A broad overview of the unique challenges serving biotech, pharma and academia
I’m going to outline some of the more unusual aspects of my twenty-two years of work in biotechnology and life sciences as a CIO and CTO with direct responsibility for all aspects of information security.
Biotech is an interesting place to inhabit for those of us tasked with protecting intellectual property. It’s an industry populated by individuals from a variety of disciplines, all of whom have different opinions on what “property” means. Some members of these organizations are protective of the organization’s property and were trained with a more traditional understanding of it. Engineers, HR, IT, the executive team, and of course the legal team are all examples of people who will make an effort to secure information. While their efforts may not always match the wishes of the security professionals, they’re generally willing to comply with guidelines and understand the need to take extra steps that may cost them valuable time out of their day.
Others in these organizations take a more academic approach, particularly in R&D and customer collaboration. Many of the scientists who populate these areas come from a world of open communication with their colleagues, and tend to be more concerned with solving the problem at hand than with protecting potentially valuable company IP. Academia thrives on the sharing of information; in a corporate environment this can lead to conflict between “businesspeople” and “research”, and the situation is exacerbated when a customer is involved.
The order for a custom reagent is in itself a valuable piece of customer IP. The specification needed to complete the request, when paired with the customer’s identity, can speak volumes about the area in which the customer is working and how they’re going about solving the challenge at hand. The customer may be a pharmaceutical company working on a next-generation drug, a diagnostics firm developing a test for a disease, or a bio-agriculture company developing its next line of seeds. In all cases the order itself has to be treated as highly confidential.
Often, when a vendor within biotech receives a more complex order, a challenge arises that requires a blend of talents. The sales or technical support team asks for the expertise and involvement of the research group, and together they attempt to ensure that the order is fulfilled with the greatest chance of success. In many cases the customer shares proprietary information about the work they’re doing, the research team lends whatever knowledge it has, and manufacturing is brought in to confirm that what’s being discussed can actually be produced.
Depending on the dollars involved, the technology in question, and the importance of the customer, the legal team may be brought in with their CDAs, NDAs and potentially contracts. Everyone involved knows the time this can add to the process, and frequently, to avoid delays, the lawyers and security professionals aren’t invited to the party. While everyone has the best interests of the customer and the company in mind, this leads to undue risk and potential disclosures that can be problematic on both sides of the fence.
While these protections may seem straightforward and logical, my experience is that they’re rare. Comments like “I can’t believe I’m reading this…” or “Their legal team would freak if they knew research had passed this to us” are commonplace, and the steps that many smaller biotech organizations take to protect their own IP are modest at best. In many cases, rapid growth or getting a product to market is prioritized well ahead of any protection of intellectual property.
In all of the examples above, the solution is rooted in education. Building a solid education program that encourages collaboration between information security, legal and the various teams within the company is a key element of protecting both the customer and the company. If a researcher understands the need to protect their company and has an open and productive relationship with the departments tasked with that protection, the risks are lowered significantly. Without that relationship and training, the organization is exposing itself to significant and undue risk.
There is also the question of purely company-side intellectual property. Instrumentation designs used in manufacturing, custom chemistry formulations that improve quality and efficiency, and custom software are just a few of the core pieces of technology that drive these organizations. They may or may not be patented or patentable, but they’re always at the heart of what makes a biotech reagent supplier successful. These data are primarily stored in the usual platforms of corporate software: ERP, PLM and file shares, to name a few. When any of these systems is moved to the cloud, the risk rises sharply.
All of these systems require a proactive information security strategy that spans the organization. Perimeter security, secure network architecture, encryption and DLP tools are only a few of the solutions needed to build the layered protection that secures these valuable data. Paired with the same educational and collaborative approach described above for protecting knowledge, they significantly reduce the chance of data loss and breach.
This isn’t a complete list of security challenges by any measure, but it covers some of the greater risks in the life sciences world and the challenges faced every day by the professionals asked to protect these organizations and their customers. Many of the “standard” infosec requirements also apply: PII, payment information and international data transfers are present in biotech as often as in any other multinational organization.
That said, the life sciences industry continues to grow, as does the number of areas of our lives that it impacts. As our dependence on this industry increases, so too does the importance of security awareness and investment within these organizations.
Aaron R. Warner is the former CIO/CTO of Integrated DNA Technologies and the founder of ProCircular InfoSec, a full-service information security firm providing analysis, strategy and implementation of security and risk solutions for small and medium-sized organizations.