Biobanks should be especially vigilant with regard to hacking attacks.
October 14, 2004 | Life science organizations share many security risks with other IT-enabled organizations, such as preventing unauthorized access to corporate networks and protecting proprietary financial, strategic, and personnel information. In a biopharma, additional measures are required to protect internal information such as scientific trade secrets and intellectual property pending patent protection, as well as external clinical trial data.
Organizations engaged in clinical trials share a special requirement with the healthcare providers that assist in those trials — namely, to protect the identity of patients. As clinical records, biological samples, and genetic data are collected on individuals and combined into databases for analysis, the duty to protect personal private data is not only imperative but also legislated through the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and the European Commission's Directive on Data Protection.
A related situation exists with emerging biobanks. Biobanks accept clinical data and biological samples under an informed-consent protocol, storing those data in multiple databases. An organizational administrator can often access the personal identifiers associated with a sample, de-identified data are shared with medical and scientific researchers, and biobank staff can log into the biobank remotely. In short, biobanks are as vulnerable to external hacking or internal attacks as any healthcare organization and, because of the sensitivity of the data they hold, need to be particularly vigilant with regard to security measures.
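The separation the paragraph describes, identifiers reachable only by an administrator while researchers see de-identified records, can be made concrete with keyed pseudonymization. The example below is added here and is not code from the article or from any biobank; the records, the field names and the linkage key are all constructed for illustration. Each person is given an HMAC-derived pseudonym, the direct identifiers are moved into a restricted identity vault, and re-identification is gated by role. Because the pseudonym is keyed rather than a bare hash of name and date of birth, a researcher holding the shared table cannot recompute it by guessing identities.

```python
import hashlib
import hmac

# Constructed example data: a fictitious biobank intake batch. The same
# person (Ada) appears twice to show that linkage across samples survives.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "dob": "1961-03-09", "sample_id": "S-0001",
     "diagnosis": "type 2 diabetes", "genotype": "rsEXAMPLE:CT"},
    {"name": "Ben Example", "dob": "1974-11-21", "sample_id": "S-0002",
     "diagnosis": "control", "genotype": "rsEXAMPLE:CC"},
    {"name": "Ada Example", "dob": "1961-03-09", "sample_id": "S-0003",
     "diagnosis": "type 2 diabetes", "genotype": "rsEXAMPLE:CT"},
]

# Fields that identify a person directly; they never leave the identity vault.
DIRECT_IDENTIFIERS = ("name", "dob")

# Hypothetical linkage key for this example only. In a real biobank it would
# be held in a key-management system accessible to the administrator role,
# never embedded in application code or shipped with the research table.
EXAMPLE_LINKAGE_KEY = b"constructed-example-key-do-not-reuse"


def pseudonym(identity: str, linkage_key: bytes) -> str:
    """Keyed pseudonym: the same identity always maps to the same ID under a
    given key, but without the key it cannot be recomputed from name and
    date of birth (unlike a plain SHA-256 of those fields)."""
    digest = hmac.new(linkage_key, identity.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def split_records(records, linkage_key):
    """Split intake records into a restricted identity vault and a
    de-identified research table keyed only by pseudonym."""
    vault = {}       # pseudonym -> direct identifiers (administrator access only)
    research = []    # rows safe to share with researchers
    for rec in records:
        identity = "|".join(rec[field] for field in DIRECT_IDENTIFIERS)
        pid = pseudonym(identity, linkage_key)
        vault[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        research.append({
            "pid": pid,
            **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS},
        })
    return vault, research


def reidentify(pid: str, vault: dict, role: str):
    """Look a pseudonym back up in the vault; only the administrator role may."""
    if role != "biobank_admin":
        raise PermissionError("re-identification is restricted to biobank administrators")
    return vault.get(pid)


def leaks_identifiers(research) -> bool:
    """Release check: True if any shared row still carries a direct identifier."""
    return any(field in row for row in research for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault, research = split_records(SAMPLE_RECORDS, EXAMPLE_LINKAGE_KEY)
    for row in research:
        print(row)
    print("identifiers leaked:", leaks_identifiers(research))
    print("admin lookup:", reidentify(research[0]["pid"], vault, "biobank_admin"))
```

The `leaks_identifiers` check is the kind of automated gate worth running before any extract is handed to researchers; the `PermissionError` path is where an audit log entry would be written in a real deployment.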
While such security risks will never be eliminated, they can be significantly mitigated through application of sound security procedures and technology. Network or computer security with regard to personal health data has three major elements articulated in the HIPAA regulations: administrative, physical, and technical. How an organization implements these three elements is left open to interpretation.
Administrative procedures including the creation of clear privacy policies and training of employees in privacy rules and security measures are vital. It is pointless to invest in the best security technology if employees are vulnerable to "social hacking" — when a hacker persuades an employee to provide the login password. Computer security should be assigned to a chief security officer or a chief information security officer. In smaller organizations, the security responsibilities might fall under the auspices of the COO or CIO.
Education and a Multi-Layered Approach
In IDC's Enterprise Security Survey 2003, 38 percent of healthcare respondents indicated that "lack of resources" was their primary challenge. That study also found that the "most important application security dimension" was "education of users and developers." Without direct administrative attention, employee training, and allocation of appropriate budget, computer security will simply be hit or miss.
In addition to computer security, physical safeguards are also a necessity. These may include keyed access to sensitive areas such as data centers, sign-in requirements for visitors, and surveillance systems for sensitive locations.
No single set of technology security measures can safeguard a network, but a multi-layered approach stands a better chance at defeating attacks. The IDC survey revealed that the most common security technologies in healthcare mirror the broader enterprise picture, with firewalls at 98 percent and antivirus software at 94 percent. Encryption measures are also prevalent in healthcare, with data encryption used by 78 percent and transport encryption VPN by 74 percent of respondents.
Pulling together the administrative, physical, and technical mechanisms to support patient privacy is critical to pharmaceutical companies, hospitals, and biobanks. It is crucial not only because of government regulations but also to maintain public trust in the privacy of medical records in an interconnected society that seems to offer less and less in the way of true privacy.
Michael Swenson is a research manager at Life Science Insights.