Pharma's HR department: A potential gap in corporate security
The 2001 "Amerithrax" anthrax letter attack uncovered gaps in Defense Department screening of scientists with access to dangerous
substances, and management's inadequate monitoring of changes in employee personality due to potential triggers.
The anthrax-containing letters sent to the Senate were traced to lone-wolf defense scientist Bruce Ivins at the Army's Fort
Detrick research labs. Ivins is believed to have begun mailing his letters because of his anger at loss of funding for a research
project. So respected was Ivins that he was assigned by the Department of Defense to assist the FBI in seeking the anthrax-letter
terrorist—and for months, actually sent investigators in wrong directions.
What should trouble pharma HR is that Ivins' credentials and experience would have made him a candidate for a top research
position at just about any global drug company where he might have applied for employment. Ivins' managers failed to take
note of personality traits that might have tipped them off that something was wrong, especially after his anthrax vaccine
was placed on a development back burner. Management might have detected issues brought to the attention of the FBI by a former
university colleague that he had persistently harassed for years. In fact, Ivins had performed poorly on psychiatric tests,
but the results weren't followed up.
Equally troubling to pharma HR should be the multiple mistruths in the CV of Steven Hatfill, the scientist falsely accused
of being the originator of the anthrax letters. When reporters began researching Hatfill, they uncovered multiple academic
degrees and honors he had never received. All these claims should have been verified before Hatfill was given access to some
of the nation's most virulent organism stores.
What should not be missed by pharma HR is that someone with a profoundly falsified CV did gain access to laboratories where
his incompetence could have endangered coworkers and the nation. Resumes for those with such potential access must be rigorously
examined, and all claimed degrees, published papers, and experience validated.
Dangers for support staff
In February, armed thieves disguised as police broke through the perimeter fence of the Brussels airport and stole more than
$50 million in gems from the cargo hold of a airliner about to take off. The security gaps that enabled such a precise theft
appear to have been guided by inside information by airport personnel. Following the Brussels theft, an airline security specialist
made observations about airport security that may merit considerations for possible parallels for pharmaceutical companies:
"Ground crews are largely unseen by the general public. But in much the same way as flight crews, they have intimate knowledge
about their work environment. They also have unrestricted access to the exterior and interior of aircraft. Despite this access,
these employees are not subject to the same security screenings as passengers and most flight crews."
The Brussels incident suggests the industry needs to consider tighter screening of all who enter their facilities, including
those who clean premises—both offices and labs. Many such functions are outsourced to companies paying minimum wage, and—despite
blanket assurances and signed commitments—minimally checking immigration status. Unsecured computers left logged on, passwords
and codes for copying machines taped to inside desk drawers, loose documents on desks, notebooks beside experiments left running
at night—all represent potential security risks.
Cyber-attacks reveal every industry's vulnerability
Until recently, an international competitor or a terrorist group wishing to obtain and capitalize on a pharma company's confidential
technology would have had to recruit multiple scientists and manufacturing engineers, or insert operatives as employees capable
of stealing lethal organisms or chemicals. Today, however, criminal, political, and terrorist groups might use teams of dedicated
hackers to steal the same information an intruding terrorist masquerading as a scientist might try to obtain. And evidence
suggests they are doing just that.
According to a 2011 report by the US financial news network Bloomberg, international hackers have already penetrated the networks
of top pharma companies (Pfizer and Abbott), at least one medical device company (Boston Scientific)—and even the US FDA's
Parkland, Maryland computer bank. The hackers, likely Chinese from their IP addresses, appear to have broken into the computer
systems of the hotel Internet services provider iBahn, used by traveling executives around the world. In addition to being
able to view both unencrypted and encrypted e-mails, security authorities believe the iBahn hackers may have inserted malware
to the laptops of those executives, enabling them to capture passwords typed by the executives.