The vast quantities of data generated around the globe today are having a transformative impact in all kinds of sectors, but the potential to advance nearly every aspect of the health and life sciences (HLS) industry is especially profound. From bringing life-saving drugs like the COVID-19 vaccines to market in record time to creating patient-specific treatments that reduce side effects and improve efficacy, data is the future of healthcare — provided that HLS organizations are equipped to take advantage of it.
HLS is a highly regulated industry. That regulation means that everything from patient data to proprietary processes and other intellectual property must be carefully accounted for and that organizations must be prepared to produce this data for outside auditors at a moment’s notice. Failing to achieve compliance can put companies at tremendous financial risk, but the overarching security implications are perhaps even more severe.
While security used to be considered one of the unavoidable shortcomings of cloud adoption, perception has largely caught up to reality: Cloud platforms such as Salesforce have an unparalleled security posture that few on-premise solutions can match, and customers can turn on complex features like two-factor authentication (2FA) that would take your own team of developers a massive investment of valuable time to create.
Add in advantages like instant scalability and portability in the new remote era, and it’s clear the cloud is the only option for HLS leaders as they move forward.
Many organizations are aiming to bring about a successful digital transformation, but it’s critical to understand that security in the cloud isn’t solely the responsibility of the platform provider. Instead, it will take a concerted effort to tap into the security potential these companies offer, and that starts with the prioritization of security in your own organization. To begin inculcating a culture of security, follow these three steps:
1. Keep security decisions transparent
You might not want to share your security decisions with the outside world, but they should be readily visible within your organization. A record of the actions you’ve taken and the thought processes that led to those decisions can be an important resource when you find yourself in similar circumstances months (or even years) down the road.
Although the details of security can sometimes change rapidly, the overarching practices will remain relevant through all kinds of new threats. A record of security steps — and the conversations and meetings that birthed them — will also help inform the efforts of external auditors as they work to propose steps that can shore up your existing security.
2. Embrace the people side of software
Ask a software vendor about the most important component of security, and they’ll almost certainly tell you it’s the technology protecting your systems from outside attack. In reality, most security slip-ups stem from internal employee ignorance or negligence, which is why you should always prioritize people when you’re trying to secure your systems.
Implement organization-wide training about the most common cybersecurity risks, from phishing to credential stuffing. Teach employees how to create a strong password and why they should never reuse credentials for multiple accounts, and implement a requirement that new passwords must be created every 30 to 90 days. Only after you’ve established a baseline level of security knowledge in your employees should you start to shop around for solutions that help stop threats in their tracks.
3. Conduct regular audits to spot shortcomings
Compliance audits rarely wind up at the top of any busy leader’s to-do list, but they are an important exercise to help you spot gaps in your security posture before a successful attacker points them out for you. When you perform regular security audits, you also offer an opportunity for teams to take a step back from business as usual and put the spotlight, however briefly, on security. This exposure helps employees internalize the importance of security and take it back to their typical roles in new and innovative ways.
Internal audits are invaluable, but they are occasionally too taxing for a busy or understaffed team; they might also turn up fewer insights than you could achieve with an elite audit professional at the helm. Turning to an independent, third-party auditor will be the most revealing because these companies exist specifically to identify security shortcomings and they bring a wealth of field experience with them.
At the outset, audits might seem like an unnecessary expense, but a digital transformation in the HLS industry puts sensitive information in the cloud where a simple misconfiguration could expose it. An independent auditor can offer some critical guidance, not to mention peace of mind during the transition from on-premise to cloud.
SaaS Security Posture Management (SSPM) — and Salesforce in Particular
Your organization’s digital transformation is unique to your own size, capabilities and needs, and it could revolve around any number of established platforms. Because Salesforce is one of the most common — and our core area of expertise here at Own — we spend quite a bit of time working with our clients to secure their Salesforce implementation against both external threats like cyberattacks and internal fumbles such as employee negligence or accidental data deletion.
The following steps will help an organization adapt Salesforce (in particular) safely, but they can also be applied to other far-reaching cloud platforms, including Oracle and SAP:
1. Know what data security and privacy regulations govern your industry
The HLS industry is one of the most heavily regulated by far, and depending on where you do business, you could be expected to comply with healthcare-specific regulations such as the Health Information Portability and Accountability Act (HIPAA), data privacy regulations like Europe’s General Data Protection Regulation (GDPR), or any of a growing number of state-specific legislation in the U.S. like the California Consumer Privacy Act (CCPA).
There are even certification criteria established by private organizations like the Common Security Framework governed by the Health Information Trust (HITRUST) Alliance. It’s an alphabet soup of overlapping rules, and if you want to establish effective data governance, the first step is to spoon through it and determine what applies to your own industry and company.
2. Establish a baseline of existing security controls and pressing gaps
Especially when you know there’s plenty of work to be done, an evaluation of your current Salesforce security controls and associated risks is an intimidating prospect. Nonetheless, an audit is a crucial starting point that will serve as the foundation of your future security measures.
If you’ve never conducted an audit, it’s a good idea to start by assembling a user access report. This document will show you what users in your organization have access to what kind of data, and if your company is like most, the results will be more than a little unsettling. Compiling this kind of information is also a revealing exercise in itself, and it will give you an idea of the magnitude of undertaking you’re setting out on by attempting to solidify your security posture within the Salesforce cloud platform.
3. Work to classify the data in your Salesforce org
Data classification is an important step to determine what restrictions and protections will apply to which data, but at an even more fundamental level, it’s a way to take stock of what data you have that needs protecting. Salesforce implementations often begin as a simple CRM, but the platform’s incredible and varied capabilities cause it to see adoption in not just sales departments but marketing, customer service, and even IT.
Not surprisingly, this expanding influence brings with it a huge amount of new and sensitive data, whether it’s personally identifiable information about your customers or your own company’s valuable intellectual property. To secure a platform like Salesforce, you’ll need to take an inventory of all the data stored in the system and apply tags that make it easier to see classifications and permissions restrictions at a glance.
4. Embrace the security journey
The security of a powerful cloud platform such as Salesforce isn’t a destination — it’s an ongoing journey that requires you to continuously revisit your risk posture, reexamine controls and permissions, and make changes to reduce risk and eliminate vulnerabilities wherever possible. Put processes in place to ensure you don’t go an extended period without a SSPM assessment, and consider leaning on an outside organization to help and hold you accountable when security takes a back seat for too long. Salesforce offers a suite of incredible capabilities to leaders in the HLS space, but those same capabilities can turn into liabilities if organizations fail to properly configure and secure their Salesforce implementations. Own offers a commanding, single-pane-of-glass view into the risk facing your company, and we can help you meet and exceed both external compliance obligations and internal security standards and goals.
Our experience helps payers, providers, and pharmaceutical organizations hold up their end of the shared responsibility bargain and reduce the risk associated with the Salesforce platform. To keep your business from ending up in the headlines for all the wrong reasons, rely on Own as a proven Salesforce security leader.
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.