- Customer Profile: Pharmaceutical company; 5,000 employees
- Goals: Regulatory compliance
- Solution: PGP Universal™ Gateway Email with PGP Universal Satellite to encrypt emails at server or end-to-end
- Deployment: On schedule; within budget; low cost of ownership
- Benefits: Security; regulatory compliance; intellectual property protection
Lundbeck chose the PGP® Encryption Platform to protect its intellectual property and the patient data that results from clinical trials.
H. Lundbeck A/S (Lundbeck) is an international pharmaceutical company engaged in the research and development, production, marketing, and sale of drugs for the treatment of psychiatric and neurological disorders. In 2005, the company reported revenue of DKK9,100 million (approximately US$1,400 million) and employed about 5,000 people.
Lundbeck wanted to implement a secure-messaging solution to protect confidential patient information and proprietary research exchanges between collaborating scientists, universities, and other pharmaceutical companies. The company needed to ensure the confidentiality of its internal email communications, partly because its email operations are outsourced to an on-site, third-party organization.
Keld Viftrup Møller is the security designer in the infrastructure delivery department at Lundbeck’s headquarters in Copenhagen, Denmark. He is responsible for the security of the global infrastructure that his department implements in Europe, the Americas, Africa, Asia, and Oceania.
Ease of use. “Our number one requirement was that the solution be transparent and easy to use,” Møller says. “We already had a desktop solution installed, but a lot of users found it cumbersome. The company wanted a secure-messaging solution that didn’t require users to manually secure each email.”
Data protection. The Danish Personal Data Law, a national law based on the EU Privacy Directive, requires Lundbeck to protect research data containing personally identifiable information that results from clinical trials. For example, Lundbeck must protect doctors’ email messages that discuss the properties and effects of new drugs.
FDA regulations. Industry-specific regulations also influence Lundbeck’s need for encryption. Lundbeck sells its drugs in the United States, so the company is subject to the data protection guidelines of Title 21 CFR Part 11 of the U.S. Food and Drug Administration (FDA). “Three-quarters of antipsychotic drugs are sold in the United States,” Møller says. “It’s a critical market for us.”
HIPAA compliance. In addition, Lundbeck is preparing for a possible future need to comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA), which requires organizations that handle personal health records to protect the privacy of individually identifiable health information.
Intellectual property. To help ensure competitive advantage, Lundbeck wanted to encrypt the research and development information it exchanges with collaborating companies and academic institutions. “Email has become the accepted way to deliver this intellectual property, so electronic messages must be protected. We must prevent competitors from having access to our research papers and the premature publication of research data,” Møller says.
Lundbeck decided to use PGP Universal Gateway Email to encrypt emails at the gateway because it does not require installing software on the desktops. Although encryption at the gateway protects email messages that leave the network perimeter, it does not encrypt messages on the internal network. Therefore, Lundbeck issued PGP Universal Satellite to certain users who handle information that is also confidential inside the company. This small no-user-interface piece of software transparently secures emails directly on the desktop by using centrally defined security policies.
Comprehensive solution. The PGP Encryption Platform gives Møller the ability to cover additional encryption needs in the future. “Sometimes we have to buy point solutions, but if at all possible, we prefer solutions that have a broader perspective and solve more than one problem. If you buy point solutions for everything, you have to manage many different solutions,” he says.
Two-way encryption. Another deciding factor was PGP Universal Gateway Email’s ability to provide two-way policy enforcement. “Before installing PGP Universal Gateway Email, we had no technical way of ensuring security policy was followed,” Møller says. “Now, if a business partner doesn’t already have an encryption solution in place, we can provide PGP Universal Satellite or PGP Universal Web Messenger.” That capability is key to ensuring Lundbeck’s continued success in pharmaceutical collaborations.
“Our business partners love that the solution is so automated and easy to use. PGP Universal Gateway Email automatically secures each message using the most appropriate method,” Møller adds. “We’re also thinking about integrating PGP Universal Gateway Email with our email content filter to automatically recognize and encrypt sensitive content.”
Granular policies. Lundbeck started with the first version of PGP Universal and has since upgraded. “PGP Universal has become a lot more granular,” Møller says. “This functionality allowed us to set up intelligent encryption policies instead of only having ‘all or nothing’ encryption.”
Alternative products. Before introducing PGP Universal Gateway Email, Møller evaluated other products. “We looked at a European product that could do many of the same things as PGP Universal, but it relied on users to remember to encrypt sensitive messages,” he says. “If users have a deadline and know someone is waiting for a particular document, they’ll typically decide it is more important that it arrive on time than that it arrive securely.”
Møller also compared the documentation. “Looking at the documentation, we couldn’t figure out how much work it would be to set up the alternative products. PGP Universal Gateway Email was very well documented, so we knew exactly what to do.”
Trusted vendor. Møller had to address other concerns as well. “Some Europeans believe the U.S. National Security Agency is able to eavesdrop on messages encrypted with security products made in the USA,” he explains. “PGP Corporation is the only commercial encryption vendor that publishes its source code, which has been under scrutiny by the world’s cryptography experts for years. Even though we didn’t read every line of code, this practice convinced us that the product was safe to use.”
The selection of PGP Universal Gateway Email was a joint decision by several departments. “Our end users have to live with whatever solution we provide, so it’s important they feel we’ve delivered a necessary, transparent tool that will make email encryption a success,” Møller says. “They know that it’s critical to protect our intellectual property, so they’re happy that we’ve provided them with a means to do so.”
Within budget and schedule. Møller engaged PGP Corporation to advise on the security and network design. “I was very happy with the PGP field engineer’s level of expertise,” Møller says. “All we had to do was change the routing of the mail flow to ensure that the emails are sent through PGP Universal. We completed the project on time and within budget. A couple of years later, we upgraded to the next major version on our own. It was very easy.”
Easy management. Møller integrated PGP Universal Gateway Email with Active Directory. “When a new user wants to use email encryption, the help desk staff simply adds the user to a group in Active Directory,” he says.
Enterprise solution. Lundbeck currently uses two clustered PGP Universal Servers. “The product provides the high availability, redundancy, and performance required by a 24x7 research and development environment,” Møller states. “PGP Universal Gateway Email operates with our existing applications, email systems, and network infrastructure. The product is interoperable with other standards-based solutions because it supports both OpenPGP and S/MIME.”
Low cost of ownership. Møller notes that PGP Universal Gateway Email has an exceptionally low cost of ownership. “After using a client-based solution previously, PGP Universal Gateway Email was a big relief. We now get very few calls at the help desk. Users don’t understand or care about the concept of public and private keys. PGP Universal Gateway Email hides the underlying technology from the user and is therefore much easier to use.”
Møller used the product as provided and recommended by PGP Corporation. “PGP Universal Gateway Email worked right out of the box,” he says. “We haven’t implemented anything we couldn’t do through the user interface. The product covers everything we need.”
Enterprise-level support. Møller has not escalated many cases to PGP Support. “It’s clear that PGP Corporation has invested in its support services and brought them to a true enterprise level,” he says.
Møller believes data encryption is necessary to protect the company from financial damage. “Email has become the accepted way to share information in the pharmaceutical industry, and secure messaging is important to protect our intellectual property,” he says. “It costs an average of US$150 million to develop a new drug. We would lose that investment if our data was breached and our competition was able to patent the new drug. With PGP Universal Gateway Email, we know our communication containing research and patient data is secure.”
Instant messaging. Møller is interested in expanding Lundbeck’s use of the PGP Encryption Platform. “We’re evaluating PGP® Desktop Email for the encryption of instant messaging traffic,” he says. “We previously thought of instant messaging as a gadget, but it’s now becoming a business tool. Our users want to use instant messaging internally and with external partners, so we need to ensure those communications are secure as well.”
Mobile messaging project. Møller’s department is currently designing its global mobile messaging strategy and is glad PGP Corporation has added support for BlackBerry® mobile devices to the PGP Encryption Platform. “It fits right into our security strategy,” Møller says. “BlackBerry users are mostly executives who store a lot of confidential information on the devices. We want these users to be able to send and receive secure email using the BlackBerry.”
Laptop security. Lundbeck had introduced a full disk encryption product before PGP® Whole Disk Encryption was available. Now, the company is considering replacing its current laptop encryption with PGP Whole Disk Encryption. “The existing product works fine, but we want to reduce the total number of solutions we have to administer so we can increase our efficiency and avoid training our operations department in rarely used applications. If they don’t use them regularly, they forget how they work,” Møller says.
Network storage encryption. Møller plans to introduce encryption for files in shared storage. “We’ll definitely consider using PGP® NetShare to encrypt files on network servers because it leverages the PGP Encryption Platform,” he says.
In the meantime, Møller is pleased with Lundbeck’s deployment of PGP products. “I wouldn’t have done anything differently,” he says. “I think we did well.”
The PGP Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups. |
