Dr Cornelius Namiluko and Caroline Rivett discuss cyber security in the pharmaceutical industry and the approaches companies can take to address the risk of a cyber attack…
Digital health is a hot topic in healthcare, offering more effective and more efficient personalised healthcare to patients and carers.
Devices such as fitness trackers, heart monitors and insulin pumps are connected into a medical Internet of Things (“IoT”) to enable us to monitor our activity, heart rate, and blood pressure. We can ask for our genome to be sequenced and interpreted, and pharmaceutical and health companies can apply Big Data analytical techniques to collect and process large amounts of data. All of these can feed data into our own personal interactive health record with alarms and notifications sent to concerned healthcare professionals.
Digital health is all about the use of emerging technologies to enable better health and care for patients and carers. It offers great potential for better self-care, more pro-active health management and faster recovery from diseases. Within hospitals, increased digitisation will decrease error rates, offer faster recuperation, and enable skilled clinicians to co-operate across borders with sick patients. Digitisation enables pharmaceutical companies to create personalised drugs based on individuals’ genomic sequences, more effective measurement of drug uptake and efficacy, and enables a closer relationship between pharmaceutical companies and patients.
At the same time, there are cyber security breaches into sophisticated and well-managed companies by hackers, criminals and nation states. Intellectual property is stolen, confidential emails are shared publicly, and medical records are used to create fraudulent new identities. For example, US retailer Target’s data breach of 2014 involving a reported 70 million credit card records, JP Morgan Chase’s data breach involving 76 million accounts, and Anthem’s loss of personal information of its clients and employees earlier this year are some of the recent major security breaches.
Over the past six months we have heard of breaches into medical devices that are alarming in both number and sophistication, with FDA advisories on cyber security for certain products. Examples include an infusion pump used to deliver programmed amounts of fluids into a patient’s body; this device could allow an unauthorised user to change the dosage delivered. We also see that medical devices can be discovered on hospital networks from internet searches, which hackers may well exploit in the future.
Compromised information leads to reputational damage
So how do we understand the cyber security risks to pharmaceutical companies? There are risks to their information and to their production systems. Both are exploited in similar ways, but the impact varies greatly. Compromised information leads to financial losses and reputational damage, but compromised production systems could have far-reaching impacts, including loss of life. Looking at it another way, cyber security breaches into medical devices and pharmaceutical technology impact the confidentiality of intellectual property and personal information, but of far greater concern are integrity and availability. As a patient, I am more concerned if my recorded blood type is changed (integrity) than if my blood type is divulged (confidentiality).
Scientific discovery and development is key to pharmaceutical companies. Pharmaceutical companies must innovate and quickly turn innovations into products, possibly before potential competitors develop alternatives. However, the rush to develop could lead to other core business functions being overlooked. Insecurely protected technology increases the risk of exposing sensitive information such as intellectual property which can be exploited by competitors, hacktivists, cyber criminals or nation states for financial gain or for reputational damage.
Pharmaceutical products are manufactured through a number of complex processes. There is increasing business value in connecting manufacturing systems to the company as well as the outside internet. Manufacturing systems’ data can be analysed with environmental, physical and location data to drive efficiencies and more effective production and safety processes, as well as operational cost savings.
Addressing the cyber security risk
One key problem is that manufacturing systems often use technology which is older than the internet itself, meaning that these systems are inherently insecure. They were designed as specialised and isolated systems and not built to withstand cyber security attacks. For pharmaceutical companies, any compromise of manufacturing systems can result in a loss of integrity and availability of the physical process. This can potentially lead to safety problems, breaches of statute and reputational damage. The same risks apply to medical devices. Vulnerabilities in the design or implementation of a medical device such as an insulin pump, or in anything interconnected to such devices, could result in loss of device integrity and potential harm to patients if they are exploited in a cyber-attack.
Risk is an inherent part of any business, and cyber risks are only one aspect of this. In KPMG’s experience the most robust approach to addressing cyber security risk is to understand who is targeting the organisation, what they want, the potential impact and the controls in place. This approach allows operators and managers to balance disruption against the cyber risk while, at the same time, providing assurance that interconnectivity between manufacturing systems and the enterprise will not compromise core operational processes. The key is to place appropriate focus on both the strategic and the tactical elements. The tactical elements are important to deliver cost saving and quick value-add, but the strategic elements are usually even more important to ensure sustainable investment.
The increasing digitisation of the enterprise and production systems, together with improved data analytics capabilities, opens up numerous opportunities for pharmaceutical organisations to improve efficiency, enhance productivity and achieve substantial revenue generation and cost savings. In addition, medical devices, the IoT, and improved data collection and analysis technology have great potential to improve health care. Cyber risks resulting from interconnectivity to the internet and enterprise systems must be taken into account as we increasingly interconnect devices. We suggest that pharmaceutical organisations should analyse and understand the risks of increasing connectivity, together with assessing how their key assets are being protected. It is crucial that security is included during the design process and as an inherent part of any system.
Biographies
Dr Cornelius Namiluko
Cornelius is a passionate Security Architecture Professional with extensive experience in design and analysis of software and system architecture. Cornelius obtained a PhD from Oxford with a focus on secure architecture design and verification. Cornelius has delivered designs for technical security controls including compartmentalization, monitoring and trusted storage necessary to ensure secure information flows within highly complex environments. He has worked on embedded device security, mobile and web application security design and implementation, and distributed system security. He was a key member of the development team for an EMR in Africa with a focus on protecting patient records. He currently works as a security architect in industrial control systems within the pharmaceuticals, healthcare, oil and gas, and power and utilities sectors.
Caroline Rivett
Caroline Rivett is a Director in KPMG’s London office. Her area of expertise is Cyber Security & Privacy, Life Sciences & Healthcare. She has over twenty years of experience in technology and risk management. Over the last five years she has specialised in the protection of sensitive information in health and life sciences, and she comments regularly on cybersecurity and privacy issues in digital health. In addition, Caroline served as a Chair of the Audit Committee and a Board member in the NHS for eight years.
To find out more about KPMG, please visit: www.kpmg.com