ProCircular Information Security Experts Corner

Unique Data Risks in Life Sciences

Posted by Aaron R. Warner on Nov 9, 2016 8:53:59 PM

Some of the more unique data types in life sciences

All organizations face information security challenges the moment an order from a customer arrives. Even for the most basic organizations, exposure of customer information could prove problematic to their customers. A furniture provider's data could point towards a massive expansion in a particular geography, or towards downsizing in a market when the customer calls the firm asking about resale or repurchase, and those data can easily be located in a CRM database. A company responsible for financing a firm has significant intelligence on that firm's operations and on how it intends to use the resources available to it. Even the most rudimentary ordering patterns, in the right hands, are a valuable piece of information: a law firm ordering 5x its normal amount of paper from an office supply company might provide insight into an upcoming legal action.

Biotech and the Life Sciences market offer an additional level of complexity. Often in the biotech world the order itself is a strong indication of the approach a customer is taking to their research or product development. Unlike an order for paper or furniture, the order itself is often intellectual property, or at least an indication of the area in which the customer is working.

It's commonplace to focus information security efforts on protection of the areas that are always important in the world of InfoSec; PCI-DSS and PII are just a few examples. There's no question that these areas require attention and appropriate efforts to protect these data, and a myriad of expertise is available to assist in those efforts.

In the world of Life Sciences, a customer may need to provide the “crown jewels” to the vendor if only to receive the inputs necessary to continue their own product development. The simplest example is a customer requesting the custom DNA that they need in order to continue their research. Paired with the customer name, this information alone could potentially provide a competitor or bad actor with the information necessary to determine a very specific product development direction considered to be proprietary by the customer.

In other cases, a customer in the diagnostic space might provide all of the information necessary to replicate, or at least understand, their new product offering in a new area of healthcare. The organization offering a new cancer diagnostic, veterinary tool or water quality study may have to trust the manufacturer to store their most valuable information in order to produce the kit or toolset and go to market.

Both of these situations place a significant burden of trust on the manufacturer. The provider of "basic" services has an additional need to separate customer order information from its source (the customer's identity) and to build identity management solutions that narrow access to these data. The more complex example requires the manufacturer to establish a relationship with the customer that allows the two organizations to understand together the levels of sensitivity of the information being managed between them.
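One concrete way to do what the paragraph above describes, separating the order content from the customer identity and narrowing who can join them back together, is shown below. This is an added example written for this page, not ProCircular's code or any vendor's system; the role names (`manufacturing`, `customer_service`, `account_manager`), the store names and the sample order are all assumptions constructed for illustration. The order content (sequence, quantity) and the identity fields (customer name, contact) land in separate stores linked only by a random token, each role may read only the stores it needs, and every read attempt is recorded so a denied join attempt is visible to the security team.

```python
import secrets
from typing import Dict, Set

# Constructed sample order (not from the original post): a custom DNA request
# that, paired with the customer name, would reveal a product development direction.
SAMPLE_ORDER = {
    "customer": "Example Diagnostics Inc.",
    "contact_email": "lab@example.test",
    "sequence": "ATGGCCATTGTAATGGGCCGCTGAAAGGGTGCCCGATAG",
    "quantity_nmol": 25,
}

# Fields that identify the customer; everything else is order content.
IDENTITY_FIELDS = {"customer", "contact_email"}

# Hypothetical role names and the logical stores each may read.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "manufacturing": {"orders"},                        # sequence only, no customer
    "customer_service": {"identities"},                 # customer only, no sequence
    "account_manager": {"orders", "identities", "links"},  # may re-join the two
}


class OrderVault:
    """Keeps identity and order content apart, joined only by a random token."""

    def __init__(self) -> None:
        self.identities: Dict[str, dict] = {}     # customer_id -> identity fields
        self.orders: Dict[str, dict] = {}         # order_token -> non-identity fields
        self.links: Dict[str, str] = {}           # order_token -> customer_id
        self.audit: list = []                     # (role, store, key, allowed)
        self._customer_ids: Dict[str, str] = {}   # customer name -> customer_id

    def ingest(self, order: dict) -> str:
        """Split an incoming order and return the token manufacturing works from."""
        identity = {k: v for k, v in order.items() if k in IDENTITY_FIELDS}
        content = {k: v for k, v in order.items() if k not in IDENTITY_FIELDS}
        name = identity["customer"]
        customer_id = self._customer_ids.setdefault(name, secrets.token_hex(8))
        self.identities[customer_id] = identity
        token = secrets.token_urlsafe(16)  # unguessable and carries no customer info
        self.orders[token] = content
        self.links[token] = customer_id
        return token

    def read(self, role: str, store: str, key: str):
        """Enforce per-store least privilege and record every attempt."""
        allowed = store in ROLE_ACCESS.get(role, set())
        self.audit.append((role, store, key, allowed))
        if not allowed:
            raise PermissionError(f"{role} may not read {store}")
        return getattr(self, store)[key]

    def resolve_customer(self, role: str, token: str) -> dict:
        """Re-join order and identity; only roles with 'links' access get this far."""
        customer_id = self.read(role, "links", token)
        return self.read(role, "identities", customer_id)


def demo() -> dict:
    """Run the sample order through the vault and report what each role sees."""
    vault = OrderVault()
    token = vault.ingest(SAMPLE_ORDER)
    result = {"manufacturing_view": vault.read("manufacturing", "orders", token)}
    try:
        vault.read("manufacturing", "links", token)
        result["manufacturing_join"] = "allowed"
    except PermissionError:
        result["manufacturing_join"] = "denied"
    result["account_manager_view"] = vault.resolve_customer("account_manager", token)
    result["denied_attempts"] = sum(1 for _, _, _, ok in vault.audit if not ok)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same split applies to a relational design: an orders table with no customer columns, an identities table, and a link table that only a restricted role can query. The audit list stands in for whatever logging the real system already has; the point is that a denied attempt to read the link store is itself a signal worth alerting on.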

Education is as critical in these examples as any other form of control. Creating informed employees and security advocates who are able to recognize the sensitivity of these data is as core to protecting the information as any procedural or preventative control. An employee in manufacturing or customer service who understands the relative sensitivity of a set of data is as effective in protecting it as any computer-based solution, and may be the key to ensuring the security of the data itself. Bringing together people from a variety of disciplines can make the difference between remedial efforts and a world-class organization that honors the needs of its customers.

The expectations in biotech around customer products may be unique today, but over time customers in every market will expect a product customized around their specific needs. The more customized the need, the more an organization will know about the work of its customers. As that understanding of a customer deepens, so too will the value and sensitivity of the information held in the vendor's systems. It will be left to information security professionals to guide these organizations to better protect their data and ultimately ensure the success of the organizations they enable.

Topics: Life Sciences, Cybersecurity, Data Classification, Information Security