Strengthening the pharma industry’s cyber security defence

Recent research has found that the pharmaceutical industry is among the most threatened areas for cyber crime globally¹ and needs to step up to this growing challenge. This is an industry built on innovation with all of the characteristics that are attractive to cyber hackers, including extensive spend on research and development (R&D), highly sensitive intellectual property (IP) and access to patient data, as well as almost total reliance on technology to efficiently run. But there are some crucial steps that the pharmaceutical industry can take to reinforce its cyber security defence and keep this data safe.

The value of health data

The data held by pharma companies includes proprietary information about drugs, data related to pharmaceutical developments and technologies, as well as sensitive and personal patient information – all of high value to cyber criminals. This data must also abide by strict privacy guidelines regarding the safeguarding of Protected Health Information (PHI). This means that losing control over such information can have devastating repercussions for the business, which emphasises the need for a layered and constructive cyber security approach.

The consequences of such infringements go beyond the financial implications from exposed data. It also affects the company’s reputation, diminishing patient or stakeholder trust, resulting in operational disturbance and potential regulatory fines. When cyber attacks happen, the reputation of a company is one of the key areas that suffers damage, and particularly for pharma organisations, it is vital that individuals have trust in the company to keep their health data secure.

Merck and Co, one of the largest pharmaceutical companies in the world, was hit by a ransomware attack in June 2017, affecting 30,000 computers and 7,500 servers.² The drug manufacturer suffered hundreds of millions in damages and the attack led to unfortunate disruptions of worldwide operations – including manufacturing, research and sales operations. Unfortunately, this included a vaccine-plant going down, crippling the production facilities for a leading vaccine against human papillomavirus. The overall cost of a cyber attack, such as this example, can almost be immeasurable due to the different and complex ways a business can be affected.

COVID-19 accelerating cybercrime

With social distancing measures in place and many working from home as a result of the ongoing pandemic, COVID-19 has accelerated the need to strengthen a business’ cyber security posture across all sectors. Especially as hackers take advantage of this situation, with Her Majesty’s Revenue and Customs (HMRC) finding that cyber hacks peaked in May 2020, after rising 337 percent from 133 in March to 5,152 during the peak of the pandemic.³ These findings demonstrate the significance of having adequate cyber security controls in place and this is no different for pharmaceutical firms – particularly as cyber criminals seek to exploit the progression and experimentation of COVID-19 medication and vaccinations.

Last year, a joint statement was issued by the Certified Information Systems Auditor (CISA), the National Security Agency (NSA) and various cybersecurity authorities across the United Kingdom and Canada, alleging that the Russian Intelligence Services were targeting COVID-19 vaccine and research development facilities with cyber hacks.⁴ The warning highlighted that any serious delay caused by these cyber threats and attackers could jeopardise the lives of millions of people, as well as impact the expenditure that goes into making the medicines.

In line with this, pharmaceutical companies are facing more pressure than ever before with the demand to create and distribute COVID-19 vaccines. Teams will be working harder, faster and for longer to fulfil these needs, which in turn, can cause cyber security to drop to the bottom of their areas of concern. Being tired, distracted and facing new constraints can be prime contributing factors to individuals making errors that lead to security incidents, for example, an accidental data leakage by sending the wrong attachment or email to an incorrect recipient or clicking on a link in a phishing email.

A combined cyber approach

The 2020 Cost of a Data Breach Report found that the average total cost of a data breach was significantly higher for the healthcare and pharmaceutical industry compared to less regulated industries such as hospitality, media and research.⁵ It is therefore vital that pharmaceutical companies have a thorough cyber security policy in place to protect those digital assets.

A layered defence approach is the most important strategy for pharma organisations to have in place, one which combines foundational protection, innovative tools, security culture and workforce education. Email is the most common form of communication within businesses, which means that personal and sensitive information is commonly shared in this way. However, there are solutions available that can support users in ensuring they are sending documents securely and to the right person, providing individuals with a critical double-check alert before clicking send.

Deploying a holistic cyber security approach can provide greater insight into possible security risks before they occur, while continuously re-examining the company’s cyber protocols to ensure they keep up to date with the modern threat landscape and meet the workforce’s needs.

Educated and aware workforce

Pharmaceutical teams need to recognise what they can do to safeguard digital assets and how to circumvent individuals falling victim to a phishing attack or email hack that could reveal confidential data. Especially as cyber hackers continue to deploy a variety of innovative tactics to target all organisations, including the pharma industry. If staff are not aware or educated on the risks they pose, valuable data and intellectual property could end up in the wrong hands. This will be both an advantage for competitors, and an opportunity for the cyber attacker to leverage a ransom for these sensitive resources.

To combat this hurdle, Security Awareness Training programmes can offer real-life training modules for pharmaceutical organisations to assess their reaction to threats, pinpoint where refinements can be made and develop strategies to address any limitations. Such programmes can be used to invigorate current strategies and highlight any weaknesses. The foundation of any successful security strategy is having a strong security culture embedded within an organisation, where teams are educated about the risks they pose in their day-to-day communications and are aware of the responsibilities they hold in keeping data safe.

As the attention draws on pharmaceutical companies during the ongoing pandemic, these organisations are more at risk than ever before. This means they must take the necessary steps to alleviate any internal and external risks. But with a multi-layered strategy in place, including a combination of education, technology and awareness, the pharma industry can execute the appropriate steps to preserve data privacy and protect sensitive and valuable material.

References

1. Deloitte, Deal breaker: Cyber risk in life sciences M&A [Internet]. www.deloitte.com. 2018 [cited 6 May 2021]. Available from: https://www2.deloitte.com/content/dam/Deloitte…
2. Sagonowsky E. Merck, insurers fight over $1.3B in damages from cyberattack: Bloomberg [Internet]. FiercePharma. 2019 [cited 6 May 2021]. Available from: https://www.fiercepharma…
3. Austin A. HMRC investigates 10,000 Covid scams [Internet]. Ftadviser.com. 2020 [cited 6 May 2021]. Available from: https://www.ftadviser.com/companies/2020/08/18/hmrc…
4. Curran J. CISA’s Corman Warns COVID Vaccine Hacks Could Endanger Millions [Internet]. Meritalk.com. 2020 [cited 6 May 2021] Available from: https://www.meritalk.com/articles/cisas…
5. IBM Security. Cost of a Data Breach Report [Internet]. Capita.com. 2020 [cited 6 May 2021]. Available from: https://www.capita.com/sites/g/files/nginej291/files/2020-08/…