Pharma companies are slow to adopt cloud computing services, mainly because of the perceived data security / data integrity risk and fear of regulatory interpretations. I frequently hear, “How do you validate the cloud?” or “What will the regulator say?”, but most frequently, it’s “I don’t trust the cloud.” As a result, data is being kept on servers that physically reside on-site as the perceived risk is lower. But is it?
Data security – there is NO zero risk option
Cloud computing is finding its place in industries that are traditionally risk-adverse – including banking, health and governments. The World Bank, some Australian banks and many large companies are now using Microsoft Office 365, which is the cloud version of the MS Office software suite. It’s probably the worst kept secret that many of the large multinational pharmaceutical companies are using the cloud too, but in a careful, considered manner. Understandably, there is reluctance. No one wants to be the first one subjected to regulator scrutiny as to how they planned and executed their cloud deployment. However, there should be deeper concern that the regulators will start asking why a company is NOT in the cloud.
Data breaches are common
With plenty of recently published breaches of network security within hospitals (refer to the media coverage of the computer virus that brought the Royal Melbourne Hospital to its knees) and other large organisations (the personal details of 80 million customers of the second largest health insurance company in the US. Check out the world’s biggest data breaches), it’s easy to see that company IT networks are far from secure. With cloud computing companies staking their business on protecting their client’s data, which would you trust more – your internal IT department or a cloud company for whom security means life or death for their business?
Don’t apply a blanket policy
We frequently hear CEOs or non IT managers stating that they will not “allow” their quality or propriety data to be kept in the cloud due to perceived risks related to security, privacy and/or jurisdiction. These are legitimate considerations, however we strongly recommend that clients look at cloud services based on specific circumstances rather than adopting a generic blanket policy. There are many options when it comes to cloud solutions (see an earlier blog post on cloud options in a regulated environment) from using a single application, such as the cloud version of SharePoint through to moving your entire IT infrastructure to the cloud.
Cloud computing offers big advantages
How the World Bank reduced their email costs by 50%
Geographical versus logical boundaries
There are many multi national pharmaceutical companies who now routinely now use public cloud infrastructure from Microsoft Azure and Amazon Web Services (AWS). On 11th May 2016, Microsoft announced that all data on Office 365 servers can now be stored only in Australia, helping those with privacy concerns or regulatory requirements about physical data location (e.g. government data). Microsoft has data centres in NSW and Victoria, giving you near instant connectivity to your information and services. Similarly, Amazon Web Services, another major cloud IT infrastructure provider, has a data centre in Sydney for example.
All too often I see non IT Managers making big calls on “data security”, whilst not having the education, training or experience to fully appreciate the risks associated with smaller, less well-resourced IT departments. These companies are at considerable risk through their current practices, which are often lacking genuine capacity in security, governance, and business resilience.
A number of our clients like to “see” the server on a rack in the corner of a room on-site, as this provides a degree of false comfort. Unfortunately, as soon as this server is connected to the web, without proper firewalls, antivirus software, email server etc. it is vulnerable! It is ironic that the same clients happily log into their online banking and transfer money, but consider putting data into the cloud too risky.
In fact, for many of the smaller organisations, it may be more appropriate to state that “staying out of the Cloud is too risky”.
Staying with an on premises server does not equal zero risk.