How Safe is Your Business?

Why Top Class IT Security is Essential to Healthcare Logistics

09.05.2014

Staying in Control - IT security requires some effort. Not investing in security measures can turn out to be much more expensive than actually doing it, according to Marcel Reifenberger, IT Security Officer at Movianto Group, a European healthcare logistics partner for the pharmaceutical, biotech and medical device industry. CHEManager International asked him about the importance of top class IT security for the healthcare industry and its logistics processes.

CHEManager International: How do you define the term IT security?

M. Reifenberger: Security refers to the state of being free from danger or threats, which nowadays is almost impossible to achieve. All the criminal energy creates risks faster than they can be contained. As a consequence, IT security systems should be able to recognize current trends, develop new ideas and fix security flaws before anything can happen. The key to success in IT security is to have your finger at the pulse of time.

Recently, a study conducted by Steria among European companies showed that 90% of the interviewed companies believed themselves capable of dealing with a major security crisis. However, only a quarter stated they had a 24/7 IT security solution. Therefore, the IT security officer's scope of tasks has fundamentally changed. While formerly our work was mainly technical, today questions of 24/7 availability, compliance or marketing play a major role, too, when it comes to defining an IT security framework for the company.

What priority do IT systems have in healthcare logistics?

M. Reifenberger: Electronic thieves could take advantage of opportunities to hack the companies' corporate networks or IT systems and even steal confidential company, client or employee information. Phished information can either be sold or used to counterfeit drugs, commit identity theft or fraud. However, IT systems in general are definitely known and accredited as one of the pillars of a company. Especially in the healthcare industry a major security crisis can seriously threaten your business.

Every IT system - above all in the healthcare sector - should be flexible and safe. A simple example from our line of business depicts clearly why this is such an important topic. When Movianto is assigned with the delivery of certain drugs directly into the operating room of a hospital, the patient's life is also in our hands. Even the slightest mistake or delay can endanger the successful outcome of the surgery. Therefore, we follow strict protocols and make sure everything goes as planned.

What are the main risks during data exchange in healthcare logistics?

M. Reifenberger: In a globalized world, security threats can occur along the entire supply chain at any time. In this respect, both healthcare companies as well as their logistics providers have a huge responsibility, since they administrate sensitive data of thousands of employees and clinical trial participants.

In addition, targeting healthcare companies seems to have become the new strategy of organized crime. If they manage to hack a corporate IT system, the inside information obtained is usually used to expand their black market operations.

Therefore, every step of the supply chain involves certain risks that need to be contained. Movianto, as the leading European healthcare logistics provider, does not only offer dedicated warehousing and other services but also facilitates the real-time tracking of each delivery, allowing customers full transparency at all times.

What are your methods to maintain IT security?

M. Reifenberger: First, it is my responsibility to consider a great deal of the so-called inefficiency factors and ask myself the question 'How can I run the IT system safely and at the same time grant access to partners and employees - both in an efficient way?'.

Secondly, the introduction of an Information Security Management System - ISMS - is mandatory. This ISMS framework is compiled of an array of different measures - e.g. policies, processes and systems - that guarantee to react in an optimal way in case of any security breaches. In case of a sudden event, risks can be managed better when using intelligent monitoring systems, backups and other tools.

According to a study conducted by Steria Mummert Consulting in 2014, nine out of ten companies in Germany believe themselves to be able to deal with a big IT security crisis. However, only a third stated they had a 24/7 IT security solution. This overconfidence causes a significant security risk and shows that obviously only a few companies apply an appropriate solution for the type of risks. We are very much aware of these challenges and the importance of each component for the overall IT performance. For this reason, we use a double failsafe IT environment, which ensures 99.5% availability, i.e. after a complete crash our system is designed to be back online and running after only 3.6 hours.

What else does Movianto do differently?

M. Reifenberger: Let me give you three examples of the security we provide to the European healthcare industry:

In recent years, the frequency and severity of cyber-attacks on businesses and organizations across the pharmaceutical market have increased sharply as well as the direct and indirect costs they inflict. Movianto developed a completely new user validation system, which has already been successfully implemented. Thanks to this system, Movianto owns a personalized authentication module, which basically ensures that neither can personal data be stolen, nor can a password change be exploited in any way.

Movianto enjoys the results of regular external audits on the basis of globally certified standards, streamlined guidelines and our European Quality Management System. Due to our high-level risk protection we stay in control. Moreover, we do not restrict ourselves to just one certification - we have several, all of which are reinforced by regular internal audits in all of our European subsidiaries.

In business, operational security is driven by multiple factors, e.g. operational, compliance and audit demands. Of course, all of it needs to be cost efficient and transparent. While standards and methods used to quantify security and operational control are already established, common open standards for the assessment of financial risks and to measure the value of activities were not available. Therefore, I created a solution named OpenDEEM - Open Dynamic Efficiency Evaluation Methodology. This method, which is developed as an open standard, strives to close this missing link. It has recently become an official part of the Fedora Security Lab, an upstream collection of security tools and methods for the official Fedora Security Spin of the Fedora Project, which is one of the largest Open Source Projects with more than 30 million users worldwide. Thanks to this methodology, we now have the ability to compare the costs of an investment to its real value for the company. Let us assume an investment of €5,000 was only worth €2,500 - through the OpenDEEM methodology that would become clear before spending the money. Therefore, it is justified to say that we have the same top level IT security as the "big players" in the logistics industry.

So, what would be your essential piece of advice?

M. Reifenberger: IT security requires some effort; not investing in security measures can turn out to be much more expensive than actually doing it. The worst-case scenario would be immense damage to corporate reputation. Safety awareness will open new doors. Use this opportunity!

Contact

Movianto Deutschland GmbH

In der Kammerwiese 3
65462 Ginsheim-Gustavsburg
Germany

+49 6134 5678 105
+49 6134 5678 298