With ever mounting competition it is becoming increasingly important for pharmaceutical companies to leverage new technologies as a means of gaining competitive advantage. Indeed, a recent study by Accenture Research in the US showed that eighty percent of the world’s leading pharmaceutical companies believed Internet-related technologies could not only speed up time to market, but also reduce drug development costs and administration.
There is little doubt that email has been one of these key technologies. It has benefited a number of business processes across the industry, speeding up communication and opening up new information channels. However, from its inception, email was never intended as a carrier for highly sensitive data, the sort shared between financial, governmental, medical and of course pharmaceutical communities.
Pharmaceutical companies have always placed a high value on confidentiality and privacy, thus the open and collaborative nature of the Internet poses significant new security challenges to every organisation, irrespective of size. In essence, unsecured data can easily be compromised. Yet email’s convenience, low cost and speed have secured its place as a key business tool, even to the extent that it is replacing paper-based communication as a carrier for highly sensitive and confidential company information.
The medium presents numerous ‘grey’ areas, for example: When you send an email how do you know it has reached the intended recipient? When you receive a mail how can you be sure the sender is who he says he is?
Has a network administrator had a quick peek? Are you sure it hasn't been altered in any way during transit? What about those emails you've received mistakenly, have you discarded them without reading them?
Many companies, directors and individuals remain blissfully unaware that email should be treated with exactly the same care, attention and accountability as any communication originating from an organisation. So an email containing company sensitive information sent erroneously, or which is intercepted, could mean the sender is in breach of their obligations and could face legal recourse.
A recent example, in which pharmaceutical giant Eli Lilly accidentally revealed the email addresses of some 600 patients during a routine mailing, demonstrates the variety of potential problems associated with an industry governed by strict regulations. Although, after much assessment, Eli Lilly was found not to be in breach of the US Health Insurance Portability and Accountability Act (HIPAA) which governs data privacy, the mistake clearly demonstrates a need for the industry to assess the ways in which it communicates with peers, suppliers, and customers. As the flow of information increases, so too does the possibility of violating certain confidentiality and data privacy laws.
So what measures can be put in place to secure email and protect sensitive data? Traditionally we rely on a set of agreed business practices to ensure the integrity of any communication; for example, sealed envelopes, a recipient’s signature and face-to-face authentication. As the use of email escalates it has become clear that these traditional business processes are equally, if not more, relevant in the digital age.
Given the sensitive nature of information circulated within the pharmaceutical industry it is of the utmost importance to understand that whilst certain IT security technologies address the most basic of privacy and confidentiality issues, only those that offer the highest level of day-to-day security are truly acceptable. To do otherwise is to run the risk that inadvertent messages will breach confidentiality demands and provoke liability.
This is not an industry with any leeway for error. Email users need to ensure not only authenticity (has the email really come from the stated author?) but also non-repudiation (can either party deny having sent or received an email?) and confidentiality, to ensure messages are kept private from third parties and not tampered with.
The pharmaceutical industry, like many others, is guilty of being too forgiving of email’s shortcomings. We would never accept misdirection or non-delivery of a package delivered by a courier, so why accept it for email?