In February, I previewed the challenges that pharmaceutical organizations face related to integration and data management. Since then, in a series of six blogs, I’ve discussed those challenges as they specifically apply across the pharma lifecycle: Research and Development, Clinical, Manufacturing and Supply Chain, Sales and Marketing, Outcomes and Adherence and Sentiment.
Besides the common thread that these lifecycle segments all share around data issues, the other shared challenge is around compliance, privacy and security. These all fall under what is termed a Trust Framework, and while the three areas are related, they are not the same thing.
- Compliance is about meeting regulatory and industry guidelines. It’s “the action or fact of complying with a wish or command.” In practice this is the minimum set of requirements to stay in business, imposed by government and/or the industry itself. In some cases you are audited in advance and receive a formal attestation, as with the Payment Card Industry’s Data Security Standard (PCI DSS), where a qualified assessor issues an Attestation of Compliance. In other cases you can be audited by a third-party firm, but no “certification” is issued. HIPAA is a good example of this: the Department of Health and Human Services doesn’t certify organizations, it only defines what is required and enforces it after the fact. In pharma, these, along with 21 CFR Part 11 from the Food and Drug Administration (electronic records and electronic signatures), are top of mind.
- Security includes the efforts, both physical and digital, to prevent breaches of information or process. It’s “the state of being free from danger or threat.” While compliance means you’ve checked the boxes at a point in time, security is a continuous process, and you can never prove you are “secure” at any given moment. The most you can say is that no breach has been detected to date, which is not the same as saying none has occurred. A quality security program drives constant oversight and monitoring of the organization and keeps evolving to stay ahead of the “bad guys.”
- Privacy typically refers to protecting information about individuals from those who are not entitled to access or know it. It’s “the state of being away from public attention.” HIPAA controls play a large part in this by defining what Protected Health Information (PHI) includes and who may use or disclose it. Similarly, there are international controls such as the EU’s Data Protection Directive (95/46/EC), which governs the protection and processing of personal data. Both types of controls matter in clinical trial data capture, where the personal information of trial participants must be protected from the moment it is collected.
In a data-centric world, being sensitive to where information resides, where it moves, and who has access to it is essential. Having a Trust Framework in place to ensure the compliance, security and privacy of data is paramount for both corporate and consumer credibility. And while we typically think of encryption as the solution to these issues, encryption only protects data at rest and in transit; it does nothing about an authorized user misusing legitimate access. Technology is only part of the solution; people and process play a large role as well.
Here are a few briefs about these issues as they relate to integration and data management:
- Industry Stats around Compliance and the Continuance Compliance Model
- Beyond Integration: Future-Proofing Your Enterprise through a Holistic, Data-Centric Approach to Compliance
How is your Trust Framework around compliance, privacy and security? Any good advice and/or lessons learned to share? I’d love to hear about it if so.
Until next time,