Pharmaceutical companies are both producers and collectors of vast quantities of sensitive data stemming from not only selling pharmaceutical products but also developing them. From initial research to the patent filing, clinical research phases, the issuing of licenses, and the manufacturing process, pharmaceutical companies handle massive amounts of highly sensitive, confidential data which they are obligated to protect under data protection laws. Data Loss Prevention (DLP) solutions have become essential tools for pharmaceutical companies to keep sensitive data protected.
In the European Union, the General Data Protection Regulation (GDPR) recognizes data concerning health among its special categories of data, meaning it receives a higher level of protection than regular categories of sensitive data such as Personally Identifiable Information (PII).
The processing of these special categories of sensitive data is prohibited unless exemption criteria are met. Among them is an individual’s explicit consent to process the data, but also processing for health-related purposes where it is necessary for the benefit of natural persons and society as a whole. A further exemption allows the processing of special categories of data when scientific research is being conducted that operates within an ethical framework and aims to grow society’s collective knowledge and wellbeing.
While all these exemptions make it sound like pharmaceutical companies can freely process sensitive data, it is in fact limited to processing in the context of the management of health or social care services and systems, including the management of such data for the purpose of quality control. These limitations aim to curtail attempts to use big data analytics techniques to profile or market to individuals based on their health data.
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) ensures the privacy and security of protected health information (PHI) and applies to electronically submitted claims. As such, most pharmaceutical companies fall under the jurisdiction of HIPAA and need to follow its rules.
Failure to protect sensitive data can lead to heavy fines and pharmaceutical companies need to put robust data protection safeguards in place to avoid them. At the same time, data protection is vital to maintain the trust and confidence of customers and individuals involved in clinical research.
DLP solutions aim at tackling internal threats rather than external ones, thus helping pharmaceutical organizations avoid data leaks and data theft originating from employee carelessness or malicious insiders. Let’s take a closer look at some of the ways in which DLP helps protect pharmaceutical data.
4 ways DLP helps pharmaceutical companies protect their data
1. Monitor pharmaceutical data
DLP solutions allow pharmaceutical companies to discover what types of protected sensitive data they collect or produce, where it is being stored, and how it travels in and out of the company network. They come with predefined policies based on legislation such as HIPAA and GDPR, supporting compliance and ensuring the right type of data is searched for and monitored.
Using content inspection and contextual scanning, DLP tools such as Endpoint Protector can search for sensitive pharmaceutical data in hundreds of file types in real-time, whether in transit or stored locally on employees’ computers. Based on the results of searches, controls can be put into place to limit or block transfers as needed.
2. Block the transfer of pharmaceutical data
The easiest way sensitive pharmaceutical data is leaked is over the internet. Employees accidentally send data to the wrong recipients or use unsecure third-party services such as cloud storage or file sharing websites to transfer data. DLP solutions do not only block the attachment and uploading of files containing sensitive pharmaceutical data but can also prevent employees from copy-pasting or manually inserting sensitive data into emails.
DLP tools also log any attempt to violate a policy, thus allowing pharmaceutical companies to identify the common ways in which data security is threatened and later incorporate them into training exercises to educate employees on best data security practices.
3. Prevent unauthorized storage of pharmaceutical data
As employees perform their duties, they often store sensitive pharmaceutical data locally on their hard drives, in direct violation of data protection regulations such as GDPR and HIPAA. When it comes to GDPR in particular, having data stored in unknown locations can be problematic. GDPR only allows data to be stored for as long as needed for the initial purpose for which it was collected and also grants EU data subjects the possibility to request their data to be deleted from a company’s records. Unknowingly storing copies of this data amounts to non-compliance due to a lack of due diligence.
To prevent this, DLP solutions allow companies to search all computers on their corporate network for sensitive pharmaceutical data and, when found in unauthorized locations, remediation actions can be taken, such as deleting or encrypting these files.
4. Control the transfer of pharmaceutical data on removable devices
Another way pharmaceutical data can be easily lost or stolen is through removable devices such as USBs or external hard drives. Physical access to a device is needed for such incidents to occur, but employees frequently use USBs in particular to copy files they might work on remotely or when traveling for meetings or events outside the company.
To ensure that sensitive pharmaceutical data is not transferred outside of work computers, DLP solutions can be used to block the use of peripheral and USB ports, but also the connection of devices via Bluetooth. Alternatively, pharmaceutical organizations can also limit their use to trusted devices such as those issued by the company.
Frequently Asked Questions
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.