Authentication and access issues in pharma
Catherine Dhanjal asks: are researchers getting access to the vital data they need?
Pharmaceutical and life science companies spend billions of pounds a year on research, with the Association of the British Pharmaceutical Industry (ABPI) quoting industry investment of £11.4m per day on R&D.
But does this huge investment mean researchers get access to the vital data they need?
Library and information managers are responsible for purchasing hard copy and online research, from journals to content and patent databases and search tools, with the aim of giving researchers and other business users access to a vast knowledge bank which can be incorporated into the research process.
However, it can be hard for users to access this essential information due to a less than straightforward authentication and access process.
OpenAthens and TDNet asked me to work with them to carry out research to gain a deeper understanding of these challenges. The output, “Identity & access management for global pharmaceutical companies – an insight report”, is available online now for download.
In the lead up to the insight paper we ran online discussions, polls and carried out in-depth individual interviews with key stakeholders including librarians, publishers, industry bodies and technology companies.
Six key challenges
We analysed the comments from the in-depth interviews, online discussions and micro surveys and distilled them into six key challenges around authentication and single sign-on.
In terms of identity we focused on the methods or software used to identify people against a list of agreed users, for access we explored current access methods such as IP range, user name/password and single sign-on. Jon Bentley of OpenAthens recently wrote about access management federations for Research Information.
There wasn’t a clear order of priority or ‘pain’ for the challenges although many cited that moving away from IP access towards single sign-on would reduce administration significantly and make the user journey significantly easier, meaning library resources would be more likely to be the starting point for research.
Frustrating user journeys are one of, if not the main reason, cited as a driver for single sign-on (SSO). SSO allows end users to move around all the resources that the information centre subscribes to without the need to enter their credentials multiple times, whether on or off-site, on PC or on mobile device.
The top challenges we identified in the research are:
1. Administering resources off-site; access anytime anywhere
2. Administering access
3. IP addresses
4. Usage statistics
5. Working with the IT department; the IT skills required in the library
6. Privacy, GDPR and security issues
1. Anytime, anywhere access: Users now work in an environment very different to that of even a few years ago. New specialist search engines have sprung up, not all of which are copyright compliant (ResearchGate, for example) and more established search engines like Google have become so ingrained in our consciousness that many of us now start searches in Google and jump from there to subscription resources. In terms of access, mobile devices are more prevalent, flexible and home working is on the increase and we are increasingly working on the move whether within our own country or between countries.
It’s in this context that end-users are pushing for and expecting 24 hour access, irrespective of location or platform. However, that’s not necessarily straightforward or even possible to deliver using current authentication methods such as IP access, and there are security concerns to grapple with too.
2. Administering access: Information centres may have small numbers of staff – one librarian we spoke to has six people in his team serving 25,000 active users with a potential base of 70,000 – and may not have the time or technical expertise to set users up with credentials, keep on top of access in terms of a changing user and resource base or other issues.
3. IP addresses: When IP access works, it’s probably the most straightforward access route for researchers; they may not even be aware that they’re being granted access to resources by the information centre. However, we heard many negative comments about IP access presenting a significant administrative burden for librarians and how it doesn’t allow librarians to identify who’s using which resources, making identifying training or promotional needs difficult, for example.
As one interviewee commented, “If there isn’t single sign-on for resources where the access is IP checked, it’s a challenge to figure out who the users are at each site and to promote the right content to the right functions. We have one IP address for 6,000 of our users. We can’t even tell which department they’re from.”
4. Usage statistics: Libraries and information centres are increasingly requesting that publishers present them with usage statistics as a baseline essential to meet minimum procurement requirements. They underpin cross-charging within organisations, negotiations with publishers and planning future content purchasing budgets. However, there is debate about the accuracy of publisher-only stats and a desire for those statistics to also come from an independent source such as the authentication methods where more granularity might be achieved along with consistency of format and data.
5. Working with the IT department; the IT skills required in the library: Information centre teams today ideally include staff with a range of skills, including a level of technology expertise. However, there is a lot of variation between pharma company libraries in terms of the skill sets required or seen as priority and an equally wide variation in terms of how closely those teams work with the IT department and how positive the relationships are. Sometimes authentication solutions are driven by the IT department and imposed on the information centre; in other companies there’s a much more collaborative approach or the library drives the technology required to run its services.
6. Privacy, GDPR and security issues: The General Data Protection Regulation (GDPR) is an EU initiative which comes into effect on 25th May this year. It will have a wide-ranging effect on any organisation which holds personal data such as being aware of and compliant with GDPR over the rights individuals have over this data, their agreement to privacy, their agreement to share the data with other organisations. Organisations will have to document areas such as their basis for processing the data, data retention periods and how individuals can rectify data held or object to it. This is an additional burden and consideration information centres will need to comply with.
Conclusions and next steps
We are now actively sharing the insights report with the community to help move discussions and developments forward to overcome challenges identified.
We drew five key insights from the research:
1. Single sign-on cannot work in isolation;
2. Collaboration is key: publishers, librarians and end users must all be involved;
3. The end user experience must be straightforward;
4. Building and maintaining a workable federation requires time and resources – using an existing model, such as the OpenAthens Federation presents a proven and workable solution; and
5. Training and educating all stakeholders about the benefits and processes will help generate an improved outcome.
Find out more about the key insights, opportunities for collaboration and more detail of our findings in “Identity & access management for global pharmaceutical companies – an insight report”. Download your copy.
Catherine Dhanjal is strategic communications director at TheAnswer Ltd