
Three aspects of a digital transformation strategy for life sciences
Dec. 18, 2022 · Authored by Labi Rabiu, Chuck Andrews, Pamela Esparza
Many life sciences companies invest in digital transformation by using technology to automate processes and data flow. By doing so, companies can run leaner, be more effective and efficient in their operations, and enhance customer and shareholder experience.
But there are risks. How do you align the technology with your current business processes? Is your current system sufficient, or do you need changes? What are the cyber risks?
When done strategically, digital transformation can be especially beneficial for life sciences companies that have small headcounts and focus most of their resources on internal product development.
We’ll touch on three aspects of a digital transformation strategy for life sciences companies:
Transforming business processes with technology can offer many benefits, but it’s important to assess existing systems first, understand potential challenges, and develop a strategy.
There are several significant challenges that your life sciences organization might face as you move through a digital transformation strategy.
Digital transformation requires your organization to be able and willing to invest in technology to meet your strategic goals.
There might be a limited understanding among employees of why the transformation is necessary. Poor planning, communication, and lack of stakeholder buy-in can lead to transformation misalignment.
Most life sciences companies don’t have a large labor force; they operate with low headcounts and lean accounting departments.
Companies address low headcount by outsourcing a variety of internal activities to contract research organizations and contract manufacturing organizations; even technical accounting is often outsourced.
There may not be a robust internal team to implement technology with a holistic view. Challenges can occur when there’s a heavy reliance on spreadsheets.
Life sciences companies tend to focus on disbursements, payroll, and headcount associated with the science. The majority of transactions and activities are small-volume, nonhomogeneous transactions.
This leaves little room to invest in technology, automation, and real-time processing tools.
Improving your internal business systems is a benefit of digital transformation. If any of your systems, such as enterprise resource planning (ERP), customer relationship management (CRM), or payroll, aren’t doing what they need to do, they might be worth assessing.
Before you begin an assessment of your current enterprise system, it can help to understand common system challenges.
Enterprise systems are supposed to reduce manual processes, allow for increased visibility across an organization, and help improve decision making.
If you already have an enterprise system but a particular business process isn’t automated, you may need a process-focused fit gap assessment.
The ability to measure corporate performance is a hallmark of a truly powerful enterprise system. Qualities of an enterprise system with strong reporting capabilities include:
Internal control and compliance are mandatory in many situations and may be both necessary and valuable in others. Failure to meet internal controls and regulatory compliance requirements within an enterprise system can lead to fraud, fines, or both.
Key compliance regulations include:
In advanced technological environments, organizations can more reliably and consistently address risk if they can move to a more automated solution. IT-driven controls aren’t subject to human error, bias, or management override.
Companies can use the following controls to assist in their accounting.
Though technology can be used to supplement manual controls, there will always be instances where management will need to make a subjective conclusion on a complex topic. This must be done via some type of human intervention.
Consider manually monitoring the following:
In spreadsheet-heavy environments, organizations can establish entity-wide programs to help manage end-user computing tools (EUCs).
The following are strategies to implement that support security if your organization uses spreadsheets:
IT application controls (ITACs) include safeguards in relation to specific applications. ITACs prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, stored, transmitted to other systems, and reported.
Cybersecurity should be a significant consideration as your organization develops a digital transformation strategy.
Data that’s held on your network or in the cloud, such as intellectual property (IP), financial data, employee information, clinical trial information, and research results are enticing to bad actors and are at risk. Through a variety of strategies, such as phishing, ransomware, and social engineering, bad actors can try to find and exploit vulnerabilities.
If you can apply practical security through these basic hygiene measures, then you can remove some of those opportunities and decrease the risk of an attacker infiltrating your network.
Below are eight areas to focus on to lower the risk of a cyberattack and reduce data loss.
There are reasonable, robust, and readily available ways to train and test employees with realistic, orchestrated phishing and social engineering campaigns — two common methods bad actors use to gain access to a network.
Train employees to inspect URLs before clicking on any links or images in their emails and conduct regular tests to help employees become familiar with phishing emails and malicious links.
There are several principles that are very important from a security perspective around identity and access management.
In many cases, a combination of some or all of these creates the need to assess a system for visibility and scalability in support of all business processes. This is called a comprehensive fit gap assessment.
You’ll document and prioritize your organization’s functional requirements, and assess the system’s ability to meet them with a focus on:
Below is a digital transformation road map detailing how to assess your existing systems and what to look for when in the process of replacing those systems.
Determine who’s going to guide the project, align digital transformation goals with strategic business goals, and communicate the plan to all parties and stakeholders.
Learn about existing processes by:
Then, review your findings to prioritize next steps.
To perform a gap analysis, analyze system requirements, determine what functional and technical needs are not being met, and decide if an alternative solution is needed based on the desired end state.
Develop and document recommendations for your digital transformation, collaborate with the team to decide what needs to be prioritized first, and share the road map with stakeholders to gain buy-in.
Once the system assessment has been completed, consider what to do. The initiatives that result from the assessment typically fall into three categories:
This option typically occurs when a mid-range system hasn’t been configured correctly or features weren’t implemented that could help support business process automation and reporting needs.
Assess the return on investment (ROI) of a potential new system as well as the time required for desired optimizations or upgrades.
Integration could be applicable when a cost-effective solution can be found within the partner ecosystem or an integrated third-party vendor.
Assess the total cost of the integration, including the license, the cost to implement, and ongoing costs, especially in terms of integration platform as a service.
If you have either outgrown the current system or it’s not hitting the mark, you can go through a new system selection process to replace the current system.
Several types of application controls exist with the objective to ensure that input and output data are accurate and complete, processed in an acceptable time, and a record is maintained to track the process of data from input to storage and to the eventual output.
Examples of application controls are:
IT general controls (ITGCs) refer to the overarching controls that relate to security, change management, and the use or design of computer programs. They ensure an organization’s control environment is stable and well-managed, including the IT infrastructure and software acquisition, development, and maintenance.
Several types of ITGCs exist with the objective to ensure that system and organization controls (SOC) reports for cloud-based systems are assessed for unmitigated risks, security and access to systems and key reports are limited via least privilege, and there is control over batch processing.
Because life sciences companies rely heavily on third parties, managing third-party risk is critical. Are you outsourcing IT or R&D? If so, work with vendors who have current SOC reports.
Organizations can gain significant effectiveness and efficiency in maintaining internal controls over financial reporting by following the steps needed to maintain this strong IT general control environment.
To further strengthen your internal processes and controls, you can utilize automated process workflows.
Examples of automated process workflows include:
Gain some efficiency and effectiveness in your operations using scripts. A script is a program or sequence of instructions that takes a series of commands and turns it into a single command. With one click, the script can run several sequential tasks.
A common example is using scripts for payroll processes.

There are many individual activities during this process, but with a script, the system is programmed to run the activities consistently and without error.
The script will let the user know if an error occurs. Scripts can be a very potent and effective tool for increasing the effectiveness and efficiency of your operations.
Maintaining accurate inventory of all software and hardware is a foundational and critical part of a cybersecurity program. It’s important that inventory records of approved hardware and software are accurate so that accepted controls can be implemented to protect hardware and software from threats.
Maintaining inventories can be done manually with spreadsheets, passively with a device or software that listens to network traffic, or actively, with software that’s constantly scanning the network for active devices.
Implementing some type of inventory process enables faster remediation. If something happens, it’s easier to remedy the issue if there’s an accurate inventory list to determine which devices are the problem.
Accurate inventories also simplify the decommission process. Attackers look for outdated, vulnerable servers and software. An inventory can make it easier to assess devices and determine what needs to be updated or decommissioned.
A vulnerability management program can be multipronged. Two important aspects are patching and antivirus.
Logging software activity can happen at the user level — each action a user takes — and the application level — the number of connections, memory spikes, or high CPU usage indicating malicious activity.
Benefits of creating an auditing and logging process include finding inefficiencies, identifying attackers, and increasing visibility.
For life sciences companies, one of the biggest business assets may be your data. Determine what data is the most sensitive and what data is the most highly valued.
The value and sensitivity of your data will help determine what protections you put in place, such as how you access it, who uses it, and its availability.
Data in storage and data in transit should both be protected with a level of encryption. Encrypting data stores and data transmissions could prevent you from having to pay regulatory fines should you be attacked.
To protect data, look at your firewall settings, make sure you're using the most up-to-date transport layer security (TLS), and implement a file integrity monitoring system.
Data that’s backed up should have the same level of security, or more, as data in the production environment. Production data and data backups should both be encrypted with strong encryption keys.
Determine how often this data is being overwritten, when it will be archived, if it has continuous data protection, and who’s responsible for the data.
How resilient is your organization when it comes to a data breach? Attacks are just a question of when.
Supply chain risk management is being aware of any additional risk that’s being introduced into your organization through an outside supplier, vendor, or software. If providers are at a high risk, you may not want to do business with them.
Vet a new provider to help identify any potential problems before you sign a contract. With new or existing suppliers or vendors, you can monitor what they’re doing with your data, including when they’re accessing data, why they need access, and who’s accessing it. You can also log the activity to assess what happened in the event of an attack.
After a provider has been offboarded, you can continue to keep security in mind by removing access to your network and email and requesting that third-party service providers turn over all data in their environment or provide proof that the data has been rendered unreadable.