Article | December 9, 2013

Real/Future Information Risk of R&D – CROs

Source: Life Science Leader

By Bruce Murphy (Principal) and Muhammad Kashif (Manager), Deloitte

The jury is still out on the ultimate impact of healthcare reform in general, and perhaps this impact is even murkier in the life sciences  space.  Certainly there will be very dramatic changes to the providers (hospitals, primary care, etc.) and payers (insurance companies, health plans, etc.), but it is more difficult to see exactly how the changes will manifest themselves for the remaining entities in the health sciences arena.

 

Impact of Generic Drugs – they are being used in increasing numbers and this is changing the traditional business model for Big Pharma and ultimately creating price pressure and the need to find innovative and inexpensive ways to produce new drugs.  This, in turn, challenges traditional execution methods and stresses control techniques.

 

Top-Line Growth Waning – due to pricing pressures and the overall impact of the economy, life sciences companies have had difficult time growing top-line revenue.  This has forced them to aggressively control their cost structures to preserve earnings per share and maximize shareholder return.

Mergers & Acquisitions – as companies chase top-line growth, an effective answer has been merger and acquisition.  Several large pharmaceutical companies have adopted this path to growth, and have demonstrated the significant opportunity to capture market share in this way.  While these combinations certainly present opportunity, the glowing promise could go unrealized if the risks to the technology infrastructures and related control programs are not mitigated.

Increasing Costs of R&D – the costs to drive R&D and deliver new products to market are continuing to grow. Clinical trials are more complex and expensive than ever — the cost of bringing a novel drug to market is estimated now at $1.3 billion. This is driven by the regulatory requirement for longer, larger, more diverse and complex clinical trials, resulting in U.S. PhRMA (Pharmaceutical Research and Manufacturers of America) companies collectively spending $50 billion on R&D in 2007 (PhRMA, 2009).

Virtualization & Collaboration – Life sciences companies have regularly looked to external entities to support their innovations and growth. An example of this is using a CRO to perform specific research activities on behalf of the sponsor.  To do this requires an extension of trust to the CRO and necessitates that the controls structure of the parent entity be extended into the CRO and their extended ecosystem.

Emerging Markets – not only are emerging markets a growth engine, they present real opportunities to leverage their less expensive costs structures in the production cycle, from design to manufacture.

Whatever specific scenario manifests itself, it is clear that the changes are real, immediate, and transformational.

Real and present risks today
1. Data Leakage – due to the miniaturization of technology, there are now multiple avenues through which we can share and exchange information.  We can now store terabytes of data on very small computing devices and transmit this data to multiple sources very quickly.
2. Data integrity – as data flows between organizations and systems, considerable stress is placed on the ability to preserve the integrity of the data. Each one of these handoffs present opportunities for error- controls that need to be established over these connection points.
3. Levels of abstraction – third parties of third parties — as the business need to leverage third parties has increased, it has become more difficult to understand the full ecosystem that has been established to support a particular business relationship or application. Data is typically shared with a primary outsourced partner, but what is frequently unknown is the full extent to which your third parties use others to support their environments.
4. Destruction/loss of data – incomplete destruction of data while erasing hard drives, deleting firmware of copiers/printers or incomplete eradication of data from third parties
5. Privacy and Compliance – increasing number of global privacy laws and standards (e.g. privacy regulations set forth by the European Union) intended for organizations that store customer data are getting more stringent.  Staying compliant with U.S. and international privacy regulations during data exchanges (including cross border transfers) is a challenge for life science organizations.

So what can we do about the increased risks?
Life sciences organizations often do not have a good understanding of the movement, proliferation, and evolution of their data. Effective protection of data is not possible without understanding the whole life cycle, which will help identify the level of protection required for different types of data, at various points in the life cycle.
Life sciences organizations need an enterprise-level solution which includes data governance strategies, organizational policies and procedures, and controls to identify, monitor, and protect data through its lifecycle:

• Risk based prioritization – Design and implement controls to protect the information based on its criticality.
• Obfuscation – This technique is used to hide sensitive and/or personally identifiable information (PII) related data from operations as well as the developers in case production data is being used during testing purposes.
• Legal protection – Contract language/right to audit —  this is a traditional technique, but often is difficult to enforce.
• Data mapping – Map the movement, proliferation, and evolution of sensitive data across business processes, third parties and/or cross-border transfers.
• Rationalized regulatory requirements and laws – A multitude of laws, regulation and standards exist around the globe that dictate requirements around data protection and privacy, and complying with them separately can be very inefficient and expensive.

In Summary
Significant changes in the industry, such as the emerging markets and increases in outsourcing, seem sure to impact the information risk posture of the organization.  Companies that will stay ahead of the changes and proactively manage risk to their intellectual property and other sensitive data can successfully avoid higher regulatory scrutiny, damaging press, and other financial implications resulting from the loss or compromise of information.


This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.  Certain services may not be available to attest clients under the rules and regulations of public accounting.

 

Want to publish your opinion?

                Contact us to become part of our Editorial Community.