Securing access to sensitive medical data
PAREXEL, the world leader in pharmaceutical tests, manages medical data on thousands of voluntary subjects, on behalf of the biggest manufacturers in the sector.
Its security requirements are, therefore, very high: protecting sensitive data of often competing clients, and guaranteeing the confidentiality of patients’ medical data. Finally, legal constraints on drug marketing authorizations require that documents be “signed” electronically by clearly identified persons to be considered authoritative.
The result: very cumbersome manual identification procedures, with hundreds of applications and resources. Each employee had to manage up to 15 passwords and renew them in an unsynchronised manner.
So, PAREXEL decided to simplify and reinforce the security of access to its applications. All the passwords would be replaced with smartcard and proximity-detector-based single sign-on (SSO), which would guarantee both logical and physical security, simply.
Managing physical and logical access
PAREXEL sought a supplier capable of meeting specific technical, regulatory and organizational constraints. The system had to manage mobile employees on dozens of geographic sites with different directory domains. Moreover, the access cards, specifically designed for PAREXEL, had to incorporate different contactless technologies to work in several countries.
After investigating leading suppliers in the market, PAREXEL chose Evidian’s IAM Suite solution. A pilot installation enabled PAREXEL to successfully test the software on a significant sample of the company’s 600 systems and 300 applications.
“Our exchanges with Evidian’s teams and management were very convincing”, explains Marc Jobert, Corporate VP and Chief Technical Officer of PAREXEL. “Evidian took our specific needs into account and we have developed a mutually beneficial partnership in the field”.
Deploying single sign-on
“When the board of directors of PAREXEL gave its green light for the project, the main argument was security reinforcement. However, while deploying the solution we also discussed the technical, regulatory and human aspects with Evidian”, says Marc Jobert.
Therefore, the Evidian IAM Suite software was integrated in a non-intrusive manner into a directory environment with several domains. Management is centralized while keeping the locally designed directories in place: administrators easily share their skills and adapt SSO to new versions of applications.
Moreover, Evidian’s authentication system uses PAREXEL’s human resources database directly.
An employee leaving the company loses his or her access rights immediately, which is a guarantee of security.
When users are convinced…
For PAREXEL, it was indispensable that users participate in the project. In particular, the healthcare staff, which has big responsibilities, should not perceive the new access method as an intrusion. In practice, training and psychology ensure hitch-free deployment.
“Upon arriving on site, the project team always starts with a group of ‘early adopter’ users who are open to innovation. These users quickly conclude that they access their applications twice as fast as before and they become natural advocates of the solution among their colleagues”, says Marc Jobert. “Our Japanese subsidiary, the last to install the software, got all its employees to use this software within only three weeks.”
Legal requirements on traceability
Legal regulations on drug marketing authorizations require pharmaceutical manufacturers to ensure the integrity of test-result documents. As a subcontractor, PAREXEL must, therefore, provide an irreproachable chain of confidence to its customers, and prove its reliability through access logs.
Evidian’s authentication system is a critical link in this chain of confidence. An audit performed by a specialist company has enabled PAREXEL to confirm the quality of Evidian’s development process. Internal procedures, separation of tasks: the product and supplier’s robustness was a major selection criterion.
Security targets reached
PAREXEL can now put in place procedures suited to the required security levels: Evidian IAM Suite ensures that they are complied with. Thus, application access passwords are systematically hidden from users. These passwords are now long, non-intuitive character strings which are changed very regularly and automatically. So, an employee cannot access an application without a card and PIN.
“The solution based on Evidian IAM Suite is now part of the company’s life: we are using the solution everywhere. On some sites the authentication card is even used to pay for meals at the cafeteria”, concludes Marc Jobert.