Connected Health: 10 Data Security FAQs
Tuesday June 5, 2018
What is GDPR?
General Data Protection Regulation (GDPR) is legislation passed by the European Union (EU) that goes into effect May 25th, 2018. GDPR helps protect citizens by keeping their data private (name, IP address, date of birth, religion, health, etc.) through new rules and regulations. The definition of privacy has been broadened and the penalties for non-compliance with these regulations are higher. Under GDPR, any personal information that can be traced to a person is considered private data. Each person has the right to have their data corrected or erased.
How does IT Sarbanes-Oxley (SOX) apply to Financial SOX Compliance?
IT and Financial both fall under the umbrella of SOX, but each has its own set of responsibilities. A company’s IT team must ensure there is ongoing reporting and testing of internal controls to meet SOX requirements, so that any major concerns related to assessing financial risk are detected.
What are the most common forms of a security breach?
Most breaches are internal and can range from a disgruntled employee to a non-malicious procedural breach. For external breaches, a common example is a phishing attack, a frequent way for hackers to gain access to a system. The types of parties that send phishing attacks vary depending on the type of information they are looking for. Some hackers are looking for government, banking, or espionage information, whereas others do this to prove their hacking capabilities.
Can Arbour Group guarantee that companies will be 100% safe from security breaches?
No, a third-party company should never guarantee this because you are never 100% safe, but a company can be well prepared. Arbour Group is available to help your company define the processes and procedures to detect when a breach occurs. A process remediation system can be put in place so that a course of action is ready when needed. It is not uncommon for companies to experience some form of security breach, whether internal or external, and the procedures and processes a company has in place can determine the severity of the outcome.
How does Arbour perform a penetration test to find vulnerabilities in a system?
Companies will always have vulnerable points within their systems, but testing regularly can identify core issues. A penetration test is a means to find those vulnerabilities. A third-party tester intentionally tries to hack a system to assess the effectiveness of its security. Even if a penetration test passes successfully, ongoing tests are necessary as hacking procedures evolve. It is recommended that vulnerability testing be conducted on a frequent and regular basis. This can mean quarterly, annually or another established timeframe, depending on the type of data a company may have.
When mergers and acquisitions take place, what key things do companies need to be aware of in order to remain compliant?
Whether you are implementing your system into an acquired company or importing data, the privacy of that data should be reviewed to ensure that it is secure and compliant with current regulations. It is essential to have programs set in place to detect any issues in the data. Arbour Group can provide a plan of validation that includes a quarantine, scan, and a penetration test on the system before it is brought into the network.
How is Artificial Intelligence (AI) software validated if it is not always on a linear path?
Validation is centered on the functionality of the AI software. If you are installing on-premises with a vendor, the validation will focus on the installation qualification to establish good change control mechanisms as well as enforce an effective management process. If a program is written internally, the algorithm must be certified, as the intended function is what is essential to validate, not the data set itself.
My company operates in a public cloud, how can we ensure that others who share the same cloud cannot see our data?
The cloud provider should describe the type of security and partitioning processes that are available to their customers. Infrastructure as a Service (IaaS) can be partitioned by the vendor to meet a company’s specific security needs. Software as a Service (SaaS) can be customized to meet a company’s security needs if specific requirements for privacy are discussed with the vendor.
My company has developed SOPs to ensure compliance but they are complicated and difficult to follow. What can be done to alleviate this issue?
To help adhere to compliance standards, the SOPs must be streamlined with a redesigned approach, such as differentiating SOPs from work instructions. The new procedures will in effect streamline the process and assist in meeting compliance. Arbour Group can offer support in reducing the number of SOPs so that the procedures work to meet the intended purpose.
Our company has an inspection/audit coming up, what can we do to prepare?
It is critical for a company to always be inherently prepared for an audit. If daily operations are performed correctly, the risk of a negative inspection lessens. If a company is not ready, an initial scope of the audit is necessary to understand the full inspection. An assessment of applications and an audit readiness checklist must be established. It is important that a company’s integrity is not put at risk by making quick fixes to prepare for an audit. For example, backdating to hide a prior mistake can be easily discovered by auditors. In preparation for an inspection/audit, Arbour Group services can include preparation of a checklist, an assessment of applications, or development of a training program to assist in audit readiness, and can help a company understand where gaps are located to develop an action plan.
The Arbour Advantage
Arbour Group is a trusted regulatory advisor to over 250 pharmaceutical, medical device and biotechnology companies worldwide. Let us demonstrate how we can prove ourselves as a valuable business partner by delivering effective services that reduce compliance costs.