By Kip Wolf, Tunnell Consulting
During a recent meeting of data integrity professionals representing many industries, including life sciences, a fundamental question was posed by a member of the group: “How can one prevent or detect malicious intent as it relates to changes to information and the impact to data integrity?” Arguably, this question is rooted in information security, which is defined well by Singh et al. (2014) as the protection “of information and its critical elements, including the systems and hardware.”1 However, the tone of the question was one of exasperation, as a number of those present at the meeting had recently felt the frustration and disruption of information security incidents that were the result of malicious intent.
Prevention is difficult, but it is typically accomplished through basic security controls, where the robustness of such controls is commensurate with risk (and regulation). The skill of the perpetrator may make detection very difficult. In this article, we will cover some basic recommendations for both prevention and detection of malicious intent. While these may seem obvious, very often the cause of data incidents is purely failure to cover the most basic elements in information security.
Basic Controls Can Succeed In Prevention
We should start our consideration of basic controls by agreeing on a fundamental guiding principle that procedural controls are never enough. Where humans are involved, mistakes will happen. Human error is an all too common cause of information security breaches. According to Dutton (2018), “4 of the 5 top causes of data breaches are because of human or process error.”2 However, some basic controls provide a first line of defense and can successfully prevent some information security incidents and negative impacts to data integrity.
An illustration of how preventive measures may have a positive impact is offered by a former colleague who now works for a well-known government agency. After finding that his parked car had been broken into, he discovered that his backpack that held his government-supplied laptop (among other important professional and personal items) was missing. Within 24 hours, the backpack and all contents were deposited in the parking lot of the local sheriff’s office, with no evidence of tampering or damage. The assumption by my former colleague and the authorities is that the thief noticed the clear markings and logos of the government agency on the laptop and panicked, returning the stolen possessions. Of course, in accordance with common information security awareness practices, the backpack with the laptop should not have been left unattended in the parked car in the first place. The lessons here are: (1) label any devices or media so that they may be easily identifiable upon simple inspection; and (2) follow the lessons taught in common security awareness training (required by most government agencies) that have been shown to successfully change user behavior (even if not in this case).
Another colleague’s individual work that was completed for a client project over a shared, online collaboration space offers a further example of successful prevention measures. The client had uploaded client-specific documentation, and the project team had created and/or contributed content in the same collaboration space, an online document library. The online document library was secured, with access only by the project team members. Near the end of the project, a team member noticed that the document library was nearly empty. Knowing that team members had the ability to delete data, the project team leader checked the system administrator and found evidence of all of the deleted files, including the person who deleted the files and the date/time stamp of deletion. The deleted files were in an area (similar to a “Recycle Bin”) accessible only to the administrator and indicated that an employee of the client had deleted all of the files. However, with appropriately designed security access, even the deleted files could be recovered by an administrator with access to the Recycle Bin (not accessible by normal users). The lesson here is that, even with malicious intent, appropriately designed security access to a collaborative, cloud-based space allowed for a prevention of disaster and a recovery of the deleted files.
Challenges With Detection Of Malicious Intent
The rule of law is always trying to keep pace with the malicious and/or criminal mind. In the United States, the Computer Fraud and Abuse Act (CFAA) was enacted in 1986 to address cybersecurity. Since then, the act has been amended no less than six times in attempts to align it with contemporary risks and other current laws (e.g., the USA PATRIOT Act and the Identity Theft Enforcement and Restitution Act).
There also exist specific regulations and guidance that address information security for individual markets and industries. These include (but are not limited to): the Code of Federal Regulations, Title 21, Parts 11, 210 and 211, which governs food and drugs within the United States for the FDA; the Data Integrity and Compliance with CGMP (DRAFT) Guidance for Industry published by the FDA that is intended to “clarify the role of data integrity in current good manufacturing practice (CGMP) for drugs”; the ‘GXP’ Data Integrity Guidance and Definitions published by the Medicines & Healthcare products Regulatory Agency (MHRA); the General Data Protection Regulation (GDPR) published by the European Parliament; and the Guidance on good data and record management practices (Annex 5) published by the World Health Organization (WHO) Expert Committee on Specifications for Pharmaceutical Preparations.
A common thread across these regulations and guidance documents is the requirement for and periodic review of what is commonly referred to as an “audit trail.” An audit trail is intended, particularly in transactional software and systems, to document changes in data. In some cases, requirements exist to document both the “before” and “after” values in changed data. With an appropriately configured audit trail, an administrator should be able to detect, explain, or even reconstruct the activities that occurred during a suspected information security event. With modern information technology, most everything that a user does within a system or in a network-connected environment is documented in some way or another. Even after destruction of the physical memory devices, much data can be recovered through advanced techniques in digital forensic science.
While use of an audit trail is a well-intentioned approach and/or requirement, sufficiently malicious users with exceptional technical expertise may be able to outsmart an audit trail, performing nefarious activities on systems and in software, while remaining transparent to system administrators and data custodians. Detection may occur simply by realizing that data is missing or, in some cases, the malicious user may even leave a “calling card” in an effort to gain publicity and/or notoriety.
In these cases, the use of multiple more traditional security elements may be necessary to construct a complete understanding of the incident. These elements may include physical security, personal security, operations security, communications security, and/or network security (to name a few).
One such example occurred when data was found to be missing from a critical operational system (the details of the site or related system are confidential). Not only was data missing, but the application that held the data and the related audit trail were completely deleted in a way that showed sufficient technical ability to ensure that nothing could be recovered. Using date/time signatures on related connected systems, the system administrators were able to identify a likely window of opportunity when the malicious event likely occurred. A profile of the user was created using other security elements during the suspected time of the event, such as:
A likely suspect was identified via the circumstantial evidence collected from these security elements. While the suspect was confronted, and their behavior suggested that they were the indeed the malicious user who deleted data, they did not confess to the information security event. Ultimately, the data could not be recovered, but the culprit was invited (and agreed) to leave the company voluntarily.
Take A Two-Pronged Approach
In short, the best approach to preventing and detecting malicious intent as it relates to changes to information and the impact to data integrity is: (1) do not underestimate the value of taking and reinforcing the common basic security measures; and (2) hire a professional for all the rest. Implement appropriate policies and procedures and make information security and data integrity a component of all processes. Embed it in the cultural fabric of your business operations at all levels. In the modern world, we are all touched by interconnected data and risks to information security. No one is immune from it, nor should anyone in your firm be excused from understanding their responsibility for information security. Build on the fundamental information security elements, such as controlling one’s company ID card/badge, securing sensitive paperwork at the end of the work day, and not discussing confidential matters with family or friends. Make sure that your information technology assets are clearly identified and labeled (i.e., company asset tags and the like), have strong user-based security (e.g., system passwords and media encryption), and users are trained in security awareness, not just when they are hired but throughout their employment. Then, after the common basic security measures have been taken, hire an information security professional to assess what you’ve done and proactively work to improve and take additional technical measures.
About The Author:
Kip Wolf is a principal at Tunnell Consulting, where he leads the data integrity practice. Wolf has more than 25 years of experience as a management consultant, during which he has also temporarily held various leadership positions at some of the world’s top life sciences companies. Wolf temporarily worked inside Wyeth pre-Pfizer merger and inside Merck post-Schering merger. In both cases he led business process management (BPM) groups — in Wyeth’s manufacturing division and in Merck’s R&D division. At Tunnell, he uses his product development program management experience to improve the probability of successful regulatory filing and product launch. He also consults, teaches, speaks, and publishes on topics of data integrity and quality systems. Wolf can be reached at Kip.Wolf@tunnellconsulting.com.