Information Systems Security (ISS)
in Life Sciences
Today, companies must open their information systems to the outside world in order to grow. At the same time, they want to integrate the most innovative technological developments. This trend exposes them to additional and sometimes unprecedented threats to information systems security. However, quickly identifying new areas of vulnerability and implementing effective cybersecurity measures is a complex operation that few economic actors are prepared for. Nevertheless, effective security strategies can be put in place; let's see how.
The challenges of ISS in the healthcare sector
A lack of security always causes damage, even if the severity varies. The company may lose competitiveness. The confidential data it was responsible for may be disclosed. At worst, a takeover by malicious agents can threaten its very existence when operational processes are blocked and its data destroyed or stolen.
Actors in the life sciences sector are particularly exposed. On one hand, there is a trend toward obsolescence of their protection systems. Protective measures are slow to be implemented. On the other hand, health data has immense financial value, especially in research. The strong media coverage of cyberattacks causes lasting reputational damage to the company.
Protecting health data (Patient Data, Clinical Data)
What is health data?
It is information that links a person to their state of health. This regulatory definition covers data about natural persons, but also clinical trial or medical test results, and any data related to a disease or disability.
Health data is protected. Protection regulations apply to all known stakeholders such as hospitals, pharmacies, research centers, medical practices, etc. They also apply to operators who exploit, manage, or host their data. For instance, a company offering IT infrastructures, like a cloud hosting provider, is subject to these regulations.
Some applicable measures for health data protection are:
- Provisions on health data hosting (Articles L.1111-8 and R.1111-8-8 et seq. of the Public Health Code);
- Provisions on health data availability (Articles L.1460-1 et seq. of the Public Health Code).
Confidentiality of health data
If health data is subject to very strict protective measures, it is because its confidentiality is a major issue. Access requires explicit prior consent from the patient. All operators, public institutions, and companies must implement strict measures to restrict reading or disclosure of the data. At the company level, a demanding access control policy is mandatory. It limits the risk of malicious intrusion as well as of simple human error.
By the principle of least privilege, only authorized persons have access. User profiles and associated rights are defined according to individuals’ domains of responsibility. For example, Finance department staff do not have the same access as their Medical colleagues. Training and awareness are indispensable complements to securing IT access.
The company must also eliminate outdated practices from a time when security threats were lower: no shared accounts, no open-ended temporary authorizations, no active rights for people who have left the company or changed roles, no generic passwords. Authentication and validation of access requests follow a secure procedure. A periodic review of user accounts verifies that access permissions are kept in line with organizational changes.
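The periodic account review described above can be partly automated. The following is an added example, not code from the original page or from Efor; it assumes a constructed role-to-permission policy (ROLE_PERMISSIONS), a constructed list of employees from an HR export, and a constructed list of accounts exported from the access management system. It flags the four outdated practices named in the text: shared or generic accounts, accounts of people who have left, expired temporary authorizations, and rights that exceed the owner's current role.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Role-to-permission policy (constructed for this example, not a real policy).
# A person may only hold the permissions of their current role.
ROLE_PERMISSIONS = {
    "finance": {"erp_read", "erp_write"},
    "medical": {"patient_records_read", "clinical_data_read"},
    "it_admin": {"erp_read", "server_admin"},
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    active: bool  # False once the person has left the company


@dataclass(frozen=True)
class Account:
    login: str
    owner: Optional[str]            # None marks a shared/generic account
    permissions: frozenset
    expires: Optional[date] = None  # set only for temporary authorizations


def review_accounts(accounts: List[Account], employees: List[Employee],
                    today: date) -> List[Tuple[str, str]]:
    """Return (login, finding) pairs for every account that violates the policy."""
    staff = {e.user_id: e for e in employees}
    findings = []
    for acct in accounts:
        if acct.owner is None:
            findings.append((acct.login, "shared or generic account: assign an individual owner or disable"))
            continue
        emp = staff.get(acct.owner)
        if emp is None or not emp.active:
            findings.append((acct.login, "owner has left the company: disable the account"))
            continue
        if acct.expires is not None and acct.expires < today:
            findings.append((acct.login, f"temporary authorization expired on {acct.expires.isoformat()}: revoke"))
        # Rights the owner kept from a previous role, or that were never justified.
        excess = acct.permissions - ROLE_PERMISSIONS.get(emp.role, set())
        if excess:
            findings.append((acct.login, f"permissions beyond role '{emp.role}': {sorted(excess)}"))
    return findings


# Constructed sample data standing in for an HR export and an access export.
EMPLOYEES = [
    Employee("alice", "finance", True),
    Employee("bob", "medical", True),      # moved from Finance to Medical
    Employee("carol", "it_admin", False),  # has left the company
]
ACCOUNTS = [
    Account("alice", "alice", frozenset({"erp_read", "erp_write"})),
    Account("bob", "bob", frozenset({"patient_records_read", "clinical_data_read", "erp_write"})),
    Account("carol", "carol", frozenset({"server_admin"})),
    Account("labshared", None, frozenset({"clinical_data_read"})),
    Account("alice-audit", "alice", frozenset({"erp_read"}), expires=date(2024, 1, 31)),
]
REVIEW_DATE = date(2024, 3, 1)


def run_review() -> List[Tuple[str, str]]:
    """Run the review on the constructed data set."""
    return review_accounts(ACCOUNTS, EMPLOYEES, REVIEW_DATE)


if __name__ == "__main__":
    for login, finding in run_review():
        print(f"{login}: {finding}")
```

In a real review the two exports would be pulled from the HR system and the directory or IAM platform, and each finding would be tracked to closure (disable, revoke, or re-approve) so that the review itself leaves an auditable record.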
Applicable regulatory texts for health data confidentiality include:
- Law of January 6, 1978, on computing, files and freedoms;
- Law of June 20, 2018, on personal data protection;
- Regulatory part of the Public Health Code (CSP Art. R4127-1);
- HIPAA (Health Insurance Portability and Accountability Act) of 1996.
Availability of health data
Protected from illegal access, health data must be available at all times to authorized personnel, for example in pharmaceutical production or clinical trials. Loss of access to data by authorized users risks interrupting operations or threatening patient safety.
Maintaining data availability requires a series of measures applied to IT systems. Systems must undergo preventive and corrective maintenance to limit hardware and software failure risks. IT facilities and corporate networks are secured against external threats.
The company must implement business continuity measures in case of temporary faults and install, maintain, and test backup and recovery systems. All these actions ensuring data availability apply equally to subcontractors hosting the data, especially if located outside national territory.
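Installing a backup system is only half of the availability measure described above; the recovery procedure also has to be tested regularly. The following added example (not code from the original page or from Efor) runs a small restore drill on constructed sample files: it takes a backup with a manifest of SHA-256 hashes, restores it into a separate directory, and then checks that every file came back intact and that the backup is not older than an assumed recovery point objective (RPO, set here to 24 hours as an assumption). The drill also covers the two failure modes such a test exists to catch: a corrupted restore and a stale backup.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List

RPO = timedelta(hours=24)  # assumed recovery point objective (constructed value)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path, taken_at: datetime) -> Dict:
    """Copy every file under source into backup_dir and record its hash in a manifest."""
    manifest = {"taken_at": taken_at.isoformat(), "files": {}}
    for path in sorted(source.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            dest = backup_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
            manifest["files"][rel] = sha256_file(dest)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_backup(backup_dir: Path, target: Path) -> Dict:
    """Restore every file listed in the manifest into target."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    for rel in manifest["files"]:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dest)
    return manifest


def verify_restore(target: Path, manifest: Dict, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the restore test passed."""
    problems = []
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    if now - taken_at > RPO:
        problems.append(f"backup age {now - taken_at} exceeds RPO {RPO}")
    for rel, expected in manifest["files"].items():
        path = target / rel
        if not path.is_file():
            problems.append(f"{rel}: missing after restore")
        elif sha256_file(path) != expected:
            problems.append(f"{rel}: hash mismatch after restore")
    return problems


def run_restore_test(corrupt: bool = False, stale: bool = False) -> List[str]:
    """End-to-end drill on constructed sample data; the flags inject the two failure modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restore = root / "src", root / "bak", root / "rst"
        source.mkdir()
        # Constructed sample data standing in for production and clinical records.
        (source / "batch_records.csv").write_text("batch,result\nB001,pass\n")
        (source / "trial").mkdir()
        (source / "trial" / "subject_42.json").write_text('{"arm": "A"}')
        now = datetime(2024, 3, 1, 8, 0)
        taken_at = now - (timedelta(days=3) if stale else timedelta(hours=6))
        manifest = make_backup(source, backup, taken_at)
        restore.mkdir()
        restore_backup(backup, restore)
        if corrupt:  # simulate a damaged restore of one file
            (restore / "batch_records.csv").write_text("batch,result\nB001,FAIL\n")
        return verify_restore(restore, manifest, now)


if __name__ == "__main__":
    for label, kwargs in [("clean", {}), ("corrupt", {"corrupt": True}), ("stale", {"stale": True})]:
        print(label, run_restore_test(**kwargs) or "OK")
```

The same manifest-based check works against a hosting provider's backups, which matters for the subcontractor case mentioned above: the restore is verified by the data owner against hashes recorded at backup time, not taken on trust from the host.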
Protection against cyberthreats
The diversity, frequency, and intensity of threats created by hackers are increasing. Media regularly report large-scale attacks. Companies must now include cyberattack risks in their prevention plans.
A virus attack infects the IT system with malicious software that spreads and damages the application data it touches as well as related data. A malware attack fraudulently introduces malicious software that gives hackers access to all data. A ransomware attack renders IT systems unusable, reversibly, and demands a ransom payment for restoring them.
Account hijacking involves taking control of IT access to steal confidential data.
Hackers exploit security flaws, that is, vulnerabilities in the software infrastructure, to breach information systems. Other examples include phishing emails (fraudulent messages that impersonate trustworthy parties to trick recipients into giving up confidential information) and DDoS attacks (overwhelming services, servers or networks with traffic in order to paralyze them).
Fraudulent acts in healthcare resemble those in other sectors. However, their potentially severe impact on patient safety, product quality, and data integrity demands stringent protective measures. Companies must demonstrate a strong capacity to anticipate both technical and organizational responses. The cost of an attack often exceeds the cost of prevention.
The impact of ISS on the validation and market authorization of new healthcare products
Healthcare actors must be vigilant when implementing new systems or infrastructure elements. They must carefully analyze risks associated with adding new components and increase security requirements if needed.
Qualification teams increasingly focus on identifying security flaws and managing incidents. The shift toward a more formal infrastructure qualification process illustrates this awareness.
Although regulatory requirements have not yet fully integrated IT security issues, some organizations have already updated their recommendations:
- ISPE, through the 2nd edition of GAMP 5, recommends integrating cyberattack risk management throughout qualification;
- ISPE’s 2nd edition of the IT Infrastructure Guide;
- International Organization for Standardization (ISO), with standards for security management systems;
- National Institute of Standards and Technology (NIST), which offers a cybersecurity framework;
- PIC/S integrates ISO security standards in its Good Practices Guide for computerized systems.
Efor Group solutions for your Information Systems Security (ISS)
Efor’s teams of consultants and experts independently perform IT risk analysis and management, security policy definition and implementation, and infrastructure qualification, and write your Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Their effectiveness is based on life sciences experience, continual training, and methodologies incorporating risk and criticality analyses.
Depending on your regulated company’s context and needs, we provide:
- Security policy consulting and review;
- Project management support for security initiatives;
- Writing IT procedures, operating methods, and backup plans;
- Staff training on IT risks;
- Infrastructure qualification.
Why choose Efor for your security and infrastructure qualification projects?
Efor consultants bring recognized expertise in computerized system validation and infrastructure qualification, combining regulatory knowledge with deep understanding of business challenges.
Choosing Efor means clients benefit from customized support, adapted to constraints and objectives, for reliable, compliant, and high-performing systems.