How Roche is pioneering the future of healthcare with secure patient data

In this guest post, Roche explains how using Google Cloud’s Zero Trust security model has helped them improve their security posture and better manage the risks they face.

It’s an exciting time for the pharmaceutical industry. Advancements in science, data, analytics, and technology are opening up new opportunities in what’s known as personalized healthcare: the ability to tailor care uniquely to each individual.

Without data, there would be no hope of fulfilling this promise. It’s what helps us reach the insights we need to understand and diagnose diseases and to develop the most effective medicines and care. Data is priceless. That’s why, at Roche, we do everything we can to keep it secure.

With cybersecurity attacks on the rise, we know we can’t afford to be complacent about our data security. At the same time, with more than 100,000 employees across the organization, it can be difficult to keep track of what every user is doing, making it just as important to guard against insider threats.

We are determined to prevent our confidential data from being shared without permission, either inadvertently or for nefarious reasons. That’s why we began working with Google Cloud to implement a Zero Trust security model with Chrome Enterprise.

Putting our trust in Zero Trust security

Prior to using Chrome Enterprise, we didn’t have full visibility of what our users were doing. They used a range of browsers to access our systems, meaning there wasn’t an integrated log of their activity and we were unable to control access permissions sufficiently and consistently.

Now, with our Zero Trust model, Chrome is the only permitted browser and users must log in using their Roche credentials. With additional security capabilities built into the browser, we now have full visibility of all our users in one place, and are able to configure access controls to ensure they can only access the data they need.

Our Zero Trust model also means that we can give our users more flexibility to work in a hybrid way, enabling them to access their work seamlessly from any device, wherever they are. And because they no longer need to use a Roche computer, this helps to keep our costs down.

At the same time, our Zero Trust model helps to minimize the attack surface by only giving users access to the apps and resources they need. With integrated threat and data protection, by asking users to log in through Chrome instead of accessing the Roche network, we reduce the risk of malware spreading through our network from an infected computer.

Seeing the bigger picture, controlling the smaller details

So what exactly does full visibility mean? With Chrome Enterprise we now have a single interface where we can view all the audit logs of actions taken by our employees across our systems. Critically, these logs record exactly what data has been transferred, meaning we can see who downloaded what, enabling prompt action to protect against data loss.

We can also receive alerts of unsafe user activities, such as downloads that exceed a certain specified threshold, enabling us to investigate incidents in real time. In fact, within hours of first activating Chrome Enterprise, we were alerted to an attempt to download a large amount of corporate information, enabling us to take immediate action.

Visibility is only part of the story. With Chrome Enterprise, we can also take a more proactive approach to protecting against data loss before it happens. For example, we can configure controls to prevent downloads of sensitive documents containing specific keywords, or to allow them to be viewed only and not shared. Likewise, we can restrict who can access sensitive documents by departments or user groups, all of which helps us to keep patient data safe and prevent sensitive information from falling into the wrong hands.

We can restrict access to our applications and data based on information such as the user’s location, device, and IP address, too, with context-aware access. For example, by adjusting the granular access controls, we can ensure that users in embargoed countries can’t access some of our applications, making it easy to comply with certain regulations.

Being able to deny access to users in a range of specific contexts gives us more flexibility in applying access policies, rather than applying blanket restrictions. More users can access what they need, while we have the confidence they are doing so in a secure way.

Building a security profile that works for us

Google Cloud has been working closely with us throughout our journey with Chrome Enterprise. Monthly check-ins, regular workshops, and support sessions ensure we are protecting our systems effectively. This relationship has been particularly important during significant deployments of new functionality, such as when we implemented malware analysis for every user.

This browser-based service to scan file transfers for malware could have had an impact on performance, causing users to have to wait a long time for transfers. But with Google Cloud, we were able to anticipate these potential challenges before deployment and work together to monitor performance, mitigate any issues, and prevent bottlenecks.

The results of using Chrome Enterprise speak for themselves. Being immediately able to see and block large, unauthorized data downloads means we can show the management team the value of our work and the importance of a Zero Trust security model.

Ultimately, our work on the monitoring and incident response team at Roche shouldn’t be an obstacle, but an enabler for users, allowing them to connect from anywhere, on any device, in a safe way. With Chrome Enterprise, we have the right tools for a simple and secure environment. As a result, we’re helping users to work securely, protecting patients’ data, and keeping Roche at the cutting edge of healthcare.