Issue: June 2016
RIGHTS MANAGEMENT PROTECTION - You Have the Right to Remain Protected
INTRODUCTION
Pharmaceutical companies are like any for-profit business. Although the products they develop, produce, and sell may improve or save lives, they are not necessarily philanthropists. Their ultimate objective is to generate revenue and maximize profit. In so doing, they not only satisfy investors and shareholders, they also help drive the economy by directly and indirectly creating jobs. They also reinvest to support the research needed to identify the next generation of drugs and therapies.
Achieving the objective is becoming increasingly difficult. Clinical trials and other regulatory requirements and constraints extend the research and development (R&D) process to as much as 10 years, with a cost of between $1.5 and $3 billion to bring a product to market. This timeline shrinks the window between product introduction and patent expiry, placing enormous pressure on the commercial side of the business to recover the R&D investment. The commercial side faces additional costs associated with complying with sales- and marketing-based disclosure requirements, along with public pressure to keep drug prices affordable for all.
Pharmaceutical companies have responded by looking for ways to reduce their R&D and commercial costs while at the same time getting new products to market quicker so they open a wider window to patent expiry. As a result, the business model continues to move in the direction of partners and automation. A global partner network opens the door to accelerating schedules and minimizing expenditures by leveraging niche expertise and engaging resources when and where they are most needed. Automation eliminates the manual, paper-based activities that can introduce errors and performance drag. Enhancing the collaborative experience is critical to the successful operation of a partner network that can include contract research organizations, academia, investigators, marketing agencies, and others.
The partner-centric business model offers the time and cost benefits pharmaceutical companies seek so they can make a reasonable profit while selling drugs at a fair price. However, it also introduces significant risks as sensitive information and intellectual property are shared beyond enterprise boundaries. If documents and data fall into the wrong hands, the impacts can be seismic – just ask Pfizer and Eli Lilly, both of whom have suffered the consequences recently.
SECURITY MUST BE A PRIORITY
Implementing and enforcing strong security policies is a challenge even within a pharmaceutical company’s enterprise. IT has a fighting chance though because the problem is bounded, with users, devices, and applications generally well-known. The introduction of a partner network with external organizations, individuals, systems, and devices raises the stakes to new heights, making the deployment of cloud-based identity and access management and business-to-business collaboration solutions an imperative.
A cloud-based identity and access management solution is a foundational security component. The solution provider can work with pharmaceutical companies and their partners to conduct identity-proofing activities for all individuals and to ensure all proofed individuals receive valid credentials. These credentials can be issued by the solution provider or they can be native credentials issued by the organization to which the individual belongs. The solution controls access to applications by authenticating the presented credentials (thereby verifying the individual’s identity) and granting access based on permissions assigned to an individual by application owners. Individuals enjoy a seamless, single sign-on user experience, while application owners maintain access control across the network of partners.
A cloud-based business-to-business collaboration solution extends the reach of a more traditional enterprise collaboration application to support secure collaboration amongst partners. To do so, the solution should be architected for multi-tenancy (to segment information and limit document visibility to those who qualify to participate in a collaborative effort). The solution also should protect data at-rest (through database encryption) and data in-transit between partners (through end-to-end encryption). Finally, the solution should work in tandem with an identity and access management solution. With this pairing, the business-to-business collaboration solution can support multi-tiered security tied to the strength of credentials issued to individuals. At higher tiers, the collaborative functionality becomes even more limited to better protect information exchange. For example, WebEx attendance can be limited to only those individuals who possess a certain strength of credential and have been identified as part of the current collaborative activity.
While identity and access management and business-to-business collaboration solutions go a long way toward providing the security pharmaceutical companies need to adopt an external partner network business model for drug development and delivery, they don’t completely eliminate the possibility that intellectual property will be compromised. Consider the following scenarios, where an authorized individual accesses and downloads a document in a clinical trial master file:
1. The individual prints out the document, but leaves it unattended in a public place. The document can be scanned, copied, or stolen.
2. The individual saves the document locally, and then forwards it via email to a group of colleagues. Unfortunately, some of these colleagues are not part of this particular phase of the trial and thus should not have access to the information.
3. The individual copies the document to a USB to review at a conference. The individual misplaces the USB or leaves it unattended, and whoever finds it now has access to the document.
In each case, the identity and access management and business-to-business collaboration solutions did their jobs from a security perspective. The problem arose when the legitimate individual downloaded the document and took a subsequent action that produced a data leakage. These scenarios underscore the need to extend security to the document level, where a finer-grained layer of protection can be applied.
WELCOME TO THE WORLD OF RIGHTS MANAGEMENT PROTECTION
Early attempts to secure the integrity of documents revolved around the use of PDFs. These view-only versions may have prevented a document from being modified, but not from being printed, copied, or shared. As a result, PDFs added little in terms of security, and made collaboration a cumbersome, unsatisfying experience.
Rights management protection addresses the security and convenience shortcomings of PDFs. The key concept behind rights management protection is the assignment of policies at the document level. Policies can include the ability to view, edit, print, or share the document. These policies can be applied to the document universally so all individuals wishing to access the document are treated consistently. Policies also can vary and be tied to an individual’s role or permissions.
For example, policies can differ for individuals who work for one partner versus another, based on the responsibilities of each partner organization in a clinical trial. Policies can be based on the time of day, day of the week, duration, physical location, IP address range, or other criteria. These policies follow the document no matter where it travels, and the document owner or administrator maintains full control, with the power to change policies at any time with immediate enforcement.
Rights management protection offers flexible and powerful security, picking up where identity and access management and business-to-business collaboration solutions leave off. With rights management protection, individuals can work in a document’s native application mode, such as Microsoft Word or PowerPoint, which enhances the user experience and streamlines collaboration with partners. In addition, when a new version of a document is created, access to the prior version can be turned off, promoting version control, mitigating confusion and risk, and supporting auditing and compliance initiatives.
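The document-level policy model described above can be sketched as a deny-by-default decision function. This is an added example, not code from the article or from any rights management product; the class names, role names, and sample values are hypothetical, and a real deployment enforces the decision inside the rights-aware application rather than in a standalone script.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

RIGHTS = {"view", "edit", "print", "share"}   # rights named in the article

@dataclass
class Rule:
    """Conditions under which one role may exercise a set of rights."""
    rights: set
    days: set = field(default_factory=lambda: set(range(7)))  # Monday == 0
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    networks: tuple = ("0.0.0.0/0",)

@dataclass
class DocumentPolicy:
    """Policy attached to one document; evaluated on every access attempt."""
    current_version: int
    rules: dict = field(default_factory=dict)   # role -> Rule

    def allowed(self, role, right, version, when, source_ip):
        # Deny by default: unknown right, unknown role, superseded version.
        if right not in RIGHTS or version != self.current_version:
            return False
        rule = self.rules.get(role)
        if rule is None or right not in rule.rights:
            return False
        if when.weekday() not in rule.days:
            return False
        if not (rule.start <= when.time() <= rule.end):
            return False
        addr = ip_address(source_ip)
        return any(addr in ip_network(net) for net in rule.networks)

def sample_policy():
    """Constructed policy for a trial master file document (values invented)."""
    return DocumentPolicy(current_version=2, rules={
        "sponsor_clinical_lead": Rule(rights=set(RIGHTS)),
        "cro_monitor": Rule(rights={"view", "print"}, days={0, 1, 2, 3, 4},
                            start=time(8, 0), end=time(18, 0),
                            networks=("198.51.100.0/24",)),  # documentation range
    })

if __name__ == "__main__":
    policy = sample_policy()
    wed_10am = datetime(2016, 6, 15, 10, 0)
    print(policy.allowed("cro_monitor", "view", 2, wed_10am, "198.51.100.7"))
    print(policy.allowed("cro_monitor", "share", 2, wed_10am, "198.51.100.7"))
    policy.rules.pop("cro_monitor")   # owner revokes; the next check is denied
    print(policy.allowed("cro_monitor", "view", 2, wed_10am, "198.51.100.7"))
```

Because the policy is consulted on every access rather than copied into the file, removing a rule or raising `current_version` takes effect on the next attempt, which is the "immediate enforcement" and prior-version shutoff the text describes.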
PICKING THE RIGHT TYPE OF RIGHTS MANAGEMENT PROTECTION SOLUTION
While the concept of rights management protection is straightforward, how such a capability is implemented makes a huge difference for pharmaceutical companies. There are at least three deployment alternatives.
Enterprise-centric rights management protection applications are just that: limited to the boundaries of the enterprise. They can be paired with enterprise collaboration solutions and basic identity and access management solutions to provide outstanding security within the confines of the enterprise. That said, there is no certainty the protections assigned within the enterprise IT domain will be applied and supported when a document makes its way to an individual’s device outside of that domain. The partner network business model of today’s pharmaceutical industry requires an inter-enterprise purview, not one that is intra-enterprise.
Stand-alone rights management protection applications can be deployed in multi-enterprise environments to deliver the requisite security for documents to be shared between pharmaceutical companies and their partners. This architecture leads to significant overhead, as document owners and administrators must access a separate system each time a policy is to be changed for an existing document or created for a new document. Depending on precisely how the stand-alone application fits within the overarching infrastructure, individuals may need additional identities and credentials to access the application. The consequences are loss of productivity and the introduction of risk with more security information for individuals to manage.
The ideal approach is an embedded rights management protection application, where the application is integrated with the business-to-business collaboration solution. An embedded rights management protection application means its document-level policies can be directly correlated with the roles and permissions and at-rest/in-transit encryption provided by the cloud-based identity and access management and business-to-business collaboration solutions. Roles, permissions, and policies that are already set get extended, with no additional effort required. As an individual’s roles and permissions change over time, so do the policies assigned to that individual for document access.
As a consequence, the right policies get applied at the right time across the partner network – automatically. Rights management protection becomes truly dynamic, as opposed to a series of static snapshots that change over time. By integrating with the collaborative process where collaborative spaces and workgroups are defined, rights management protection becomes part of the workflow between pharmaceutical companies and their partners. The result is a consistent, easy-to-understand, more streamlined architecture. It is also more secure, because no additional identities or credentials need be issued. The approach also supports forthcoming industry direction toward multi-factor authentication and step-up access as an individual’s role or the level of information sensitivity changes.
EMBEDDED RIGHTS MANAGEMENT PROTECTION USE CASES
Rights management protection can play a vital role throughout the drug development and delivery process. Pharmaceutical companies can and are taking advantage of its benefits on the clinical R&D and commercial sides of the business.
One of the biggest challenges to clinical R&D is completing Phase III trials on time. Delays can cost upward of $10 million, and often are driven by the need to exchange sensitive content in a highly secure manner. In response to this requirement and concern, pharmaceutical companies and their partners often rely on paper-based document sharing or the creation of siloed collaboration solutions. This methodology introduces drag and inconvenience, and encourages workarounds, which in turn reduce the level of security rather than increase it.
One leading pharmaceutical company estimates that more than one-third of its employees who work with external partners are engaged in the exchange of sensitive content. It has decided to apply rights management protection to its clinical R&D activities by choosing to extend its cloud-based business-to-business collaboration solution with embedded rights management protection. In so doing, the pharmaceutical company is marrying the policies of rights management protection with the permissions assigned to collaboration solution users. Permissions and access are enforced by the cloud-based identity and access management solution to which the collaboration solution is connected.
With this architecture in place, the pharmaceutical company can establish higher-order security for sensitive content. It can require multi-factor authentication for access to sensitive collaboration solution sites, and assign stronger policies for viewing, printing, and sharing documents containing sensitive content. Clinical trials participants get seamless access, can work productively in the document’s native environment, and sensitive content can be controlled throughout the trial, including turning off access entirely to certain parties once the phase has been completed.
For commercial endeavors, rights management protection can reduce the time between product approval and product market introduction. Pharmaceutical companies face strict guidelines on how they can promote their products. Everything from the external packaging, package insert, collateral materials, and advertising must be consistent and approved by the Office of Prescription Drug Promotion (OPDP). Before content even gets to the OPDP, it must be created, reviewed, and edited by constituencies within the pharmaceutical company (including marketing, medical affairs, and regulatory teams) and third parties (including branding agencies and outside legal counsel).
While this content may not expose intellectual property, it certainly must be protected from a competitive advantage standpoint. The traditional approach to securing this content as it makes its way from asset creation and management to review and approval and ultimately compliance confirmation has been similar to the clinical R&D use case – reliance on paper-based exchange or siloed collaboration solutions. More recently, pharmaceutical companies have begun to embrace rights management protection, but have opted for enterprise or stand-alone applications, which don’t unleash the full power of the technology. By turning to the embedded rights management protection application, pharmaceutical companies can more quickly and more securely navigate the commercial process for product introduction and subsequent marketing campaigns.
RMP = ROI
On the surface, rights management protection may look like another expense and another system to maintain. While that may be true, it is a critical security component that delivers rapid and significant return on investment. A single security breach during the drug development and delivery process can lay waste to hundreds of millions of dollars of R&D cost and years of effort. The inefficiencies of collaborating with external partners in the absence of rights management protection can cause unnecessary loss of productivity and needlessly drive up capital and operating expenditures.
Cloud-based business-to-business collaboration solutions with embedded rights management protection applications and an integration to a cloud-based identity and access management solution extend the blanket of security to individual documents by bringing permissions and policies together. Pharmaceutical companies can confidently engage with their external partner networks because they have complete control over who can access which collaboration sites and their associated documents at which times and places, and with what privileges. Sensitive information and intellectual property are secured, yet individuals benefit from a seamless, single sign-on user experience and the ability to work within a document’s native environment. By exercising their right to remain protected at all times, pharmaceutical companies can achieve their objective of getting new drugs and therapies to market more quickly and cost-effectively – to the benefit of us all.
Tom Johnson has over 25 years of experience guiding process improvement, managing technology deployment, and directing program teams in the Life Science, Healthcare, and Aerospace and Defense industries. He currently serves as Senior Director of Life Science Solutions at Exostar. In this role, Mr. Johnson leads the company’s Life Science secure business collaboration program, directing all development and implementation efforts for solutions for application and information access and protection. Exostar’s cloud-based identity and access management and business-to-business collaboration solutions bring together over 75,000 individuals in more than 1300 manufacturing, CRO, laboratory, and academic organizations worldwide. Mr. Johnson earned his BS in Industrial Engineering from Georgia Tech University.