SAFE-BioPharma joins health-industry digital security consortium

Move unites pharma efforts with larger healthcare network

The SAFE-BioPharma group, which has been promulgating standards and practices for cross-industry digital identity management since 2005, is merging into the National Health Information Sharing and Analysis Center (NH-ISAC), a similar nonprofit but one whose membership is deeper among healthcare providers and payers. As of Jan. 1, SAFE-BioPharma will become an offering of CyberFit, one of several suites of security services provided by NH-ISAC.

SAFE-BioPharma has been involved in a number of life sciences cybersecurity efforts, with one of the most obvious being the establishment of a standard for defining a trusted cyber identity. With that credential, individuals or organizations can share data among disparate IT systems that recognize the same credentials. An example of this is the collaboration with TransCelerate, another industry consortium, that enables clinical trial participants to share data. While SAFE-BioPharma’s standards have been widely accepted, progress in building its membership has been slow: about 40 organizations (mostly pharma companies, but also others, including, quite recently, the insurer Aetna) have joined.

Mollie Shields Uehling, CEO of SAFE-BioPharma, is retiring but will stay on the SAFE-BioPharma board. For members, the change “means a reduced SAFE-BioPharma membership fee and the potential to have a substantially expanded number of participants in their identity trust ecosystems,” she wrote in an email notification. “For vendors, it means a larger universe of prospective customers for SAFE-BioPharma compliant products, applications and services.”

A possible downside of the merger is that pharma loses its dominance in cybersecurity standards-setting. The membership of NH-ISAC is dominated by healthcare providers and payers; about 15% of the NH-ISAC membership is pharma, and another 9% is medical device manufacturers.

NH-ISAC is one of a number of ISACs, each devoted to the critical infrastructure needs of a US industry sector. They usually operate quietly in the background, keeping members up to date on security threats and preventive measures. The healthcare sector has been wracked by security breaches in recent years, which can bring financial consequences for providers as well as reputational damage when patient health data is exposed. But cybersecurity is not a triviality for pharma companies themselves; this summer Merck was hit with a company-wide malware attack (now known as the “NotPetya” attack) that disrupted drug production; the cost of the attack has been variously measured at $135-275 million.