Is there anyone in the community who is in Pharma who has dealt with IT security requirements around Pharma ads? I know that these are generally submitted to the FDA for approval before release, and I've seen a wide range of responses for what is done from an IT Security perspective to protect this data before public release - everything from a closed data system to storage on cloud servers with (selected) external access. Trying to understand the reason for the range of solutions and why.
Hi Greppy,
Could you please provide a bit more info on what exactly you want to know? Protecting pharmaceutical advertising information before making it public - is that it?
If so - yes, the FDA also needs to "approve" the content but that is not security related. I am not familiar with specific pharma ad security related controls that are required. In my opinion this data is trade secret or internal confidential data and the security for these classifications should kick in. I am not sure if there is a government or any other regulatory InfoSec requirement towards pharma advertising data but that may differ based on the country.
I found the original question to be a bit confusing too when it was asked of me. There is an element of this that is hygiene. Of course we would encrypt at rest, follow least privilege, etc. Anything that we would do for any file share on our networks. But on quizzing some of my counterparts in the industry, I found a very wide swath of practical steps taken. FIPS Secured drives. DOD level encryption. Onsite file stores, inaccessible externally. One person told me that they were looking at quantum resistant encryption schemes. And others just used basic encryption / hygiene. The variance confused me because when I asked, the answer was simply that the FDA had to review the ads before release so they wanted to take proactive steps. Admirable. But why the variance? I read through the FDA regulation on it, and predictably, it is descriptive, but not proscriptive (as any government regulation is). So why is basic hygiene good enough for some pharma companies, and others act like they're holding the nuclear codes?
The most relevant information I've uncovered is this: some pharma companies are under much higher scrutiny (duh) than others because of the drugs they produce. In some scenarios FDA approval is actually voluntary, and predictably, these companies just use basic security hygiene. Those that are required typically use a higher degree of security.
I still don't understand the people who go full on "tin foil hat", and I'd still like to understand why. To your point, Deyan, I think that trade secrets have something to do with it. But these are pharma ads. By the time a pharma company is going to market, the basics (at least of what is going to be in an ad) should more or less be known.
You also have a point... 🙂