Finding The Hidden InfoSec Story

Information Security As Car Insurance

In the clinical research environment Information Governance and Information Security are like car insurance, or at least that’s the analogy we have started to use to ensure the organisation begins to understand the importance of being safe with information.

To us, insurance is a way of both protecting ourselves and ensuring that, should the worst happen, we are up and running again as quickly as possible; by that we mean recovering from a potential reputational issue as much as recovering from a cyber disaster.

You have to have car insurance in place to drive; you have no choice. But if you can sell an additional benefit or two, more people will purchase your type of insurance. And yet some people choose not to have car insurance and flout the law. Just as with car insurance, organisations can choose to take the risk and drive without Information Security, but what does that mean for those of us who do put the insurance in place? Just like in the car insurance industry, those ‘law-abiding’ organisations feel that they pay a more expensive premium to secure themselves against the organisations without proper cover.

A similar story can be told and applied to the clinical research world: it’s going to be easier to get everyone to adopt the highest standards if the benefits of Information Security and Governance are clear. Also like car insurance, if we get points on our licence through a misdemeanour then the cost of the insurance is definitely going to go up, and for new “drivers” beginning down the path of Information Insurance the cost of implementation can be a little bit scary.

On every research journey we take we have to consider the level of insurance we need to have in place: we need to identify the level of risk and implement the level of protection needed. There are many different types of research, each with a different security requirement, and as with car insurance there is a broker to help you fill in the security plan. The Info Sec team in our organisation are the Direct Line or Go Compare of the security world, providing assistance in the completion of the security plan and, in our case, the online IG Tool Kit audit tool.

The new researcher, or learner driver, keen to get on and discover the newest, most exciting compound, wants to be quickly assured that they are covered: can they really access patient information, can they really drive all the way to Cornwall in one day? Information Security in the clinical research environment is all about the provision of tools and standards that enable the real business we are here to do to be completed as successfully as possible. The Department of Health, in this case acting as the DVLA, is here to provide guidance, rules, registration and capability and to support research happening; however, if, as with car insurance, the rules are flouted, then it has a similar responsibility to ensure that there are consequences for the dangerous driver.

However, the most important element of Information Governance and Security in the clinical research environment is the additional benefit it brings to the researcher, and finding ways to make that clear. A protected no claims discount is difficult to apply, but the ability to have a fully documented and governed asset register that lets each clinical research organisation know who has access to what, where and when is a benefit to the whole organisation and is something that the insurance of information provides. The courtesy car plan also makes a difference in the clinical research environment: if a disaster happens, having the business continuity plan in place, agreed and communicated means that research continues, information is not lost, and the driver can still get to Cornwall!

The many different types and levels of insurance are akin to the decisions that need to be made about the level of governance and security each organisation, and indeed each team, wishes to apply to its working practices. An organisation embarking on the Information Security journey may well decide to get simple ‘third party, fire and theft’ cover, an initial cheap and cheerful way to show that you are covered, but in reality, if disaster strikes, it’s not going to get you up and running again very quickly. As an organisation progresses along the maturity model it will improve the level of insurance it puts in place, often for two reasons: those additional benefits we have already mentioned, and a dawning realisation that the insurance you put in place is about the protection of your collateral, not just your systems.

Protecting the no claims bonus, or good reputation, of the research organisation, or indeed the country where the research is conducted, is a key benefit that is not lost in this story. The sum of all the parts of the insurance, and the fact that all researchers in an organisation have put information governance and security in place, means that research is protected and that the cost of the insurance can be driven down. The advent of Cyber Liability insurance is surely going to put in place a clear way of evaluating the risk (and the reward) of implementing information security checks and balances, and begin to heighten organisations’ understanding of what information risk insurance needs to be in place.

In the clinical research world the head of the SIRO is not quite nodding in the back of the research car, but the car is likely to contain some useful guide books, a security jack and a can of governance oil.
