Keeping data safe — now and in the future
August 1, 2023
By Sonam Solaria
An ISO 27001 certification shows a company takes its information security seriously and understands that customer information must be safeguarded across all interlinked aspects. Unfortunately, not all suppliers to a pharma or medical device company have the capacity to undergo full ISO 27001 certification.
Do you know where your data is?
Whether it’s related to IP, R&D or work continuity, secure data has become the foundation for the success of any pharmaceutical or medical device company. One breach, leak, hack or cyberattack could mean the end to a promising lifesaving product. It could also mean the end of your business.
Threats lurk in unexpected places as well. For instance, do you really know who has access to your Google Scholar search history?
“Pharma and medical device companies are famously risk-averse and painfully aware of the importance of information security,” says David Lai, Head of Quality, Compliance and Business Excellence for Elsevier Pharma and Life Sciences Solutions. “They know the horror stories and know it’s only likely to get worse. So, it’s really something they check when buying a solution.”
As one of Elsevier’s in-house experts for quality and compliance management, he has a deep knowledge of information security and the certification process.
“The ISO 27001 certification has become the gold standard because it’s a worldwide standardization and recognized by regulatory bodies,” he explains. “Of course, it doesn’t mean you cannot have an incident. But it means your organization is at least prepared to deal with one by having the right people, processes, training and governance in place. And because of its annual audits by independent bodies, it ensures companies are equipped to take on the latest risks as they arise. You can see it as a shortcut to minimizing risk.”
Quality data is safe data
“You have to make sure you are keeping a customer’s knowledge and data safe,” David says. “And of course, in the process, you are also keeping your company viable and safe.”
For David, this gatekeeper element is a passion. “Technology is only getting more complex and difficult to navigate as time passes,” he says. “When I came to Elsevier, I saw I could contribute by putting things in order: helping put the information in a place so the right people can find the right information when they need it. Customers also expect it to be quality information — and security is a key component of this.”
Meanwhile, this idea of information security — keeping data from getting into the wrong hands — is interlinked with data privacy as formulated by the EU’s GDPR. “It runs along with how individuals are able to control, access and regulate their own data,” he explains. “In other words, we’re not just talking about pharma data but also your data, not only as a patient but also as a citizen.”
Building the trust across the pipeline
Meanwhile, for pharmaceutical and medical device companies, information security remains largely about protecting IP. “Intellectual property is of course a main thing in Pharma — patents and all the rest,” says David. “But we also have to think about the whole drug discovery supply chain: whether it’s the R&D supply chain, the post-surveillance supply chain, etcetera. These also have to be as secure as possible.”
According to David, there are three things you should do when selecting a new tool for your company. “First you must assess your current use case and identify the information you will share with the tool you are considering. You should also find out if the vendor provides a level of information security that meets your expectations — ideally whether they are certified as ISO 27001. And if certification isn’t needed, make sure to do due diligence around information security — and for data privacy if applicable.”
It’s generally beneficial to increase focus on information security around your vendors, David says: “In this way you minimize your own risks by minimizing the possibility of your vendor becoming disrupted. It also ensures your information is handled with utmost care.”
Enabling a more secure future
The next obvious step to expanding digital safety would be to make the ISO certifications mandatory, David says: “But this is a two-edged sword: for those smaller companies — where 'Mike' had a great idea and he’s now trying to take it to the next level — getting such certification would be impossible. It requires too much time and resources.”
Down the line, David sees a future where these little fish — agile and innovative — can start operating through established frameworks:
We need to have quality-by-design, security-by-design, privacy-by-design, compliance-by-design as part of the process in our offerings so they can demonstrate and display the evidence related to their level of compliance. I think that would be the way forward.
But with certification really being the only way to improve safety, certification should become mandatory once a company reaches a certain maturity. Data is the new reality. And as I said, it’s not just about business safety — it’s about safety for everyone.
Ultimately, David regards information security as the ultimate enabler. “More secure information means better pipelines by which you can get the information you need faster and more reliably. And with the confidence of knowing your data is safe, you can focus on the real work: working on your solution in improving health and healthcare.”