Pharma industry must unite in fight against cybercrime

30 September 2015



Pharmaceutical companies have become attractive targets for cyberattackers in recent years, due to the high costs involved in research and development. Jon Weisberg reports from the DIA annual meeting, and finds that information security and privacy are hot topics.


There may be political gridlock in the American capital, but for those gathered in Washington DC in June for the annual meeting of the Drug Information Association (DIA), there was unanimous agreement on these three things:

  • industry will run more efficiently if it becomes more standardised and interoperable
  • information security is top of mind for the pharmaceutical industry
  • the medicines industry is one of incremental change, complicated by the reluctance of individual managers to travel beyond their respective comfort zones.

The DIA is the trade group that hosts a year-round schedule of meetings and publications dealing with the use of information technology in drug development.

Several thousand people descended on the Walter Washington Convention Center, escaping oppressive heat and humidity to a rich offering of educational seminars and hundreds of exhibitors representing, among other things, CROs, clinical sites, software developers and patient recruitment services.

The timing of the meeting could not have been more appropriate. The US Government has been pummeled by a series of data-stealing cyberattacks. Most visible was the country's tax collection agency, the Internal Revenue Service (IRS), from which Chinese hackers are thought to have stolen 100,000 citizen records and obtained $50 million in tax refunds. That was big news until the breach of the government's uber human resources agency, the Office of Personnel Management (OPM), that exposed more than 21 million social security numbers and other sensitive data. It was a painful incident resulting in the removal of the agency's long-time boss.

Not far away in neighboring Philadelphia, Mark Weatherford, a former head of the US Department of Homeland Security, warned those gathered at the annual meeting of the Biotechnology Industry Organisation (BIO) to fight the "vendor indifference" that, in a matter of minutes, can result in cyberattacks costing drug companies large sums of money.

Short-term financial loss and the embarrassment of news coverage of big hacks are only the tip of the iceberg. Below the surface is where trial data can be compromised. Purloined proprietary information can wind up with competitors. The worst case scenario is that entire trials could be nullified.

These are among the reasons that pharma boards of directors, like those in all sectors, are requiring cyber-accountability in their organisations with regular reports from their chief information security officers. Share values now rise and fall with reports about the most recent theft of what should be secured information.

The problem is exacerbated in pharma with the advent of web-aided global collaboration. Companies are opening files and exchanging confidential information across extensive communication spider webs, frequently extending beyond their firewalls. It raises the core issue of being able to trust the identities of participants across the entire process.

Identity trust

"It all starts with trust," says Mollie Shields-Uehling, president and CEO of SAFE-BioPharma Association, the non-profit that manages the global SAFE-BioPharma digital identity management and digital signature standard. "Identity trust is necessary for secure collaboration, and secure global collaboration is central to global R&D.

"The SAFE-BioPharma standard assures this trust among all participants," she says. "The entire clinical development process will become more secure and efficient when all participants are assured that the identity asserted through a cyber-credential accurately reflects the identity of the person behind it."

The standard in question, developed by big pharma with guidance from FDA and EMA, defines how identities are to be accurately authenticated, including with each digital signature applied to an electronic document.

SAFE-BioPharma uses two-factor authentication, a requirement that provides tighter control of cyber-identities by demanding more robust verification of the identity of each participant. Once established, the single identity credential can be trusted across similar systems that have taken the steps to operate with each other, among them all agencies of the US government, including the Food and Drug Administration, the National Institutes of Health and the Veterans Administration.

Shields-Uehling's comments were part of an announcement at DIA that SAFE-BioPharma and another global non-profit, Acres (Alliance for Clinical Research Excellence and Safety), are launching a collaborative effort to design and build a federated trust-framework for the life sciences. The initiative is intended to enable integrated identity management, secure data vaults and global e-commerce across the biomedical R&D ecosystem. Acres, which has about 80 strategic allies worldwide, is a multisector collaborative that is working to build a global, open and shared integrated system for clinical research.

"The willingness of pharmaceutical and clinical research stakeholders to collaborate and share information and core processes is dependent upon trust," said Greg Koski, Acres' president and CEO.

The proposed system will drive adoption and implementation of enterprise-wide standards, uniform policies and practices and provide a shared collaborative technology platform to enhance safety and streamline operations while recognising and rewarding excellence and professionalism. Acres and SAFE-BioPharma estimate annual potential savings approximating $20 billion.

The federated trust framework is to be developed in two phases. The first will map clinical research data flowing through the clinical research process to determine appropriate levels of security for information, as it moves from clinic to sponsor to regulatory body. The second will use information from the first phase to develop the integrated trust-framework as part of a shared global systems approach.

The privacy of data collected and transmitted from wearable devices was the subject of one highly attended session with an inquisitive audience. Increasingly, wearable devices are transmitting vital information from patients at home. Maintaining patient anonymity is a growing concern. Some devices have GPS tracing capabilities, which create a captured activity data profile, potentially revealing the identity of the person wearing the device. As one panelist pointed out, the simple movement of lifting a mobile phone from pocket to ear is so unique and traceable that it is a de facto unique identifier of the individual. Because of this, the advent of wearables introduces a new set of privacy issues associated with their use. While, at present, there is no comprehensive way to protect data from wearable devices, the panel concurred that, like other pan-industry issues, it most likely will be resolved through a collaborative industry standard.

Some at DIA were asking whether the current concern with information and identity security may change as new generations enter the equation.

Social media

Commenting on the subject, Glen DeVries, president and co-founder of Medidata Solutions, said: "I think that as time progresses, people aren't going to care. People seem to be totally comfortable posting things about themselves on social media. God forbid I should find out through a clinical trial that a particular individual had a heart attack, but, I could probably figure it out by looking at his family's Facebook postings.

"Right now we do have real important, legislative and ethical considerations around making sure that clinical trial patients are anonymous and that we can meet those requirements," he says. "But I think data is kind of like Jurassic Park. You can kid yourself that you're going to contain it, but data will find a way to escape."

Attendees escaped in large numbers to dinners and large scale parties around town. Medidata hosted an event at the elegant Library of Congress. Transperfect and ERT mashed it up with costumes and rock music in the mega space of the National Building Museum. But the gathering organised by WIRB Copernicus Group at the National Air and Space Museum was a standout, not just for the location and for a presentation by pioneering astronaut, Buzz Aldrin, but for the planes, satellites and rocket ships that have explored the unreachable.

For this observer, it served as a metaphor for information privacy and security in the life sciences. We have the technology. We know that privacy is essential. And we know that "like Jurassic Park" it will find a way out. However that information is controlled, ultimately, it will depend on knowing and trusting with certainty the identity of the person on the other side of the transaction. It's the only way we can safely collaborate and explore industry's new frontiers.


