In recent years, cloud computing has emerged as a valuable technology, significantly impacting various sectors including the pharmaceutical industry. Like many other industries, the pharmaceutical industry has adopted cloud computing to improve operations, data management, and collaboration. Adopting the cloud has many benefits, including improved collaboration, cost savings, and scalability. Addressing the specific security concerns inherent in cloud computing within the pharmaceutical industry is pivotal for safeguarding sensitive data and ensuring regulatory compliance. Furthermore, proposing potential solutions to inevitable challenges is fundamental to enhancing cybersecurity in the shifting digital world. There are several prominent cloud security challenges in the pharmaceutical industry.
Pharmaceutical companies handle highly sensitive data, including patient information, clinical trial data, and intellectual property. Storing and processing such data in the cloud raises concerns about data privacy, especially concerning compliance with regulations such as the US Health Insurance Portability and Accountability Act (HIPAA), a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.[1] Because of the inherent risk associated with cloud infrastructure, security professionals must ensure that data is appropriately encrypted, access is limited to authorized personnel, and robust access controls are implemented to maintain compliance.
Pharmaceutical data is incredibly valuable. As such, enterprises in this sector are a top target for cyberattacks. Cloud infrastructures are prone to insider threats, distributed denial-of-service (DDoS) attacks, ransomware, and data breaches, among other cyberthreats. Successful cyberattacks have the potential to compromise confidential research data, steal intellectual property, and damage the reputation of an organization. To protect their cloud infrastructure, pharmaceutical enterprises must make significant investments in cybersecurity defenses. They must also regularly review their vulnerabilities and use intrusion detection and prevention tools such as Trellix, Cisco Secure IPS, Check Point IPS, Palo Alto systems, and more.
Many pharmaceutical organizations entrust their data and applications to third-party cloud services via external service providers. Although such outsourcing offers scalability and cost-efficiency, it concurrently introduces potential security risks. Pharmaceutical enterprises must be sure that their third-party cloud providers have strong security procedures in place before contracting their services. The provider's security procedures, any International Organization for Standardization (ISO) standard certifications (for example, ISO 27001[2] and ISO 27017[3]), and data protection guidelines must be thoroughly reviewed. A shared responsibility model (a working framework that cloud service providers adhere to, outlining who is responsible for which aspects of a cloud environment—hardware, data, identities, workloads, networks, settings, infrastructure, and more—and how) should be established to clarify security responsibilities between the cloud provider and the pharmaceutical enterprise.
The pharmaceutical industry employs a diverse workforce, including researchers, developers, and contract workers. Hence, the presence of an insider threat is possible. Enterprises must implement physical access controls to prevent unauthorized entry to secure areas, verify the identities of users who are granted access to data and systems, and deploy monitoring mechanisms to detect and mitigate malicious actions from within the organization.
In some nations, pharmaceutical enterprises are bound by specific laws to store certain information locally. For example, the People's Republic of China's Personal Information Protection Law (PIPL) places strict requirements on data localization.[4] In Switzerland, the New Federal Act on Data Protection (nFADP) regulates the gathering, storage, use, and transfer of personal data.[5] Using a cloud service provider requires placing trust in the provider’s uptime and security protocols. Enterprises must select trustworthy cloud service providers with a proven track record of strong security procedures through effective vendor management based on business requirements. Many pharmaceutical organizations collaborate with vendors, each of whom may have access to various cloud infrastructure components. It may be difficult to manage these vendors and make sure they follow the organization’s security requirements, making it necessary to implement efficient vendor risk management protocols.
As applications and data migrate to the cloud, traditional security solutions may lose visibility and control over the infrastructure, and effective detection of and response to security incidents may be compromised as a result. Data exposure and security breaches can also result from improperly configured cloud resources. Best practices for cloud security to which pharmaceutical enterprises must adhere include monitoring the cloud environment regularly, applying secure configurations, and having automated security checks in place to find and fix configuration errors. Due to regulatory requirements or continuing research, pharmaceutical enterprises are often required to retain data for long periods. For example, all HIPAA-related documents must be retained for a minimum of five years.[6] It is important to note that it may be challenging to maintain data integrity and security throughout long periods of storage.
In the pharmaceutical industry, where even brief periods of downtime can lead to substantial repercussions such as delays in the production of critical medications and vaccines, the importance of maintaining uninterrupted operations cannot be overstated. Ensuring business continuity is not just a requirement, but a fundamental responsibility in this sector. Pharmaceutical enterprises should have strategies in place to maintain operations and access critical data in the event of a cloud service outage or other disruption. It is in the pharmaceutical industry's best interest to be assured of the cloud provider's disaster recovery procedures. Enterprises must be confident in the provider's Recovery Point Objective (RPO) and Recovery Time Objective (RTO) and be prepared to go offline.
Pharmaceutical enterprises must adopt an effective cloud security strategy that includes ongoing monitoring, encryption, access controls, multifactor authentication (MFA), routine security audits, employee training, and incident response plans. To maintain a strong defense against emerging cyberattacks, it is also crucial to stay up to date on the most recent threats and solutions. Moreover, staying abreast of any changes in the risk landscape fortifies this defense, enabling these enterprises to effectively manage challenges and mitigate risk. Such a proactive and holistic approach to cloud security not only ensures the protection of sensitive data but also fosters trust with stakeholders, ultimately contributing to the resilience and success of the enterprise in the competitive pharmaceutical industry.
Endnotes
1 Centers for Disease Control and Prevention, Health Insurance Portability and Accountability Act of 1996 (HIPAA), 1996
2 ISO, ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, 2022
3 ISO, ISO/IEC 27017:2015 Information Technology — Security Techniques — Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services, 2015
4 Stanford University, “Translation: Personal Information Protection Law of the People’s Republic of China – Effective Nov. 1, 2021,” 20 August 2021
5 Meier, K.; “Switzerland Enters a New Era of Data Protection as the Revised Federal Data Protection Act (revFADP) Comes Into Force on September 1, 2023,” EY, 28 February 2023
6 Adler, S.; “HIPAA Retention Requirements,” The HIPAA Journal, 1 December 2023
Prabin Mariam Litto
Is currently working as regional quality and information security manager (APAC) at Instem. She has ten years of experience in the IT industry. She is CISA certified and a certified Lead Auditor for ISO 9001 and ISO 27001.