Simplify Meeting EU Compliance and Security Requirements

How healthcare and life sciences companies can simplify meeting EU compliance and security requirements with Salesforce.

It’s an exciting time for the healthcare and life sciences industry. Advances in technology and cloud computing are continuing to accelerate innovation built on safe and secure platforms, elevate the patient and clinician experience, and transform operations across the MedTech manufacturing supply chain.

In the healthcare sector alone, the number of cloud technologies with the potential to transform the patient experience, safety, quality, medical information, and patient services is vast – from the ERP system, electronic health records, and imaging, to communication services, backend office management, telemedicine, and medical devices.

But central to any conversations around cloud technology are data integrity, system robustness and reliability, regulatory compliance, not to mention patient confidence in data privacy and security. There’s no one law around compliance in the cloud, instead, the legal and regulatory landscape is made up of multiple rules and requirements for different regions and industries.

Health and life sciences organisations have an even higher duty of care to manage and protect sensitive data responsibly compared to other organisations, but there’s also a huge opportunity to tap into non-clinical company data to identify areas for improvement and optimisation.

The first hurdle in many transformations is overcoming a sentiment of distrust from patients and staff around data being held in the cloud, and many organisations lack the security and technical expertise to assuage these fears and ensure they’re complying with the right regulations. Help is at hand.

Finding the right partner

With cloud technology, the service provider – such as Salesforce – is considered to be acting as the data processor on behalf of the data controller (the health or life science organisation), and each party has different obligations.

GDPR defines the data controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Is cloud storage compliant with GDPR? While ultimately, accountability for compliance lies with the health or life sciences company, Salesforce believes in sharing that responsibility by creating solutions that can be tailored to meet specific compliance needs.

Salesforce is committed to trust – in fact, it’s our #1 value. Nothing is more important than helping customers protect data and privacy while ensuring compliance with regulations and additional country-specific requirements. You can view the full list of Salesforce compliance certifications and attestations filtered by region and industry here.

How is Salesforce data protected?

We worked and continue to work closely with the EU Commission and its associated bodies, data protection authorities, and industry associates throughout the development and approval of General Data Protection Regulations (GDPR), and few companies can match the privacy commitments we’ve set out in our data processing addendum. Salesforce was also a founding member of the EU Cloud Code of Conduct, a charter that empowers cloud service providers to demonstrate GDPR compliance.

As data intelligence becomes more prevalent, it’s critical that companies remain accountable for safeguarding individuals’ privacy and data. The Salesforce platform provides the tools to build trust and transparency while improving the human experience, and our Customer 360 Privacy Centre provides a comprehensive privacy and data management solution to simplify data privacy, compliance, and archiving.

Our robust security and privacy programmes uphold the highest industry standards so you can implement your own security policy to reflect the needs of your unique business.

Six points to include in your security policy

The Salesforce platform has security built into every layer. On an infrastructure level, it comes with replication and backup capabilities that you can configure, and disaster recovery planning tools. Network services include encryption in transit and advanced threat detection, and our application services provide identity management, authentication, and user access controls.

A comprehensive cloud security policy needs to cover six main focus areas:

1. Identity and Access Management (IAM)

IAM is really important to create a secure environment. Security measures include multi-factor authentication, password management, creating and disabling credentials, role-based access controls, segregation of environments, and privileged account activity.

2. Securing data in the cloud

Data needs to be secured in all states. That includes in transit and when it’s being stored. You need to consider who’s responsible for data security at every stage. The shared responsibility model defines how you interact with cloud resources and who’s responsible for data security. Salesforce gives you the power to classify data so you can track who has access to what type of data. Data is encrypted with ‘hold your own key’ – Salesforce only ever stores the output of an encryption process, not PII or protected health information (PHI). It also provides data masking to ensure developers are not exposed to PII and PHI in sandbox environments.

3. Securing the operating system

A well-maintained operating system is a more secure operating system. Scheduling maintenance windows, keeping up with system configuration requirements, and establishing a patch baseline is vital. There are plenty of cyber criminals waiting to exploit vulnerabilities – don’t give them the opportunity.

4. Protecting the network layer

Network security can be complex – especially for healthcare and life science bodies – but it’s critical to prevent unauthorised access to your systems. Identify where segmentation is needed, how to implement connectivity, and ensure your network is well maintained.

5. Managing alerts, audit trails, and incident response

There are multiple data points to analyse for event management and security, and proper correlation algorithms are important for cloud operations. Make sure you use your cloud provider’s monitoring and logging features and that you’ve turned on notifications for unexpected changes or authentication failures.

6. Complying with regulations

Compliance is more involved for healthcare and life sciences companies than other sectors. Take GDPR, for example. GDPR considers health data as a special category of personal data and imposes a higher standard of protection for processing. Organisations processing health data are obligated to:

• Implement appropriate measures to ensure the security of processing systems, services, and personal data
• Perform data protection impact assessments

Report data breaches that could impact the rights and freedoms of individuals within 72 hours.

Is Salesforce GxP compliant?

Pharmaceutical and medical device companies need to be aware of EU regulations and any specific requirements of the countries they operate. Solutions need to be developed under internal and external audits that follow Good Automated Manufacturing Practice (GAMP 5) – also referred to as GxP or good practice compliance. This defines security standards around manufacturing and storage processes, along with research standards for non-clinical laboratory and safe human-subject clinical trials. Salesforce supports GxP by aligning the platform to our customers’ quality management system (QMS) processes.

On the provider side, any process such as digitally capturing a physician’s signature when delivering product samples, logging a medical information request, or a manager digitally signing off on changes to quality management processes all need to be compliant with the FDA’s Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (EMA GMP Annex 11).

Salesforce gives health and life sciences companies the ability to meet compliance regulations in the following ways:

• Providing auditable, immutable change history for records down to a user level for an extended period
• Capturing and storing data with 256-bit encryption at rest and in transit with the option to bring or hold your own key
• Ensuring developers can use real data without revealing personally identifiable information (PII) with data masking
• Leveraging event monitoring to unlock deeper insights into events, restricting access or raising an alert when suspicious activity is detected.

Providing re-authentication in-process to verify user identity when working on controlled records is also on the roadmap for 2023.

An ecosystem of trust

There are many solutions on the AppExchange designed specifically for the health and life science industry by trusted independent software vendors. These include quality management systems, safety and pharmacovigilance, clinical trial management systems, and e-signature solutions that can be configured to achieve compliance.

Working with a Salesforce systems integrator (SI) partner can also help expedite compliance by leveraging ready-built components, best practices, documentation, testing, and validation.

Compliance and security can seem overwhelming, but with the right partners and the right technology, you’ll discover that a lot of the measures are already in place. Getting your security policies in place allows the appropriate level of data privacy to be applied so you can simplify meeting these critical requirements and keep your data safe as you explore everything the cloud has to offer.

Learn more about Health Cloud or view our accreditations here.