It can’t have escaped anyone’s attention that the world is being besieged by a wave of cyber attacks. In particular, the recent ransomware attacks WannaCry and Petya have hit the headlines by causing major disruption in healthcare and pharmaceuticals, with organisations such as the UK NHS, Merck and Reckitt Benckiser being affected.
Cyber security is an ever-evolving, increasingly complex subject, and as such it is one I frequently get asked about by pharmaceutical companies. As a supplier of managed security services for small and medium-sized pharmaceutical companies, I know only too well that, even as an IT professional, it takes relentless attention to detail, constantly updated technical skills, ongoing research and stringent procedural controls to keep up with and mitigate such threats these days.
So what do pharmaceutical companies that do business in the USA need to be aware of to ensure that they are continually securing their ePHI in a way that is HIPAA compliant?
Well, HIPAA and the HITECH Act focus on 3 key criteria for dealing with Protected Health Information (PHI): availability of the protected data, confidentiality of PHI and integrity of data. The ever-evolving challenges in managing cyber security issues impact directly on all 3 of these criteria, since a cyber security breach can leave PHI unavailable (for example when it is encrypted by a ransomware attack), see it made public or sold (as in many recent high-profile data breaches), or give cyber criminals who have gained unauthorised access to your systems, data or medical devices the possibility of changing critical ePHI such as medication or dosages.
In order to meet these criteria, I cannot stress enough how critical it is that cyber security is not treated purely as an IT issue, but rather that there is ongoing Director/Owner-level involvement in establishing and maintaining an effective information risk management regime, incorporating policies that match the organisation’s risk appetite. Such policies will involve a multifaceted approach. Yes, naturally a raft of technologies comes into play (and with modern-day threats this has to be much more than some anti-virus software), but a much wider business approach is needed if an organisation is to successfully mitigate these threats. This is likely to incorporate user training to help people at all levels of the organisation know how to reduce the likelihood of attack, a suite of technological solutions to help guard against both insider and external security threats, systems to ensure that vendor security updates are applied promptly, and contingency and incident response plans to fall back on should the worst happen.
Sadly, this is not a one-off task either: with the constantly changing threat landscape, it is critical that all risk management activities around cyber security are reviewed and updated on a continual basis. It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary administrative worker who unwittingly opens a supposed “remittance advice” which turns out to be something much more sinister, or the employee who inadvertently uses their laptop on an insecure Wi-Fi connection.
To be successful, the Board needs to engage with IT specialists who can speak its language, so that a shared understanding of the risks, from both a regulatory and a technological perspective, can be reached. This will allow the development, and ongoing implementation, of policies, technologies and user education which ensure that your organisation meets its HIPAA/HITECH/GxP/GDPR compliance obligations and protects its ePHI and confidential IP, while still allowing the organisation to leverage technology to transform the business, facilitating growth and innovation and improving productivity.