Managing Identity for Big Pharma

A pharma's IT infrastructure is often spread across multiple business units, geographic regions, and legacy systems. A wave of mergers has reshaped the industry, bringing together disparate and sometimes conflicting IT infrastructures and corporate cultures. And rapidly growing, far-flung sales forces are fighting a battle of attrition for their customers' time and attention. Pharmaceutical companies also work in one of the world's most heavily regulated and monitored industries. U.S. Food and Drug Administration (FDA) guidelines cover every aspect of a pharma's operations, from laboratory procedures and manufacturing practices to clinical trials and drug marketing data. As firms adopt electronic new-drug applications and paperless record-keeping procedures, they must extend many of the same authentication, audit, and certification standards that governed their paper-based systems. An effective network-identity management infrastructure delivers a broad and inclusive security solution while allowing pharmas to deliver information wherever and whenever users need it. Identity management solutions allow pharmas to create, manage, and authenticate online identities; to provide customized access based on those identities; and to extend these policies to partners, customers, and suppliers. Among other features, an effective identity management solution provides network security and authentication services, identity management and provisioning, single-sign-on capabilities, and a portal-based Web services infrastructure.

These are tough times for big pharma. Drug research, development, and marketing costs have soared over the past two decades: Firms today routinely invest more than a decade of research and up to $800 million in a typical drug development effort. Biotechnology advances promise to revolutionize the drug discovery process—at a price. Yet, at the same time, pharma firms are under growing pressure to manage rising drug prices.

To prosper in this environment, pharmas have to exploit their most vital asset: knowledge. Companies that open their information technology systems to outside physicians and researchers and to business partners can streamline their drug R&D cycles, cut their time to market, and reduce their marketing costs. As a result, pharma firms are looking for new ways to improve access to their applications, databases and other sources of institutional knowledge, both within and beyond the enterprise.

Far-flung Pharmas

This is a challenging process for companies in any industry, but it is especially tough job for pharmas. A pharma's IT infrastructure is often spread across multiple business units, geographic regions, and legacy systems. A wave of mergers has reshaped the industry, bringing together disparate—and sometimes conflicting—IT infrastructures and corporate cultures. And rapidly growing, far-flung sales forces are fighting a battle of attrition for their customers' time and attention.

Pharmas also manage complex relationships with physicians, hospitals, research organizations, and business partners. Each group plays a critical role in the drug development process, yet each also adds another layer of cost and complexity to a firm's information security practices. In addition, outside partners are often unwilling or unable to deal with the usual virtual private network (VPN), reverse-proxy, and stand-alone access management solutions. "Many physicians simply won't tolerate a pharmaceutical company's telling them to put a VPN on their desktop," says Tony Giaccio, an account executive for Sun Microsystems' Sun Open Net Environment (Sun ONE).

Islands of Compliance

Pharmaceutical companies also work in one of the world's most heavily regulated and monitored industries. U.S. Food and Drug Administration (FDA) guidelines cover every aspect of a pharma's operations, from laboratory procedures and manufacturing practices to clinical trials and drug marketing data. As firms adopt electronic new-drug applications and paperless record-keeping procedures, they must extend many of the same authentication, audit, and certification standards that governed their paper-based systems. New laws, most notably the Health Insurance Portability and Accountability Act of 1996 (HIPAA), impose additional guidelines dealing with patient privacy, electronic signatures and certifications, and other basic data management practices.

Nevertheless, some firms' information security practices are redundant, confusing, and inefficient. In some cases, an IT staff may "manage" employee access by manually configuring individual applications, networks, and directory systems. In other cases, employees may have access to sensitive information for weeks or months after they leave a company, simply because an organization lacks the appropriate tracking and auditing tools. According to Scott Kitlinski, chief information officer for ePresence, a security and identity management solutions provider, such practices are a significant source of regulatory problems. "It's essential to avoid creating islands of compliance," Kitlinski says. "And to do that, firms need to take a holistic approach to their security practices."

What the Doctor Ordered

An effective network-identity management infrastructure delivers a broad and inclusive security solution while allowing pharmas to deliver information wherever and whenever users need it. Identity management solutions allow pharmas to create, manage, and authenticate online identities; to provide customized access based on those identities; and to extend these policies to partners, customers, and suppliers. Among other features, an effective identity management solution provides network security and authentication services, identity management and provisioning, single-sign-on capabilities, and a portal-based Web services infrastructure.

• Deciding which users get access to which resources. This includes the ability to grant, change, and terminate access seamlessly throughout an organization and to monitor the process to comply with internal security policies as well as external regulatory and audit requirements.
• The ability to allocate resources such as e-mail accounts and passwords to employees, contractors, and business partners. This process can reduce a firm's administrative costs, reduce the security risks associated with manual authorization procedures, and enable employees to become productive more quickly.
• A central authentication point, delegated management procedures, and single-sign-on capabilities. This can extend a scalable, secure information-access model across Web-based applications and reduce or eliminate the need for VPN software or other client-side security products.
• Support of key identity management standards that allow for open, fully interoperable solutions, such as the Liberty Alliance and Security Assertions Markup Language (SAML) specifications, the Lightweight Directory Access Protocol, and XML-based standards such as SOAP.
• Support for existing legacy applications, directories, and other legacy infrastructures.

Ready for the Future

An identity management solution also allows pharmas to manage the regulatory burdens as they transition from paper-based to electronic record-keeping and submission systems. This sort of "future-proof" solution is essential in a fluid, and sometimes incomprehensible, regulatory environment. "From the FDA's point of view, what matters is whether you can consistently control and change access within an appropriate time frame," Giaccio says. "There's nothing solid to go on in many cases; no one knows exactly what the rules are until the auditor shows up."