Mark Shriner is the Strategic Sales Director for memoQ, leading the company’s market growth in the regulated industries. He has previously worked in several leadership roles in the localization industry including CEO Asia Pacific for CLS Communication.
Data protection and IT security are increasingly important for organizations around the world. For companies doing business in a regulated industry like life sciences or financial services, protecting company and customer data is mission critical.
This is true whether your company sells a healthcare-related product or service such as a device manufacturer or a contract research organization (CRO), or if you are a service provider, such as an LSP that translates medical records or other personal information. Even technology providers to life sciences companies benefit from security controls and regulatory compliance.
Several of the world’s largest CROs use memoQ’s translation management system (TMS). The platform’s security features and ability to offer a variety of on-prem and cloud-based hosting options around the world have been a major factor in the selection and continued use of our TMS and CAT tool. Furthermore, since memoQ is providing a technology to companies in the life sciences industry, and since we are headquartered in Europe, we need to ensure that our technology is secure, and that all of our internal company systems and data are protected and operated in alignment with standards such as GDPR.
Another platform provider operating in alignment with the appropriate regulatory bodies is Boostlingo, a leading platform for interpreter management and remote interpretation. Since Boostlingo’s users include many healthcare providers, the company heavily prioritizes security and compliance.
According to Dieter Runge, Co-Founder and VP of Global Growth & Strategy at Boostlingo: “HIPAA is 100-percent the Bible for us when it comes to compliance.” The company utilizes the services of external consultants to regularly conduct security audits and penetration tests, ensuring both internal company data and the platform are secure.
While HIPAA may be the obvious regulation for Boostlingo to track, other companies may find the choice more challenging. For example, a US-based LSP that translates patient reported outcomes (PROs) might prioritize HIPAA. However, if the company has offices or freelance linguists in the EU, or translates the medical records of EU residents, it might also prioritize adhering to GDPR.
With the existence of so many different local, state, national, regional, and industry-specific regulatory bodies, companies can find it extremely challenging to decide which regulations to follow and how best to manage their compliance postures for the various regulatory agencies. A European company providing healthcare-related services that works on data for residents of California, China, Brazil, Singapore, and Canada would be subject to at least six regulatory bodies protecting consumer data.
A best practice is to select the most important industry-specific regulatory agency and follow its standards. Alternatively, a company may decide to achieve a security credential such as SOC2, NIST, CIS, or ISO 27001.
“While there is a fair amount of overlap with NIST, CIS, ISO 27001, and SOC2, the most important thing is not to try to do them all,” recommends Hiram Machado, CEO of adaQuest, a Microsoft Cybersecurity Gold Partner. “You should either pick one of them and work through it or identify which certification is most important for your customers and pursue that.”
In the case of memoQ, we closely track and adhere to the GDPR, but we have also achieved ISO 27001 certification. Since many of our customers are requesting SOC2 compliance, we are working towards that credential as well.
But simply achieving a credential or tracking a regulatory body will not guarantee data protection and IT security. A good foundational practice is to create awareness throughout the organization that IT security is a shared responsibility. This goes beyond sending out a data privacy and IT security policy document to employees and freelance workers. Communications should include relevant examples of best practices for data protection and security and highlight typical attacks.
For example, employees should be taught about password hygiene and encryption. Free and low-cost web-based interactive training programs are extremely effective at creating awareness. Another approach is to use phishing attack simulation tools such as Sophos, Proofpoint, and Phished, which demonstrate what an attack looks like and provide tutorials.
Another macro tactic companies use to improve their security and compliance posture is to outsource their IT infrastructure to major cloud providers such as Google, AWS, and Microsoft. These companies spend billions every year on security, stability, and resilience for their services, aligning their platforms with many of the leading regulatory bodies and security standards.
By using a major cloud service, life science companies and service providers can inherit many of the security controls, backup capabilities, and compliance measures that the cloud providers have built into their services. Tool and platform vendors in life sciences are adopting this strategy as well. For example, memoQ offers global cloud solutions based upon Microsoft’s Azure for its security, performance, and regional hosting options. Boostlingo uses Amazon Web Services (AWS) for similar reasons.
“Because we are a global company, we need to have instances around the world in order to maintain data sovereignty rights,” said Runge. “A lot of the requirements for web security are already well and truly covered by AWS.”
Major cloud providers also provide useful security and data protection tools at little or no cost. For example, Microsoft 365 (M365) offers document encryption, data loss prevention, endpoint protection, threat detection, and antivirus tools.
Furthermore, M365 subscribers can access the Microsoft Compliance Manager tool. This tool tracks an organization’s compliance posture against all major regulatory bodies, provides detailed recommendations, and allows for the assignment and tracking of follow-up actions.
Not every life sciences company opts to use a global cloud provider, preferring to host their IT infrastructure and tools on premise, or “on prem.” This decision may be related to costs and security concerns, or may be due to local and national governments restricting where data can be stored.
Beyond the macro tactics of creating organizational awareness and outsourcing security and compliance requirements to cloud providers, life sciences companies are implementing best practices that regulate individual actions. For example, permissions management is a practice that only elevates an individual’s access rights to sensitive systems and data for a specified and limited time.
For example, instead of granting an IT engineer global admin rights with universal access to all systems, companies can use a permission management tool or privileged identity management (PIM) system to request and grant temporary elevated access rights. By doing so, the company limits the potential harm caused by compromised credentials, because a stolen credential carries no standing admin rights.
I know of several LSPs that only allow their IT support team to elevate their access rights during the time they are providing support in a specific region or time zone. Likewise, many companies are implementing strict role definitions and related rights when using tools such as their TMS and CRM.
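As an added illustration of the time-boxed elevation described above (example code, not a memoQ or PIM-product implementation), the ledger below grants a role only inside a hypothetical regional support window, caps every grant's lifetime so nothing becomes permanent, and records each decision for audit; the windows, user name and ticket reference are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime
    justification: str

@dataclass
class JitElevation:
    """Toy just-in-time elevation ledger: no standing admin rights, only time-boxed grants."""
    # Hypothetical per-region support windows as UTC hours [start, end); constructed values.
    support_windows: dict = field(default_factory=lambda: {"EMEA": (7, 16), "APAC": (0, 9)})
    max_duration: timedelta = timedelta(hours=2)      # hard cap on any single grant
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)         # every decision is recorded

    def request(self, user, role, region, justification, now, duration=timedelta(hours=1)):
        """Grant `role` to `user` until `now + duration`, only inside the region's window."""
        start, end = self.support_windows[region]
        if not (start <= now.hour < end):
            self.audit.append((now, user, role, "denied: outside support window"))
            return None
        grant = Grant(user, role, now + min(duration, self.max_duration), justification)
        self.grants.append(grant)
        self.audit.append((now, user, role, f"granted until {grant.expires_at.isoformat()}"))
        return grant

    def is_elevated(self, user, role, now):
        """Authorise only on an unexpired grant; expiry needs no explicit revoke step."""
        return any(g.user == user and g.role == role and g.expires_at > now for g in self.grants)

def demo() -> dict:
    """Constructed scenario: one EMEA support engineer, two requests, later checks."""
    pim = JitElevation()
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)    # 09:00 UTC, inside EMEA window
    ok = pim.request("alice", "GlobalAdmin", "EMEA", "ticket 0001 (constructed)", t0)
    late = pim.request("alice", "GlobalAdmin", "EMEA", "ad hoc change", t0.replace(hour=22))
    return {
        "granted": ok is not None,
        "active_after_30m": pim.is_elevated("alice", "GlobalAdmin", t0 + timedelta(minutes=30)),
        "active_after_3h": pim.is_elevated("alice", "GlobalAdmin", t0 + timedelta(hours=3)),
        "denied_outside_window": late is None,
        "audit_entries": len(pim.audit),
    }
```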
All personally identifiable information (PII) should be encrypted when it’s at rest or when it’s being transmitted. Users of M365 can easily do this using the built-in DLP tools that allow for the tagging of sensitive data and the enforcement of pre-determined policies according to the applied tag. This tool can even recognize sensitive data and recommend or require encryption.
For example, the creator of an Excel spreadsheet that contains Social Security numbers or credit card information could be prompted or forced to encrypt the document. Furthermore, the policy may limit document users from sending it to people outside the company or even outside the company’s premises.
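The tag-and-enforce logic described above, as an added example that is not the M365 DLP tool's own code: it scans constructed spreadsheet-like cells for SSN and payment-card patterns (with a Luhn check so ordinary digit runs such as shipment references are not flagged), applies tags, and derives the encryption and external-sharing decision from those tags.

```python
import re

# Constructed spreadsheet-like cell contents standing in for real documents (not real data).
SAMPLE_DOCS = {
    "payroll.xlsx": ["Jane Doe", "SSN 123-45-6789", "salary 82000"],
    "orders.xlsx": ["order 1001", "card 4111 1111 1111 1111", "amount 19.99"],
    "shipping.xlsx": ["shipment ref 1234 5678 9012 3456"],   # digit run that fails Luhn
    "glossary.xlsx": ["term", "translation", "notes"],
}

# US SSN shape with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by spaces or dashes; Luhn decides whether it is a card.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which filters ordinary digit runs out of card-number matches."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(cells) -> list:
    """Return the sensitivity tags a DLP scan would apply to one document's cells."""
    tags = set()
    for cell in cells:
        if SSN_RE.search(cell):
            tags.add("SSN")
        for m in CARD_RE.finditer(cell):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                tags.add("PaymentCard")
    return sorted(tags)

def decide(cells) -> dict:
    """Tag-driven policy: any sensitive tag requires encryption and blocks external sharing."""
    tags = classify(cells)
    return {"tags": tags, "encrypt_required": bool(tags), "external_sharing_allowed": not tags}
```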
In the life sciences industry, all documents with patient information should be encrypted, and in some cases anonymized or de-identified. Anonymization and de-identification are similar practices that ensure that data cannot be tied to a specific person. The GDPR favors anonymization, which makes it impossible to reverse the process, while HIPAA and California’s CCPA require de-identification in many cases.
Life sciences companies that send documents outside of their organization for translation often opt for a TMS platform that can restrict external translators from copying, downloading, or capturing a screenshot of sensitive text. Likewise, companies are selecting platforms that are single-sign-on (SSO) friendly.
Using SSO prevents passwords from being compromised. And, as Gartner estimates that close to 40 percent of all support requests are related to passwords, an additional benefit of SSO and self-service password reset (SSPR) is that it greatly reduces IT help desk tickets.
Last, but not least, any company active in the life sciences industry or any other regulated industry should schedule regular and automated backups of important data. This practice will not only help you recover from a ransomware attack, or fire and flood damage, it is also required in certain scenarios by GDPR, HIPAA, and many other regulatory agencies.
Whether you are a life sciences service provider or product maker or a company that provides a service or technology to the life sciences industry, security and privacy should be a top priority. The above best practices are a great way to improve the safety and security of your journey in this amazing and rapidly growing business.