Market access update
Information is pharma’s new competitive advantage – make sure you protect it
Written by Kurt Haynes
In this update, Kurt Haynes, security consultant, explains why information security matters in market access and shares four simple steps to help you improve security.
Information security is a priority for pharmaceutical companies as they increasingly adopt digital technology to transform their businesses. If you think the security of your data is someone else’s responsibility, think again – because the stakes are high.
Most people’s eyes glaze over at the very mention of information security. In fact, many confuse it with IT security and assume it’s a matter for somebody else in the organization. The truth is very different. Information security matters to all of us in pharma. It’s essential to maintaining competitive advantage, and without it we risk our hard-earned secrets falling into rival hands. Have I got your attention now? It’s time to tighten up.
In a world where cybersecurity attacks have become all too common, safeguarding your market access data has never been more important. The question is, how do you do it? I’ll come to that shortly. First, let’s look at the context.
It’s widely believed that information is the new currency for global business. As digital innovation fuels more data and greater connectivity, information is now a critical corporate asset and a key driver of growth. This is certainly the case in pharmaceutical market access, where good business intelligence can strengthen payer engagement and accelerate commercial success. World-class information is a priceless commodity and systems that facilitate it are important investments. But maximizing data is only half the battle: protecting it is critical.
From the bottom drawer to the Cloud: the evolution of information security
Back in the day, when business documents were saved onto floppy disks, the most common means of securing confidential information was to lock it in a filing cabinet or hide it in a safe. Nowadays, our most valuable information assets aren’t physical, they’re digital – and they’re typically stored outside company walls in remote data centres, third party systems or, increasingly, the Cloud.
With access often determined via rule-based passwords and clever innovation like face recognition or fingerprint ID, the measures we take to protect our data today are driven by technology rather than padlock.
However, this has created the illusion that Information Security is the job of IT. It isn’t. It’s a responsibility that falls on all of us. The way we do it has changed but the principles are no different to the days when we locked our valuables in the bottom drawer of our desk.
Four simple steps to help keep your market access information safe
In market access, information security is particularly pertinent when selecting a digital application to connect and empower global teams. This is typically the job of the Head of Market Access (or equivalent). As the eventual ‘owner’ of the information they have ultimate responsibility for protecting sensitive data.
Choosing digital applications is about much more than cutting-edge technology and great functionality; it’s about ensuring your data isn’t exposed to unauthorized access that could cost you competitive advantage. Fundamentally, information security is all about mitigating risk because you can never eliminate it altogether. This means conducting a comprehensive risk assessment to ensure the digital application you’re buying locks down information safely and doesn’t have a hole in the fence that lets unwanted visitors in. There’s a lot to consider, but by following some simple steps it becomes easier to find a way through.
Step 1: Identify and classify your information assets
Before opening discussions with any third party, you must first identify and evaluate the asset you’re trying to protect. What information are you thinking about putting with a supplier or their digital application? How valuable is it? And what level of protection do you want around it in your own organization?
In market access, business information systems contain highly sensitive information. They’re often repositories for proprietary information and IP that can seriously influence product success. The most effective systems track markets, regions, and the dynamic payer landscape, and provide frameworks for global value dossiers, HTA submissions, and supplementary documentation. These are high-value assets that drive competitive advantage. They’re the last thing you want in the public domain. So, wherever you choose to put that information, you need to be certain that it’s safe and secure.
Step 2: Know your information security policy
The digital application you select will inevitably be tailored to the specific needs of market access. But choosing one is a business decision that needs to be made holistically. Right from the outset, long before you’ve approached any supplier, it’s important to collaborate with internal stakeholders who understand the protocol. Colleagues from legal and IT can provide essential guidance on your organization’s information security policy. This policy is a standard business requirement. It outlines how specific information is classified and the rules you need to follow to ensure it’s safe. Understanding it is a must. It sets the framework for all subsequent decisions.
Step 3: Establish an access control policy for your market access information
Working out who should be able to access your information, and crucially who shouldn’t, is a key step. This means developing a clear ‘access control policy’ that sets the parameters and specifies access privileges. Most systems include ‘defence in depth’ to ensure people can only access the things they need. Defence in depth introduces multiple security boundaries to authorize access.
Step 4: Evaluate your supplier’s security management system
Finally, you need to make sure that the supplier you’ve chosen to process your market access information follows security standards that match, or exceed, those outlined in your own organization’s Information Security policy. Vendors should be able to demonstrate a working Information Security Management System (ISMS) that follows recognized standards such as CSA STAR and ISO 27001. Here’s a summary of those standards.
For evidence that it’s a working ISMS, ask your supplier for the following:
- information security certification/documentation
- up-to-date policies and protocols, such as retention and GDPR policies
- recent audit reports.
Recency is key. Be wary of policies or protocols that haven’t been reviewed or updated for some time.
It’s important to get this right, so make sure you dig deep and ask your supplier for as much detail as possible on their security protocols. Here’s a full list of questions to ask your supplier.
Your market access information needs security that is built in by design
In an age where information is a valuable currency, information security has emerged as a key enabler of competitive advantage. The most successful organizations don’t dismiss it as ‘the job of IT’, they see it as a collective responsibility and an essential ingredient for business growth.
So, if you want to make the most of your market access data, make sure that the digital application you choose to power it has security built in by design. Because protecting your market access information shouldn’t be an afterthought, it should be your first thought – every time, all the time.
Insight: digital solutions for market access