Strategic Cybersecurity Frameworks for the Evolving Pharma Industry

M Prabhakar Rao, Associate Vice President – IT, NATCO Pharma

M Prabhakar Rao, Associate Vice President – IT at NATCO Pharma, in an interaction with CIOTechOutlook, described how the pharma industry can strike a balance between global collaboration, innovation, and cybersecurity. He emphasized the protection of intellectual property and patient data. He also highlighted risk management policies related to AI, quantum computing, and the secure management of clinical trial data, and stressed continuous organizational awareness and preparedness for the protection of sensitive data.

How should companies prioritize cyber security while encouraging innovation and collaboration across global networks?

The pharmaceutical industry revolves around intellectual property and patient safety. Patient safety is crucial and it should be prioritized. Frameworks must be in place to protect intellectual property and to ensure that businesses can function without interruptions within the larger framework of the sector. The pharmaceutical sector is automated and most processes are dependent on technology, systems, and multiple applications. It is important to keep uptime, safety, and security intact. When the triad of confidentiality, integrity, and availability is upheld, the pharmaceutical industry can protect its intellectual property.

What cyber security measures should be implemented to protect sensitive patient data and proprietary research?

Nowadays, many processes are AI-driven, and even emerging threats are driven by AI. It is crucial to consider whether the data being used is generated inside the organization or obtained from the public domain. It is also important to ensure that the models and frameworks used are sufficiently validated, or that there is sufficient knowledge to validate the outputs of the AI tools.

Not all information generated by AI should be considered flawless or infallible. It is necessary to be aware of AI hallucinations and aware that AI can produce fabricated data. Thus, the outputs from an AI model need to be assessed with caution. The first step is to define the context: Where is the data coming from? Where is the data going? How will the data be used? And where will it be applied? It is essential to identify what model is generating the data and what population or data sets were used to train the model, to determine whether the data can be accurate and useful for making informed decisions. Finally, it is crucial to ensure that the frameworks are well-defined.

Confidential data should not be in the public domain. In the rush to get AI-generated data, it is critical to protect confidential data from being compromised or revealed. Internal data should not be fed into LLMs. Clear boundaries and perimeters must be established and maintained for the protection of such data. Additionally, it is important to acknowledge the risks of AI, such as incorrect data, hallucinations, or other invalidated outputs. Being aware of these risks is crucial. Moreover, AI models should have sufficient natural intelligence to evaluate and validate AI-generated results.

In the context of clinical trials, what additional cyber security risks emerge from the increased use of electronic health records and remote patient monitoring technologies?

When dealing with patient-specific data in clinical trials, it is crucial to treat that data with extra caution. Patient-related data, particularly at the individual level, is subject to privacy laws and these can differ from region to region. It is important to ensure that the type of data is being used with the permission or consent of the subjects. Another consideration is the creation and protection of the data - if the data is at rest, in motion, or in the process of being generated.

All the required frameworks must be established to enable data protection during its retention period. When this data is used or aggregated, proper permissions must be obtained wherever applicable. All necessary technical interventions must be enforced to ensure data is always protected; for instance, proper storage media or ensuring data is always in an encrypted state to minimize risks of unauthorized access or data breaches.

How should the pharma industry start preparing for post-quantum cryptography while maintaining regulatory compliance?

The main principle is to maintain the confidentiality, integrity, and availability of the data at all times. This applies regardless of the models in use or the type of technology being implemented. Quantum computing adds a new dimension, in that such kinds of models could also be challenged. Additionally, data security and the risk of data theft must be addressed by establishing equivalent security postures to ensure that such data is not leaked.

There are several ways to ensure that data stays protected all the time. Some of the frameworks include using zero trust methods and encryption. This includes separating networks, such as private data networks, and creating demilitarized zones for data that is extremely sensitive or presents a potential risk to the organization. These types of frameworks must be in place to ensure that these vulnerabilities are properly addressed.

Would you like to give any message to our readers?

The pharmaceutical industry is viewed through three principal dimensions. The first dimension is the business requirement in terms of protection. It includes regulatory compliance and understanding how the business is impacted by various compliances, including those from the FDA or the EU. The second dimension is regulatory compliance, including compliance in terms of GDPR and DPDP. The third dimension relates to technical initiatives. That will include segmenting IT and OT networks, implementing zero trust networks, building a Security Operations Center (SOC), and finding the best and most applicable security solutions, customized at industry level to improve overall security posture.

Even with all of the safeguards and systems in place, one person's single mistake can lead to significant consequences. Hence, awareness of cybersecurity and information security must be brought to the attention of all people across an organization. Individuals must be aware of new threats to protect organizations from cyberattacks. As technology evolves, individuals should recognize the potential of data leakages and know about new developments to address emerging challenges.

