Security and tech advice for pharma looking to move to the cloud
In an area where data security is a paramount concern, pharmaceutical companies looking to make the move to cloud-based technologies need ensure the digital transition is structured, smooth and secure.
This involves mapping out potential data flows, evaluating cloud service models and identifying mapping assets for cloud deployment, among others.
Healthcare IT News spoke with experts in those issues to collect their guidance about how pharma can successfully and safely move to the cloud.
Beware data breaches
Pharma, much like its payer and provider brethren, has to be careful about protecting sensitive health and patient information.
“We see most data breaches in pharma during the move to the cloud: More than half of incidents happen during this move,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “The knowledge to do this migration well is critically important, and many of these organizations don’t have the people to do this correctly, and that’s definitely an issue.”
He explained that because moving from an on-premises solution to a multi-enabled cloud can be a very complex issue, step one is to make sure you have checks and balances in place and have backups for all critical information that is to be transferred.
“Companies need to have a plan for handling sensitive data, and how that change is going to be implemented, and make sure there isn’t a leakage of sensitive data,” Ponemon said. “A lot of the issues stem from the fact that these companies don’t have the right people with the right expertise to do it. A lot of them try to do it themselves, and that could lead to a security failure.”
Ponemon said he’s seen a lot of failure in migration, and that comes from not having the right governance.
More than a technology problem
“It’s not all about technology; it’s about workflow, and that process is not an easy one,” he said. The biggest vulnerability happens during the migration to the cloud, and protocols need to be implemented.”
He explained compliance becomes important as well — and if companies are not paying attention to the details, it could cause problems with the DEA and other government bodies.
“The industry is heavily regulated for a reason, and compliance issues need to be a part of that migration,” Ponemon noted.
Dr. Abed Saif, founding partner and director of cybersecurity advisory services specialist AbedGraham, noted software-as-a-service (SaaS) business models are increasingly popular and they are pivotal to cloud-based services.
“What’s important is to realize that the rapid flexibility and availability of the cloud means costs can spiral quickly if not monitored correctly,” Saif explained. “Pharma execs need to make sure they wargame different scenarios and the potential costs associated with these to determine whether the business case for the cloud makes sense for them.”
Understand and manage risk
Saif also noted the need for internal risk, capability and business case reviews for any proposed cloud transition to determine which business functions and geographies are ripe for the cloud.
“With these in mind, I’d recommend starting with non-mission-critical areas of the business such as administrative functions in localized regions being transitioned as pilots,” he said.
Once these are tested out, then that process can be repeated under controlled conditions in higher risk areas that deal with supply chains, proprietary information and patient data.
“Each of these transitions needs to be done with constant reference to the agreed internal risk and ROI metrics that have been identified at the very beginning,” Saif explained.
Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: email@example.com
Healthcare IT News is a HIMSS Media publication.