The days of the Wild West of data are fading into the rearview, and that means high expectations for maturing industries such as life sciences. Thanks to growth, expansion, and — to some degree — cloud adoption, regulators are keeping a close eye on companies in the space, and shortcomings in data quality and integrity can result in inspections, delayed product approvals, recalls, or even shutdowns. That doesn’t even include the damage to one’s reputation and the crippling fines levied for data violations.
In one recent settlement, violations of the Health Insurance Portability and Accountability Act incurred a $16 million bill, while the Federal Trade Commission has levied fines exceeding $20 million for misleading data practices. The California Consumer Privacy Act limits fines to $7,500 per violation, but there’s no such limit on the number that can be issued — and data breaches can quickly rack up astronomical charges.
While most organizations are taking prudent steps necessary to protect their data, many are dangerously unaware of their exposure. In particular, life science organizations have adopted Salesforce en masse for the platform’s abilities to fuel sales teams with data, accelerate R&D through data sharing, and improve patient management programs. All these capabilities offer exciting new opportunities, but entering and storing a wealth of private health information also comes with risks that must be addressed.
To begin securing Salesforce against both external threats and internal negligence, follow these four steps:
Understand applicable security and privacy regulations
The specific regulations governing your company will vary. In healthcare, for example, HITRUST certification requires you to prove user access to ePHI on a regular basis. Other regulations such as Europe’s General Data Protection Regulation or the aforementioned California Consumer Privacy Act in the U.S. apply more broadly to the use and storage of customer data, and your company’s own InfoSec policy will also affect your approach to data security and governance controls in the Salesforce environment.
Baseline with an evaluation of existing controls and associated risks
Conducting an audit of your existing security measures is the only way to effectively start shoring up your Salesforce security posture. If it’s your first time performing this type of exercise, start with a user access report. Producing a user access report will show you who has access to what data; nine times out of 10, the findings will alarm you. You might also discover that it’s difficult to even compile this information, which means there’s even more work to do to improve security.
Classify the data in your Salesforce org
You will never know how to protect your data if you don’t know what data needs protecting. Identify and classify all the different types of data in your Salesforce org, and leverage native classification capabilities so that changes are reflected in real time and you’re always working with the most current data. Apply regulatory tags to make it easy to determine why data is classified in a certain way as you go through and look for holes in your security posture.
Revisit your risk posture regularly
Once you’ve implemented your initial set of controls and proved compliance, your work is far from over. Revisiting your risk posture should be part of your normal development processes, particularly as you actively innovate in terms of how you use the platform. Salesforce has incredible data capture and storage capabilities, but those same capabilities can increase risk if they aren’t adopted with security in mind.
Securing the Salesforce platform can be an intimidating proposition for life science organizations, but Own is here to help. Our solution provides a centralized view of risk, enabling customers to tackle their biggest security shortcomings first. We offer actionable information and simplified reporting to ensure that security gaps are eliminated and that compliance requirements are met.
As Salesforce has grown and evolved, its capabilities have expanded immensely. Even if you started out using the platform one way, your organization might be using it in a completely different way now — capturing PII, ePHI, and other highly regulated data. To meet your data security responsibilities and protect your patients and customers from a potential loss of health and other personally identifiable data, rely on Own to help you implement data security controls on the Salesforce platform and prevent your company from ending up in headlines for the wrong reason.
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.