Doubling down on data integrity during COVID-19
Data integrity has long been a key issue for the pharmaceutical industry. Data supports critical decision-making processes, and reliable and complete data is needed to ensure all products meet rigid quality standards. Data integrity is also a cornerstone of the development, approval and distribution of critical medical devices, testing procedures, medicines, treatments and vaccines.
The U.S. Food and Drug Administration’s data integrity standards for the pharmaceutical industry dictate how data must be secured and backed up to prevent loss or deterioration, how chain of custody is managed, how copies and reproductions are managed, and how to ensure a complete record of all data from all tests. Adherence to these standards ensures that data is protected from accidental, intentional or malicious modification, duplication, falsification or deletion.
Companies that violate data integrity standards can face regulatory actions, while a failure to preserve and safeguard data can lead to delays in getting much-needed treatments and vaccines to market, with the result that patients suffer.
How COVID-19 poses data integrity challenges
The U.S. Department of Homeland Security (DHS) identifies health care as a designated area of national critical infrastructure, and since the beginning of the COVID-19 pandemic, the urgent need for medicine, treatments, vaccines and reliable tests has highlighted the critical nature of every element in the pharma supply chain.
As the industry mobilizes to rapidly produce COVID-related tests, treatments and vaccines, the need to preserve and safeguard data integrity has become even more critical. The pandemic has put pressure on pharma companies to develop products and deliver projects at an accelerated pace. This makes systems more reliant on data-driven decision making, and the integrity of data is vitally important to ensure that products meet quality and safety standards.
Within the COVID environment, companies face a greater degree of scrutiny about the decision-making process around testing, treatments and vaccines. This means that the industry must be prepared to support these critical decisions with reliable, complete and trustworthy data.
Regulatory standards and industry guidelines have been developed and updated in response to the pandemic to expedite effective treatments and devices and rapidly bring new solutions to the market, but implementation and adherence in a complex and globally distributed supply chain can be inconsistent and unreliable.
With resources stretched thin during the pandemic, the processes that the industry uses are also under pressure. The accelerated development and approval of tests, vaccines and treatments comes with an increased risk. Governance and protection processes can fail, putting the integrity of quality control, clinical trial and safety data at risk.
These risks can impact operations throughout the entire supply chain, which comprises a complex, globally distributed network of suppliers, manufacturing facilities, laboratories, logistics and delivery companies, hospitals, medical centers and pharmaceutical companies.
It means that transparency and data integrity are required to ensure that product quality is not compromised and to mitigate public health risk and detrimental reputational consequences for pharma companies.
Protecting the supply chain
In order to protect data during the pandemic, there is a need to identify any existing vulnerabilities. Due to the complex nature and size of pharma supply chains, all areas, machines and equipment that generate data in this ecosystem are potentially vulnerable, which could risk the availability of accurate and trustworthy data.
The fact that many components in the supply chain are international and are subject to inconsistent application of international regulatory requirements and industry standards adds to the level of uncertainty and increases the potential for fabricated or manipulated data.
Furthermore, data integrity relies on a complete audit trail, with records of who accessed data, who changed it, when and why. These records can be incomplete, lost or manipulated at many points throughout the supply chain.
The COVID-19 pandemic has raised the potential for further vulnerabilities. This is because the rapid migration to a remote workforce has led to millions of unmanaged devices being connected to critical networks every day, often without operating system (OS) upgrades and security updates needed to prevent cyber-attacks.
Devices are connecting to data systems from systems that do not comply with a robust security policy. Data system security policies often treat remote connections the same as internal connections, creating vulnerabilities and raising the potential for data to be compromised. During a crisis, workers may also forgo basic cyber hygiene such as using strong passwords or avoiding emailed hyperlinks and attachments.
COVID-related cyber risks
Against this backdrop, the pandemic has also led to a dramatic increase in cyber threats for the pharma industry, with the entire supply chain at greater risk as bad actors seek to compromise, fabricate, destroy or alter critical data.
Incidents of ransomware, fraud, supply chain attacks and intellectual property and financial theft are all increasing, while social engineering attacks are also on the rise. Social engineering can prove especially effective for bad actors as they trick people into giving up important information and access to information systems, putting critical data systems at risk of compromise.
Furthermore, as an increasingly mobile workforce transitions to teleworking, a much larger attack surface emerges from which adversaries can gain access to critical networks, even when VPNs are used.
There has also been a surge in IoT attacks that have the potential to disrupt the pharma supply chain, as well as an increase in phishing attacks throughout the pandemic, whereby bad actors use realistic emails designed to fool employees into clicking on malicious links or opening attachments that deliver cyber weapons to the user's systems.
Bad actors use phishing because the human element provides an effective pathway to gain initial access to a network and allows them to steal a user’s credentials and move throughout the network until they obtain critical data. Once they are inside a system, bad actors can then launch a ransomware attack that could cripple a company that plays a critical role in the supply chain, making its critical data unavailable or unreliable.
In the context of COVID-19, such attacks could have devastating consequences. The destruction of personal medical records or the falsification of clinical trials data could result in a failure to produce and distribute the medical devices, testing procedures, treatments and vaccines that can help to end the pandemic.
Conventional cyber defenses are inadequate in mitigating COVID-specific threats. Reducing these risks and addressing vulnerabilities requires a holistic approach that includes comprehensive data protection measures across the supply chain, risk and readiness assessments and the use of analytics in preserving data integrity.
Comprehensive data protection measures
Pharma companies must ensure that the systems that hold their most valuable data and the equipment used to generate that data or conduct clinical trials have best-practice cybersecurity measures in place. This will ensure that a company’s most valuable research and IP are protected through inception, regulatory approval and commercialization.
In order to protect data across the supply chain, the following areas must be addressed:
• A lack of centralization of data can lead to incomplete datasets, which makes analyzing data difficult and can cause delays and uncertainty. This means that there is a need to provide a consistent mechanism that records every transaction in the supply chain, ensuring transparency and visibility of all data.
• There is a need for individual networks and systems across the supply chain to be secured, with excellent cyber hygiene and rigid access controls and security policies in place. This includes the need for all supply chain companies to embed a culture of security, providing awareness training to prevent social engineering and phishing attacks and establishing risk reduction policies around the use of removable media. This will prevent unauthorized access to critical data and will ensure it is secured where it is produced and stored.
• Critical data should be encrypted before it is transmitted over public networks. Access to systems that process, format, transform or digitize medical records should be strictly controlled to prevent unauthorized access, and systems that process data must be controlled to prevent data disruption. It is also necessary to ensure that data is not lost when it is digitized or transformed to new formats and that it is properly backed up prior to transformation.
• Ensure that a complete and reliable audit trail is captured and that audit logs are captured for all critical data to track who accessed it or modified records. The audit data must not be modifiable by others in the supply chain.
Risk and readiness assessments
Additionally, there is a need for pharma companies to work with solutions providers to assess the maturity of their data center and network defense capabilities to meet critical functions related to data integrity.
Assessments must focus on identifying the risk inherent in a system, the vulnerabilities that increase that risk, and mitigation measures. Industry standards and regulatory compliance standards provide a common baseline of data security and best practices, and companies also need to establish a security practice and regularly test their ability to respond to an incident.
Readiness assessments and tabletop exercises should be designed to evaluate the response of a company to a loss of data integrity within the pharma supply chain. This may be accompanied by exercises that assess responses to a major malware event (e.g. a ransomware attack holding critical data hostage) or other data loss events (e.g. an unauthorized access to a critical data system).
These exercises help to identify the risk mitigation actions the company should take, such as implementing robust data backups and employing robust access logging in the data center.
Technology offers solutions that can be leveraged to help secure data throughout the industry, especially as digitization of records increases in response to the COVID-related accelerated pace of research and development. For example, blockchain technology can be applied as a solution throughout the supply chain, offering a reliable record of every transaction at every step.
Blockchain means that the entire pharma supply chain becomes transparent while maintaining the privacy of all participating entities. All kinds of data can be stored in the blockchain, and it provides the security to guarantee that each time-stamped record is immutable, making it a reliable and trustworthy record that can be used to trace assets throughout the entire supply chain.
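The audit-trail requirement listed earlier (who accessed or changed a record, when and why, with the audit data not modifiable by others) and the time-stamped, tamper-evident record described here can be illustrated with a hash-chained log. This is an added example, not code from this article or from any product it describes; the field names, sample users and record ids are assumptions, and it shows a single-writer hash chain rather than a distributed blockchain.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry

def entry_digest(body: dict) -> str:
    # Canonical JSON so identical fields always produce the same hash.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_entry(log: list, who: str, action: str, record_id: str,
                 when: str, why: str) -> dict:
    """Append an entry whose hash covers its fields and the previous hash."""
    body = {"seq": len(log), "who": who, "action": action,
            "record_id": record_id, "when": when, "why": why,
            "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry = dict(body, hash=entry_digest(body))
    log.append(entry)
    return entry

def verify_log(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if intact, else the index of the first bad entry
    (len(log) when the chain is valid but does not end at expected_head)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or entry.get("prev_hash") != prev
                or entry_digest(body) != entry.get("hash")):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # trailing entries removed, or the whole chain rebuilt
    return None

def build_sample_log() -> list:
    # Constructed sample data: users, record ids and timestamps are made up.
    log: list = []
    append_entry(log, "analyst.a", "create", "batch-0001/assay",
                 "2020-06-01T09:00:00Z", "initial result entry")
    append_entry(log, "analyst.b", "read", "batch-0001/assay",
                 "2020-06-01T10:15:00Z", "QC review")
    append_entry(log, "analyst.a", "modify", "batch-0001/assay",
                 "2020-06-02T08:30:00Z", "transcription correction")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]          # kept by a party that cannot write to the log
    log[1]["who"] = "someone.else"  # simulated edit of a stored entry
    print("first invalid entry:", verify_log(log, head))
```

Tamper evidence depends on the head hash being held somewhere the log writer cannot alter; without it, removing trailing entries or rebuilding the whole chain passes verification.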
Using analytics to preserve data integrity
Preserving the integrity of pharma data is a complex task, and there is a need to support the industry with visibility and insights at every step to ensure the integrity of critical data and to identify signals that indicate potential breach, cyberattack or other incidents that impact data security.
Due to the sheer volume of data involved, it cannot be processed and analyzed by human operators alone. There is a need to identify, collect, format, transport, secure and store vast amounts of data before actionable insights are provided. This means that analytical platforms must be designed to operate within a globally distributed supply chain environment and provide analysts with findings in a format that can provide actionable intelligence.
While analytics built into these platforms can provide the necessary insights and detailed situational awareness, the right data must be available. Industry must work throughout the supply chain to establish security monitoring capabilities to collect the data necessary to analyze activity and behavior to identify and prevent network intrusion, breach, and data loss.
Also, there is a need for solutions providers to work with pharma companies to help them set up the network tools that collect from host-based logs, network logs, authentication and access, IT asset and configuration information and other sources.
A complete and reliable set of security data enables automation of security monitoring, a key enabler for operating on the ever-growing volume of data that needs to be analyzed to protect the pharma industry. Such an integrated solution provides the data analytics to ask (and answer) the most pressing questions required by incident investigators — what was accessed, how was it accessed, for how long, and how the incident will be mitigated.
Top image courtesy of Scott Graham via Unsplash.com.