In early fall 2020, hundreds of Finnish psychiatric patients faced a profound fear: Someone had hacked into their therapy records and were trying to extort a ransom for that data.
Lily Hay Newman at WIRED covered the story in October. “The hacker or hackers running the extortion campaign have been demanding 200 euros’ worth of bitcoin, about $230, from victims within 24 hours of the initial ask, or 500 euros ($590) after that, or else they’ll make their information public,” Newman reported.
The care provider, too, had received a ransom demand “for around $530,000 worth of bitcoin to keep the stolen data out of the public domain,” Newman wrote.
These are the stakes in cybersecurity today, particularly in medical fields, where organizations face attempted hacks and breaches every single day.
The data these extortionists are trying to acquire is essential to how medical affairs teams operate today. The network of patients, care providers, KOLs, patient advocates and researchers that medical affairs brings together must create safe channels for data to flow; otherwise, insights get siloed and innovations in care stall.
It takes a robust, systemic approach to data security to create those networks of insight sharing.
Here is what medical affairs teams need to know about their roles in adhering to and maintaining that data security.
Data’s Role in Medical Affairs
At the most fundamental level, data helps everyone in healthcare and medicine make better decisions. The more data that is collected and analyzed, the more insights can be generated. Medical affairs serves as conduit for those insights, and this creates numerous pathways for information to get to the decision makers who rely on it.
The work of collecting and analyzing data gets more complex all the time. Viraj Rajadhyaksha at AstraZeneca Medical is the corresponding author of a paper that explores the relationship between digitalization and medical affairs. This includes the applications of technologies like artificial intelligence, and the use of cloud-based platforms for sharing data.
“[M]edical affairs will be responsible for taking ownership of evidence planning and generation in the digital age,” Rajadhyaksha et al. write.
Let’s zoom in a little. Consider the information pathways between a single medical science liaison and the key opinion leaders with whom that person has a relationship. Erik Brown, Robert Eubanks, Jason Smith and Mike Abbadessa at West Monroe note that a single MSL could manage between 20 and 40 KOL relationships per drug.
“MSLs must be able to easily see which fields are represented within their portfolio, areas of expertise, and level of activity around certain topics,” they write. “If a specific area of research is trending within a drug’s purview, an MSL could determine if there is someone within their group who can speak to the issue, or use the social analytics tool to seek out new experts who may be needed.”
Now, add to that network all of the prescription data an MSL needs access to, all of the conferences they attend, all of the clinical trials they track, Brown et al. point out. “There is an ever-expanding world of information that needs to be filtered, reviewed, analyzed, and processed for relevance and strategic importance.”
And MSL relationships aren’t the only complex networks at play here. Consider patient journeys. Each of those is a unique model of touchpoints, decisions and instances of data generation. Again, medical affairs teams plug into those models at important points.
For example, “[many] different types of providers have touchpoints with patients and need to be educated about the disease that they’re treating,” Pamela Morris at BioMarin Pharmaceutical says.
All of this is to demonstrate how medical affairs sits at the nexus of several networks, all of which rely on the flows of data and insights to drive decisions, innovations and better patient outcomes.
And the work of safeguarding those streams of data is growing in complexity, too.
How Organizations Safeguard That Data
Data security is a group effort. It requires organizations to design top-to-bottom processes and systems for the safe handling of every bit of data.
“Without the proper organisational structure that owns and drives these changes, security will be a piecemeal effort at best,” writes Dan Lyon, a senior principal consultant and embedded security practice lead at Synopsys.
“Any piecemeal effort is doomed to fail because security is a systems problem. The organisation needs to set itself up to address systems problems through the development organisation and processes used to create products.”
Regulations play a major role in healthcare data, of course, and those must be factored into organization infosecurity designs. Those designs must also leave room for emerging types of data, such as real-world data. As it becomes easier to collect and analyze, real-world data will require even more complex management procedures.
Already, that runs headlong into different regulations at the national level.
Roche, for example, has a document that outlines its use of real-world data, and the company takes care to explain how it aligns those practices both with countries that have “a public entity with the task of establishing a nationwide, structured, de-identified (real-world data) database” such as the U.K. and with countries like the U.S., where individual hospital systems can directly share real-world data with research organizations.
Another emerging challenge is the proliferation of healthcare startups, who by their nature must process sensitive data. Individually, these companies might have sound data security practices. As part of a larger whole, however, they create new moving parts.
“Sometimes you wonder if everybody is paying enough attention to evaluating all the different partnerships they have,” says Iyiola Obayomi, senior director of marketing analytics at Ogilvy Health. “At times, some organizations might pass on the responsibility [for ensuring data security and privacy] to third-party partners.”
Obayomi’s point underscores how important it is for organizations to think about data security from a holistic perspective. From there, it’s up to individual members of that organization to be reliable stewards of the data they have access to.
How Individuals in the Medical Sector Can Reinforce Security
There are certainly information security challenges at the individual level that all sectors of the economy grapple with.
For example, most MSLs had to move their work to the virtual realm in 2020 because of the COVID-19 pandemic. That presents all kinds of security vulnerabilities. What kinds of devices are medical affairs professionals using? What kinds of networks are they connected to?
“An abrupt shift from on-premises operations to the cloud is a significant challenge for many, requiring the deployment of reliable, fast and secure virtual desktop infrastructure,” writes Josh Gluck, VP of global healthcare technology strategy at Pure Storage. “It is crucial for healthcare organizations and businesses to take a unified approach to data security and ensure the protection of valuable information at a time when access is vital.”
That’s why organizations are training their teams up on data-security best practices.
The team at Eyecare Leaders outlines some of what that training involves. “The data security training should focus on employee education, including what does and doesn’t constitute a HIPAA violation, ways to avoid phishing, social engineering, and other attacks that target employees and advice on using secure passwords on all word-related applications,” they write.
“If possible, training should also cover the dangers of hacking, posting patient information on social networks, and other causes of breaches.”
Further, individual team members need to understand the vulnerabilities inherent in the tools they use. This includes their own phones and the WiFi connections they work from.
“Similarly to how more devices makes you more vulnerable, more wireless connections does the same,” writes Jason Keller at SelectHub, specifically in the context of WiFi networks at clinics, though the advice applies to medical affairs team members just as much.
“But their security is often overlooked since they don’t store patient records. It’s a good idea to create automated procedures that update devices and users. This helps make sure ex-employees don’t continue to have access and that new technology isn’t left unprotected.”
This means that every device a medical affairs team member uses, every network they connect to, and every person they interact with has the potential to create data vulnerabilities. That’s why data security must be addressed systematically.
Medical affairs teams therefore must understand their roles in protecting the data they shepherd, and how their organizations design systems for data protection across all relevant networks. It’s crucial to understand this now, because data analysis and stakeholder networks will only grow more complex, as will the data that those stakeholders rely on.