For the 10 years prior to joining 1E, I worked in the pharmaceutical industry handling IT, engineering, products, and services for Novartis Pharmaceuticals in many roles. Before that I worked in a variety of roles, typically as a consultant, for other pharmaceuticals, financial services, and energy companies.
Based on my experience and knowledge, I know intimately the unique difficulties that regulated industries experience, which have often made them slow to embrace certain kinds of technology and reticent to change practices that are well-documented and thorough. Regulation acts as a protective barrier around large companies in some ways, but the same regulations can cripple the speed at which they adapt to change.
I have had first-hand experience working through processes involving drug manufacturing and support of life-saving medications. I have worked through problems that were brought on by GDPR and with litigation-heavy, US-based companies that had to cope with a massive amount of discovery topics and data custodian challenges. These insights gave me an interesting lens when viewing the current work from anywhere (WFA) shift that the world is going through. Some of these practices apply to large enterprises overall, but many are focused in my area of expertise – regulated industries.
Some of those challenges regulated industries will encounter in the WFA world may not change significantly; for example, lab equipment that is GxP relevant will likely still be managed the way it was traditionally. But others, such as the enforcement of social distancing measures in manufacturing sites or research areas, will inevitably slow down some work—although the work itself will remain mostly as it was before the WFA world came to be.
Below are the top 3 challenges regulated industries must address in a WFA world
1. Regulatory compliance
Many of these industries (pharma, finance, public sector, or government) have the same problems: regulations dictating how they can work and where they can put their data are very specific. Migrating data is extremely difficult and sometimes country regulations that enforce data sovereignty (the fact that a certain sort of data belongs to that country) means that the move to WFA is even more difficult.
The good news is that many of these issues have been dealt with already. The major cloud providers have arms that focus specifically on this kind of work. For example, government versions of popular cloud platforms (AWS for government) or country-specific versions of SaaS offerings (O365 with a Swiss data center). The bad news is that vendor lock-in becomes even more problematic for these industries. With the data on premise or locked behind firewalls, there was some ability to dictate the pace of change and ensure proper control.
2. Vendor lock-in
With the move to cloud, change control and ensuring proper regulatory control has become a challenge. That challenge is made more difficult as the regulated industries are forced into a place where a single vendor holds their crown jewels, and those crown jewels are tied to a specific data centre in a specific country. Riskier still from a compliance perspective is that while internal controls can be maintained to ensure a data custodian (GDPR) is compliant, there is still regulation in place that demands accountability from the company that has handed over its data to a third party.
In the pharmaceutical world, this may mean that maintaining a chain of custody for sample handling may become more difficult if that data is stored in the cloud. While that is allowed by regulation (depending on the cloud provider), it means internal processes and controls have to be tied very closely to a cloud platform – even going so far as to name the platform and point to the controls that provider has in place to meet the requirements.
Similar challenges come when financial teams move away from the offices. Within the world of financial controls there have often been physical audits taking place, which may slowly disappear and become virtual audits. Where the primary worry is ensuring that data is kept within the protected walls of the financial institute, it becomes much more difficult as people work from home.
3. Workforce security and compliance
In the rush to embrace remote working during the COVID-10 pandemic and keep companies working, security controls had to become weaker than may otherwise be the case. If the VPN became overburdened (as happened to many companies early on) the access to virtual desktops or e-mail may have been cloud-first. Allowing a data custodian unfettered access to their e-mail over the internet though may introduce new risk. In the desire to just ‘get something done’ it would be too easy to download/modify/upload a document on a machine that is not under the company’s control.
In 1E’s latest research, The New Digital Workplace: Employee experiences with universal remote working since COVID, we surveyed US knowledge workers across industries to uncover their experience of working remotely during the pandemic. Surprisingly, 73% of employees in the healthcare and financial services sector stated that they aren’t concerned that their device security could be breached when working remotely.
Ensuring strong compliance on all devices has never been more important. Because employees delegate security and compliance control to IT rather than seeing it as a shared responsibility, cutting corners could cause irreparable damage. Several technologies exist, and have been embraced, to help IT better manage compliance. For industries with stiffer regulations, these technologies are critical as sometimes the loss of not being able to do business is less than the loss of doing business incorrectly.
Prepare for the work from anywhere world
Considering what compliance is required, which vendors meet those compliance needs, and ensuring proper control are key to the next steps in regulated industries. I’ll be expanding on this article during a breakout session at this year’s WFA enterprise conference, where I’ll take a deep dive into 1E’s latest report and the challenges they highlight for regulated industries. To see the full agenda and sign up for the conference, go to wfaconf.com