For the 10 years prior to joining 1E, I worked in the pharmaceutical industry. I was handling IT, engineering, products, and services for Novartis Pharmaceuticals in many roles. Before that I worked in a variety of roles – typically as a consultant – for other pharmaceuticals, financial services, and energy companies.
Based on my experience and knowledge, I understand the unique difficulties that regulated industries experience, which have often made firms slow to embrace certain kinds of technology and reticent to change practices that are well-documented and thorough. Regulation acts as a protective barrier around large companies in some ways, but the same regulations can cripple the speed at which they adapt to change.
However, an inability to adapt to change, especially given the increasing move to work from anywhere (WFA), means organizations may miss out on the benefits of remote working.
The unique challenges regulated industries face in the world of remote work
I have had first-hand experience working through processes involving drug manufacturing and support of life-saving medications. I have worked through problems that were brought on by GDPR and with litigation-heavy, US-based companies that had to cope with a massive amount of discovery topics and data custodian challenges. These insights provided an interesting lens when viewing the current shift to work from anywhere (WFA) that the world is going through. Some of these practices apply to large enterprises overall, but many are focused in my area of expertise – regulated industries.
Some of the challenges regulated industries and sectors will encounter in the WFA world may not change significantly; for example, lab equipment that is GxP relevant will likely still be managed the way it was traditionally. But others, such as the enforcement of social distancing measures in manufacturing sites or research areas, will inevitably slow down some work—although the work itself will remain mostly as it was before the WFA world and demand to work remotely came to be.
But, from increased productivity (at least 4.4%), to higher retention (54% of employees would change roles for a company that offers more flexibility), the benefits of remote working for organizations are numerous. Below are the top 3 challenges regulated industries must address in a WFA world to reap the benefits of remote working:
Many of these industries (pharma, finance, public sector, or government) have the same problems: industry regulations dictate very specifically how they can work and where they can put their data. Migrating data is extremely difficult, and sometimes country regulations that enforce data sovereignty (the idea that a certain sort of data belongs to that country) make the move to WFA and the ability to work remotely effectively even more difficult.
The good news is that many of these issues have been dealt with already. The major cloud providers have arms that focus specifically on this kind of work: for example, government versions of popular cloud platforms (AWS for government) or country-specific versions of SaaS offerings (O365 with a Swiss data center). The bad news is that vendor lock-in becomes even more problematic for these industries. With the data on premises or locked behind firewalls, there was some ability to dictate the pace of change and ensure proper control.
With the move to cloud, change control and ensuring proper regulatory control has become a challenge. That challenge is made more difficult as the regulated industries are forced into a place where a single vendor holds their crown jewels, and those crown jewels are tied to a specific data centre in a specific country. Riskier still from a compliance perspective is that while internal controls can be maintained to ensure a data custodian (GDPR) is compliant, there is still regulation in place that demands accountability from the company that has handed over its data to a third party.
In the pharmaceutical world, this may mean that maintaining a chain of custody for sample handling may become more difficult if that data is stored in the cloud. While that is allowed by regulation (depending on the cloud provider), it means internal processes and controls have to be tied very closely to a cloud platform – even going so far as to name the platform and point to the controls that provider has in place to meet the requirements.
Similar challenges come when financial teams move away from the offices. Within the world of financial controls there have often been physical audits taking place, which may slowly disappear and become virtual audits. Where the primary worry is ensuring that data is kept within the protected walls of the financial institute, it becomes much more difficult as people work from home.
In the rush to embrace remote working during the COVID-19 pandemic and keep companies working, security controls had to become weaker than may otherwise be the case. If the VPN became overburdened (as happened to many companies early on), the access to virtual desktops or e-mail may have been cloud-first. Allowing a data custodian unfettered access to their e-mail over the internet, though, may introduce new risk. In the desire to just ‘get something done’, it would be too easy to download, modify, and upload a document on a machine that is not under the company’s control.
In 1E’s latest research, The New Digital Workplace: Employee experiences with universal remote working since COVID, we surveyed US knowledge workers across industries to uncover their experience of working remotely during the pandemic. Surprisingly, 73% of employees in the healthcare and financial services sector stated that they aren’t concerned that their device security could be breached when working remotely.
Ensuring strong compliance on all devices has never been more important. Because employees delegate security and compliance control to IT rather than seeing it as a shared responsibility, cutting corners could cause irreparable damage. Several technologies exist, and have been embraced, to help IT better manage compliance. For industries with stiffer regulations, these technologies are critical, as sometimes the loss from not being able to do business is less than the loss from doing business incorrectly.