Risk management for cloud-powered medtech: What you need to know

[Photo from Flickr, by GotCredit]

Michael Ford, Pro Back Office

As we kickstart 2018, there are increasing concerns and risk challenges for the life science industry, thanks in part to the evolution of computing technology. Today, many life science businesses are migrating to cloud computing (SAAS, PAAS, etc.). There is data sharing amongst business partners and the use of third-party providers who are managing important data for these life science companies. All of which has most CEOs spending time and money on risk management and compliance. They see tremendous pressure to safeguard sensitive information collected relating to patient data and privacy, intellectual property (IP), and drug and clinical test data.

Having the proper risk management framework in place for a life science business is a great starting point. Medical device companies must deal with government imposed data protection regulations and internal control compliance programs from Sarbanes-Oxley to HIPPA to SSAE16. All have been important additions to help improve data security. However, despite the investments in data protection, the industry also faces increasing cyber threats and attacks. Through the development of proper controls, medtech companies can address vulnerabilities and minimize risk to their data and products.

Cloud computing’s pros and cons

The technological advancements in system virtualization, system resource management and the Internet have led to cloud computing’s emergence as a viable alternative for meeting the technology needs of many life science organization. There are numerous benefits:

• Instantaneous computing resource fulfillment;
• Greater value from technology expenditures at lower costs;
• Decreased need for internal technology support personnel;
• Cost savings – Cloud customers pay for only the computing resources;
• Speed of deployment – Cloud service providers can meet the need for computing resources (e.g. server processing and data storage) much more quickly than most internal information technology (IT) functions;
• Scalability and better alignment of technology;
• Resources – An organization can scale up and down its capacity from one server to hundreds of servers without capital expenditures;
• Decreased effort in managing technology – Owning and operating an IT function is costly and time-consuming. Cloud computing allows an organization to focus more time on its core purpose and goals.

With these benefits, comes risks for the life science company:

• Lack of transparency – A cloud service provider (CSP) is unlikely to divulge detailed information about its processes, operations, controls and methodologies.
• Reliability and performance issues – System failure is a risk event that can occur in any computing environment but poses unique challenges with cloud computing.
• Security and compliance concerns – Depending on the processes cloud computing is supporting, security and retention issues can arise with respect to complying with regulations and laws such as the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the various data privacy and protection regulations enacted in different countries.
• High-value cyber-attack targets – The consolidation of multiple organizations operating on a CSP’s infrastructure presents a more attractive target than a single organization, thus increasing the likelihood of attacks. Consequently, the inherent risk levels of a CSP solution in most cases are higher with respect to confidentiality and data integrity.
• Risk of data leakage – A multi-tenant cloud environment in which user organizations and applications share resources presents a risk of data leakage that does not exist when dedicated servers and resources are used exclusively by one organization.
• BYOD (Mobile devices) – Security and encryption must be taken into consideration for devices used to connect and access data in the cloud as these devices are more susceptible to theft.

Protecting your data

To address these risks, third-party cloud service providers have implemented internal controls within their computing environment and have several standards or best practices available to them to report on their security status. The auditing and the verification of these controls are performed by independent third-party accounting firms that present the results of these audits in an AICPA SOC 1, SOC 2 and/ or SOC 3 report. SOC stands for service organization controls. The SOC 1 report is focused on the internal controls over financial reporting controls, while the SOC 2 and SOC 3 reports are specific to controls related to one or more of the five trust principles of security, availability, processing integrity, confidentiality and privacy.

Depending on the nature of the services provided by the cloud service provider, any of these reports would be appropriate to attest to the effectiveness of the internal controls implemented by the cloud service provider. The cloud users can review the SOC report to ascertain the operating effectiveness of these controls and have transparency into the cloud service provider internal controls to manage risks within their environment. Auditors have been using the SOC reports as part of their SOX testing over internal controls over financial reporting. However, a life science company may use cloud computing to manage its confidential non-financial data (i.e. lab tests, trial test results etc.) which are not covered under SOX. As a result, risks and security and compliance controls over these proprietary, confidential data, may not be adequately evaluated.

The potential financial and reputational impacts of the loss of IP or confidential client data would be staggering for any business. To assess where a life science company stands in the risk universe as it relates to cloud computing, it is imperative that they conduct a risk assessment. Risk and compliance executives, internal auditors and risk consultants play an important role in helping life science organizations develop a proactive risk management strategy. What proactive steps and investment will your business make in 2018 to protect your data?

Mike Ford is president of Pro Back Office.

The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of MedicalDesignandOutsourcing.com or its employees.

From the Hospital Bed to the Finish Line Heidi Dohse was diagnosed with a rare arrhythmia in 1982 and has been 100% pacemaker dependent for over 30 years. With the help of wearable devices, she has been able to pursue her dream to become a competitive cyclist. You can hear her story and more when you register for DeviceTalks Boston, October 8-10. REGISTER NOW Use code FINISHLINE to save an additional 10%.