Protect and secure patient data.<\/span><\/h2>\n\t\t\t\t\t\t\tLearn how healthcare and life sciences companies can leverage Health Cloud and Salesforce Shield for compliance, governance, and PHI data protection.<\/p>\n\t\t\t\n\t\t\t\n\t\t\t\t\t\t\t
\n\t\t\t\t\tLearn More<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\n\t\t\n\t\t\t![\"hls-newsroom-card2-min\"](\"https:\/\/www.salesforce.com\/eu\/blog\/wp-content\/uploads\/sites\/14\/2022\/12\/hls-newsroom-card2-min.png\")
\t\t<\/div>\n\t<\/div>\n\n\t\n\t<\/div>\n\n\n\nHealth and life sciences organisations have an even higher duty of care to manage and protect sensitive data responsibly compared to other organisations,<\/b> but there\u2019s also a huge opportunity to tap into non-clinical company data to identify areas for improvement and optimisation. <\/p>\n\n\n\n
The first hurdle in many transformations is overcoming a sentiment of distrust from patients and staff around data being held in the cloud, and many organisations lack the security and technical expertise to assuage these fears and ensure they\u2019re complying with the right regulations. Help is at hand.<\/b><\/p>\n\n\n\nFinding the right partner<\/b><\/span><\/h2>\n\n\n\nWith cloud technology, the service provider \u2013 such as Salesforce \u2013 is considered to be acting as the data processor on behalf of the data controller<\/b> (the health or life science organisation), and each party has different obligations.<\/p>\n\n\n\n
GDPR defines the data controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.<\/p>\n\n\n\n
Is cloud storage compliant with GDPR? While ultimately, accountability for compliance lies with the health or life sciences company, Salesforce believes in sharing that responsibility by creating solutions that can be tailored to meet specific compliance needs. <\/b><\/p>\n\n\n\n
Salesforce is committed to trust<\/a> \u2013 in fact, it\u2019s our #1 value. <\/b>Nothing is more important than helping customers protect data and privacy while ensuring compliance with regulations and additional country-specific requirements. You can view the full list of Salesforce compliance certifications and attestations filtered by region and industry here<\/a>.<\/p>\n\n\n\nHow is Salesforce data protected?<\/b><\/h2>\n\n\n\n
We worked and continue to work closely with the EU Commission and its associated bodies, data protection authorities, and industry associates throughout the development and approval of General Data Protection Regulations<\/a> (GDPR), and few companies can match the privacy commitments we\u2019ve set out in our data processing addendum<\/a>. Salesforce was also a founding member of the EU Cloud Code of Conduct<\/a>, a charter that empowers cloud service providers to demonstrate GDPR compliance.<\/b><\/p>\n\n\n\nAs data intelligence becomes more prevalent, it\u2019s critical that companies remain accountable for safeguarding individuals\u2019 privacy and data. The Salesforce platform provides the tools to build trust<\/a> and transparency while improving the human experience, <\/b>and our Customer 360 Privacy Centre<\/a> provides a comprehensive privacy and data management solution to simplify data privacy, compliance, and archiving. <\/p>\n\n\n\nOur robust security and privacy programmes uphold the highest industry standards so you can implement your own security policy to reflect the needs of your unique business.<\/b><\/p>\n\n\n\nSix points to include in your security policy<\/b><\/h2>\n\n\n\n
The Salesforce platform has security built into every layer. <\/b>On an infrastructure level, it comes with replication and backup capabilities that you can configure, and disaster recovery planning tools. Network services include encryption in transit and advanced threat detection, and our application services provide identity management, authentication, and user access controls. <\/p>\n\n\n\n
A comprehensive cloud security policy needs to cover six main focus areas:<\/p>\n\n\n\n
1. Identity and Access Management (IAM)<\/b><\/h3>\n\n\n\n
IAM is really important to create a secure environment. Security measures include multi-factor authentication, password management, creating and disabling credentials, role-based access controls, segregation of environments, and privileged account activity.<\/p>\n\n\n\n
2. Securing data in the cloud<\/b><\/h3>\n\n\n\n
Data needs to be secured in all states. That includes in transit and when it\u2019s being stored. You need to consider who\u2019s responsible for data security at every stage. The shared responsibility model defines how you interact with cloud resources and who\u2019s responsible for data security. Salesforce gives you the power to classify data so you can track who has access to what type of data. Data is encrypted with \u2018hold your own key\u2019 \u2013 Salesforce only ever stores the output of an encryption process, not PII or protected health information (PHI). It also provides data masking to ensure developers are not exposed to PII and PHI in sandbox environments.<\/p>\n\n\n\n
3. Securing the operating system<\/b><\/h3>\n\n\n\n
A well-maintained operating system is a more secure operating system. Scheduling maintenance windows, keeping up with system configuration requirements, and establishing a patch baseline is vital. There are plenty of cyber criminals waiting to exploit vulnerabilities \u2013 don\u2019t give them the opportunity.<\/p>\n\n\n\n
4. Protecting the network layer<\/b><\/h3>\n\n\n\n
Network security can be complex \u2013 especially for healthcare and life science bodies \u2013 but it\u2019s critical to prevent unauthorised access to your systems. Identify where segmentation is needed, how to implement connectivity, and ensure your network is well maintained.<\/p>\n\n\n\n
5. Managing alerts, audit trails, and incident response<\/b><\/h3>\n\n\n\n
There are multiple data points to analyse for event management and security, and proper correlation algorithms are important for cloud operations. Make sure you use your cloud provider\u2019s monitoring and logging features and that you\u2019ve turned on notifications for unexpected changes or authentication failures.<\/p>\n\n\n\n
6. Complying with regulations<\/b><\/h3>\n\n\n\n
Compliance is more involved for healthcare and life sciences companies than other sectors. Take GDPR, for example. GDPR considers health data as a special category of personal data and imposes a higher standard of protection for processing. Organisations processing health data are obligated to:<\/p>\n\n\n\n
\n- Implement appropriate measures to ensure the security of processing systems, services, and personal data<\/span> <\/li>\n\n\n\n
- Perform data protection impact assessments<\/span> <\/li>\n<\/ul>\n\n\n\n
Report data breaches that could impact the rights and freedoms of individuals within 72 hours.<\/p>\n\n\n\n
Is Salesforce GxP compliant? <\/b><\/p>\n\n\n\n
Pharmaceutical and medical device companies need to be aware of EU regulations and any specific requirements of the countries they operate. Solutions need to be developed under internal and external audits that follow Good Automated Manufacturing Practice (GAMP 5) \u2013 also referred to as GxP or good practice compliance. This defines security standards around manufacturing and storage processes, along with research standards for non-clinical laboratory and safe human-subject clinical trials. Salesforce supports GxP by aligning the platform to our customers\u2019 quality management system (QMS) processes.<\/b><\/p>\n\n\n\n
On the provider side, any process such as digitally capturing a physician\u2019s signature when delivering product samples, logging a medical information request, or a manager digitally signing off on changes to quality management processes all need to be compliant with the FDA\u2019s Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (EMA GMP Annex 11).<\/p>\n\n\n\n
Salesforce gives health and life sciences companies the ability to meet compliance regulations in the following ways:<\/b><\/p>\n\n\n\n\n- Providing auditable, immutable change history for records down to a user level for an extended period<\/span> <\/li>\n\n\n\n
- Capturing and storing data with 256-bit encryption at rest and in transit with the option to bring or hold your own key<\/span> <\/li>\n\n\n\n
- Ensuring developers can use real data without revealing personally identifiable information (PII) with data masking<\/span> <\/li>\n\n\n\n
- Leveraging event monitoring to unlock deeper insights into events, restricting access or raising an alert when suspicious activity is detected.<\/span> <\/li>\n<\/ul>\n\n\n\n
Providing re-authentication in-process to verify user identity when working on controlled records is also on the roadmap for 2023.<\/b><\/p>\n\n\n\nAn ecosystem of trust<\/b><\/h2>\n\n\n\n
There are many solutions on the AppExchange<\/a> designed specifically for the health and life science industry by trusted independent software vendors.<\/b> These include quality management systems, safety and pharmacovigilance, clinical trial management systems, and e-signature solutions that can be configured to achieve compliance.<\/p>\n\n\n\nWorking with a Salesforce systems integrator (SI) partner can also help expedite compliance by leveraging ready-built components, best practices, documentation, testing, and validation. <\/p>\n\n\n\n
Compliance and security can seem overwhelming, but with the right partners and the right technology, you\u2019ll discover that a lot of the measures are already in place. <\/b>Getting your security policies in place allows the appropriate level of data privacy to be applied so you can simplify meeting these critical requirements and keep your data safe as you explore everything the cloud has to offer.<\/p>\n\n\n\n
Learn more about Health Cloud<\/a> or view our accreditations here<\/a>.<\/b><\/p>\n\n\n\n
\t\t<\/div>\n\t<\/div>\n\n\t\n\t<\/div>\n\n\n\nHealth and life sciences organisations have an even higher duty of care to manage and protect sensitive data responsibly compared to other organisations,<\/b> but there\u2019s also a huge opportunity to tap into non-clinical company data to identify areas for improvement and optimisation. <\/p>\n\n\n\n
The first hurdle in many transformations is overcoming a sentiment of distrust from patients and staff around data being held in the cloud, and many organisations lack the security and technical expertise to assuage these fears and ensure they\u2019re complying with the right regulations. Help is at hand.<\/b><\/p>\n\n\n\n With cloud technology, the service provider \u2013 such as Salesforce \u2013 is considered to be acting as the data processor on behalf of the data controller<\/b> (the health or life science organisation), and each party has different obligations.<\/p>\n\n\n\n GDPR defines the data controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.<\/p>\n\n\n\n Is cloud storage compliant with GDPR? While ultimately, accountability for compliance lies with the health or life sciences company, Salesforce believes in sharing that responsibility by creating solutions that can be tailored to meet specific compliance needs. <\/b><\/p>\n\n\n\n Salesforce is committed to trust<\/a> \u2013 in fact, it\u2019s our #1 value. <\/b>Nothing is more important than helping customers protect data and privacy while ensuring compliance with regulations and additional country-specific requirements. You can view the full list of Salesforce compliance certifications and attestations filtered by region and industry here<\/a>.<\/p>\n\n\n\n We worked and continue to work closely with the EU Commission and its associated bodies, data protection authorities, and industry associates throughout the development and approval of General Data Protection Regulations<\/a> (GDPR), and few companies can match the privacy commitments we\u2019ve set out in our data processing addendum<\/a>. Salesforce was also a founding member of the EU Cloud Code of Conduct<\/a>, a charter that empowers cloud service providers to demonstrate GDPR compliance.<\/b><\/p>\n\n\n\n As data intelligence becomes more prevalent, it\u2019s critical that companies remain accountable for safeguarding individuals\u2019 privacy and data. The Salesforce platform provides the tools to build trust<\/a> and transparency while improving the human experience, <\/b>and our Customer 360 Privacy Centre<\/a> provides a comprehensive privacy and data management solution to simplify data privacy, compliance, and archiving. <\/p>\n\n\n\n Our robust security and privacy programmes uphold the highest industry standards so you can implement your own security policy to reflect the needs of your unique business.<\/b><\/p>\n\n\n\n The Salesforce platform has security built into every layer. <\/b>On an infrastructure level, it comes with replication and backup capabilities that you can configure, and disaster recovery planning tools. Network services include encryption in transit and advanced threat detection, and our application services provide identity management, authentication, and user access controls. <\/p>\n\n\n\n A comprehensive cloud security policy needs to cover six main focus areas:<\/p>\n\n\n\n IAM is really important to create a secure environment. Security measures include multi-factor authentication, password management, creating and disabling credentials, role-based access controls, segregation of environments, and privileged account activity.<\/p>\n\n\n\n Data needs to be secured in all states. That includes in transit and when it\u2019s being stored. You need to consider who\u2019s responsible for data security at every stage. The shared responsibility model defines how you interact with cloud resources and who\u2019s responsible for data security. Salesforce gives you the power to classify data so you can track who has access to what type of data. Data is encrypted with \u2018hold your own key\u2019 \u2013 Salesforce only ever stores the output of an encryption process, not PII or protected health information (PHI). It also provides data masking to ensure developers are not exposed to PII and PHI in sandbox environments.<\/p>\n\n\n\n A well-maintained operating system is a more secure operating system. Scheduling maintenance windows, keeping up with system configuration requirements, and establishing a patch baseline is vital. There are plenty of cyber criminals waiting to exploit vulnerabilities \u2013 don\u2019t give them the opportunity.<\/p>\n\n\n\n Network security can be complex \u2013 especially for healthcare and life science bodies \u2013 but it\u2019s critical to prevent unauthorised access to your systems. Identify where segmentation is needed, how to implement connectivity, and ensure your network is well maintained.<\/p>\n\n\n\n There are multiple data points to analyse for event management and security, and proper correlation algorithms are important for cloud operations. Make sure you use your cloud provider\u2019s monitoring and logging features and that you\u2019ve turned on notifications for unexpected changes or authentication failures.<\/p>\n\n\n\n Compliance is more involved for healthcare and life sciences companies than other sectors. Take GDPR, for example. GDPR considers health data as a special category of personal data and imposes a higher standard of protection for processing. Organisations processing health data are obligated to:<\/p>\n\n\n\n Report data breaches that could impact the rights and freedoms of individuals within 72 hours.<\/p>\n\n\n\n Is Salesforce GxP compliant? <\/b><\/p>\n\n\n\n Pharmaceutical and medical device companies need to be aware of EU regulations and any specific requirements of the countries they operate. Solutions need to be developed under internal and external audits that follow Good Automated Manufacturing Practice (GAMP 5) \u2013 also referred to as GxP or good practice compliance. This defines security standards around manufacturing and storage processes, along with research standards for non-clinical laboratory and safe human-subject clinical trials. Salesforce supports GxP by aligning the platform to our customers\u2019 quality management system (QMS) processes.<\/b><\/p>\n\n\n\n On the provider side, any process such as digitally capturing a physician\u2019s signature when delivering product samples, logging a medical information request, or a manager digitally signing off on changes to quality management processes all need to be compliant with the FDA\u2019s Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (EMA GMP Annex 11).<\/p>\n\n\n\n Salesforce gives health and life sciences companies the ability to meet compliance regulations in the following ways:<\/b><\/p>\n\n\n\n Providing re-authentication in-process to verify user identity when working on controlled records is also on the roadmap for 2023.<\/b><\/p>\n\n\n\n There are many solutions on the AppExchange<\/a> designed specifically for the health and life science industry by trusted independent software vendors.<\/b> These include quality management systems, safety and pharmacovigilance, clinical trial management systems, and e-signature solutions that can be configured to achieve compliance.<\/p>\n\n\n\n Working with a Salesforce systems integrator (SI) partner can also help expedite compliance by leveraging ready-built components, best practices, documentation, testing, and validation. <\/p>\n\n\n\n Compliance and security can seem overwhelming, but with the right partners and the right technology, you\u2019ll discover that a lot of the measures are already in place. <\/b>Getting your security policies in place allows the appropriate level of data privacy to be applied so you can simplify meeting these critical requirements and keep your data safe as you explore everything the cloud has to offer.<\/p>\n\n\n\n Learn more about Health Cloud<\/a> or view our accreditations here<\/a>.<\/b><\/p>\n\n\n\nFinding the right partner<\/b><\/span><\/h2>\n\n\n\n
How is Salesforce data protected?<\/b><\/h2>\n\n\n\n
Six points to include in your security policy<\/b><\/h2>\n\n\n\n
1. Identity and Access Management (IAM)<\/b><\/h3>\n\n\n\n
2. Securing data in the cloud<\/b><\/h3>\n\n\n\n
3. Securing the operating system<\/b><\/h3>\n\n\n\n
4. Protecting the network layer<\/b><\/h3>\n\n\n\n
5. Managing alerts, audit trails, and incident response<\/b><\/h3>\n\n\n\n
6. Complying with regulations<\/b><\/h3>\n\n\n\n
\n
\n
An ecosystem of trust<\/b><\/h2>\n\n\n\n