The demand for information security audits that can help protect a business's data integrity is on the rise, particularly in certain sectors such as pharmaceuticals. We've conducted several in the last few months.
The drivers are in part obvious. On the one hand there is the number of cyber attacks and data security breaches (33.8 million records leaked in 2017) and the high profile of some of the biggest incidents; on the other there is increasing regulatory pressure, not least from the EU's General Data Protection Regulation, which we've discussed previously and which finally comes into effect this May. As Microsoft's CTO in the UK recently explained, GDPR is making cyber security a board-level issue.
How an IT security audit can help secure your data integrity
In this context, an audit provides not just an information security audit checklist but a fresh view of the organisation's position on its data. Taking a holistic view of not only the IT infrastructure and its security but also people, policies and procedures, it can provide something of a gap analysis: highlighting weaknesses, suggesting remedies and providing evidence, if needed, that the organisation is taking data security seriously.
A bitter pill: the need for verifying data integrity in pharma
A key driver of many organisations' interest in information security audits is data integrity.
For many businesses the key risk may be internal rather than external: not just disgruntled employees who may try to harm systems or steal data, but also those who may try to manipulate data to meet regulatory or management demands.
For pharmaceutical businesses and their regulators, the issue has increasingly come to the fore and, as with IT security, that is not least the result of some high-profile cases, such as India's Ranbaxy. In 2013 it pleaded guilty in a US federal court to selling adulterated drugs with intent to defraud, failing to report that drugs did not meet specifications, and making intentionally false statements to the US Food and Drug Administration (FDA).
Evidencing pharma regulatory compliance
Consequently, ensuring data integrity, so that firms can evidence the veracity and accuracy of data such as test results, has been high on the regulatory agenda since, and increasingly so: FDA observations issued in 2016 show integrity-related deviations entering the top 15 deviations for the first time.
It's not just the US either; Annex 11 of the EU's rules governing medicinal products also specifies that "risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality" [emphasis added]. Regulators are taking this seriously, and so are businesses, not just because of the regulatory pressure but because so many rely on producers in regions such as India and China for their supplies.
That is why information security audits are so useful in industries such as pharmaceuticals. Not only do they help ensure security against external threats; they can also be used to validate quality-critical systems. They provide regulators and customers with assurance that an audit trail is in place to show that data has been securely captured and stored, so that any subsequent change is recorded and attributable, and that individuals are given only the level of access they need, which limits the opportunity for tampering.