Protected From Prying EyesProtected From Prying Eyes

Few industries need to protect and keep confidential their research data and other intellectual property as much as the pharmaceutical industry. That's why Merck & Co. turned to digital-rights-management software to reduce the chance that crucial information falls into the wrong hands.

Until recently, Merck shared sensitive clinical drug-trial information by sending a hard copy to physicians by overnight courier. But this approach added days to the process and also placed confidential information at risk. After Merck sent a report to a physician, there was no way to control who else read it.

Merck recently tested Microsoft's Windows Rights Management Services for Windows Server 2003 to see if it could provide a more efficient, auditable, and secure way to share clinical-trial data with its partnering physicians. The services let companies control access to documents after they've been sent outside the company. Documents are encrypted and can include an expiration date, after which users can't read them. Rights Management Services also can limit the ability of recipients to cut and paste, print, or forward documents.

Merck looked at a number of ways to add digital-rights management to important documents, but most required considerable integration and forced recipients to add software to their systems to access and manage protected content, says Hong Choing, manager of applications development in the clinical-development program technology-management group at Merck.

Another benefit is that the software gives Merck an electronic audit trail of when a document is accessed and by whom, he says.

Rights Management Services works with apps and browsers that support Microsoft's digital-rights-management system. It uses Extensible Rights Mark-Up Language-based certificates and authentication to provide security that travels with the document.

Rights Management Services works natively with Microsoft Office 2003, but, until recently, only those with the latest version of Windows could read protected documents. Microsoft has released an add-on for Internet Explorer, which makes it possible for anyone with the browser to read protected documents. "A lot of our collaboration with physicians and primary investigators doesn't require that they change the document," Choing says. "It's something that they read and agree to or not. So the Explorer add-on fits this need well in read-only mode."

Microsoft doesn't charge for the Rights Management Services server software, but a client-access license, required for each user, is priced at $29 to $37 per person.

Some companies have been critical of digital-rights management, saying that hackers and others can penetrate security to read documents. But Choing says they're missing the point. Rights Management Services adds a layer of security; there's no security in mailing out hard copies. In addition, the system helps Merck better enforce its security policies.

More companies are exploring digital-rights-management applications from vendors such as Authentica, Liquid Machines, Microsoft, and Sealed- Media. All provide similar features to protect content and intellectual property after it leaves the borders of the company firewall, analysts say. "They understand now that electronic documents have the potential to live forever," says Pete Lindstrom, research director at Spire Security. "It just makes sense to protect confidential information throughout its entire life cycle."

The pilot has gone well, Choing says, but the software can be improved to make his job easier. He wants the ability to rights-protect batches of documents, instead of one at a time. He'd also like to see Microsoft make Rights Management Services work with earlier versions of Microsoft Office.