Data security in pharma marketing—the path to maturity
The state of data security in pharmaceutical marketing today is a bit like a college freshman trying to get into a bar on his first night on campus: not quite as mature as we think we are. While our capacity to communicate with and collect data from patients and prospects through marketing apparatus grows by the day, our ability to proactively protect those communications and that data is lagging behind. Given the explosive growth of such data, its potential sensitivity, the number of hands through which it may pass, and the consequences to companies and brands if those hands should be careless or if ill-meaning outsiders should acquire it, data security must and will become a top priority for any pharmaceutical brand, if it has not reached that level already.
What do we mean by not quite mature? Pharma sites that collect personal information are all secure, right? They all have the “s” after the “http” and up-to-date security certificates and the little padlock on the browser? Yes, they most likely do. But as any medieval knight would tell you, armor is weakest at the joints. As we see it, the highest risk of unauthorized data capture in the pharma marketing space today is not at the point of entry but at the various points of transfer or collection—not on the site itself but in the data center and the movement of data between the various internal or external constituencies that might be using it. If you are a brand manager, do you know where your data physically lives, who manages it, when it is being expired, backed up, transferred? Do you think the people that control the digital assets of banks or brokerage houses know all those things? You had best believe they do—and so should we.
Sensitive data, soft boundaries
Perhaps the greatest risk presented by the collection of health-related data in a marketing context is the risk of soft boundaries. When a company collects potentially sensitive data from patients for purely internal use, it is generally going to be stored in a secured environment, protected by all the usually rigorous IT practices of a multimillion- or billion-dollar corporation. But when companies start shipping data outside the nest—to content aggregators, data aggregators, or marketing/advertising agencies—they may be placing themselves in a tricky position. A hacker would have to be quite sophisticated to pull anything sensitive off of a website or out from the cellars of a pharma company's own internal storage mechanisms. But when a chunk of data has been bundled up and put on an FTP site to be transferred to a data aggregator, that degree of difficulty drops significantly. And if the partners with which you work are not well versed in the language of data security, it drops even further. If all your security dollars are invested in internal protocols, then you've basically built the modern equivalent of France's Maginot Line, and are pretty much openly inviting the German army to simply go around it.
Some brand managers, we expect, might hear all this and say, “What, me, worry?” Why, they might say, would any hacker worth their name take the time to dig for something that, unlike those credit card numbers at Target, has no obvious dollar signs at the opposite end of it? To this point we have two responses: first, the gigantic data security breach that the marketing services company Epsilon suffered in 2011, and second, the anarchic nature of hackers themselves.
• Epsilon breach. Personal information is valuable on the black market even if it isn't tied to credit card or financial information. A batch of valid email addresses and accompanying usernames and passwords can be sold and used for spamming and phishing schemes.
• Hacker anarchy. Anyone who doesn't think a hacker wouldn't revel in the joy of posting the names of famous people, or even ordinary people, who have clinical depression or low testosterone or even restless leg syndrome on some public forum simply doesn't understand the nature of hackers.
And then, of course, there's the misbalancing of probability and risk. At the R&D end of the building, staff must always have an amplified sense of the danger of the unlikely-but-potentially-catastrophic; if one of their compounds kills or maims or even causes excessive flatulence in one out of every 10,000 people that take them, that compound will likely never see the light of day. Back on this end, if a brand's marketing department suffers a data breach, you can bet it will land on the first page of the New York Times and the Wall Street Journal, shareholders will be none too pleased, jobs will be lost, and patients will likely miss out on potentially lifesaving treatment due to the fallout. We need to defend against that sort of catastrophe with the same sort of rigor that the drug researchers do.
Steps toward data security maturity
So what's a brand manager to do? The first step is to develop a real understanding of the situation – a data security audit – which is often conducted in partnership with their IT department and agencies. Some good questions to ask:
• How many sites, registration forms, data feeds do your marketing teams manage? How many outside vendors are involved? How many subcontractors are those vendors using? What steps are all of above taking to be sure their servers are secure?
• What data are your mobile apps moving around? Consumer health tracking apps, HCP apps, sales rep digital sales aids, all of them.
• Who is using your data? Aggregators, marketing services suppliers, partner agencies, whomever. And under what conditions is access to that data granted or denied? What sorts of QA and data security standards or processes do all those users have?
Your data are a bit like your teenage children; at 10 o'clock, you'd best know where they are, and with whom.
Practicing informed caution
Once you have answers to all these questions, you have to decide what to do, and how much you are willing to invest. And now we'd like to say something that may sound counterintuitive, given all that's come before: don't let your paranoia defeat your real purpose. The natural human response to hearing folks like us say things like what we've been saying is to buy a gun, build a safe room in your house, and make all your data assets so terrifyingly secure that even the NSA's best people won't be able to get in. And that, of course, is exactly the wrong approach. What we are preaching here is informed caution, not paranoia. Any conversation about data security in this context should begin and end with the objective of the digital asset—most frequently here to communicate with and learn from customers. And if your security solution is going to significantly impede that objective, you'd better have a long, hard think about your priorities. Ever encountered one of those CAPTCHA security images online that was so hard to read that you decided not to sign up for whatever you were about to sign up for? That multiplied by all the users of your website is the potential price of too much security. To borrow another overused cliché: don't let the terrorists win.
The starting line: informed caution
There's a healthy distance, though, between the safe room scenario and good old informed caution, and informed caution is where we as marketers need to be. Just the mere act of undergoing a data security audit, of learning the ins and outs of where one's data is coming and going, who is touching it, and what processes are involved in securing, maintaining, and eventually disposing of it, would be an enormous step toward maturity in this area. Another positive step we have helped our clients take has been to create a universal data security best practices policy that applies not only internally but to every constituency that touches your data. And another would be to make review and updating of security procedures a regular part of your brand calendar. And another would be to ask all your marketing partners, digital vendors, etc. what they are proactively doing to keep your data safe – and not just once, but on a regular basis.
Bottom line: there is no magical one-size-fits-all solution to the data security problem in pharma marketing. The potential threats out there are protean – they may look quite different next week and next month and next year – just as your brand's internal data needs and risk tolerance do. But data security in this business needs to be a choice, and a choice based on knowledge, not on guesswork or fear. When we reach that point, we will have indeed grown up.
Intouch Solutions has produced a short guide to help pharma clients understand Heartbleed and how it affects them. You can access it HERE at intouchsol.com.
Brian Corn is VP of professional/consulting services and Paul Pierce is VP of development services for Intouch Solutions.