Tuesday 10 April 2018

Preparing your pharmaceutical company for GDPR: Just what is an “appropriate” level of IT security?

This is a question that our Certified GDPR Practitioners are frequently getting asked, so I thought today it would be useful to explore this topic in greater detail and try to bring some clarity to the subject.

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

Article 32 of the GDPR states that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

It goes on to list some more specific measures which you may wish to consider, amongst others, which are:-

(a) the pseudonymisation and encryption of personal data; 

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; 

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Whilst this is frustratingly vague, by the nature of data security, it is impossible for the legislation to be prescriptive, because the security threat landscape is constantly evolving, and as such, what constitutes a secure network today almost certainly will not constitute a secure network tomorrow.

So what are “the appropriate technical and organisational measures to ensure a level of security appropriate to the risk” that firms should be taking today?

Well, best practice in the IT industry would suggest that you should be thinking about the following types of technologies and business processes:-

1. Implement a suite of technologies, businesses processes and policies to secure your data from threats like malware, ransomware and hackers.
In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case and an effective suite of measures will typically need to include:
  • Virus protection
  • Malware protection
  • Ransomware protection
  • Email filtering 
  • Web filtering
  • Constantly updated firewall protection
  • Encryption of data in transit
  • Encryption of data at rest
  • Mobile working policies
  • Data loss/leakage prevention technology
  • Strong passwords
  • Two factor authentication
  • The ability to remotely wipe data from any user device that is lost or stolen
  • A certified system for securely wiping old servers and PCs prior to disposal
  • Regular penetration testing
  • 24/7 monitoring against threats
2. Implement technologies and procedures to ensure software security updates are applied to all your servers, PCs and portable devices in a timely fashion 
New security threats are emerging daily and software vendors are releasing a constant stream of fixes and patches to try and mitigate the risks from these threats. Therefore it is critical that you apply these security fixes to both your servers and your PCs and laptops in a timely fashion. I wrote a detailed article on this recently, which you can find here: http://www.itinpharmaceuticals.co.uk/2018/03/gdpr-compliance-establishing-effective.html 

3. Implement suitable access control procedures to protect your data from insider threats
This should include things like access control procedures for staff and third parties, starters and leavers procedures, password policies, mobile working policies, data leakage prevention policies and many more.

4. Review your procedures around physical security of your servers and IT equipment 
Having good cyber security in place is critical, but if someone can walk into your building and access your server room or acquire a laptop containing company information then the very best cyber security systems can be rendered useless.

5. Consider how you manage secure disposal of old PC and server equipment 
Equipment that is end-of-life and being replaced will often contain confidential business data or emails, and therefore it is important that it is properly wiped, and certified accordingly, to guarantee that data cannot be restored.

6. Implement ongoing staff training to ensure your team are aware of the latest cyber security threats It is all too easy to click on seemingly legitimate attachments or web links which may actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in being able to spot such scams will form part of your defence strategy.

7. Make sure you have an effective data backup strategy that really works
More on this topic can be found here: http://www.itinpharmaceuticals.co.uk/2017/11/preparing-your-pharma-company-for-gdpr-data-backup.html

8. Review and test your Disaster Recovery plan 
In particular check that everything is backed up and recoverable, what (if any) the level of data loss would be in a disaster (e.g. if you had to restore back to the previous day’s backup) and that the time it would take to recovery your systems and data is in-line with business requirements.

9. Have a mechanism in place to regularly review and update your cyber security policies 
Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated.

I hope this has given you a useful insight into some of the key areas to consider around cyber security when preparing your pharmaceuticals business for GDPR. Should you need help with assessing your current level of security or with implementing policies and technologies to address any or all of the above requirements, please do not hesitate to contact me on (01494) 444065 or email gswanwick@epoq-it.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Epoq IT can help.

For more information about our GDPR services please visit https://www.epoq-it.co.uk/gdpr/

For more information about Epoq IT’s services for pharmaceuticals, please visit our website.

This blog forms part of our series of informational resources for senior pharmaceutical professionals. To read more articles, please visit my blog, IT in Pharmaceuticals.

No comments:

Post a Comment