The COVID-19 pandemic has underscored our reliance on data sharing to solve global problems. But there is a fundamental tension between data sharing and data protection. As organizations work to share certain information as needed, they must also maintain its integrity and protect the confidentiality of data that should not be shared.
Data must be shared for the benefit of scientific discovery and public health response, but also protected to preserve patient privacy and safety. This is especially critical as cyber threat actors seek targets of opportunity amid the pandemic. North Korea, for example, reportedly attempted theft of vaccine information from Pfizer. And the targets of the December 2020 “Sunburst” espionage operation reportedly included the National Institutes of Health and Centers for Disease Control and Prevention.
The security of COVID-19 vaccine development, distribution, and the data involved in these efforts are particularly important. Life sciences research and product development have long involved many partners, players, and milestones. And in response to the pandemic, public- and private-sector organizations across the globe rallied together with remarkable speed.
While such teamwork brought several vaccines to market within just a year, the nature of the collaboration introduced cyber risks. The dangers included new vendors with little experience navigating security regulations, outsourcing across multiple jurisdictions, and a lack of standardization and integration across data sources and systems. And such new weak points in the supply chain can make it easier for adversaries to undermine the confidentiality, integrity, and availability of sensitive data and systems.
Adding to the challenge, digital supply chains generally do not have well-coordinated technology development and adoption plans, and regulatory frameworks often fall short to preventing emerging cyber threats and vulnerabilities. The Department of Health and Human Services is calling for better ways to automate data stewardship and regulatory compliance to increase access at speed, while maintaining security.
Data Governance is Needed Now
From genomics data in personalized medicine to the continuous feeds of environmental and biometric data in personal health apps, there’s been an explosion of information in healthcare and life sciences. Organizations charged with safeguarding this data face a host of questions. How is the data generated, shared, and housed? What is it used for, who should be allowed to use it, and what happens to it further “downstream"? How do you document its provenance when it changes hands and moves through the supply chain?
This last question is particularly important in life sciences as researchers make data accessible to their peers for validation of their work and reproducibility of results. And, perhaps the biggest question as we move forward: How do we open up information to those who need to use it but keep bad actors out at the same time?
In such an environment, life science organizations must get ahead of the threats and secure the data itself, not just the systems on which the data resides. One place to start is by looking beyond perimeters and networks for cybersecurity and extending their view to the “supply chain of data.”
Innovation and Next Steps
Here’s the good news: Many organizations in healthcare and life sciences are finding innovative solutions for data security. One example is a cloud-based, customizable blockchain system developed by Booz Allen. The solution is a secure data-sharing network that facilitates real-time exchange of protected, sensitive, patient-level health data between a federal agency and partner hospitals during public health emergencies. Our differentiated approach provides a custom solution for decentralized, permissioned, and encrypted data sharing.
To be sure, cybersecurity must be a collective effort between the generators, owners, and protectors of data. Stakeholders should leverage helpful industry-recognized standards like the NIST Supply Chain Risk Management framework. Organizations should also:
- Train all users, empowering them to stay focused on the research at hand while ensuring better security
- Ensure data protection by applying zero trust principles of least privilege access, and implementing data rights management and encryption
- Provide constructs to allow data to be shared securely to the right users by never trusting, always verifying data requests, and using data tagging and labeling as a method to enforce policies
- Ensure that tools and technology are maintained and up-to-speed to prevent data loss
- Use a maturity model to assess vendor risk based on tools, technologies, and types of data.
In addition, organizations should incorporate cybersecurity by design from the start in new initiatives. When establishing a network for data use and sharing, for instance, build in protection from Day One, including governance for different types of data and risk management frameworks—and support these efforts with the right people and processes.
Data Supply Chain Risk a Top Priority
There will always be new cybersecurity challenges. For example, we foresee that new methods of encryption and the computation needed to support them will be critical for the future of data protection. According to an April 9, 2021 article in The Parallax View, the Defense Advanced Research Projects Agency, for instance, is investing in advanced hardware to support robust processing for fully homomorphic encryption. Booz Allen is researching quantum encryption and key distribution to the same end.
But now more than ever, healthcare and life sciences organizations need to make data supply chain risk a top priority for cybersecurity and enterprise risk management.