Compliance Considerations of Cloud-based Technology in the Pharmaceutical Industry

In April 2023, the Cloud Industry Forum released its annual report (“Breaking New Ground with Cloud”) showing that 95 percent of businesses across the public, IT and technology, financial services, retail, and manufacturing sectors were operating within the cloud. At least at that time, 55 percent of the organizations surveyed were operating in a hybrid (cloud and on-premises) environment, while 42 percent were exclusively cloud-based.

Adoption of cloud technology in the pharmaceutical industry has been slow, however, and tends to lag behind other major industries. The complex regulatory environment no doubt contributes to this hesitancy, given that data security and data privacy laws like the European Union’s General Data Protection Regulation (GDPR) or the US Health Insurance Portability and Accountability Act (HIPAA) demand that cloud providers be compliant in the same manner as on-premises providers.

Although pharmaceutical companies have unique obligations related to maintaining patient safety and confidentiality, utilizing cloud technology is not in contravention of those obligations. The benefits of transitioning to a cloud-based environment are well-known (including enhanced data analytics, secure storage of clinical data, and establishing standardized processes across sites), and if configured appropriately, the cloud can better secure data than on-premises solutions.

In fact, cloud storage can often be safer than legacy or homegrown systems that are no longer supported or able to be upgraded (and are therefore more vulnerable to attacks or breaches). Using the following safeguards, pharmaceutical companies can ensure their cloud-based technologies sufficiently protect data:

  • Secure cloud storage accounts with complex passwords, encryption, and two-factor authentication.
  • Investigate cloud storage vendors to identify those that have auditing features built within their platforms to provide more comfort as to the security of the data.
  • Set and enforce access rights for the data stored in the cloud. Ensure that access is limited to required personnel only, and that those individuals are trained in how to appropriately handle the information they need to access.

Cloud-based technology may also help pharmaceutical companies with DEA registrations meet relevant statutory and regulatory requirements, including:

  • Building and maintaining a Suspicious Order Monitoring program
  • Conducting due diligence and maintaining customer files
  • Maintaining controlled substance records (inventories, purchase/sales documents, etc.) separately from other business records (and by DEA Schedule) that are readily retrievable

For pharmaceutical companies hesitant to move all operations to the cloud, consider utilizing a phased approach whereby the organization first moves systems that do not directly impact or affect patient information (like marketing, training, or employment data). After ensuring the cloud is configured appropriately and performing security testing, the company can then transition patient safety and other critical systems to the cloud environment as well. An additional benefit of this approach is that the company can take more time to properly configure cloud settings before critical or patient data is migrated.

Cloud-based technologies have a variety of benefits and advantages, and pharmaceutical companies that fail to adopt them are doing a disservice to their bottom line and may ultimately be left behind. The technology is lower cost and scalable, not to mention more secure than traditional technologies. Companies therefore can reduce operating expenses (since cloud technologies obviate the need to pay for software licenses and updates) and contract or expand the amount of storage needed as the business changes, all while improving data security over their files and data. That combination is a win-win for patients as well, who can hope to see downstream cost savings and increased comfort in the security of their most personal information. Finally, utilizing cloud-based technology may also help some pharmaceutical companies meet regulatory obligations more efficiently and effectively.

Allison Spagnolo
Chief Privacy Officer, Senior Managing Director at Guidepost Solutions

Allison Spagnolo is a senior managing director at Guidepost Solutions and works on numerous compliance-based engagements involving financial institutions, healthcare organizations, government contractors, cryptocurrency exchanges and fintech companies.  She has extensive experience developing risk reviews and assessments for public and private entities in a variety of contexts including sufficiency of internal controls. Ms. Spagnolo also advises healthcare clients, including covered entities and business associates, regarding compliance with HIPAA/HITECH and other federal and state privacy, security, and incident response compliance requirements. As Guidepost’s Chief Privacy Officer, Ms. Spagnolo directs global internal privacy compliance efforts, including issues related to the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). She also regularly advises clients on identifying and resolving privacy risks. Prior to joining Guidepost, she was an attorney with Burt, Blee, Dixon, Sutton & Bloom, LLP, where she focused on the area of corporate law.

Krista Tongring
Executive Vice President at Guidepost Solutions

As Executive Vice President, Krista Tongring leads the Guidepost Solutions DEA Regulatory Compliance Practice. She plays a lead role in overseeing a variety of compliance engagements, monitorships, and investigatory matters.  She has provided assessments, evaluations, and enhancements of Controlled Substances Monitoring Programs for drug distributors and manufacturers; DEA regulatory compliance advice, evaluation, enhancement, and training for clients holding DEA registrations; expert witness services; and assistance to clients seeking DEA registrations with the application process. Prior to joining Guidepost, Ms. Tongring was with the Drug Enforcement Administration (DEA) where she served as the Acting Section Chief in the Office of Compliance. She focused on establishing clear and consistent policy which can be implemented throughout the agency and successfully managed the effort to update DEA’s Standards of Conduct. During her tenure, Ms. Tongring also served as a senior attorney for the DEA Diversion and Regulatory Litigation Section where she litigated administrative actions and supervised investigations to ensure compliance with the Controlled Substances Act. She began her career as a federal prosecutor in the U.S. Department of Justice.