跳到主要內容

很遺憾,我們無法支援你的瀏覽器。如果可以,請升級到新版本,或使用 Mozilla Firefox、Microsoft Edge、Google Chrome 或 Safari 14 或更新版本。如果無法升級,而且需要支援,請將你的回饋寄給我們。

我們衷心感謝你對這個新體驗的回饋。告訴我們你的想法 打開新的分頁/視窗

Elsevier
與我們共同出版
Connect

Keeping data safe — now and in the future

2023年8月1日

Sonam Solaria

Image representing infosec in medicine © istock.com/Viorika

An ISO 27001 certification shows a company takes its information security seriously and understands that customer information must be safeguarded across all interlinked aspects. Unfortunately, not all suppliers to a pharma or medical device company have the capacity to undergo full ISO 27001 certification.

Do you know where your data is?

Whether it’s related to IP, R&D or work continuity, secure data has become the foundation for the success of any pharmaceutical or medical device company. One breach 打開新的分頁/視窗, leak 打開新的分頁/視窗, hack 打開新的分頁/視窗 or cyberattack 打開新的分頁/視窗 could mean the end to a promising lifesaving product. It could also mean the end of your business.

Threats lurk in unexpected places as well. For instance, do you really know who has access to your Google Scholar search history? 

“Pharma and medical device companies are famously risk-averse and painfully aware of the importance of information security,” says David Lai 打開新的分頁/視窗, Head of Quality, Compliance and Business Excellence for Elsevier Pharma and Life Sciences Solutions. “They know the horror stories and know it’s only likely to get worse. So, it’s really something they check when buying a solution.”

As one of Elsevier’s in-house experts for quality and compliance management, he has a deep knowledge of information security and the certification process. 

Photo of David Lai

David Lai

“The ISO 27001 打開新的分頁/視窗 certification has become the gold standard because it’s a worldwide standardization and recognized by regulatory bodies,” he explains. “Of course, it doesn’t mean you cannot have an incident. But it means your organization is at least prepared to deal with one by having the right people, processes, training and governance in place. And because of its annual audits by independent bodies, it ensures companies are equipped to take on the latest risks as they arise. You can see it as a shortcut to minimizing risk.”

Quality data is safe data

“You have to make sure you are keeping a customer’s knowledge and data safe,” David says. “And of course, in the process, you are also keeping your company viable and safe.”

For David, this gatekeeper element is a passion. “Technology is only getting more complex and difficult to navigate as time passes,” he says. When I came to Elsevier, I saw I could contribute by putting things in order: helping put the information in a place so the right people can find the right information when they need it. Customers also expect it to be quality information — and security is a key component of this.”

Meanwhile, this idea of information security — keeping data from getting into the wrong hands — is interlinked with data privacy as formulated by the EU’s GDPR. “It runs along with how individuals are able to control, access and regulate their own data,” he explains. “In other words, we’re not just talking about pharma data but also your data, not only as a patient but also as a citizen.” 

Building the trust across the pipeline 

Meanwhile for pharmaceutical and medical device companies, IS remains largely about protecting IP. “Intellectual property is of course a main thing in Pharma — patents and all the rest,” says David. “But we also have to think about the whole drug discovery supply chain: whether it’s the R&D supply chain, the post-surveillance supply chain, etcetera. These also have to be as secure as possible.”

According to David, there are three things you should do when selecting a new tool for your company. “First you must assess your current use case and identify the information you will share with the tool you are considering. You should also find out if the vendor provides a level of information security that meets your expectations — ideally whether they are certified as ISO27001. And if certification isn’t needed, make sure to do due diligence around information security — and for data privacy if applicable.”

It’s generally beneficial to increase focus on information security around your vendors, David says: “In this way you minimize your own risks by minimizing the possibility of your vendor becoming disrupted. It also ensures your information is handled with utmost care.”

Enabling a more secure future

The next obvious step to expanding digital safety would be to make the ISO certifications mandatory, David says: “But this is a two-edged sword: for those smaller companies — where 'Mike' had a great idea and he’s now trying to take it to the next level — getting such certification would be impossible. It requires too much time and resources.”

Down the line, David sees a future where these little fish — agile and innovative — can start operating through established frameworks:

We need to have quality-by-design, security-by-design, privacy-by-design, compliance-by-design as part of the process in our offerings so they can demonstrate and display the evidence related to their level of compliance. I think that would be the way forward.

But with certification really being the only way to improve safety, certification should become mandatory once a company reaches a certain maturity. Data is the new reality. And as I said, it’s not just about business safety — it’s about safety for everyone.

Ultimately, David regards information security as the ultimate enabler. “More secure information means better pipelines by which you can get the information you need faster and more reliably. And with the confidence of knowing your data is safe, you can focus on the real work: working on your solution in improving health and healthcare.” 

貢獻者

Sonam Solaria

SS

Sonam Solaria

Marketing Manager, Customer Engagement

Elsevier