Cyber security in pharmaceuticals
Posted: 22 October 2015
Dr Cornelius Namiluko and Caroline Rivett discuss cyber security in the pharmaceutical industry and the approaches companies can take to address the risk of a cyber attack…
Digital health is a hot topic in healthcare offering more effective and more efficient personalised healthcare to patients and carers.
Devices such as fitness trackers, heart monitors and insulin pumps are connected into a medical Internet of Things (“IoT”) to enable us to monitor our activity, heart rate, and blood pressure. We can ask for our genome to be sequenced and interpreted, and pharmaceutical and health companies can apply Big Data analytical techniques to collect and process large amounts of data. All of these can feed data into our own personal interactive health record with alarms and notifications sent to concerned healthcare professionals.
Digital health is all about the use of emerging technologies to enable better health and care for patients and carers. It offers great potential for better self-care, more pro-active health management and faster recovery from diseases. Within hospitals, increased digitisation will decrease error rates, offer faster recuperation, and enable skilled clinicians to co-operate across borders with sick patients. Digitisation enables pharmaceutical companies to create personalised drugs based on individuals’ genomic sequences, more effective measurement of drug uptake and efficacy, and enables a closer relationship between pharmaceutical companies and patients.
At the same time there are cyber security breaches into sophisticated and well-managed companies by hackers, criminals and nation states. Intellectual property is stolen, confidential emails are shared publicly, and medical records are used to create fraudulent new identities. For example, US retailer Target’s data breach of 2014 involving a reported 70 million credit card records, JP Morgan Chase’s data breach involving 76 million accounts and Anthem’s loss of personal information of its clients and employees earlier this year are some of the recent major security breaches.
Over the past six months we have heard of an alarming number of increasingly sophisticated breaches into medical devices, with FDA advisories on cyber security for certain products. Examples include an infusion pump used to deliver a programmed amount of fluids into a patient’s body. This device could allow an unauthorised user to change the dosage delivered. We also see that medical devices can be discovered on hospital networks from internet searches, which hackers may well exploit in the future.
Compromised information leads to reputational damage
So how do we understand the cyber security risks to pharmaceutical companies? There are risks to their information and to their production systems, with both being exploited in similar ways, but the impact varies greatly. Compromising information leads to financial losses and reputational damage, but compromised production systems could have far-reaching impacts including loss of life. Looking at it another way, cyber security breaches into medical devices and pharmaceutical technology impact the confidentiality of intellectual property and personal information, but of far greater concern are integrity and availability. As a patient, I am more concerned if my recorded blood type is changed (integrity) than if my blood type is divulged (confidentiality).
Scientific discovery and development is key to pharmaceutical companies. Pharmaceutical companies must innovate and quickly turn innovations into products, possibly before potential competitors develop alternatives. However, the rush to develop could lead to other core business functions being overlooked. Insecurely protected technology increases the risk of exposing sensitive information such as intellectual property which can be exploited by competitors, hacktivists, cyber criminals or nation states for financial gain or for reputational damage.
Pharmaceutical products are manufactured through a number of complex processes. There is increasing business value in connecting manufacturing systems to the company as well as the outside internet. Manufacturing systems’ data can be analysed with environmental, physical and location data to drive efficiencies and more effective production and safety processes, as well as operational cost savings.
Addressing the cyber security risk
One key problem is that manufacturing systems often run on technology which is older than the internet itself, meaning that these systems are inherently insecure. They were designed as specialised and isolated systems and not built to withstand cyber security attacks. For pharmaceutical companies, any compromise of manufacturing systems can result in a loss of integrity and availability of the physical process. This can potentially lead to safety problems, breaches of statute and reputational damage. The same risks apply to medical devices. Vulnerabilities in the design or implementation of a medical device such as an insulin pump, or in anything interconnected to such devices, could result in loss of device integrity and potential harm to patients if they are exploited in a cyber-attack.
Risk is an inherent part of any business, and cyber risks are only one aspect of this. In KPMG’s experience the most robust approach to addressing cyber security risk is to understand who is targeting the organisation, what they want, the potential impact and the controls in place. This approach allows operators and managers to balance disruption against the cyber risk while, at the same time, providing assurance that interconnectivity between manufacturing systems and the enterprise will not compromise core operational processes. The key is to place appropriate focus on both the strategic and the tactical elements. The tactical elements are important to deliver cost saving and quick value-add, but the strategic elements are usually even more important to ensure sustainable investment.
The increasing digitisation of the enterprise and production systems together with improved data analytics capabilities opens up numerous opportunities for pharmaceutical organisations to improve efficiency, enhance productivity and achieve substantial revenue generation and cost savings. In addition, medical devices, the IoT, improved data collection and analysis technology have a great potential to improve health care. Cyber risks resulting from interconnectivity to the internet and enterprise systems must be taken into account as we increasingly interconnect devices. We suggest that pharmaceutical organisations should analyse and understand the risks of increasing connectivity together with assessing how their key assets are being protected. It is crucial that security must be included during the design process and as an inherent part of any system.
Dr Cornelius Namiluko
Cornelius is a passionate Security Architecture Professional with extensive experience in the design and analysis of software and system architecture. Cornelius obtained a PhD from Oxford with a focus on secure architecture design and verification. Cornelius has delivered designs for technical security controls including compartmentalisation, monitoring and trusted storage necessary to ensure secure information flows within highly complex environments. He has worked on embedded device security, mobile and web application security design and implementation, and distributed system security. He was a key member of the development team for an EMR in Africa with a focus on protecting patient records. He currently works as a security architect in industrial control systems within the pharmaceuticals, healthcare, oil and gas, and power and utilities sectors.
Caroline Rivett is a Director in KPMG’s London office. Her area of expertise is Cyber Security & Privacy, Life Sciences & Healthcare. She has over twenty years of experience in technology and risk management. Over the last five years she has specialised in the protection of sensitive information in health and life sciences, and comments regularly on cybersecurity and privacy issues in digital health. In addition, Caroline served as Chair of the Audit Committee and a Board member in the NHS for eight years.
To find out more about KPMG, please visit: www.kpmg.com