As we evaluate pharmaceutical cloud computing as an option, we see that pharma companies are slow to adopt cloud computing services, mainly because of the perceived data security and data integrity risk and fear of regulatory interpretations. I frequently hear, “How do you validate the cloud?” or “What will the regulator say?”, but most frequently, it’s “I don’t trust the cloud.” As a result, data is being kept on servers that physically reside on-site, as the perceived risk is lower. But is it?
Data security – there is NO zero risk option
Pharmaceutical cloud computing is finally finding its place in industries that are traditionally risk-averse – including banking, health and governments. The World Bank, some Australian banks and many large companies are now using Microsoft Office 365, which is the cloud version of the MS Office software suite. It’s probably the worst-kept secret that many of the large multinational pharmaceutical companies are using the cloud too, but in a careful, considered manner. Understandably, there is reluctance. No one wants to be the first one subjected to regulator scrutiny as to how they planned and executed their cloud deployment. However, there should be deeper concern that the regulators will start asking why a company is NOT in the cloud.
Data breaches are common
With plenty of recently published breaches of network security within hospitals (refer to the media coverage of the computer virus that brought the Royal Melbourne Hospital to its knees) and other large organisations (such as the personal details of 80 million customers of the second largest health insurance company in the US; check out the world’s biggest data breaches), it’s easy to see that company IT networks are far from secure. With cloud computing companies staking their business on protecting their clients’ data, which would you trust more – your internal IT department or a cloud company for whom security means life or death for their business?
Don’t apply a blanket policy
We frequently hear CEOs or non-IT managers stating that they will not “allow” their quality or proprietary data to be kept in the cloud due to perceived risks related to security, privacy and/or jurisdiction. These are legitimate considerations; however, we strongly recommend that clients look at cloud services based on specific circumstances rather than adopting a generic blanket policy. There are many options when it comes to cloud solutions (see an earlier blog post on cloud options in a regulated environment), from using a single application, such as the cloud version of SharePoint, through to moving your entire IT infrastructure to the cloud.
There is no doubt that the cloud provides agility and significant cost savings. Modelling performed by QikSolve typically shows a 50% cost reduction and enhanced data security and visibility when switching to Microsoft Office 365, compared to hosting in-house. Included in the Office 365 price is a feature-rich compliance and security centre to manage Data Loss Prevention (DLP) and Data Management (archiving, retention & recovery), which is probably far better than anything your IT department has in place.
In terms of pricing, a common misunderstanding is that everyone in the company needs to be on the same licence level (often the most feature-rich). Most cloud licence options allow you to mix and match user access to suit your requirements. This means you can easily scale your licences up or down in terms of both seats and access levels as your needs change. You aren’t locked into a long-term contract like in the old days. We are experts in helping clients navigate through this confusion, so it’s worthwhile having a conversation with us.
How the World Bank reduced their email costs by 50%
An example from another risk-averse industry, banking, is the World Bank, which was looking for an alternative to Lotus Notes email. The CIO, Stephanie von Friedeburg, and her team initially proposed switching to Microsoft Exchange from Lotus Notes email. They decided they didn’t want the burden or cost of maintaining a mail server in every office in all 186 countries in which the World Bank operates. They ended up replacing 30,000 Notes licences with Microsoft Office 365, cutting the annual costs of running email from $12 million to $6 million and enabling employees to continue working in the event of political unrest or natural disasters.
Geographical versus logical boundaries
The reluctance to use a cloud solution has been exacerbated by legal systems based on unambiguous physical locations. IT systems only “understand” logical boundaries, not country borders, so these legal definitions are becoming increasingly irrelevant when you consider that data could potentially be stored anywhere in the world.
Suppliers of cloud-based solutions are very aware of pharmaceutical companies’ hesitations in moving to the cloud. To help alleviate this, the suppliers provide details of the data protection, availability and retention controls that they implement. Such controls can often provide better protection of your data when compared to current on-premise controls.
There are many multinational pharmaceutical companies that now routinely use public cloud infrastructure from Microsoft Azure and Amazon Web Services (AWS). On 11th May 2016, Microsoft announced that all data on Office 365 servers can now be stored only in Australia, helping those with privacy concerns or regulatory requirements about physical data location (e.g. government data). Microsoft has data centres in NSW and Victoria, giving you near instant connectivity to your information and services. Similarly, Amazon Web Services, another major cloud IT infrastructure provider, has a data centre in Sydney, for example.
All too often I see non-IT managers making big calls on “data security”, whilst not having the education, training or experience to fully appreciate the risks associated with smaller, less well-resourced IT departments. These companies are at considerable risk through their current practices, which are often lacking genuine capacity in security, governance, and business resilience.
A number of our clients like to “see” the server on a rack in the corner of a room on-site, as this provides a degree of false comfort. Unfortunately, as soon as this server is connected to the web without proper firewalls, antivirus software, email server etc., it is vulnerable! It is ironic that the same clients happily log into their online banking and transfer money, but consider putting data into the cloud too risky.
In fact, for many organisations, it may be more appropriate to state that “staying out of the Cloud is too risky”.