• Apex drug regulator’s database violation throws up myriad questions
• Data protection and preventing data breaches the need of the hour   

  BY Sumudu Chamara Sri Lanka’s state-run medicines regulator, the National Medicines Regulatory Authority (NMRA), is one of the most discussed institutions at present, due to its role in evaluating and authorising Covid-19 vaccines. However, recently, it also reported a massive data loss in its database, which made it a hot topic again, due to the repercussions the said data loss is likely to cause. On 22 August, it was reported that the process of renewing the registration of medicines and equipment had been affected due to a loss of data of the Lanka Government Cloud (LGC) server of the NMRA. Revealing this to the media, NMRA top officials said that the automated data system of the NMRA was deactivated on 9 July, and that a complaint had been filed with the Criminal Investigations Department (CID) in that connection.  Following this incident, the people began fearing that substandard medicines may enter the market and that medicine prices may go up. In addition to politicians and health professionals who voiced concerns about the outcomes of this data loss, the print media had also reported that the NMRA is likely to grant blanket renewal for registered drugs that were awaiting fresh licences, and that pharmaceutical companies have allegedly been told that this was being considered as an interim measure. A deliberate act?  This NMRA data loss took a new turn when Attorney General (AG) President’s Counsel Sanjay Rajaratnam informed the relevant court this week that the deletion of the said database could have been an act by medicine traffickers, and raised concerns about the fulfilment of the responsibilities of the firm that had been in charge of maintaining the database.  This was informed to Colombo Chief Magistrate Buddhika C. Ragala by Deputy Solicitor General Dileepa Peiris, who, on 13 September, appeared in court on behalf of the CID. Adding that the responsibility for maintaining the NMRA database had been taken over by a private company called “Epic Lanka” five years ago, Peiris stated that the said company had failed to fulfil its responsibilities and that the reason behind the data loss was negligence on the part of the said company. The company’s alleged failure to take proper steps to protect the NMRA database was also noted in court, in addition to the fact that the said company had failed to keep a backup of the data contained in the database. According to the facts revealed in court, there is another aspect to this issue which goes beyond a mere data loss or a system failure. Peiris noted that it can also lead to an unlawful increase of medicine prices. He added that certain pharmaceutical companies import the same medicines under different names (brand names) and that data on the composition of those medicines are stored in the database, which has now been erased. This, according to him, enables those companies to set the prices of medicines as they wish. Even though Peiris further requested the court to give a date to make submissions after studying the database as there is a risk of important information contained in it being deleted if it is updated under the supervision of the suspect/s, the Colombo Chief Magistrate stated that the court could not intervene in the matter regarding the updating of the relevant database. Adding that the recent order preventing the updating of the database in question would be revoked and that the update should be done in consultation with all parties, the court directed the CID to report on the progress of the investigation at the next hearing. Meanwhile, it was reported that Samagi Jana Balawegaya (SJB) Parliamentarian Nalin Bandara Jayamaha had filed a complaint at the CID in this connection, requesting a prompt investigation into it. Concerns The court proceedings regarding the data loss are being carried out in a context where numerous parties have raised concerns about it. On 30 August, Jayamaha lodged a complaint with the CID in connection with this data loss, claiming that it was suspicious. After filing the complaint, he told the media that certain politicians may be behind the existing medicines mafia and that there are reasons to believe so. He opined that losing data which belongs to the State reinforces those suspicions. Opposition and SJB Leader Sajith Premadasa had also raised concerns about this matter, claiming that the data loss could not be an accident, and therefore, called for an investigation. Meanwhile, Government Medical Officers’ Forum (GMOF) President Dr. Rukshan Bellana alleged that the NMRA Chairman and Chief Executive Officer (CEO) should be held responsible for the incident. He added that the data loss is a well-orchestrated act by the medicines mafia. “This data loss occurred at a time when a medicine approved by the World Health Organisation (WHO) to treat Covid-19 had been presented for registration. Even the Director General of Health Services had granted approval for that medicine,” he noted. He further opined that the said data loss could result in a shortage of medicines in the country. Attempts made by The Morning to contact Production, Supply, and Regulation of Pharmaceuticals State Minister Prof. Channa Jayasumana and NMRA CEO Dr. Kamal Jayasinghe for comment with regard to the impact the data loss has caused to the NMRA, were futile. However, in a statement issued recently, NMRA Chairman Dr. Rasitha Wijewantha had stated that there is no reason to fear a price hike or the importation of substandard medicines. He also said that a five-year agreement signed in 2018 between Epic Lanka Technology Group and the Information and Communication Technology Agency (ICTA) to develop the database in question had ensured the security of its data.  “The public should not have any fears regarding a shortage of medicinal drugs or the importation of substandard drugs due to the problematic situation that has arisen. The licence period has been extended as required for the importation and distribution of essential drugs. Also, all the work is underway to issue licences for the importation of essential drugs applicable to the Covid-19 pandemic situation,” the statement read. Data protection Apart from the question as to who planned and executed the acts which resulted in a loss of NMRA data, there are also concerns about the level of safety of the database on which the NMRA data had been stored. On 9 September, the CEO of the private company that had been maintaining the database on which the said data had been stored, was arrested in connection with the incident and was later granted bail by the Colombo Chief Magistrate’s Court as the investigations had not revealed his involvement in the said incident. This arrest was made in a context where allegations had been levelled that NMRA data stored on the LGC had been erased by an employee of the said private company. According to the Epic Lanka Technologies website, it had entered into a five-year contract with the NMRA in 2018, and this partnership is supported by the ICTA. The main purpose of this partnership was to streamline the NMRA’s operations and services, as the manual system that existed before was not efficient enough. The website also showed that later, the first phase of the digitalisation process of the NMRA was launched in 2019. It was initiated under the patronage of then Health Minister Dr. Rajitha Senaratne. The Morning’s attempts to contact ICTA officials to query as to the ICTA’s role in the above-mentioned process and whether any actions are being taken in connection with the data loss, were unsuccessful.  Meanwhile, in a statement, SLT-Mobitel denied reports by certain parties that it had been providing services to the affected LGC server in question. According to SLT-Mobitel, several published media reports have stated that NMRA data, which included confidential information on the formulation of drugs and other supporting documents, had been allegedly erased from its database in July and that a data backup was unavailable.  “The reports note that in 2018, the Authority began accepting online applications for the registration and renewal of drugs and its data was stored on the LGC operated by SLT under the supervision of the ICTA. SLT-Mobitel firmly states and places on record that it does not provide hosting services to the LGC,” the statement read. Further, SLT-Mobitel confirmed that it has not provided such a service to the NMRA and that no NMRA data is hosted at the SLT Data Centre.  Data losses/breaches The events surrounding the loss of NMRA data are rather new to us, and this is the biggest, if not the first, such data loss in the healthcare sector that has been reported in Sri Lanka. According to several institutions studying pharmaceutical markets, there have been an unprecedented number of attacks as hackers have started viewing pharmaceutical companies as benefitting from the Covid-19 pandemic, which has resulted in more data breaches.  According to a 2020 study titled “Cost of a Data Breach” conducted by the Ponemon Institute and IBM Security, highly regulated industries, such as the pharmaceutical industry, experience on average a significantly greater total cost of a data breach than those in less regulated industries. The industry’s average total cost of a data breach is $ 5.06 million, which is fourth on the list after healthcare, energy, and finance. Third party breaches have amplified the average total cost of a data breach to organisations overall by an average of $ 207,411.  Meanwhile, an article published on Forbes said that pharmaceutical companies, which are operating in a high-stakes field predicated on intellectual property, have always been attractive targets for cyber criminals, and that the current attention to Covid-19 vaccine development and distribution may put an even bigger bull’s eye on the industry. It added that pharmaceutical and biotech companies suffer more breaches than those in any other industry, with 53% of them resulting from malicious activity, as per the above study by the Ponemon Institute and IBM Security. It also noted that the growing reliance on the cloud, including hybrid, multi-vendor environments, has greatly expanded the attack surface and underscored the importance of managing identities and permissions. The IBM Security and Ponemon Institute's report has found that most breaches involving the pharmaceutical industry take place during cloud migrations. To prevent these data breaches, it said that the tight management of identities and permission need to become a priority for the pharmaceutical industry, and that ensuring that developer environments are as secure as possible is also important. Accordingly, requiring secure transfer methods and authentication practices within their teams could be a course of action. However, in the recent past, similar incidents of a larger scale have been reported from the overall healthcare sector too, according to Digital Guardian, a leading US-based data loss prevention software company. It noted that in the past few years, there has been a rise in data breaches in the healthcare sector, both in size and frequency, and that such breaches are known to expose highly sensitive information, mainly people’s personal details. Due to such incidents, sometimes, millions have been affected at a time. The NMRA data loss is still unfolding, and the country is yet to find out what exactly happened to the data in question and what exactly would be the consequences of the data loss. However, at a time when the country is fighting a pandemic, the country’s leading medicines regulator being attacked, according to some, is a cause for concern because this indicates there are parties trying to benefit from the prevailing pandemic.