Rashmi Knowles is Field CTO EMEA at RSA Security and she recently spoke to TEISS about the impact GDPR is set to have on pharmaceutical companies.
That GDPR is going to be complicated for businesses to come to grips with is known, but according to Knowles, pharmaceutical businesses have an uphill task with compliance. ‘I am spending a lot of time talking about GDPR and with pharma, especially because there are added conflicts and concerns. As far as GDPR challenges go, the first thing is consent. Up until now, businesses have been used to ‘implied’ consent and consumers have known about it, but now it will have to be explicit consent. There is also the added dilemma of patients taking consent away at any point.
‘Once a business has the data, they are responsible for making sure that they can prove that its entire life cycle is secure. This is a massive job because, if you think about clinical trials, pharmaceutical businesses have a lot of data! The definition of PII is much broader within GDPR and includes other information too, everything from lab X-ray images to blood tests and MRI results.
‘So, the supply chain has to think about implications from a trials perspective. The most difficult aspect of it all is how you anonymise the data a business has. GDPR is about protecting the definition of PII, but today X-ray images have names and addresses along with DOBs; with the new definition, you will not be allowed to have these details. You will be expected to work out the age of the patient, and the processing of personal data is such that it can be attributed to additional data.
‘The presence of genetic and biometric data makes the situation much more complicated. For example, if you go to the US, they take your fingerprints on arrival; under new legislation, they have to make sure the biometric of the fingerprint will be included under PII. We also need to remember that IP addresses, racial data and sexual orientation are now part of the definition.
There is a lot of confusion and many questions around what counts as data and how a pharmaceutical company can go about securing what it holds. They can start by following these steps:
- Education: understand how the regulation is going to impact your business and make sure there is buy-in from everyone.
- Understanding the risk: what data does your business have, what does PII mean for your company, and in what areas will it be applicable?
- Understanding the defined data: where it is and how it is being used. How you are getting the data, what you are doing with it and how it is being processed.
- Individual’s rights: if a patient revokes consent, then the organisation will need to set policies and procedures to deal with it. Your business will have to show evidence that the data has been deleted. You will also be expected to then write to the patient to show that it has been deleted. If you have no way of ‘showing’ that data has been actioned in accordance with the person’s wishes, it can be an issue. There are other regulations that require data to be kept for audit trails, so there will have to be discussions with other verticals on which regulation has precedence.
- Privacy will have to become a core business programme: understanding the scope of the privacy impact assessment. Everything that concerns patient data will have to become the no. 1 priority for the business.
- Breach readiness: understanding that the fine will not be for having a breach, but because you have a privacy violation, and these fines will be evidence based. If there is a breach despite best measures, you have to show evidence that you have done your best to ward it off.
Apart from following these steps, businesses should also work to make sure that they know where personal data and patient data are stored and in what form. They need to understand what that data normally looks like and have a baseline against which to spot anomalies.
‘Once an anomaly is spotted, the business needs to have access to rapid insight that will demystify this unusual behaviour. Businesses will have to remain vigilant, especially with sensitive data when it is being moved or if the business is going through a server change. If they apply context to it and act fast, they can then mitigate the threat.
As far as the pharmaceutical industry is concerned, they don’t get breached often, at least not as much as the flurry of attempts on banking and education. If you also take into account breaches of custodial data (PII etc.), pharma will be at the bottom of the top 10 list. However, for breaches of intellectual property, pharma is in the top 3! The biggest problem is that there are no laws to say you don’t need to report them. Our understanding of the threat landscape is not based on the right picture: people think it doesn’t happen, but it does, and breaches of intellectual property are a silent crime.
There is debate about the value of credit card information; it isn’t that high, and the fact is that most malicious actors don’t think the records are worth their while. However, the value of healthcare records is going up because there is a lot of money to be made by either blackmailing the owners or by selling them to other pharmaceutical companies.
Ultimately, businesses should not be worried about fines under GDPR; they should instead worry about the erosion of customer confidence. As Knowles says: ‘If an organisation is doing the right thing security-wise, they will attract more customers. However, if they are repeatedly in the news for having breaches, their customers will go elsewhere.’