August 31, 2021
Key industry and government regulations provide a cybersecurity foundation in advanced therapies
This installment continues the discussion of the importance of cybersecurity in life sciences and what companies can do to protect patient and company information. The preceding two posts covered the current state of cybersecurity in life sciences, along with some of the particular challenges the sector faces, and then turned to the first strategy for success: prioritizing security as a “Way of working.” Beyond what companies can do internally, both industry organizations and regulatory bodies publish standards that lay the foundation on which companies should operate. This installment covers the second and third strategies: securing the technology supply chain, and meeting or exceeding the most applicable industry and regulatory standards.
Strategy 2: Secure the technology supply chain
The technology supply chain, meaning the services and technologies procured from third-party vendors, is receiving a great deal of attention at the moment and is a focal point of recent U.S. federal policy. Executive Order 14028, Improving the Nation’s Cybersecurity, signed on May 12, 2021, calls for vendors supplying software to the U.S. Government to provide a software bill of materials (SBOM).1 An SBOM is the software analogue of a manufacturing bill of materials, or of the nutrition label on food: a machine-readable inventory of every component that went into the product, with its version and supplier.
Software applications today are typically assembled from many third-party software and technology components, each performing a specific function, combined in a particular way to produce the final application. Just as drug product manufacturing depends on knowing the details of every raw material and vendor, true end-to-end security requires that technology providers know exactly what is in the software and other products they use or build into their own. Providers already doing this are well positioned to adapt to the new requirements. Current industry best practice is a two-pronged approach that combines automated tooling with manual process. The automated tools, known as software composition analysis (SCA) tools, inventory the third-party components in a code base and assess each one for known vulnerabilities, maintenance status and license risk. Tools such as GitHub’s Dependabot and Synopsys Black Duck flag components that have been identified as vulnerable or insecure and, when wired into a policy gate in the pull-request or build pipeline, can block a change that introduces one. Manual processes vet a component’s provenance: who maintains it, how it is built and released, whether releases are signed, and how consistently the maintainers keep that provenance intact. The outcome is a written policy for whether and how the component may be incorporated into the product.
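As an added worked example (not code from the original post, and not tied to any particular SCA product), the following Python script shows what an automated SBOM policy gate of the kind described above does. It parses a small CycloneDX-format SBOM constructed inline for the example (the field names bomFormat, components, purl, hashes and licenses are real CycloneDX fields; every component name, version and hash value is invented), applies a hypothetical organizational policy (a deny-list, minimum acceptable versions, a license allow-list, and a requirement that each component carry a SHA-256 hash so the artifact can be pinned and verified), and reports whether the change should be blocked. The policy values and package names are assumptions for illustration only.

```python
"""SBOM policy gate (added example). Parses a CycloneDX JSON SBOM and
evaluates every component against a hypothetical organizational policy."""
import json
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample SBOM in CycloneDX JSON layout. The field names are real
# CycloneDX fields; all component names, versions and hash values are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http-client", "version": "2.4.1",
         "purl": "pkg:pypi/example-http-client@2.4.1",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-yaml-loader", "version": "0.9.0",
         "purl": "pkg:pypi/example-yaml-loader@0.9.0",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}],
         "licenses": [{"license": {"id": "MIT"}}]},
        # No hash and no license: cannot be pinned, and license needs review.
        {"type": "library", "name": "example-pad-util", "version": "1.0.0",
         "purl": "pkg:pypi/example-pad-util@1.0.0"},
        {"type": "library", "name": "example-crypto-shim", "version": "3.2.0",
         "purl": "pkg:pypi/example-crypto-shim@3.2.0",
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}],
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})


@dataclass
class Policy:
    denied: Set[str]              # version-less purls that may never ship (hypothetical)
    min_versions: Dict[str, str]  # version-less purl -> lowest acceptable version
    allowed_licenses: Set[str]    # SPDX license identifiers on the allow-list
    require_hash: bool = True     # every component must carry a SHA-256 hash


# Hypothetical policy values, chosen only to exercise each rule below.
POLICY = Policy(
    denied={"pkg:pypi/example-crypto-shim"},
    min_versions={"pkg:pypi/example-yaml-loader": "1.2.0"},
    allowed_licenses={"Apache-2.0", "MIT", "BSD-3-Clause"},
)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only ("1.2.0"); pre-release tags are out of scope here."""
    return tuple(int(part) for part in version.split("."))


def evaluate(sbom_json: str, policy: Policy) -> List[Tuple[str, str, str]]:
    """Return (severity, purl, reason) findings; severity is 'block' or 'warn'."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    findings: List[Tuple[str, str, str]] = []
    for comp in bom.get("components", []):
        purl = comp.get("purl") or "pkg:unknown/%s@%s" % (comp.get("name"), comp.get("version"))
        base = purl.split("@", 1)[0]          # strip the version to match policy keys
        version = comp.get("version", "")
        if base in policy.denied:
            findings.append(("block", purl, "component is on the deny-list"))
            continue                          # nothing else about it matters
        floor = policy.min_versions.get(base)
        if floor and version_tuple(version) < version_tuple(floor):
            findings.append(("block", purl, "below minimum version %s" % floor))
        sha256 = [h for h in comp.get("hashes", [])
                  if h.get("alg") == "SHA-256" and h.get("content")]
        if policy.require_hash and not sha256:
            findings.append(("block", purl, "no SHA-256 hash: artifact cannot be pinned or verified"))
        license_ids = set()
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            license_ids.add(lic.get("id") or lic.get("name") or "unknown")
        if not license_ids:
            findings.append(("warn", purl, "no license declared; needs manual review"))
        elif not license_ids <= policy.allowed_licenses:
            bad = sorted(license_ids - policy.allowed_licenses)
            findings.append(("block", purl, "license %s not on allow-list" % bad))
    return findings


def gate(sbom_json: str, policy: Policy) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """True (allow) only when no finding has severity 'block'."""
    findings = evaluate(sbom_json, policy)
    return (not any(sev == "block" for sev, _, _ in findings), findings)


if __name__ == "__main__":
    allowed, results = gate(SAMPLE_SBOM, POLICY)
    for sev, purl, reason in results:
        print("%-5s %s: %s" % (sev, purl, reason))
    print("ALLOW" if allowed else "BLOCK")
```

Run as a pre-merge check, the script exits the review with BLOCK for the sample SBOM: the deny-listed component, the out-of-date loader and the unhashed utility each produce a blocking finding, while the missing license is only a warning routed to manual provenance review. In a real pipeline the deny-list and minimum versions would be fed from the SCA tool's vulnerability data rather than hard-coded.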
Strategy 3: Meet or exceed industry and regulatory standards
A comprehensive security and privacy program ensures that a company is compliant with the key industry standards and regulations. Compliance demonstrates a foundational level of competency, readiness and commitment, and it establishes a baseline of trust with stakeholders. Third-party certification goes a step further by having an independent assessor confirm that the provider can demonstrate its adherence to the requirements.
The primary security standards for technology organizations in the U.S. are established and published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.2 For SaaS providers specifically, the Open Web Application Security Project (OWASP) publishes widely adopted application-security guidance, including the OWASP Top 10 and the Application Security Verification Standard (ASVS).3 Control catalogs such as NIST SP 800-53 help organizations select and implement appropriate security and privacy controls.4 Globally, ISO/IEC 27001 is the established, well-respected standard for information security management systems.5 In addition, companies serving the biopharmaceutical industry must meet the computerised-system requirements of the regulators in the regions where they operate. In the U.S., the Food and Drug Administration’s (FDA) 21 CFR Part 11 sets the requirements for electronic records and electronic signatures; in the E.U., EudraLex Volume 4 Annex 11, issued by the European Commission, sets the expectations for computerised systems used in GMP-regulated activities.6, 7
Data privacy goes hand in hand with security, and specific regulations govern how companies manage and protect electronic customer and patient data and how breaches must be handled. Safeguarding data, especially electronic protected health information (ePHI), is paramount for companies operating in the biopharma space, and compliance with the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the General Data Protection Regulation (GDPR) in the E.U. is a must-have.
Cybersecurity threats change and multiply rapidly, while regulations and standards evolve more slowly. The best defense is to cultivate a proactive way of working that applies security and privacy principles from start to finish, as outlined in this series. Compliance then follows largely as a by-product, and additional effort goes where it is most needed and has the most impact, regardless of the letter of the regulations.
The foundations described in this series are essential to a successful overall cybersecurity strategy. But they are only foundations; ultimately a significant portion of cybercrime prevention rests with end users, and with every level of the organization practicing continuous monitoring and improvement. End users are the easiest and most frequently used entry point for cyberattacks, and in a space that is constantly evolving, cybersecurity is not a one-and-done exercise. The fourth and final post in this series takes up these two topics to round out the discussion of five strategies for cybersecurity success.
Blog series posts:
Post #1 Cybersecurity challenges in advanced therapies — introducing five strategies for success
Post #2 Cybersecurity success in advanced therapies starts by prioritizing security as a “Way of working”
Post #4 Life Sciences cybersecurity, knowing your first line of defense and continuously improving it
- Sanger, David and Barnes, Julian. Biden Signs Executive Order to Bolster Federal Government’s Cybersecurity. The New York Times, May 12, 2021: https://www.nytimes.com/2021/05/12/us/politics/biden-cybersecurity-executive-order.html?referringSource=articleShare
- National Institute of Standards and Technology (NIST), U.S. Department of Commerce: https://www.nist.gov/
- Open Web Application Security Project (OWASP): https://owasp.org/
- National Institute of Standards and Technology (NIST). NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. U.S. Department of Commerce, September 2020: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
- International Organization for Standardization (ISO). ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements. ISO, 2013: https://www.iso.org/standard/54533.html
- Title 21, Food and Drugs; Chapter I, Food and Drug Administration, Department of Health and Human Services; Subchapter A, General; Part 11, Electronic Records; Electronic Signatures. Silver Spring, MD, April 2020: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?cfrpart=11
- EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Guidelines for Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems. European Commission, Health and Consumers Directorate-General, Brussels, SANCO/C8/AM/sl/ares(2010)1064599, 2010: https://ec.europa.eu/health/sites/default/files/files/eudralex/vol-4/annex11_01-2011_en.pdf