This blog post summarizes a Dreamforce 2018 session delivered on September 26. To watch the session, check out this recording!
If you work in the health or life sciences industries, then you know about the mountain of regulatory requirements you have to comply with. Just to name some big ones, there’s HIPAA, GXP, 21 CFR Part 11, and GDPR. Each one presents a lot to understand and comply with, and requirements can change over time.
At Dreamforce 2018, Salesforce representatives Sam Steiny, product marketing manager in Infrastructure Engineering, and Badri Devuni, life sciences architect, discussed the special needs of life sciences customers and how Salesforce can help you meet them.
Keeping patient and customer information private and secure is just the cost of admission. Layer on the many overlapping but not identical details surrounding data availability, “forgetability,” portability, and consent regulations, and you have a lot to keep up with. So how can you meet your compliance needs?
You’re Not Alone
Salesforce is a trusted partner for a wide range of regulated industries, like finance, transportation, government, and yes, healthcare and life sciences. And the life sciences landscape is changing. In the past, large hospitals acquired smaller hospitals, large pharmaceutical companies acquired smaller pharmaceutical companies, and so on, but for the most part, industry players remained the same. Today, companies like Amazon are getting into the drug distribution business, and Google is investing in health plans. The increase in cross-industry verticalization means that meeting compliance obligations requires a holistic view across several industries’ regulations.
Salesforce has internal and customer experts from many regulated industries, and we proactively monitor regulatory changes that apply to all of them. We study regulations in fine detail and examine how our platform can meet the requirements. We validate our expertise by acquiring and maintaining industry certifications.
We do all of that to help you meet your compliance goals. We look at how the law applies to your industry, geography, and use cases, and partner with you to build the Salesforce implementation that best fits your needs.
We’ll Get You Almost Up the Mountain
So let’s talk specifics.
The Salesforce infrastructure and architecture natively provide three security layers that address compliance needs: infrastructure, networking, and applications. Additional security tools are available with Salesforce Shield.
Regulated industries typically require high data availability. It’s important for business continuity and also for regulatory auditing.
Our infrastructure addresses this core requirement through our secure data centers and our high-availability, active/ready architecture. Active/ready means that your business and data are running on two hardware instances in different data centers with near-real-time replication. So if the active instance experiences a problem, we can switch to the ready one seamlessly. Each instance in turn contains primary and standby copies of your data. Altogether, Salesforce maintains four active, up-to-date copies of your data.
Networking is all about connecting systems and moving data. Our networking layer keeps your data secure by using HTTPS encryption, firewalls, login monitoring and restrictions, and penetration testing.
Applications are the products that we build for you. To create a compliant organization, you can leverage their security and access features, including identity and single sign-on, password policies, two-factor authentication, and user roles and permissions.
Mapping the Path to the Summit
Salesforce continually examines industry and government regulations to see how our capabilities can be used to meet the requirements.
Let’s look at GDPR as an example. GDPR, or General Data Protection Regulation, is a standard for citizen privacy in EU law. It’s a lengthy regulation with hundreds of sub-articles, but you can roughly group them into six main areas. Here’s how the Salesforce platform applies to each GDPR area.
Because one person can have multiple accounts within an org, such as contact, lead, or person, we created the Individual object to centralize managing privacy preferences and help you meet consent requirements. For example, if a patient prefers to be contacted only by email and only for alerts, all other object types can refer to the Individual object for that information. This practice consolidates the information in one place so that it’s always consistent.
Special Gear for Steep Climbs
Salesforce Shield offers features that can be helpful in complying with stricter security regulations.
- Platform Encryption extends your ability to encrypt data beyond what’s available in the base platform. You can use it to satisfy requirements like pseudonymization.
- Event Monitoring gives you access to detailed security and usage data that you can use to set up alerts for unusual activity changes. For example, if a nurse normally accesses 5–10 patient records a day but suddenly accesses several hundred in one day, you can get an alert.
- Field Audit Trail helps you monitor the changes to a field’s value, with extended storage time for change records of up to 10 years. For example, if a patient is discharged prematurely, you can see a complete history of the patient record changes and who made them.
But We Need You at the Top
Salesforce provides resources, support, tools, and experts to guide your organization on its path to compliance, but compliance is a shared responsibility. You define the security and configuration settings that meet your requirements. Consider regulations, contracts with third parties, internal policies, and best practices.
- Define the roles and permissions that people in your organization need. Figuring out the least amount of access necessary for every role is challenging, but it’s an important part of security. After you design the hierarchies of permissions, we can help you set up those permissions and roles.
- Create a backup plan for your data, or work with one of our partners who specializes in backup apps. The most common causes of data loss are internal, like accidental deletion or mistakenly overwriting data.
- Integrate our trust and monitoring APIs into your own monitoring systems.
Getting security right is a challenge. We’re here to help, but access to and usage of the data that you store in Salesforce is a customer responsibility.
Now That You’re Here, Enjoy the View
Let’s revisit the path to compliance.
- Salesforce constantly monitors applicable laws and regulations. Our customers do the same.
- We determine how the regulations apply to our platform. Customers interpret how the laws apply to their business, geographies, and use cases.
- We work with you to determine the configuration and security settings you need to meet your compliance goals, based on your interpretation.
- We provide the infrastructure, technology, and platform, but you determine your use cases and conduct your own risk assessments. We work with you, but we also rely on you. Together, we can help you achieve compliance.
Visit Salesforce Help and Trailhead for a rich library of resources, articles, and white papers on compliance topics such as consent management, data deletion, and data portability.
Check out the recording of the Life Sciences on the World’s Most-Trusted Enterprise Cloud session.