Download PDF

Sensitive Content Communications Privacy and Compliance in Pharmaceuticals

Highlights From Kiteworks’ “2022 Sensitive Content Communications Privacy and Compliance” Report


Proprietary information is the lifeblood of pharmaceutical companies. Development of a typical drug with a life of around 10 years costs around $2.6 billion.1 Some of the largest data repositories exist in the pharmaceutical industry. In addition to intellectual property that includes pharmaceutical formulas, DNA, manufacturing plans, trial designs, and more, pharmaceutical companies must protect protected health information (PHI) of patients, personally identifiable information (PII) of their employees and customers, and the sharing of confidential information with biotech companies.

What Sensitive Content Communications Channel Poses the Greatest Risk?

Cybercriminals recognize this is the case and are targeting them in greater numbers. In a study of data breaches and leakage in the pharmaceutical industry between 2018 and 2021, Constella Intelligence found that 59% of total breaches and 76% of total exposures occurred since 2020. And while proprietary IP-related data certainly was a target, PII data, such as email, password, name, phone number, and date of birth, was in nearly two-thirds of instances. Indeed, 58% of pharmaceutical executives had their credentials exposed during this four-year time frame.2 The cost of an average data breach in pharmaceuticals last year was $5.72 million.3

Security and Compliance Governance

Pharmaceutical companies share critical information internally and externally via various communication channels. Following are some of the more prevalent use cases:

  • Protecting drug formulas, scheduling, manufacturing plans, trial designs, and DNA sequences
  • Applying audit and privacy controls such as Health Insurance Portability and Accountability Act (HIPAA) to clinical trial data scheduled with contract research organizations (CROs) and physicians

Pharmaceuticals Brief

Sensitive Content Communications Privacy and Compliance in Pharmaceuticals

  • Ensuring immutable transfers of manufacturing quality data to comply with Federal Drug Administration (FDA) 21 CFR Part 11 and Governors and good practice guidelines (GxP)
  • Transferring securely DNA genome sequences and other large data sets—internally as well as externally with different third parties involved in the supply chain
  • Automating securely data transfers with manufacturing plants, CROs, and regulators
  • Enabling governed and controlled sharing of confidential dossiers between the pharmaceutical company and biotech companies

These different activities are governed by various compliance standards that cover areas such as personally identifiable information (PII), protected health information (PHI), security foreign corruption and bribery, and securities. Privacy regulations, such as HIPAA, General Data Protection Regulation (GDPR), PIPEDA, and the California Consumer Privacy Act (CCPA), govern PHI and PII, whereas other regulations are more industry specific, such as FDA CFR and Process Analytical Technology (PAT). And as big data becomes increasingly more important in the pharmaceutical sector, tracking and controlling that data grows accordingly. For those organizations found to be in noncompliance, the cost can be dramatic—around 2.71 times more than the cost of compliance.4

Private PHI Communications With Third Parties

In addition to all data that is shared internally, pharmaceutical companies must exchange a lot of sensitive data with third parties—CROs, physicians, supply chain providers, biotech companies, and others. Depending on the regulation or standard, policies are specified around data type, user and device access, data classification, cataloguing, expiration, and audit trail reporting.

In response, pharmaceutical firms must have the right governance tracking and controls in place to ensure privacy and compliance—for both data at rest and in motion. As pharmaceutical companies rely on a vast network of third parties for activities such as research and development (R&D), clinical research, warehousing and logistics, and freight forwarding, their supply chain often poses a significant risk; in particular, confidential data lacking encryption and governance controls can be exposed to malicious third-party actors.

One of the biggest challenges involves the sharing and transfer of data with third parties. The following graphic examines some of the pharmaceutical industry findings.

Pharmaceuticals Brief

Sensitive Content Communications Privacy and Compliance in Pharmaceuticals

What Are Your Top Concerns in Managing Sensitive Content Communications?

What Are Your Top Priorities Around Third-party Sensitive Content Communications?

Governance, Risk, and Compliance Survey Findings

Based on findings from a survey conducted by Kiteworks and Survey Pacific in early 2022, 3 in 10 pharmaceutical companies indicate their organizational governance and protection of sensitive content communications either requires a new approach or needs significant improvement (another 38% indicate some improvement is needed).5 A likely reason is the lack of technologies and processes to measure risk: Fewer than half (49%) have technologies and processes in place to do so.

Almost half (49%) of respondents believe their organizations are well-protected when it comes to third-party risk. Communications in the cloud is a problem for many pharmaceutical firms: 44.5% either do not manage and monitor sensitive content shares and transfers in the cloud or only manage and monitor some of them. However, despite all the time and resources spent on compliance, 17.5% of pharmaceutical respondents lack confidence in the accuracy of their compliance reports.

Pharmaceuticals Brief

Sensitive Content Communications Privacy and Compliance in Pharmaceuticals



use 4 or more systems for tracking, controlling, and securing sensitive data communications with third parties.


believe their governance and protection of third-party content communications either requires a new approach or requires significant improvement (another 38% say some improvement is needed)


have technologies and processes in place to measure risk associated with third-party content communications (the remaining 51% plan to do so)

Risk Management


use antivirus and antispam technologies to verify incoming data communications from third parties


use DLP for file sharing and file transfer with third parties


encrypt 75% or more of their content communications with third parties


indicate their risk management and security of third-party content communications requires a new approach or significant improvement


believe their organization is not well- protected against third-party content communication risks


either do not or only manage and monitor some content communications in the cloud



must generate over 7 compliance reports annually


spend over 40 hours generating each compliance report (25.5% spend 80-plus hours)


feel their compliance reports are fully accurate with 59% saying they are mostly accurate (not contain errors)

Pharmaceuticals Brief

Sensitive Content Communications Privacy and Compliance in Pharmaceuticals

Kiteworks Private Content Network Provides Governance, Compliance, and Security

Kiteworks enables pharmaceutical companies to create a dedicated Private Content Network (PCN) of internal and external digital communications that ensures privacy and compliance of sensitive content—ranging from PHI and PII to proprietary IP-related content. The COVID-19 pandemic heightened awareness around the pharmaceutical industry and the importance of tracking and controlling the latter. And when data breaches do occur, the cost can be dramatic. Cybercriminals and nation-states are targeting pharmaceutical data. According to IBM and Ponemon Institute, breach costs for pharmaceutical firms average around $5.06 million per breach.6

Kiteworks enables pharmaceutical organizations to protect critical IP related to manufacturing drug formulas, clinical trials, and production schedules. PII and PHI that pharmaceutical firms share with their supply chain, CSRs, physicians, and other third parties can be hacked in transit and in motion. Unifying, tracking, controlling, and securing this sensitive content with the Kiteworks platform creates a PCN for pharmaceutical companies that is fully secure and compliant with various standards and regulations.

For these and other highlights from Kiteworks’ “2022 Sensitive Content Communications Privacy and Compliance” report, download a copy.


1 Thomas Sullivan, “A Tough Road: Cost To Develop One New Drug Is $2.6 Billion; Approval Rate for Drugs Entering Clinical Development Is Less Than 12%,” Policy & Medicine, March 21, 2019.

2Pharma Sector Exposures Report: 2018-2021 Digital Risk Findings and Trends,” Constella Intelligence, January 26, 2022.

3Cost of a Data Breach Report 2021,” IBM and Ponemon Institute, July 2021.

4The True Cost of Compliance With Data Protection Regulations: Benchmark Study of Multinational Organizations,” Ponemon Institute, December 2017.

52022 Sensitive Content Communications Privacy and Compliance Report,” Kiteworks, April 13, 2022.

6Cost of a Data Breach Report 2021,” IBM and Ponemon Institute, 2021.

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who feel confident in their content communications platform today. Select an option below.


Avec Kiteworks, se mettre en conformité règlementaire et bien gérer les risques devient un jeu d’enfant. Rejoignez dès maintenant les milliers de professionnels qui ont confiance en leur plateforme de communication de contenu. Cliquez sur une des options ci-dessous.

Jetzt loslegen.

Mit Kiteworks ist es einfach, die Einhaltung von Vorschriften zu gewährleisten und Risiken effektiv zu managen. Schließen Sie sich den Tausenden von Unternehmen an, die sich schon heute auf ihre Content-Kommunikationsplattform verlassen können. Wählen Sie unten eine Option.

Get A Demo