lost or stolen

• A certified system for securely wiping old servers and PCs prior to disposal

• Strong passwords or two factor authentication

• Regular penetration testing

• 24/7 monitoring against threats

4. Putting together a new or updated data protection policy and training employees on it.

5. Putting in place processes for ongoing user education for all members of staff around cyber security and data protection.

6. And finally, for the worst case scenario, creating a breach notification plan, which will typically involve the Board, IT, PR, sales, marketing and HR to ensure that any breach could be communicated smoothly, accurately and with as little damage to the business as possible.

Should you need help on assessing your readiness for GDPR or advice on technology solutions that will provide GDPR compliance, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk