Protecting Sensitive Information in the COVID-19 Era
Cybersecurity has become an enormous concern. In the last year, 80 percent of organizations have experienced a breach caused by a third-party vendor. The level of threat activity in the first half of 2020 surpassed all of the activity in 2019. Hackers create 300,000 pieces of malware every day. Employee decisions are often the weak link in efforts to protect information from hackers. For example, in 2018 a NASA employee brought a personal computer to work without permission and connected it to NASA’s Jet Propulsion Laboratory network, which a hacker later targeted to gain access to adjoining systems. And according to Microsoft, 44 million of its customers are still using passwords that have been compromised by known, large-scale breaches.
The COVID-19 pandemic has dramatically changed how and where people work. This has increased the importance of individual decision-making in protecting companies from cybersecurity risks to their most sensitive information, including trade secrets. Almost overnight, a majority of the global workforce was using technology to work remotely from home—technology that was not designed to replicate all of the data security measures that exist in corporate facilities.
This abrupt shift has been especially challenging for life sciences companies. This is the result of myriad factors, including the increasing transition from written health care records to electronic forms, the confidentiality requirements unique to their business, and their need to protect commercially sensitive intellectual property. Employees of life sciences companies regularly deal with highly confidential information concerning patients, drug manufacturing, trade secrets, and pricing and promotions. Even before COVID-19, these companies were a regular target for cyber-attacks: “Between 2012 and 2014, cybercriminals started to ramp up attacks on the healthcare industry, which remarkably suffered more than the business, military, and government sectors.” Connor McLarren, Once More Unto the Breach: How the Growing Threat of Ransomware Affects HIPAA Compliance for Covered Entities, 15 Ind. Health L. Rev. 305, 308 (2018). The pandemic has heightened that threat.
Where traditional solutions, such as virtual private networks (VPN), are not seen as sufficient to protect highly sensitive information, such as key information related to a company’s drug development pipeline or financials, companies may opt for the remote use of company-owned devices and data protocols in lieu of personal devices, or limit the types of information that can be accessed remotely (even though personnel will find that to be a frustrating approach).
In addition, companies providing clinical testing may need to adapt in analyzing and preparing patient results, and employees working in general R&D must adopt more robust confidentiality measures for preparing patent applications, analyzing copyrighted data, and documenting trade secret methods, formulations, and manufacturing processes. Companies can conduct cybersecurity training or otherwise educate employees about the various tactics used by cybercriminals to acquire sensitive information and ways they can protect their personal home wireless networks and the devices attached to them. See Amy Candido, et al., “Reasonable Measures” To Protect Trade Secrets At Risk With Employees Working-From-Home Amid Covid-19 Crisis, Quinn Emanuel (Apr. 2, 2020), https://www.quinnemanuel.com/media/pebmpg0u/client-alert-reasonable-measures-to-protect-trade-secrets-at-risk-from-employees-working-from-home-amid-covid-19-crisis-5.pdf.
Federal agencies have weighed in. The FDA has recognized that companies conducting clinical trials might need to change their data management procedures and handling of patient information. U.S. Food & Drug Administration, Conduct of Clinical Trials of Medical Products During the COVID-19 Public Health Emergency (Jan. 27, 2021). The Department of Justice suggests that companies use the National Institute of Standards and Technology’s (“NIST”) voluntary cybersecurity framework as part of their efforts. NIST voluntary cybersecurity framework, 1 Health L. Prac. Guide § 5B:14 (2020). NIST is drafting a guide to cybersecurity risk. The current draft is at https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286A-draft.pdf, with a final report due later this year. The Department of Health and Human Services has published a list of Top 10 Tips for Cybersecurity in Health Care: (1) establish a security culture; (2) protect mobile devices; (3) maintain good computer habits; (4) use a firewall; (5) maintain anti-virus software; (6) plan for the unexpected; (7) control access to protected health information; (8) use strong passwords and change them regularly; (9) limit network access; and (10) control physical access. https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf. HHS has published its own practices for the health industry. www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf