Beyond Compliance: Ensuring Data Integrity and Security in the Pharmaceutical Industry

August 14, 2024 at 8:00 am by Amanda Canale

There is no disputing that pharmaceutical companies handle vast amounts of sensitive data, ranging from proprietary research and development information to personal health records and clinical trial results.

As cyber threats grow increasingly sophisticated, protecting this sensitive information from unauthorized access and potential breaches is critical. The stakes are understandably high, as this data is not only the backbone of life-saving drugs and therapies but also a prime target for cybercriminals. 

Thankfully, there is now a diverse range of cybersecurity measures pharmaceutical companies can adopt, from cloud and network security to compliance programs and a strictly maintained chain of custody. Even with these measures in place, however, the threat of a breach can persist long after a drive has reached the end of its lifecycle, which is why high-security data decommissioning is another crucial aspect of proper cybersecurity.


Importance of Compliance Regulations

Pharmaceutical companies operate in a highly regulated environment where compliance is critical. Regulators and regulations such as the U.S. Food and Drug Administration (FDA), the Health Insurance Portability and Accountability Act (HIPAA), and the EU’s General Data Protection Regulation (GDPR), among others, impose stringent guidelines on data management. These guidelines also define what constitutes proper destruction, an aspect of data security that we argue is the most important.

These guidelines are in place to prevent unauthorized access to confidential information, safeguard patient privacy, and maintain the integrity of research data. A pharmaceutical company that fails to comply with them can face severe penalties, including hefty fines, legal action, damage to its reputation, and, of course, adverse effects on the lives of its patients.

Critical Compliance Regulations

Regulations like the FDA’s 21 CFR Part 11, which governs electronic records and electronic signatures, require companies to implement robust controls to ensure data integrity and security. Part 11 requires that any action taken on an electronic record, including its destruction, be recorded in an audit trail. This documentation provides validated proof that the records were destroyed in compliance with regulatory standards and that the process was carried out by authorized personnel, ensuring that patient signatures remain secure. This kind of documentation is called a chain of custody, which we discuss in depth later in this blog.

Similarly, the EU’s General Data Protection Regulation (GDPR) mandates strict data protection measures. Pharmaceutical companies conducting medical trials in Europe are required to comply with GDPR regulations, including the mandate that patient data should never leave the clinical site and is only accessible by authorized personnel. 

For example, pharmaceutical companies must obtain explicit consent from patients before collecting and processing their personal data. GDPR also requires companies to implement strict security measures to protect data from unauthorized access or disclosure, including the secure disposal of personal data when it is no longer needed. Compliance with these regulations is not optional: it is a legal requirement that ensures the trust and safety of all stakeholders involved.

One of the most prominent regulations is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national standards for protecting patient health information, requiring pharmaceutical companies to implement robust safeguards when handling, storing, and transmitting patient data. This includes ensuring that data is encrypted, access to information is restricted, and that there are protocols in place to detect and respond to potential data breaches. Companies must also provide patients with rights over their data, such as the ability to access and request corrections to their health information. 

Francesco Ferri, an OT security deployment and operations lead at GSK, a global biopharma company, told Industrial Cyber that, “a key factor that sets the pharmaceutical sector apart is that integrity takes priority over availability. Safety is always the main focus.”

We couldn’t agree more. After all, high-security data destruction equipment is essential for meeting these regulatory requirements.


Criticality of High Security Data Destruction

Beyond compliance and the deployment of the most robust cybersecurity defenses, the need for high-security data destruction is driven by the need for data security and patient privacy. The pharmaceutical industry is a lucrative target for cyberattacks because of the high value of the data it holds. From clinical trial results to proprietary formulas, the information stored by these companies is highly sought after by hackers and competitors.

Traditional methods of data decommissioning, such as deleting or overwriting files, are not a sufficient form of destruction, especially now that data recovery technologies have advanced significantly. As hard drive storage capacities have grown, proper decommissioning has become crucial to safeguarding sensitive information. High-security data destruction equipment ensures that data is irretrievably destroyed, leaving no possibility of reconstruction.

Without proper destruction protocols, sensitive information can be retrieved, leading to breaches that compromise patient safety, expose intellectual property, and hand competitors an advantage. A breach of this data, in any capacity, could have catastrophic consequences, including the theft of intellectual property, which could cost billions in lost revenue, or the manipulation of research data, potentially leading to unsafe products reaching the market.

Even though the pharmaceutical industry is worth over a trillion dollars, the average cost of a data breach, approximately $4.88 million, can still gravely affect the average pharmaceutical company.

Chain of Custody’s Role in Data Security

It would be irresponsible of us to discuss proper compliance regulations and the criticality of high security data destruction in-depth without talking about the vital importance of creating and maintaining a chain of custody.

A chain of custody is detailed documentation of the data’s handling, movement, access, and activity throughout its lifecycle. This documentation, which should only ever be handled by authorized personnel, is crucial not only for compliance and auditing purposes but also for demonstrating that the data was securely destroyed once it reached end-of-life. A chain of custody and a secure data decommissioning procedure should always go hand in hand.
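As an added illustration (not code from the original post or from SEM), here is a minimal tamper-evident chain-of-custody log for one retired drive: each record commits to the hash of the record before it, so an edited, removed or reordered entry is detected on verification, and the final check accepts the log only when it ends with a witnessed destruction using one of the physical methods named in the NIST SP 800-88 guidance later on this page. The asset tag, personnel names and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64
# Physical destruction methods named in the NIST SP 800-88 section later on this page.
DESTRUCTION_METHODS = {"disintegrate", "incinerate", "pulverize", "shred", "melt"}
# Constructed sample events for one retired drive; asset tag, names and timestamps are made up.
SAMPLE_EVENTS = [
    {"seq": 1, "action": "receive", "asset": "HDD-EXAMPLE-0001", "by": "asset-clerk", "ts": "2024-08-01T09:00:00Z"},
    {"seq": 2, "action": "transfer", "asset": "HDD-EXAMPLE-0001", "from": "asset-clerk", "to": "destruction-tech", "ts": "2024-08-01T10:15:00Z"},
    {"seq": 3, "action": "destroy", "asset": "HDD-EXAMPLE-0001", "method": "shred", "by": "destruction-tech", "witness": "qa-auditor", "ts": "2024-08-01T10:40:00Z"},
]

def _digest(prev_hash, event):
    """Hash the previous link plus the event in canonical JSON, so equal events hash equally."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_event(chain, event):
    """Append an event, linking it to the hash of the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    event = dict(event)  # store a copy so later edits to the caller's dict do not alter the record
    entry = {"event": event, "prev_hash": prev_hash, "hash": _digest(prev_hash, event)}
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Return (True, -1) if every link holds, else (False, index of the first bad record)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return False, i
        prev_hash = entry["hash"]
    return True, -1

def destruction_recorded(chain):
    """True only if the log is intact and ends with a witnessed, recognised destruction."""
    ok, _ = verify_chain(chain)
    if not ok or not chain:
        return False
    last = chain[-1]["event"]
    return (last.get("action") == "destroy" and last.get("method") in DESTRUCTION_METHODS
            and bool(last.get("witness")))

def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain
```

A hash chain only proves internal consistency: the latest hash still has to be anchored outside the log (signed, or recorded by the auditor) so that someone who can rewrite the whole file cannot simply recompute every link.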


Conclusion

A robust cybersecurity system, compliance with regulatory mandates, a documented chain of custody, and a high security data decommissioning process combine to create a comprehensive framework for safeguarding sensitive information, ensuring data integrity, and mitigating risks throughout the entire data lifecycle. In doing so, pharmaceutical companies can reinforce the trust that stakeholders, including patients, partners, and regulators, place in their hands. 

Protecting this information through proper data destruction and cybersecurity practices is not just a regulatory obligation but a moral one as well. It shows a commitment to safeguarding the dignity and privacy of the individuals who rely on pharmaceutical companies to act responsibly. Our very lives depend on it.


Making Sense of HIPAA

December 21, 2010 at 11:30 am by SEM

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It requires the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information.

The HIPAA law applies to anyone who has visited any health care facility, which is basically everyone. Before the law was enacted, the fate of our medical records was left in the hands of health care professionals. Some disposed of them properly, but some just threw them into the dumpster. As with our old credit card statements and other mail or personal information, once records are thrown in the dumpster they are community property and anyone can have access to them.


Your Health Information Is Protected By Federal Law

Most of the population believes that medical and health information is private and should be protected, and want to know who has access to this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

How Our Information Is Treated and Disposed Of

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.

Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.

In general, examples of proper disposal methods may include, but are not limited to:

    • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
    • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.

NIST Guidelines

Destruction of media is the ultimate form of sanitization. After media is destroyed, it cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.

If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.

Disintegration, incineration, pulverization, and melting: these sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or incineration facility with the specific capabilities to perform these activities effectively, securely, and safely. End-of-life data destruction machines can also be purchased to destroy the material on site.

Shredding: paper shredders can be used to destroy paper and in some models, flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality level that the information cannot be reconstructed.

Optical mass storage media, including compact discs (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), Blu-ray Discs (BDs) and magneto-optic (MO) disks, must be destroyed by pulverizing, crosscut shredding or burning. Destruction of media should be conducted only by trained and authorized personnel. Safety, hazmat, and special disposition needs should be identified and addressed prior to conducting any media destruction.

Enforcement and Penalties for Noncompliance

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the standards and may conduct complaint investigations and compliance reviews.

The OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.

Civil Money Penalties

OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.

Criminal Penalties

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.

Summary

HIPAA covers a broad area of responsibilities. We are all involved in this, as we all have personal records outside our personal control and, as such, are subject to having our personal information compromised. To understand HIPAA is to understand the relationship between the importance of our PHI and our health care providers, and to realize that somebody could potentially obtain our information if the proper safeguards are not adhered to. HIPAA sets these guidelines to protect everybody.